The varstore shadow FV is kept in sync with actual SPI flash read, write and erase operations. Since we only expose a small slice of the SPI flash for the variable store, we keep an internal LBA offset and take it into account when translating shadow FV LBAs to actual LBAs.
As it turns out, the erase routine applies the LBA offset incorrectly, resulting in the wrong flash block being erased and the wrong range being erased in the shadow FV, which could result in a crash if the memory access is out of bounds.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c b/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c index 03fd9e816b96..f544af3eeb2d 100644 --- a/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c +++ b/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c @@ -439,7 +439,6 @@ StyxSpiFvDxeErase ( for (Start = VA_ARG (Args, EFI_LBA); Start != EFI_LBA_LIST_TERMINATOR; Start = VA_ARG (Args, EFI_LBA)) { - Start += mNvStorageLbaOffset; Length = VA_ARG (Args, UINTN); Status = mIscpDxeProtocol->AmdExecuteEraseFvBlockDxe (mIscpDxeProtocol, (Start + mNvStorageLbaOffset) * BLOCK_SIZE,
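Review bot: Dropping `Start += mNvStorageLbaOffset;` is the right fix for the double offset: the only remaining place the offset is applied is the `(Start + mNvStorageLbaOffset) * BLOCK_SIZE` argument to `AmdExecuteEraseFvBlockDxe`, so the SPI flash erase now targets the intended block. The context shown ends before the shadow-FV side of the loop body, so please confirm that the shadow range is derived from the now un-offset `Start` (a shadow FV LBA), which is what the commit message describes. Since the message also notes that the mistranslated range could run out of bounds of the shadow buffer, it would be worth a cheap guard in the same loop that rejects a `Start`/`Length` range extending past the exposed slice with an error status before any erase or memory access is performed, rather than relying solely on callers passing sane LBAs.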