summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJacob Garber <jgarber1@ualberta.ca>2019-07-22 15:16:30 -0600
committerPatrick Georgi <pgeorgi@google.com>2019-07-30 09:56:02 +0000
commitbcdb893778f857f310115522bbf7d70ad0cc017f (patch)
tree4a8e4314bdc7527f130bc78e172212cd054e54c0
parent4926e989ac2f83bd887bee683c7e2c0481f5cd3a (diff)
soc/intel/{broad,cannon,sky}: Fix possible out-of-bounds reads
There will be a possible out of bounds array access if power_limit_1_time == ARRAY_SIZE(power_limit_time_sec_to_msr), so prevent that in the index check. This issue was fixed for other cpus in commit 5cfef13f8d (cpu/intel: Fix out-of-bounds read due to off-by-one in condition). Based on the discussion for that commit, also remove the magic constant 28 in favour of the index of the last array element. Change-Id: Ic3f8735b23a368f8a9395757bd52c2c40088afa1 Signed-off-by: Jacob Garber <jgarber1@ualberta.ca> Found-by: Coverity CID 1229673 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34498 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Rudolph <siro@das-labor.org>
-rw-r--r--src/soc/intel/broadwell/cpu.c4
-rw-r--r--src/soc/intel/cannonlake/cpu.c4
-rw-r--r--src/soc/intel/skylake/cpu.c4
3 files changed, 6 insertions, 6 deletions
diff --git a/src/soc/intel/broadwell/cpu.c b/src/soc/intel/broadwell/cpu.c
index af587ee542..5ccaeaf810 100644
--- a/src/soc/intel/broadwell/cpu.c
+++ b/src/soc/intel/broadwell/cpu.c
@@ -324,8 +324,8 @@ void set_power_limits(u8 power_limit_1_time)
unsigned int tdp, min_power, max_power, max_time;
u8 power_limit_1_val;
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
- power_limit_1_time = 28;
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
+ power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return;
diff --git a/src/soc/intel/cannonlake/cpu.c b/src/soc/intel/cannonlake/cpu.c
index 7eb413caa6..b0eaa5dd34 100644
--- a/src/soc/intel/cannonlake/cpu.c
+++ b/src/soc/intel/cannonlake/cpu.c
@@ -108,8 +108,8 @@ void set_power_limits(u8 power_limit_1_time)
config_t *conf = config_of_path(SA_DEVFN_ROOT);
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
- power_limit_1_time = 28;
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
+ power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return;
diff --git a/src/soc/intel/skylake/cpu.c b/src/soc/intel/skylake/cpu.c
index 2fd01b471a..cb0ceaa0bc 100644
--- a/src/soc/intel/skylake/cpu.c
+++ b/src/soc/intel/skylake/cpu.c
@@ -119,8 +119,8 @@ void set_power_limits(u8 power_limit_1_time)
config_t *conf = config_of_path(SA_DEVFN_ROOT);
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
- power_limit_1_time = 28;
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
+ power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return;