From adb52533fce3c06adebd174301482e2f1fbcc3a1 Mon Sep 17 00:00:00 2001 From: Bora Guvendik Date: Tue, 17 Jan 2023 12:09:56 -0800 Subject: intel/common/block: Fix potential buffer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Possible Buffer Overflow - Array Index Out of Bounds. Array regions size is 256 but 'i' iterates from 0 to 256. Found-by: Klockwork BUG=None BRANCH=firmware-brya-14505.B TEST=Boot to OS Signed-off-by: Bora Guvendik Change-Id: Iee45a5821b9dd3f9e6f9816599beebf34555426d Reviewed-on: https://review.coreboot.org/c/coreboot/+/72049 Reviewed-by: Hannah Williams Reviewed-by: Jérémy Compostella Tested-by: build bot (Jenkins) --- src/soc/intel/common/block/crashlog/crashlog.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'src/soc/intel/common/block/crashlog/crashlog.c') diff --git a/src/soc/intel/common/block/crashlog/crashlog.c b/src/soc/intel/common/block/crashlog/crashlog.c index 5949264690..3bd2488846 100644 --- a/src/soc/intel/common/block/crashlog/crashlog.c +++ b/src/soc/intel/common/block/crashlog/crashlog.c @@ -145,16 +145,18 @@ int pmc_cl_gen_descriptor_table(u32 desc_table_addr, printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x at addr 0x%x\n", descriptor_table->numb_regions, desc_table_addr); for (int i = 0; i < descriptor_table->numb_regions; i++) { + if (i >= ARRAY_SIZE(descriptor_table->regions)) { + printk(BIOS_ERR, "Maximum number of PMC crashLog descriptor table exceeded (%u/%zu)\n", + descriptor_table->numb_regions, + ARRAY_SIZE(descriptor_table->regions)); + break; + } desc_table_addr += 4; descriptor_table->regions[i].data = read32((u32 *)(desc_table_addr)); total_data_size += descriptor_table->regions[i].bits.size * sizeof(u32); printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has size 0x%x at offset 0x%x\n", i, descriptor_table->regions[i].bits.size, descriptor_table->regions[i].bits.offset); - if (i > 255) { - printk(BIOS_ERR, "More than 255 regions in PMC crashLog descriptor table"); - break; - } } return total_data_size; } -- cgit v1.2.3