From bcdb893778f857f310115522bbf7d70ad0cc017f Mon Sep 17 00:00:00 2001 From: Jacob Garber Date: Mon, 22 Jul 2019 15:16:30 -0600 Subject: soc/intel/{broad,cannon,sky}: Fix possible out-of-bounds reads There will be a possible out of bounds array access if power_limit_1_time == ARRAY_SIZE(power_limit_time_sec_to_msr), so prevent that in the index check. This issue was fixed for other cpus in commit 5cfef13f8d (cpu/intel: Fix out-of-bounds read due to off-by-one in condition). Based on the discussion for that commit, also remove the magic constant 28 in favour of the index of the last array element. Change-Id: Ic3f8735b23a368f8a9395757bd52c2c40088afa1 Signed-off-by: Jacob Garber Found-by: Coverity CID 1229673 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34498 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Rudolph
---
src/soc/intel/broadwell/cpu.c | 4 ++-- src/soc/intel/cannonlake/cpu.c | 4 ++-- src/soc/intel/skylake/cpu.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'src/soc')
diff --git a/src/soc/intel/broadwell/cpu.c b/src/soc/intel/broadwell/cpu.c
index af587ee542..5ccaeaf810 100644
--- a/src/soc/intel/broadwell/cpu.c
+++ b/src/soc/intel/broadwell/cpu.c
@@ -324,8 +324,8 @@ void set_power_limits(u8 power_limit_1_time)
 unsigned int tdp, min_power, max_power, max_time;
 u8 power_limit_1_val;
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
- power_limit_1_time = 28;
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
+ power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
 if (!(msr.lo & PLATFORM_INFO_SET_TDP))
 return;
diff --git a/src/soc/intel/cannonlake/cpu.c b/src/soc/intel/cannonlake/cpu.c
index 7eb413caa6..b0eaa5dd34 100644
--- a/src/soc/intel/cannonlake/cpu.c
+++ b/src/soc/intel/cannonlake/cpu.c
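Review bot: The corrected bounds check at the top of set_power_limits() in broadwell/cpu.c still replaces an out-of-range `power_limit_1_time` with the last table index without leaving any trace, so a bad configuration value passed in by the caller goes unnoticed at boot; the identical hunks in cannonlake/cpu.c and skylake/cpu.c have the same gap. I would brace the `if` and log before clamping, for example `printk(BIOS_WARNING, "PL1 time index %d out of range, clamping\n", power_limit_1_time);`. Because this is the same off-by-one that commit 5cfef13f8d already fixed for other CPUs, moving the clamp into one shared helper would keep the per-SoC copies from drifting again. The body of set_power_limits() continues outside the hunk, so how the clamped index is finally used cannot be checked from here.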
@@ -108,8 +108,8 @@ void set_power_limits(u8 power_limit_1_time)
 config_t *conf = config_of_path(SA_DEVFN_ROOT);
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
- power_limit_1_time = 28;
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
+ power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
 if (!(msr.lo & PLATFORM_INFO_SET_TDP))
 return;
diff --git a/src/soc/intel/skylake/cpu.c b/src/soc/intel/skylake/cpu.c
index 2fd01b471a..cb0ceaa0bc 100644
--- a/src/soc/intel/skylake/cpu.c
+++ b/src/soc/intel/skylake/cpu.c
@@ -119,8 +119,8 @@ void set_power_limits(u8 power_limit_1_time)
 config_t *conf = config_of_path(SA_DEVFN_ROOT);
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
- power_limit_1_time = 28;
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
+ power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
 if (!(msr.lo & PLATFORM_INFO_SET_TDP))
 return;
--
cgit v1.2.3