sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

soc/intel/{broad,cannon,sky}: Fix possible out-of-bounds reads

Browse Source 
There will be a possible out of bounds array access if
power_limit_1_time == ARRAY_SIZE(power_limit_time_sec_to_msr), so
prevent that in the index check. This issue was fixed for other cpus in
commit 5cfef13f8d (cpu/intel: Fix out-of-bounds read due to off-by-one
in condition). Based on the discussion for that commit, also remove the
magic constant 28 in favour of the index of the last array element.

Change-Id: Ic3f8735b23a368f8a9395757bd52c2c40088afa1
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1229673
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34498
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
This commit is contained in:
Jacob Garber
2019-07-22 15:16:30 -06:00
committed by Patrick Georgi
parent 4926e989ac
commit bcdb893778
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/soc/intel/broadwell/cpu.c
View File

@@ -324,8 +324,8 @@ void set_power_limits(u8 power_limit_1_time)
unsigned int tdp, min_power, max_power, max_time; unsigned int tdp, min_power, max_power, max_time;
u8 power_limit_1_val; u8 power_limit_1_val;
if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr)) if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
power_limit_1_time = 28; power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP)) if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return; return;

4
src/soc/intel/cannonlake/cpu.c
View File

@@ -108,8 +108,8 @@ void set_power_limits(u8 power_limit_1_time)
config_t *conf = config_of_path(SA_DEVFN_ROOT); config_t *conf = config_of_path(SA_DEVFN_ROOT);
if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr)) if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
power_limit_1_time = 28; power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP)) if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return; return;

4
src/soc/intel/skylake/cpu.c
View File

@@ -119,8 +119,8 @@ void set_power_limits(u8 power_limit_1_time)
config_t *conf = config_of_path(SA_DEVFN_ROOT); config_t *conf = config_of_path(SA_DEVFN_ROOT);
if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr)) if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
power_limit_1_time = 28; power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP)) if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return; return;