summaryrefslogtreecommitdiff
path: root/src/northbridge
diff options
context:
space:
mode:
authorJacob Garber <jgarber1@ualberta.ca>2019-06-06 16:53:59 -0600
committerMartin Roth <martinroth@google.com>2019-06-13 20:13:03 +0000
commit27ca9620581920aaaf3a657553bce0e42477523f (patch)
tree3005efc715d20338a3fd1d391aaa3faa033ae01a /src/northbridge
parenta2455b2967ad3ab7e95785820e49f600b06477f6 (diff)
downloadcoreboot-27ca9620581920aaaf3a657553bce0e42477523f.tar.xz
nb/amd/amdfam10: die() on out of bounds reads
These two functions try to access arrays of lengths 32 and 64 at indices of at most 259 and 71 (respectively). Something here is seriously wrong. This code was introduced in 2007, and aside from cosmetic changes, has had no modifications since then. I don't know what this code is supposed to do, and asking around on IRC, no one else did either. Until someone has the interest and time to work on it, let's at least add a die() to prevent the out of bounds access and alert the user that something is wrong. Change-Id: I5fc15a50a9f0e97add31e3a40da82a15f7427358 Signed-off-by: Jacob Garber <jgarber1@ualberta.ca> Found-by: Coverity CID 12296{79-82} Reviewed-on: https://review.coreboot.org/c/coreboot/+/33404 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Diffstat (limited to 'src/northbridge')
-rw-r--r--src/northbridge/amd/amdfam10/ht_config.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/northbridge/amd/amdfam10/ht_config.c b/src/northbridge/amd/amdfam10/ht_config.c
index 4810b99b59..8499dbb623 100644
--- a/src/northbridge/amd/amdfam10/ht_config.c
+++ b/src/northbridge/amd/amdfam10/ht_config.c
@@ -14,6 +14,7 @@
*/
#include <stdint.h>
+#include <console/console.h>
#include <device/device.h>
#include <device/pci_ops.h>
@@ -127,6 +128,10 @@ u32 get_io_addr_index(u32 nodeid, u32 linkn)
u32 index;
for (index = 0; index < 256; index++) {
+
+ if (index + 4 >= ARRAY_SIZE(sysconf.conf_io_addrx))
+ die("Error! Out of bounds read in %s:%s\n", __FILE__, __func__);
+
if (sysconf.conf_io_addrx[index+4] == 0) {
sysconf.conf_io_addr[index+4] = (nodeid & 0x3f);
sysconf.conf_io_addrx[index+4] = 1 | ((linkn & 0x7)<<4);
@@ -142,6 +147,10 @@ u32 get_mmio_addr_index(u32 nodeid, u32 linkn)
u32 index;
for (index = 0; index < 64; index++) {
+
+ if (index + 8 >= ARRAY_SIZE(sysconf.conf_mmio_addrx))
+ die("Error! Out of bounds read in %s:%s\n", __FILE__, __func__);
+
if (sysconf.conf_mmio_addrx[index+8] == 0) {
sysconf.conf_mmio_addr[index+8] = (nodeid & 0x3f);
sysconf.conf_mmio_addrx[index+8] = 1 | ((linkn & 0x7)<<4);