diff options
author | Jacob Garber <jgarber1@ualberta.ca> | 2019-06-06 16:53:59 -0600 |
---|---|---|
committer | Martin Roth <martinroth@google.com> | 2019-06-13 20:13:03 +0000 |
commit | 27ca9620581920aaaf3a657553bce0e42477523f (patch) | |
tree | 3005efc715d20338a3fd1d391aaa3faa033ae01a /src/northbridge | |
parent | a2455b2967ad3ab7e95785820e49f600b06477f6 (diff) | |
download | coreboot-27ca9620581920aaaf3a657553bce0e42477523f.tar.xz |
nb/amd/amdfam10: die() on out of bounds reads
These two functions try to access arrays of lengths 32 and 64 at indices
of at most 259 and 71 (respectively). Something here is seriously wrong.
This code was introduced in 2007, and aside from cosmetic changes, has
had no modifications since then. I don't know what this code is supposed
to do, and asking around on IRC, no one else did either. Until someone
has the interest and time to work on it, let's at least add a die() to
prevent the out of bounds access and alert the user that something is
wrong.
Change-Id: I5fc15a50a9f0e97add31e3a40da82a15f7427358
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 12296{79-82}
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33404
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Diffstat (limited to 'src/northbridge')
-rw-r--r-- | src/northbridge/amd/amdfam10/ht_config.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/northbridge/amd/amdfam10/ht_config.c b/src/northbridge/amd/amdfam10/ht_config.c index 4810b99b59..8499dbb623 100644 --- a/src/northbridge/amd/amdfam10/ht_config.c +++ b/src/northbridge/amd/amdfam10/ht_config.c @@ -14,6 +14,7 @@ */ #include <stdint.h> +#include <console/console.h> #include <device/device.h> #include <device/pci_ops.h> @@ -127,6 +128,10 @@ u32 get_io_addr_index(u32 nodeid, u32 linkn) u32 index; for (index = 0; index < 256; index++) { + + if (index + 4 >= ARRAY_SIZE(sysconf.conf_io_addrx)) + die("Error! Out of bounds read in %s:%s\n", __FILE__, __func__); + if (sysconf.conf_io_addrx[index+4] == 0) { sysconf.conf_io_addr[index+4] = (nodeid & 0x3f); sysconf.conf_io_addrx[index+4] = 1 | ((linkn & 0x7)<<4); @@ -142,6 +147,10 @@ u32 get_mmio_addr_index(u32 nodeid, u32 linkn) u32 index; for (index = 0; index < 64; index++) { + + if (index + 8 >= ARRAY_SIZE(sysconf.conf_mmio_addrx)) + die("Error! Out of bounds read in %s:%s\n", __FILE__, __func__); + if (sysconf.conf_mmio_addrx[index+8] == 0) { sysconf.conf_mmio_addr[index+8] = (nodeid & 0x3f); sysconf.conf_mmio_addrx[index+8] = 1 | ((linkn & 0x7)<<4); |