[coreboot-gerrit] Patch set updated for coreboot: 5bad85a northbridge/intel: Out of bounds write to array in gma.h

Edward O'Callaghan (eocallaghan@alterapraxis.com) gerrit at coreboot.org
Sun Aug 3 15:41:09 CEST 2014


Edward O'Callaghan (eocallaghan at alterapraxis.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/6473

-gerrit

commit 5bad85ac4bcdab72ad8aee2ae31ecc4f1924df0a
Author: Edward O'Callaghan <eocallaghan at alterapraxis.com>
Date:   Sun Aug 3 23:38:17 2014 +1000

    northbridge/intel: Out of bounds write to array in gma.h
    
    The signature[] array in the mailbox struct opregion_header_t has
    IGD_OPREGION_SIGNATURE written to it with a
    sizeof(IGD_OPREGION_SIGNATURE) and not a sizeof(signature[]). This
    resulted in a silent off-by-one out of bounds illegal write.
    
    Change-Id: I651620a753c743dd2ed2af51c012c27c14a5ea25
    Found-by: Coverity Scan
    Signed-off-by: Edward O'Callaghan <eocallaghan at alterapraxis.com>
---
 src/northbridge/intel/fsp_sandybridge/acpi.c | 2 +-
 src/northbridge/intel/haswell/acpi.c         | 2 +-
 src/northbridge/intel/nehalem/acpi.c         | 2 +-
 src/northbridge/intel/sandybridge/acpi.c     | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/northbridge/intel/fsp_sandybridge/acpi.c b/src/northbridge/intel/fsp_sandybridge/acpi.c
index 3e47ed4..faef4d7 100644
--- a/src/northbridge/intel/fsp_sandybridge/acpi.c
+++ b/src/northbridge/intel/fsp_sandybridge/acpi.c
@@ -142,7 +142,7 @@ int init_igd_opregion(igd_opregion_t *opregion)
 	// FIXME if IGD is disabled, we should exit here.
 
 	memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
-		sizeof(IGD_OPREGION_SIGNATURE));
+		sizeof(opregion->header.signature));
 
 	/* 8kb */
 	opregion->header.size = sizeof(igd_opregion_t) / 1024;
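Review bot: the new length in this memcpy, sizeof(opregion->header.signature), is only safe while IGD_OPREGION_SIGNATURE provides at least that many bytes; if the literal were ever shortened, the out-of-bounds write fixed here would become an out-of-bounds read of the source. A compile-time assertion next to the definitions in gma.h, checking that sizeof(IGD_OPREGION_SIGNATURE) - 1 equals the size of signature[], would pin down the off-by-one relationship the commit message describes.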
diff --git a/src/northbridge/intel/haswell/acpi.c b/src/northbridge/intel/haswell/acpi.c
index 964a9d3..b2fab11 100644
--- a/src/northbridge/intel/haswell/acpi.c
+++ b/src/northbridge/intel/haswell/acpi.c
@@ -140,7 +140,7 @@ int init_igd_opregion(igd_opregion_t *opregion)
 	// FIXME if IGD is disabled, we should exit here.
 
 	memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
-		sizeof(IGD_OPREGION_SIGNATURE));
+		sizeof(opregion->header.signature));
 
 	/* 8kb */
 	opregion->header.size = sizeof(igd_opregion_t) / 1024;
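Review bot: style point on the memcpy destination, which is still written as &opregion->header.signature while the length is now sizeof(opregion->header.signature). Both name the same array and the same address, but passing opregion->header.signature without the & keeps the destination and the sizeof operand textually identical, which makes it easier to see at a glance that the length belongs to the destination.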
diff --git a/src/northbridge/intel/nehalem/acpi.c b/src/northbridge/intel/nehalem/acpi.c
index 077ceda..0ede237 100644
--- a/src/northbridge/intel/nehalem/acpi.c
+++ b/src/northbridge/intel/nehalem/acpi.c
@@ -139,7 +139,7 @@ int init_igd_opregion(igd_opregion_t * opregion)
 	// FIXME if IGD is disabled, we should exit here.
 
 	memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
-	       sizeof(IGD_OPREGION_SIGNATURE));
+		sizeof(opregion->header.signature));
 
 	/* 8kb */
 	opregion->header.size = sizeof(igd_opregion_t) / 1024;
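Review bot: the replaced continuation line in this file was aligned under the opening parenthesis with a tab plus spaces, and the new line switches to two tabs, so the hunk mixes a whitespace change into the fix. Keep the file's existing alignment for the sizeof(opregion->header.signature) line, or do the reindent in a separate cleanup, so the diff shows only the length change.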
diff --git a/src/northbridge/intel/sandybridge/acpi.c b/src/northbridge/intel/sandybridge/acpi.c
index 398cb30..58e3b54 100644
--- a/src/northbridge/intel/sandybridge/acpi.c
+++ b/src/northbridge/intel/sandybridge/acpi.c
@@ -142,7 +142,7 @@ int init_igd_opregion(igd_opregion_t *opregion)
 	// FIXME if IGD is disabled, we should exit here.
 
 	memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
-		sizeof(IGD_OPREGION_SIGNATURE));
+		sizeof(opregion->header.signature));
 
 	/* 8kb */
 	opregion->header.size = sizeof(igd_opregion_t) / 1024;
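Review bot: missing documentation at the memcpy: going by the off-by-one in the commit message, the copy now leaves out the literal's terminating NUL, so header.signature is a fixed-width field rather than a C string. A one-line comment above the call saying so would stop later code from passing it to string functions. The identical change in four copies of init_igd_opregion also suggests moving the signature copy into one shared helper so a future fix lands in a single place.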


