[coreboot-gerrit] Patch set updated for coreboot: a5560ea cpu/intel: Fix out-of-bounds read due to off-by-one in condition
Edward O'Callaghan (eocallaghan@alterapraxis.com)
gerrit at coreboot.org
Mon Aug 4 01:38:24 CEST 2014
Edward O'Callaghan (eocallaghan at alterapraxis.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/6478
-gerrit
commit a5560ea8ad27cc8a8f2631ec9766ddbd402e54cb
Author: Edward O'Callaghan <eocallaghan at alterapraxis.com>
Date: Sun Aug 3 20:00:47 2014 +1000
cpu/intel: Fix out-of-bounds read due to off-by-one in condition
If power_limit_1_time > 129 is false then power_limit_1_time can have a
value of up to 129 leading to an out-of-bounds illegal read indexing the
power_limit_time_sec_to_msr[] array. Thankfully all call sites have been
doing the right thing up until now so the issue has not been visible.
Change-Id: Ic029d1af7fe43ca7da271043c2b08fe3088714af
Found-by: Coverity Scan
Signed-off-by: Edward O'Callaghan <eocallaghan at alterapraxis.com>
---
src/cpu/intel/fsp_model_206ax/model_206ax_init.c | 2 +-
src/cpu/intel/haswell/haswell_init.c | 4 ++--
src/cpu/intel/model_206ax/model_206ax_init.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/cpu/intel/fsp_model_206ax/model_206ax_init.c b/src/cpu/intel/fsp_model_206ax/model_206ax_init.c
index c2f9f19..ac1880a 100644
--- a/src/cpu/intel/fsp_model_206ax/model_206ax_init.c
+++ b/src/cpu/intel/fsp_model_206ax/model_206ax_init.c
@@ -156,7 +156,7 @@ void set_power_limits(u8 power_limit_1_time)
unsigned tdp, min_power, max_power, max_time;
u8 power_limit_1_val;
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
return;
if (!(msr.lo & PLATFORM_INFO_SET_TDP))
diff --git a/src/cpu/intel/haswell/haswell_init.c b/src/cpu/intel/haswell/haswell_init.c
index 043ba3a..68c7643 100644
--- a/src/cpu/intel/haswell/haswell_init.c
+++ b/src/cpu/intel/haswell/haswell_init.c
@@ -463,8 +463,8 @@ void set_power_limits(u8 power_limit_1_time)
unsigned tdp, min_power, max_power, max_time;
u8 power_limit_1_val;
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
- power_limit_1_time = 28;
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
+ power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return;
diff --git a/src/cpu/intel/model_206ax/model_206ax_init.c b/src/cpu/intel/model_206ax/model_206ax_init.c
index 4e56414..dbde512 100644
--- a/src/cpu/intel/model_206ax/model_206ax_init.c
+++ b/src/cpu/intel/model_206ax/model_206ax_init.c
@@ -247,7 +247,7 @@ void set_power_limits(u8 power_limit_1_time)
unsigned tdp, min_power, max_power, max_time;
u8 power_limit_1_val;
- if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr))
+ if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
return;
if (!(msr.lo & PLATFORM_INFO_SET_TDP))
More information about the coreboot-gerrit
mailing list