[Skiboot] [PATCH 7/8] Fix potential overrun of p7ioc_phb->{tve_hi_cache, tve_hi_cache}
Kamalesh Babulal
kamalesh at linux.vnet.ibm.com
Tue Jun 23 18:37:37 AEST 2015
p7ioc_phb->{tve_hi_cache, tve_hi_cache} are array with upper bound
of 128. In p7ioc_map_pe_dma_window(), we check if the range is 1..255,
which might overrun the array.
Fix it by checking for array index not greater than 127.
Fixes Coverity Defect#97847.
Signed-off-by: Kamalesh Babulal <kamalesh at linux.vnet.ibm.com>
---
hw/p7ioc-phb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/p7ioc-phb.c b/hw/p7ioc-phb.c
index d282363..0b37993 100644
--- a/hw/p7ioc-phb.c
+++ b/hw/p7ioc-phb.c
@@ -1850,7 +1850,7 @@ static int64_t p7ioc_map_pe_dma_window(struct phb *phb, uint16_t pe_number,
uint64_t dma_window_size;
uint64_t *cache_lo, *cache_hi;
- if (pe_number > 127 || window_id > 255 || tce_levels != 1)
+ if (pe_number > 127 || window_id > 127 || tce_levels != 1)
return OPAL_PARAMETER;
cache_lo = &p->tve_lo_cache[window_id];
cache_hi = &p->tve_hi_cache[window_id];
--
2.1.2
More information about the Skiboot
mailing list