[Skiboot] [PATCH 7/8] Fix potential overrun of p7ioc_phb->{tve_hi_cache, tve_hi_cache}

Gavin Shan gwshan at linux.vnet.ibm.com
Wed Jun 24 10:01:52 AEST 2015


On Tue, Jun 23, 2015 at 02:07:37PM +0530, Kamalesh Babulal wrote:
>p7ioc_phb->{tve_hi_cache, tve_hi_cache} are array with upper bound
>of 128. In p7ioc_map_pe_dma_window(), we check if the range is 1..255,
>which might overrun the array.
>
>Fix it by checking for array index not greater than 127.
>
>Fixes Coverity Defect#97847.
>
>Signed-off-by: Kamalesh Babulal <kamalesh at linux.vnet.ibm.com>

Reviewed-by: Gavin Shan <gwshan at linux.vnet.ibm.com>

Thanks,
Gavin

>---
> hw/p7ioc-phb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/hw/p7ioc-phb.c b/hw/p7ioc-phb.c
>index d282363..0b37993 100644
>--- a/hw/p7ioc-phb.c
>+++ b/hw/p7ioc-phb.c
>@@ -1850,7 +1850,7 @@ static int64_t p7ioc_map_pe_dma_window(struct phb *phb, uint16_t pe_number,
> 	uint64_t dma_window_size;
> 	uint64_t *cache_lo, *cache_hi;
> 
>-	if (pe_number > 127 || window_id > 255 || tce_levels != 1)
>+	if (pe_number > 127 || window_id > 127 || tce_levels != 1)
> 		return OPAL_PARAMETER;
> 	cache_lo = &p->tve_lo_cache[window_id];
>         cache_hi = &p->tve_hi_cache[window_id];
>-- 
>2.1.2
>
>_______________________________________________
>Skiboot mailing list
>Skiboot at lists.ozlabs.org
>https://lists.ozlabs.org/listinfo/skiboot



More information about the Skiboot mailing list