Date: Thu, 25 May 2017 14:16:44 +0000 (UTC) From: Zbigniew Bodek <zbb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r318874 - head/sys/arm/mv Message-ID: <201705251416.v4PEGiD2048624@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: zbb Date: Thu May 25 14:16:43 2017 New Revision: 318874 URL: https://svnweb.freebsd.org/changeset/base/318874 Log: Fix memory corruption while configuring CPU windows on Marvell SoCs Resolving CPU windows from localbus entry caused buffer overflow and memory corruption. Fix wrong indexing and ensure the index does not exceed table size. Submitted by: Wojciech Macek <wma@semihalf.com> Obtained from: Semihalf Sponsored by: Stormshield Differential revision: https://reviews.freebsd.org/D10720 Modified: head/sys/arm/mv/mv_common.c Modified: head/sys/arm/mv/mv_common.c ============================================================================== --- head/sys/arm/mv/mv_common.c Thu May 25 12:57:15 2017 (r318873) +++ head/sys/arm/mv/mv_common.c Thu May 25 14:16:43 2017 (r318874) @@ -2269,6 +2269,12 @@ win_cpu_from_dt(void) entry_size = tuple_size / sizeof(pcell_t); cpu_wins_no = tuples; + /* Check range */ + if (tuples > nitems(cpu_win_tbl)) { + debugf("too many tuples to fit into cpu_win_tbl\n"); + return (ENOMEM); + } + for (i = 0, t = 0; t < tuples; i += entry_size, t++) { cpu_win_tbl[t].target = 1; cpu_win_tbl[t].attr = fdt32_to_cpu(ranges[i + 1]); @@ -2301,6 +2307,12 @@ moveon: if (fdt_regsize(node, &sram_base, &sram_size) != 0) return (EINVAL); + /* Check range */ + if (t >= nitems(cpu_win_tbl)) { + debugf("cannot fit CESA tuple into cpu_win_tbl\n"); + return (ENOMEM); + } + cpu_win_tbl[t].target = MV_WIN_CESA_TARGET; #ifdef SOC_MV_ARMADA38X cpu_win_tbl[t].attr = MV_WIN_CESA_ATTR(0);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705251416.v4PEGiD2048624>