intel/common/block: Fix potential buffer overflow
Possible Buffer Overflow - Array Index Out of Bounds. Array
regions size is 256 but 'i' iterates from 0 to 256.
Found-by: Klockwork
BUG=None
BRANCH=firmware-brya-14505.B
TEST=Boot to OS
Signed-off-by: Bora Guvendik <bora.guvendik@intel.com>
Change-Id: Iee45a5821b9dd3f9e6f9816599beebf34555426d
Reviewed-on: https://review.coreboot.org/c/coreboot/+/72049
Reviewed-by: Hannah Williams <hannah.williams@intel.com>
Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
diff --git a/src/soc/intel/common/block/crashlog/crashlog.c b/src/soc/intel/common/block/crashlog/crashlog.c
index 5949264..3bd2488 100644
--- a/src/soc/intel/common/block/crashlog/crashlog.c
+++ b/src/soc/intel/common/block/crashlog/crashlog.c
@@ -145,16 +145,18 @@
printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x at addr 0x%x\n",
descriptor_table->numb_regions, desc_table_addr);
for (int i = 0; i < descriptor_table->numb_regions; i++) {
+ if (i >= ARRAY_SIZE(descriptor_table->regions)) {
+ printk(BIOS_ERR, "Maximum number of PMC crashLog descriptor table exceeded (%u/%zu)\n",
+ descriptor_table->numb_regions,
+ ARRAY_SIZE(descriptor_table->regions));
+ break;
+ }
desc_table_addr += 4;
descriptor_table->regions[i].data = read32((u32 *)(desc_table_addr));
total_data_size += descriptor_table->regions[i].bits.size * sizeof(u32);
printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has size 0x%x at offset 0x%x\n",
i, descriptor_table->regions[i].bits.size,
descriptor_table->regions[i].bits.offset);
- if (i > 255) {
- printk(BIOS_ERR, "More than 255 regions in PMC crashLog descriptor table");
- break;
- }
}
return total_data_size;
}