Fix memory corruption while configuring CPU windows on Marvell SoCs

Resolving CPU windows from localbus entry caused buffer overflow and memory corruption. Fix wrong indexing and ensure the index does not exceed table size. Submitted by: Wojciech Macek <wma@semihalf.com> Obtained from: Semihalf Sponsored by: Stormshield Differential revision: https://reviews.freebsd.org/D10720
2017-05-25 14:16:43 +00:00 · 2017-05-25 14:16:43 +00:00 · 2b25a3b2c3
commit 2b25a3b2c3
parent 92c5d1f990
1 changed files with 12 additions and 0 deletions
--- a/sys/arm/mv/mv_common.c
+++ b/sys/arm/mv/mv_common.c
@ -2269,6 +2269,12 @@ win_cpu_from_dt(void)
 		entry_size = tuple_size / sizeof(pcell_t);
 		cpu_wins_no = tuples;

+		/* Check range */
+		if (tuples > nitems(cpu_win_tbl)) {
+			debugf("too many tuples to fit into cpu_win_tbl\n");
+			return (ENOMEM);
+		}
+
 		for (i = 0, t = 0; t < tuples; i += entry_size, t++) {
 			cpu_win_tbl[t].target = 1;
 			cpu_win_tbl[t].attr = fdt32_to_cpu(ranges[i + 1]);
@ -2301,6 +2307,12 @@ moveon:
 	if (fdt_regsize(node, &sram_base, &sram_size) != 0)
 		return (EINVAL);

+	/* Check range */
+	if (t >= nitems(cpu_win_tbl)) {
+		debugf("cannot fit CESA tuple into cpu_win_tbl\n");
+		return (ENOMEM);
+	}
+
 	cpu_win_tbl[t].target = MV_WIN_CESA_TARGET;
 #ifdef SOC_MV_ARMADA38X
 	cpu_win_tbl[t].attr = MV_WIN_CESA_ATTR(0);