Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-20 19:44:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(psci): potential array overflow with cpu on

Browse source 
Fix coverity finding in psci_cpu_on, in which target_idx is directly
assigned the return value from plat_core_pos_by_mpidr. If the latter
returns a negative or large positive value, it can trigger an out of
bounds overflow for the psci_cpu_pd_nodes array.

>>>>    CID 382009:    (OVERRUN)
>>>>    Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_lock_cpu".
> 80         psci_spin_lock_cpu(target_idx);

>>>>    CID 382009:    (OVERRUN)
>>>>    Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_unlock_cpu".
> 160         psci_spin_unlock_cpu(target_idx);

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ibc46934e9ca7fdcaeebd010e5c6954dcf2dcf8c7
This commit is contained in:
Olivier Deprez 2023-04-11 10:00:21 +02:00
parent 04f59c4a64
commit 66327414fb
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
lib/psci/psci_on.c
View file

@ -62,12 +62,17 @@ int psci_cpu_on_start(u_register_t target_cpu,
int rc;
aff_info_state_t target_aff_state;
int ret = plat_core_pos_by_mpidr(target_cpu);
unsigned int target_idx = (unsigned int)ret;
unsigned int target_idx;
/* Calling function must supply valid input arguments */
assert(ret >= 0);
assert(ep != NULL);
if ((ret < 0) || (ret >= (int)PLATFORM_CORE_COUNT)) {
ERROR("Unexpected core index.\n");
panic();
}
target_idx = (unsigned int)ret;
/*
* This function must only be called on platforms where the