Fix Coverity finding in psci_cpu_on, in which target_idx is directly
assigned the return value from plat_core_pos_by_mpidr. If the latter
returns a negative or large positive value, it can trigger an out of
bounds overflow for the psci_cpu_pd_nodes array.
>>>> CID 382009: (OVERRUN)
>>>> Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to
4294967295) in call to "psci_spin_lock_cpu".
> 80 psci_spin_lock_cpu(target_idx);
>>>> CID 382009: (OVERRUN)
>>>> Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to
4294967295) in call to "psci_spin_unlock_cpu".
> 160 psci_spin_unlock_cpu(target_idx);
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ibc46934e9ca7fdcaeebd010e5c6954dcf2dcf8c7
int rc;
aff_info_state_t target_aff_state;
int ret = plat_core_pos_by_mpidr(target_cpu);
- unsigned int target_idx = (unsigned int)ret;
+ unsigned int target_idx;
/* Calling function must supply valid input arguments */
- assert(ret >= 0);
assert(ep != NULL);
+ if ((ret < 0) || (ret >= (int)PLATFORM_CORE_COUNT)) {
+ ERROR("Unexpected core index.\n");
+ panic();
+ }
+
+ target_idx = (unsigned int)ret;
/*
* This function must only be called on platforms where the
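Review bot: the `ERROR("Unexpected core index.\n");` in the new bounds check does not log the offending value, so a panic here leaves no record of which `target_cpu` or `ret` triggered it; consider including both in the message. The check also replaces `assert(ret >= 0)` with an unconditional `panic()`, so it now stops the system in every build rather than only where assertions are enabled. If `target_cpu` can ever reach this function without prior validation, failing the call through the existing `rc` would be less disruptive than `panic()`. Finally, the comment "Calling function must supply valid input arguments" now sits above `assert(ep != NULL)` only; move or extend it so it also covers the new range check.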