From: Olivier Deprez <olivier.deprez@arm.com>
Date: Tue, 11 Apr 2023 08:00:21 +0000 (+0200)
Subject: fix(psci): potential array overflow with cpu on
X-Git-Tag: baikal/aarch64/sdk5.10~1^2~95^2
X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=66327414fb1e;p=arm-tf.git

fix(psci): potential array overflow with cpu on

Fix coverity finding in psci_cpu_on, in which target_idx is directly
assigned the return value from plat_core_pos_by_mpidr. If the latter
returns a negative or large positive value, it can trigger an out of
bounds overflow for the psci_cpu_pd_nodes array.

>>>>    CID 382009:    (OVERRUN)
>>>>    Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_lock_cpu".
> 80         psci_spin_lock_cpu(target_idx);

>>>>    CID 382009:    (OVERRUN)
>>>>    Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_unlock_cpu".
> 160         psci_spin_unlock_cpu(target_idx);

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ibc46934e9ca7fdcaeebd010e5c6954dcf2dcf8c7
---

diff --git a/lib/psci/psci_on.c b/lib/psci/psci_on.c
index c70b377fb..6c6b23c5a 100644
--- a/lib/psci/psci_on.c
+++ b/lib/psci/psci_on.c
@@ -62,12 +62,17 @@ int psci_cpu_on_start(u_register_t target_cpu,
 	int rc;
 	aff_info_state_t target_aff_state;
 	int ret = plat_core_pos_by_mpidr(target_cpu);
-	unsigned int target_idx = (unsigned int)ret;
+	unsigned int target_idx;
 
 	/* Calling function must supply valid input arguments */
-	assert(ret >= 0);
 	assert(ep != NULL);
 
+	if ((ret < 0) || (ret >= (int)PLATFORM_CORE_COUNT)) {
+		ERROR("Unexpected core index.\n");
+		panic();
+	}
+
+	target_idx = (unsigned int)ret;
 
 	/*
 	 * This function must only be called on platforms where the