From 66327414fb1e3248d443f4eb2835f437625fb92c Mon Sep 17 00:00:00 2001
From: Olivier Deprez
Date: Tue, 11 Apr 2023 10:00:21 +0200
Subject: [PATCH] fix(psci): potential array overflow with cpu on

Fix coverity finding in psci_cpu_on, in which target_idx is directly assigned the return value from plat_core_pos_by_mpidr. If the latter returns a negative or large positive value, it can trigger an out of bounds overflow for the psci_cpu_pd_nodes array.

>>>> CID 382009: (OVERRUN)
>>>> Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_lock_cpu".
> 80 psci_spin_lock_cpu(target_idx);
>>>> CID 382009: (OVERRUN)
>>>> Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_unlock_cpu".
> 160 psci_spin_unlock_cpu(target_idx);

Signed-off-by: Olivier Deprez
Change-Id: Ibc46934e9ca7fdcaeebd010e5c6954dcf2dcf8c7
---
 lib/psci/psci_on.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/psci/psci_on.c b/lib/psci/psci_on.c
index c70b377fb..6c6b23c5a 100644
--- a/lib/psci/psci_on.c
+++ b/lib/psci/psci_on.c
@@ -62,12 +62,17 @@ int psci_cpu_on_start(u_register_t target_cpu,
 int rc;
 aff_info_state_t target_aff_state;
 int ret = plat_core_pos_by_mpidr(target_cpu);
- unsigned int target_idx = (unsigned int)ret;
+ unsigned int target_idx;
 /* Calling function must supply valid input arguments */
- assert(ret >= 0);
 assert(ep != NULL);
+ if ((ret < 0) || (ret >= (int)PLATFORM_CORE_COUNT)) {
+ ERROR("Unexpected core index.\n");
+ panic();
+ }
+
+ target_idx = (unsigned int)ret;
 /*
 * This function must only be called on platforms where the
-- 
2.39.5
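Review bot: The new `ERROR("Unexpected core index.\n")` records no value, so a post-mortem reader cannot tell whether plat_core_pos_by_mpidr returned -1 for an unknown MPIDR or an index at or beyond PLATFORM_CORE_COUNT; `ERROR("Unexpected core index %d for MPIDR 0x%lx.\n", ret, target_cpu);` would capture both (check the format against the width of u_register_t on 32-bit builds). The panic() is only appropriate because this is an internal invariant rather than a client error — the PSCI_CPU_ON entry point is expected to have rejected an invalid target_cpu before this function is reached (in TF-A that validation lives in psci_cpu_on, if I recall correctly) — and that reasoning belongs in a comment above the if, e.g. `/* target_cpu was validated by the caller; an out-of-range index is an internal error, so halt rather than return PSCI_E_INVALID_PARAMS. */`. Making the range check unconditional while `assert(ep != NULL)` stays an assert is the right split, since target_idx indexes per-CPU arrays in non-debug builds as well. psci_cpu_on_start's body continues past the end of the hunk.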