svn commit: r318874 - head/sys/arm/mv
Zbigniew Bodek
zbb at FreeBSD.org
Thu May 25 14:16:45 UTC 2017
Author: zbb
Date: Thu May 25 14:16:43 2017
New Revision: 318874
URL: https://svnweb.freebsd.org/changeset/base/318874
Log:
Fix memory corruption while configuring CPU windows on Marvell SoCs
Resolving CPU windows from localbus entry caused buffer overflow
and memory corruption. Fix wrong indexing and ensure the index
does not exceed table size.
Submitted by: Wojciech Macek <wma at semihalf.com>
Obtained from: Semihalf
Sponsored by: Stormshield
Differential revision: https://reviews.freebsd.org/D10720
Modified:
head/sys/arm/mv/mv_common.c
Modified: head/sys/arm/mv/mv_common.c
==============================================================================
--- head/sys/arm/mv/mv_common.c Thu May 25 12:57:15 2017 (r318873)
+++ head/sys/arm/mv/mv_common.c Thu May 25 14:16:43 2017 (r318874)
@@ -2269,6 +2269,12 @@ win_cpu_from_dt(void)
entry_size = tuple_size / sizeof(pcell_t);
cpu_wins_no = tuples;
+ /* Check range */
+ if (tuples > nitems(cpu_win_tbl)) {
+ debugf("too many tuples to fit into cpu_win_tbl\n");
+ return (ENOMEM);
+ }
+
for (i = 0, t = 0; t < tuples; i += entry_size, t++) {
cpu_win_tbl[t].target = 1;
cpu_win_tbl[t].attr = fdt32_to_cpu(ranges[i + 1]);
@@ -2301,6 +2307,12 @@ moveon:
if (fdt_regsize(node, &sram_base, &sram_size) != 0)
return (EINVAL);
+ /* Check range */
+ if (t >= nitems(cpu_win_tbl)) {
+ debugf("cannot fit CESA tuple into cpu_win_tbl\n");
+ return (ENOMEM);
+ }
+
cpu_win_tbl[t].target = MV_WIN_CESA_TARGET;
#ifdef SOC_MV_ARMADA38X
cpu_win_tbl[t].attr = MV_WIN_CESA_ATTR(0);
More information about the svn-src-head
mailing list