[PATCH 1/1] platform: generic: allwinner: avoid buffer overrun
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Tue Dec 27 04:01:18 PST 2022
On 12/27/22 12:46, Bin Meng wrote:
> On Tue, Dec 27, 2022 at 7:03 PM Heinrich Schuchardt
> <heinrich.schuchardt at canonical.com> wrote:
>>
>> plic_priority_save() and plic_priority_restore() access indexes 1 to num of
>> the passed array. Avoid a buffer overrun by increasing the used array size
>> by one.
>>
>> Addresses-Coverity-ID: 1530251 ("Out-of-bounds access")
>> Addresses-Coverity-ID: 1530252 ("Out-of-bounds access")
>
> Where is the Coverity for OpenSBI project hosted?
https://scan.coverity.com
>
>> Fixes: 8509e46ca63a ("lib: utils/irqchip: plic: Ensure no out-of-bound access in priority save/restore helpers")
>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
>> ---
>> platform/generic/allwinner/sun20i-d1.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/platform/generic/allwinner/sun20i-d1.c b/platform/generic/allwinner/sun20i-d1.c
>> index 1da9e5b..9891ad0 100644
>> --- a/platform/generic/allwinner/sun20i-d1.c
>> +++ b/platform/generic/allwinner/sun20i-d1.c
>> @@ -72,7 +72,7 @@ static void sun20i_d1_csr_restore(void)
>> #define PLIC_SOURCES 176
>> #define PLIC_IE_WORDS ((PLIC_SOURCES + 31) / 32)
>>
>> -static u8 plic_priority[PLIC_SOURCES];
>> +static u8 plic_priority[PLIC_SOURCES + 1];
>
> This change could fix the Coverity, but IMHO we should not change this
> value. PLIC_SOURCES should be 176.
>
> You probably are using a buggy DTB that contains a wrong "riscv,ndev",
> which I pointed out in the linux-riscv ML.
The problem does not depend on any device-tree. PLIC_SOURCES is a
constant that your code uses in
platform/generic/allwinner/sun20i-d1.c:82:
fdt_plic_priority_save(plic_priority, PLIC_SOURCES);
platform/generic/allwinner/sun20i-d1.c:88:
fdt_plic_priority_restore(plic_priority, PLIC_SOURCES);
I wonder why plic_priority_save() and plic_priority_restore() start
indexing at 1 and not at 0. This might deserve a code comment.
>
>> static u32 plic_sie[PLIC_IE_WORDS];
>> static u32 plic_threshold;
>>
>
> My original patch [1] contains a size check against "riscv,ndev" in
> the DTB. But somehow that size check got dropped when the patch was
> applied.
>
> [1] https://patchwork.ozlabs.org/project/opensbi/patch/20221211065424.806478-2-bmeng@tinylab.org/
"riscv,ndev" isn't used anywhere in your patch. Just the constant
PLIC_SOURCES.
Best regards
Heinrich
>
> Regards,
> Bin
More information about the opensbi
mailing list