From 22e16db4c5e2125409abc77b888493e63bbeea86 Mon Sep 17 00:00:00 2001 From: Martin Roth Date: Mon, 11 Sep 2023 13:40:55 -0600 Subject: [PATCH] acpi/soundwire.[ch]: Fix dpn entry array overrun In soundwire.h, SOUNDWIRE_DPN MIN & MAX are set to 1 and 14. When creating the dpn array, the length was set to MAX - MIN or 13, numbered 0 to 12. When accessing the array, the code was bailing out if a value greater than MAX was trying to be accessed, so the array was able to be overrun by two structure lengths. Fix this problem by: 1) Not subtracting the MIN value when creating the array, which does waste a little space. If anyone wants to refactor the code to fix that, please feel free. 2) Breaking out of the loop when the port is equal to the MAX port number instead of just when it's greater than the max port number. Reported-by: Coverity (CID:1429766 & CID:1429771) Signed-off-by: Martin Roth Change-Id: I0841bb8c9869fe9f53958f05614848785a98b766 Reviewed-on: https://review.coreboot.org/c/coreboot/+/77777 Tested-by: build bot (Jenkins) Reviewed-by: Tim Wawrzynczak --- src/acpi/soundwire.c | 2 +- src/include/device/soundwire.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/acpi/soundwire.c b/src/acpi/soundwire.c index af4ca7cf15..961f45b5b2 100644 --- a/src/acpi/soundwire.c +++ b/src/acpi/soundwire.c @@ -400,7 +400,7 @@ void soundwire_gen_codec(struct acpi_dp *dsd, const struct soundwire_codec *code struct acpi_dp *dpn; /* Stop processing at the first invalid data port. */ - if (entry->port < SOUNDWIRE_MIN_DPN || entry->port > SOUNDWIRE_MAX_DPN) + if (entry->port < SOUNDWIRE_MIN_DPN || entry->port >= SOUNDWIRE_MAX_DPN) break; if (entry->source) { diff --git a/src/include/device/soundwire.h b/src/include/device/soundwire.h index a78b52b719..27421dd5a2 100644 --- a/src/include/device/soundwire.h +++ b/src/include/device/soundwire.h @@ -419,7 +419,7 @@ struct soundwire_dpn_entry { struct soundwire_codec { struct soundwire_slave *slave; struct soundwire_audio_mode *audio_mode[SOUNDWIRE_MAX_MODE]; - struct soundwire_dpn_entry dpn[SOUNDWIRE_MAX_DPN - SOUNDWIRE_MIN_DPN]; + struct soundwire_dpn_entry dpn[SOUNDWIRE_MAX_DPN]; struct soundwire_bra_mode *dp0_bra_mode[SOUNDWIRE_MAX_MODE]; struct soundwire_dp0 *dp0; struct soundwire_multilane *multilane;