northbridge/intel: Out of bounds write to array in gma.h
The signature[] array in the mailbox struct opregion_header_t has IGD_OPREGION_SIGNATURE written to it with a sizeof(IGD_OPREGION_SIGNATURE) and not a sizeof(signature[]). This resulted in a silent off-by-one out of bounds illegal write. Change-Id: I651620a753c743dd2ed2af51c012c27c14a5ea25 Found-by: Coverity Scan Signed-off-by: Edward O'Callaghan <eocallaghan@alterapraxis.com> Reviewed-on: http://review.coreboot.org/6473 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi <patrick@georgi-clan.de>
This commit is contained in:
parent
5cfef13f8d
commit
2b48b65b19
|
@ -142,7 +142,7 @@ int init_igd_opregion(igd_opregion_t *opregion)
|
||||||
// FIXME if IGD is disabled, we should exit here.
|
// FIXME if IGD is disabled, we should exit here.
|
||||||
|
|
||||||
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
||||||
sizeof(IGD_OPREGION_SIGNATURE));
|
sizeof(opregion->header.signature));
|
||||||
|
|
||||||
/* 8kb */
|
/* 8kb */
|
||||||
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
||||||
|
|
|
@ -140,7 +140,7 @@ int init_igd_opregion(igd_opregion_t *opregion)
|
||||||
// FIXME if IGD is disabled, we should exit here.
|
// FIXME if IGD is disabled, we should exit here.
|
||||||
|
|
||||||
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
||||||
sizeof(IGD_OPREGION_SIGNATURE));
|
sizeof(opregion->header.signature));
|
||||||
|
|
||||||
/* 8kb */
|
/* 8kb */
|
||||||
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
||||||
|
|
|
@ -139,7 +139,7 @@ int init_igd_opregion(igd_opregion_t * opregion)
|
||||||
// FIXME if IGD is disabled, we should exit here.
|
// FIXME if IGD is disabled, we should exit here.
|
||||||
|
|
||||||
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
||||||
sizeof(IGD_OPREGION_SIGNATURE));
|
sizeof(opregion->header.signature));
|
||||||
|
|
||||||
/* 8kb */
|
/* 8kb */
|
||||||
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
||||||
|
|
|
@ -142,7 +142,7 @@ int init_igd_opregion(igd_opregion_t *opregion)
|
||||||
// FIXME if IGD is disabled, we should exit here.
|
// FIXME if IGD is disabled, we should exit here.
|
||||||
|
|
||||||
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
memcpy(&opregion->header.signature, IGD_OPREGION_SIGNATURE,
|
||||||
sizeof(IGD_OPREGION_SIGNATURE));
|
sizeof(opregion->header.signature));
|
||||||
|
|
||||||
/* 8kb */
|
/* 8kb */
|
||||||
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
opregion->header.size = sizeof(igd_opregion_t) / 1024;
|
||||||
|
|
Loading…
Reference in New Issue