cpu/intel: Fix out-of-bounds read due to off-by-one in condition

If power_limit_1_time > 129 is false then power_limit_1_time can have a
value of up to 129 leading to an out-of-bounds illegal read indexing the
power_limit_time_sec_to_msr[] array. Thankfully all call sites have been
doing the right thing up until now so the issue has not been visible.

Change-Id: Ic029d1af7fe43ca7da271043c2b08fe3088714af
Found-by: Coverity Scan
Signed-off-by: Edward O'Callaghan <eocallaghan@alterapraxis.com>
Reviewed-on: http://review.coreboot.org/6478
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <patrick@georgi-clan.de>
This commit is contained in:
Edward O'Callaghan 2014-08-03 20:00:47 +10:00
parent 18d9899be1
commit 5cfef13f8d
3 changed files with 4 additions and 4 deletions

View File

@ -156,7 +156,7 @@ void set_power_limits(u8 power_limit_1_time)
unsigned tdp, min_power, max_power, max_time; unsigned tdp, min_power, max_power, max_time;
u8 power_limit_1_val; u8 power_limit_1_val;
if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr)) if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
return; return;
if (!(msr.lo & PLATFORM_INFO_SET_TDP)) if (!(msr.lo & PLATFORM_INFO_SET_TDP))

View File

@ -463,8 +463,8 @@ void set_power_limits(u8 power_limit_1_time)
unsigned tdp, min_power, max_power, max_time; unsigned tdp, min_power, max_power, max_time;
u8 power_limit_1_val; u8 power_limit_1_val;
if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr)) if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
power_limit_1_time = 28; power_limit_1_time = ARRAY_SIZE(power_limit_time_sec_to_msr) - 1;
if (!(msr.lo & PLATFORM_INFO_SET_TDP)) if (!(msr.lo & PLATFORM_INFO_SET_TDP))
return; return;

View File

@ -247,7 +247,7 @@ void set_power_limits(u8 power_limit_1_time)
unsigned tdp, min_power, max_power, max_time; unsigned tdp, min_power, max_power, max_time;
u8 power_limit_1_val; u8 power_limit_1_val;
if (power_limit_1_time > ARRAY_SIZE(power_limit_time_sec_to_msr)) if (power_limit_1_time >= ARRAY_SIZE(power_limit_time_sec_to_msr))
return; return;
if (!(msr.lo & PLATFORM_INFO_SET_TDP)) if (!(msr.lo & PLATFORM_INFO_SET_TDP))