From owner-svn-src-head@freebsd.org Thu May 25 14:16:45 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 40960D814E2; Thu, 25 May 2017 14:16:45 +0000 (UTC) (envelope-from zbb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 12D231577; Thu, 25 May 2017 14:16:45 +0000 (UTC) (envelope-from zbb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v4PEGioG048625; Thu, 25 May 2017 14:16:44 GMT (envelope-from zbb@FreeBSD.org) Received: (from zbb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v4PEGiD2048624; Thu, 25 May 2017 14:16:44 GMT (envelope-from zbb@FreeBSD.org) Message-Id: <201705251416.v4PEGiD2048624@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: zbb set sender to zbb@FreeBSD.org using -f From: Zbigniew Bodek Date: Thu, 25 May 2017 14:16:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r318874 - head/sys/arm/mv X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 May 2017 14:16:45 -0000 Author: zbb Date: Thu May 25 14:16:43 2017 New Revision: 318874 URL: https://svnweb.freebsd.org/changeset/base/318874 Log: Fix memory corruption while configuring CPU windows on Marvell SoCs Resolving CPU windows from localbus entry caused buffer overflow and memory corruption. Fix wrong indexing and ensure the index does not exceed table size. Submitted by: Wojciech Macek Obtained from: Semihalf Sponsored by: Stormshield Differential revision: https://reviews.freebsd.org/D10720 Modified: head/sys/arm/mv/mv_common.c Modified: head/sys/arm/mv/mv_common.c ============================================================================== --- head/sys/arm/mv/mv_common.c Thu May 25 12:57:15 2017 (r318873) +++ head/sys/arm/mv/mv_common.c Thu May 25 14:16:43 2017 (r318874) @@ -2269,6 +2269,12 @@ win_cpu_from_dt(void) entry_size = tuple_size / sizeof(pcell_t); cpu_wins_no = tuples; + /* Check range */ + if (tuples > nitems(cpu_win_tbl)) { + debugf("too many tuples to fit into cpu_win_tbl\n"); + return (ENOMEM); + } + for (i = 0, t = 0; t < tuples; i += entry_size, t++) { cpu_win_tbl[t].target = 1; cpu_win_tbl[t].attr = fdt32_to_cpu(ranges[i + 1]); @@ -2301,6 +2307,12 @@ moveon: if (fdt_regsize(node, &sram_base, &sram_size) != 0) return (EINVAL); + /* Check range */ + if (t >= nitems(cpu_win_tbl)) { + debugf("cannot fit CESA tuple into cpu_win_tbl\n"); + return (ENOMEM); + } + cpu_win_tbl[t].target = MV_WIN_CESA_TARGET; #ifdef SOC_MV_ARMADA38X cpu_win_tbl[t].attr = MV_WIN_CESA_ATTR(0);