openwrt/flashrom
1
0
Fork 0
mirror of https://review.coreboot.org/flashrom.git synced 2025-05-02 01:13:39 +02:00
Code Issues Releases Wiki Activity

ich_descriptors: Fix range checks for dumps

Browse Source 
These explicit off-by-one calculations were... off-by-one.

Change-Id: If57c92ba28f91c4d72123ef0cfd2d9d5ac0a0656
Signed-off-by: Nico Huber <nico.huber@secunet.com>
Reviewed-on: https://review.coreboot.org/19031
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
This commit is contained in:
Nico Huber 2017-03-28 17:08:46 +02:00 committed by Nico Huber
parent d2a03b3e43
commit 9e14aeda64
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ich_descriptors.c
View File

@ -724,7 +724,7 @@ int read_ich_descriptors_from_dump(const uint32_t *dump, unsigned int len, struc
} }
/* map */ /* map */
if (len < (4 + pch_bug_offset) * 4 - 1) if (len < (4 + pch_bug_offset) * 4)
return ICH_RET_OOB; return ICH_RET_OOB;
desc->content.FLVALSIG = dump[0 + pch_bug_offset]; desc->content.FLVALSIG = dump[0 + pch_bug_offset];
desc->content.FLMAP0 = dump[1 + pch_bug_offset]; desc->content.FLMAP0 = dump[1 + pch_bug_offset];
@ -732,14 +732,14 @@ int read_ich_descriptors_from_dump(const uint32_t *dump, unsigned int len, struc
desc->content.FLMAP2 = dump[3 + pch_bug_offset]; desc->content.FLMAP2 = dump[3 + pch_bug_offset];
/* component */ /* component */
if (len < (getFCBA(&desc->content) + 3 * 4 - 1)) if (len < getFCBA(&desc->content) + 3 * 4)
return ICH_RET_OOB; return ICH_RET_OOB;
desc->component.FLCOMP = dump[(getFCBA(&desc->content) >> 2) + 0]; desc->component.FLCOMP = dump[(getFCBA(&desc->content) >> 2) + 0];
desc->component.FLILL = dump[(getFCBA(&desc->content) >> 2) + 1]; desc->component.FLILL = dump[(getFCBA(&desc->content) >> 2) + 1];
desc->component.FLPB = dump[(getFCBA(&desc->content) >> 2) + 2]; desc->component.FLPB = dump[(getFCBA(&desc->content) >> 2) + 2];
/* region */ /* region */
if (len < (getFRBA(&desc->content) + 5 * 4 - 1)) if (len < getFRBA(&desc->content) + 5 * 4)
return ICH_RET_OOB; return ICH_RET_OOB;
desc->region.FLREGs[0] = dump[(getFRBA(&desc->content) >> 2) + 0]; desc->region.FLREGs[0] = dump[(getFRBA(&desc->content) >> 2) + 0];
desc->region.FLREGs[1] = dump[(getFRBA(&desc->content) >> 2) + 1]; desc->region.FLREGs[1] = dump[(getFRBA(&desc->content) >> 2) + 1];
@ -748,7 +748,7 @@ int read_ich_descriptors_from_dump(const uint32_t *dump, unsigned int len, struc
desc->region.FLREGs[4] = dump[(getFRBA(&desc->content) >> 2) + 4]; desc->region.FLREGs[4] = dump[(getFRBA(&desc->content) >> 2) + 4];
/* master */ /* master */
if (len < (getFMBA(&desc->content) + 3 * 4 - 1)) if (len < getFMBA(&desc->content) + 3 * 4)
return ICH_RET_OOB; return ICH_RET_OOB;
desc->master.FLMSTR1 = dump[(getFMBA(&desc->content) >> 2) + 0]; desc->master.FLMSTR1 = dump[(getFMBA(&desc->content) >> 2) + 0];
desc->master.FLMSTR2 = dump[(getFMBA(&desc->content) >> 2) + 1]; desc->master.FLMSTR2 = dump[(getFMBA(&desc->content) >> 2) + 1];
@ -763,7 +763,7 @@ int read_ich_descriptors_from_dump(const uint32_t *dump, unsigned int len, struc
* the maximum of 255 gives us 127.5 SPI components(!?) 8 bytes each. A * the maximum of 255 gives us 127.5 SPI components(!?) 8 bytes each. A
* check ensures that the maximum offset actually accessed is available. * check ensures that the maximum offset actually accessed is available.
*/ */
if (len < (getVTBA(&desc->upper) + (desc->upper.VTL / 2 * 8) - 1)) if (len < getVTBA(&desc->upper) + (desc->upper.VTL / 2 * 8))
return ICH_RET_OOB; return ICH_RET_OOB;
for (i = 0; i < desc->upper.VTL/2; i++) { for (i = 0; i < desc->upper.VTL/2; i++) {