diff options
author | Atish Patra <atishp@rivosinc.com> | 2022-07-21 00:50:34 +0300 |
---|---|---|
committer | Anup Patel <anup@brainfault.org> | 2022-07-30 08:55:48 +0300 |
commit | 860a376817f687db31b586ec7bcf9a1db1bce7b3 (patch) | |
tree | f967f0e5423218d4e879257fa05500670f15ede0 | |
parent | 83db3af5f93dbbffb599af41c58e26a24b1abc1c (diff) | |
download | opensbi-860a376817f687db31b586ec7bcf9a1db1bce7b3.tar.xz |
lib: sbi: Fix possible buffer overrun in counter validation
The active_events array is accessed with counter ID passed from the supervisor
software before the counter ID bound check. This may cause a buffer overrun
if a supervisor passes an invalid counter ID.
Fix this by moving the access part after the bound check.
Reported-by: Andrew Jones <ajones@ventanamicro.com>
Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
Signed-off-by: Atish Patra <atishp@rivosinc.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
-rw-r--r-- | lib/sbi/sbi_pmu.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/sbi/sbi_pmu.c b/lib/sbi/sbi_pmu.c index 16f915b..5d31f58 100644 --- a/lib/sbi/sbi_pmu.c +++ b/lib/sbi/sbi_pmu.c @@ -156,13 +156,13 @@ static int pmu_ctr_validate(uint32_t cidx, uint32_t *event_idx_code) uint32_t event_idx_type; u32 hartid = current_hartid(); - event_idx_val = active_events[hartid][cidx]; - - if (cidx >= total_ctrs || (event_idx_val == SBI_PMU_EVENT_IDX_INVALID)) + if (cidx >= total_ctrs) return SBI_EINVAL; + event_idx_val = active_events[hartid][cidx]; event_idx_type = get_cidx_type(event_idx_val); - if (event_idx_type >= SBI_PMU_EVENT_TYPE_MAX) + if (event_idx_val == SBI_PMU_EVENT_IDX_INVALID || + event_idx_type >= SBI_PMU_EVENT_TYPE_MAX) return SBI_EINVAL; *event_idx_code = get_cidx_code(event_idx_val); |