Message ID | alpine.DEB.2.10.1612121120360.22778@sstabellini-ThinkPad-X260 (mailing list archive) |
---|---|
State | New, archived |
Hi Stefano,

On 12/12/16 19:22, Stefano Stabellini wrote:
> pa_range_info has only 8 elements and is accessed using pa_range as
> index. pa_range is initialized to 16, potentially causing out of bound
> access errors. Fix the issue by checking that pa_range is not greater
> than the size of the array. Remove the now superfluous pa_range&0x8
> check.
>
> Coverity-ID: 1381865
>
> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>

Reviewed-by: Julien Grall <julien.grall@arm.com>

Regards,

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index e4991df..5d5bb87 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -1639,7 +1639,7 @@ void __init setup_virt_paging(void) } /* pa_range is 4 bits, but the defined encodings are only 3 bits */ - if ( pa_range&0x8 || !pa_range_info[pa_range].pabits ) + if ( pa_range >= ARRAY_SIZE(pa_range_info) || !pa_range_info[pa_range].pabits ) panic("Unknown encoding of ID_AA64MMFR0_EL1.PARange %x\n", pa_range); val |= VTCR_PS(pa_range);
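
Review bot: the comment kept above the changed condition in setup_virt_paging() ("pa_range is 4 bits, but the defined encodings are only 3 bits") explains the removed pa_range&0x8 test rather than the new bound. Suggest rewording it to say that the value is rejected when it falls outside pa_range_info, and noting that the ARRAY_SIZE comparison must stay the left operand of || so that pa_range_info[pa_range] is only evaluated for an in-range index. The commit message says "not greater than the size of the array", while the code correctly rejects pa_range equal to ARRAY_SIZE(pa_range_info) as well; "less than the size of the array" would match what the check does.
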
pa_range_info has only 8 elements and is accessed using pa_range as index. pa_range is initialized to 16, potentially causing out of bound access errors. Fix the issue by checking that pa_range is not greater than the size of the array. Remove the now superfluous pa_range&0x8 check.

Coverity-ID: 1381865

Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
---
Changes in v3:
- remove the now superfluous pa_range&0x8 check