[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun
|
From: |
Philippe Mathieu-Daudé |
|
Subject: |
[PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun |
|
Date: |
Thu, 31 Mar 2022 01:57:23 +0200 |
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
The TPMState structure hold an array of TPM_TIS_NUM_LOCALITIES
TPMLocality loc[], having TPM_TIS_NUM_LOCALITIES defined as '5'.
tpm_tis_locality_from_addr() returns up to 3 bits, so 7.
While unlikely, Coverity is right to report an overrun. Assert
we are in range to fix:
*** CID 1487240: Memory - illegal accesses (OVERRUN)
hw/tpm/tpm_tis_common.c: 298 in tpm_tis_dump_state()
294 int idx;
295 uint8_t locty = tpm_tis_locality_from_addr(addr);
296 hwaddr base = addr & ~0xfff;
297
>>> CID 1487240: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "s->loc" of 5 24-byte elements at element index 7
(byte offset 191) using index "locty" (which evaluates to 7).
298 printf("tpm_tis: active locality : %d\n"
299 "tpm_tis: state of locality %d : %d\n"
300 "tpm_tis: register dump:\n",
301 s->active_locty,
302 locty, s->loc[locty].state);
Fixes: Coverity CID 1487240
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/tpm/tpm_tis_common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
index e700d82181..5b1055033e 100644
--- a/hw/tpm/tpm_tis_common.c
+++ b/hw/tpm/tpm_tis_common.c
@@ -295,6 +295,7 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
uint8_t locty = tpm_tis_locality_from_addr(addr);
hwaddr base = addr & ~0xfff;
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
printf("tpm_tis: active locality : %d\n"
"tpm_tis: state of locality %d : %d\n"
"tpm_tis: register dump:\n",
--
2.35.1
- [PATCH-for-7.1] hw/tpm/tpm_tis: Avoid eventual read overrun,
Philippe Mathieu-Daudé <=