Nico Huber submitted this change.

View Change

Approvals: build bot (Jenkins): Verified Mike Banon: Looks good to me, approved 
vc/amd/agesa: Fix out of bounds read

ByteLane is used unitialized from prior for statement,
creating a potential out-of-bound read of RxOrig[MaxByteLanes].
PassTestRxEnDly[MaxByteLanes] never appears as rvalue; all for
loops have ByteLane < MaxByteLanes exit condition.

Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3
Signed-off-by: Joe Moore <awokd@danwin1210.me>
Found-by: Coverity CID 1241804
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36192
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Mike Banon <mikebdp2@gmail.com>
---
M src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c
M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c b/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c
index 3406d76..991667b 100644
--- a/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c
+++ b/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c
@@ -313,7 +313,6 @@
       //
       IDS_HDT_CONSOLE (MEM_FLOW, "\n\t\t Setting PassTestRxEnDly\n");
       IDS_HDT_CONSOLE (MEM_FLOW, "\t  PassTestRxEnDly: ");
-      PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];
       for (ByteLane = 0; ByteLane < MaxByteLanes; ByteLane++) {
         if (RxEnDlyTargetFound[ByteLane] == FALSE) {
           // Calculate "PassTestRxEnDly" from  current "RxEnDly"
@@ -328,6 +327,7 @@
             MemTRdPosRxEnSeedSetDly3 (TechPtr, PassTestRxEnDly[ByteLane], ByteLane);
             OutOfRange[ByteLane] = FALSE;
           } else {
+            PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];
             OutOfRange[ByteLane] = TRUE;
           }
         } else {
diff --git a/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c b/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c
index ce295ac..1446f3e 100644
--- a/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c
+++ b/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c
@@ -314,7 +314,6 @@
       //
       IDS_HDT_CONSOLE (MEM_FLOW, "\n\t\t Setting PassTestRxEnDly\n");
       IDS_HDT_CONSOLE (MEM_FLOW, "\t  PassTestRxEnDly: ");
-      PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];
       for (ByteLane = 0; ByteLane < MaxByteLanes; ByteLane++) {
         if (RxEnDlyTargetFound[ByteLane] == FALSE) {
           // Calculate "PassTestRxEnDly" from  current "RxEnDly"
@@ -329,6 +328,7 @@
             MemTRdPosRxEnSeedSetDly3 (TechPtr, PassTestRxEnDly[ByteLane], ByteLane);
             OutOfRange[ByteLane] = FALSE;
           } else {
+            PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];
             OutOfRange[ByteLane] = TRUE;
           }
         } else {

To view, visit change 36192. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3
Gerrit-Change-Number: 36192
Gerrit-PatchSet: 8
Gerrit-Owner: awokd@danwin1210.me
Gerrit-Reviewer: Mike Banon <mikebdp2@gmail.com>
Gerrit-Reviewer: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: awokd@danwin1210.me
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Kyösti Mälkki <kyosti.malkki@gmail.com>
Gerrit-CC: Paul Menzel <paulepanter@users.sourceforge.net>
Gerrit-MessageType: merged