Patrick Georgi has submitted this change and it was merged. ( https://review.coreboot.org/c/coreboot/+/32125 )
Change subject: soc/intel/baytrail: Correct array bounds check
soc/intel/baytrail: Correct array bounds check
If `gms == ARRAY_SIZE(gms_size_map)`, then we will have an out of bounds read. Fix the check to exclude this case. This was partially fixed in 04f68c1 (baytrail: fix range check).
Found-by: Coverity Scan, CID 1229677 (OVERRUN)
Signed-off-by: Jacob Garber jgarber1@ualberta.ca
Change-Id: I8c8cd59df49beea066b46cde3cf00237816aff33
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32125
Tested-by: build bot (Jenkins) no-reply@coreboot.org
Reviewed-by: Paul Menzel paulepanter@users.sourceforge.net
Reviewed-by: Patrick Georgi pgeorgi@google.com
---
M src/soc/intel/baytrail/gfx.c
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  build bot (Jenkins): Verified
  Patrick Georgi: Looks good to me, approved
  Paul Menzel: Looks good to me, but someone else must approve
diff --git a/src/soc/intel/baytrail/gfx.c b/src/soc/intel/baytrail/gfx.c index 5d6d504..d2cb589 100644 --- a/src/soc/intel/baytrail/gfx.c +++ b/src/soc/intel/baytrail/gfx.c @@ -48,7 +48,7 @@
gms = pci_read_config32(dev, GGC) & GGC_GSM_SIZE_MASK; gms >>= 3; - if (gms > ARRAY_SIZE(gms_size_map)) + if (gms >= ARRAY_SIZE(gms_size_map)) return; gmsize = gms_size_map[gms];
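Review bot: the bare `return;` that follows the corrected `if (gms >= ARRAY_SIZE(gms_size_map))` check is silent, so a GGC value that decodes to an index outside the table makes the function stop with no trace in the boot log. Consider printing a warning that includes the raw `gms` value before returning, so an unexpected register encoding can be told apart from a normal early exit. A smaller point on the two lines above the check: the mask is named `GGC_GSM_SIZE_MASK` while the result is stored in `gms` and used to index `gms_size_map`, so it is worth confirming that the mask and the `>>= 3` shift select the field the table is keyed on, since the bounds check only protects the array access and not the decoding. The `>=` comparison itself is the right bound, because valid indices run from 0 to `ARRAY_SIZE(gms_size_map) - 1`.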