Edward O'Callaghan (eocallaghan@alterapraxis.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/6473
-gerrit
commit 273d6c13c4f6feef7021a49cb9ef70bc0c0d6661 Author: Edward O'Callaghan eocallaghan@alterapraxis.com Date: Sun Aug 3 18:49:46 2014 +1000
northbridge/intel: Out of bounds write to array in gma.h
The signature[] array in the mailbox struct opregion_header_t has IGD_OPREGION_SIGNATURE written to it with a length of sizeof(IGD_OPREGION_SIGNATURE) rather than sizeof(signature[]). This resulted in a silent off-by-one out-of-bounds illegal write.
Change-Id: I651620a753c743dd2ed2af51c012c27c14a5ea25 Signed-off-by: Edward O'Callaghan eocallaghan@alterapraxis.com --- src/northbridge/intel/fsp_sandybridge/gma.h | 2 +- src/northbridge/intel/haswell/gma.h | 2 +- src/northbridge/intel/nehalem/gma.h | 2 +- src/northbridge/intel/sandybridge/gma.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/northbridge/intel/fsp_sandybridge/gma.h b/src/northbridge/intel/fsp_sandybridge/gma.h
index cdf5d91..5e0acf3 100644
--- a/src/northbridge/intel/fsp_sandybridge/gma.h
+++ b/src/northbridge/intel/fsp_sandybridge/gma.h
@@ -19,7 +19,7 @@
/* mailbox 0: header */
 typedef struct {
- u8 signature[16];
+ u8 signature[17];
 u32 size;
 u32 version;
 u8 sbios_version[32];
diff --git a/src/northbridge/intel/haswell/gma.h b/src/northbridge/intel/haswell/gma.h
index 29281ba..b885d27 100644
--- a/src/northbridge/intel/haswell/gma.h
+++ b/src/northbridge/intel/haswell/gma.h
@@ -19,7 +19,7 @@
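Review bot: Widening `signature` from 16 to 17 bytes in the mailbox 0 header struct shifts `size`, `version` and every field after them, and this struct looks like a fixed layout that firmware hands to the graphics driver, where the signature is a 16-byte field with no terminator; a consumer reading `size` at its usual offset would then see wrong data. The out-of-bounds write named in the commit message comes from the copy length, so the safer fix is at the write site (not shown in this diff): keep `u8 signature[16];` and bound the copy by the destination, e.g. `memcpy(hdr->signature, IGD_OPREGION_SIGNATURE, sizeof(hdr->signature));`, with `hdr` standing in for the header pointer used there. The same one-line change is repeated in the haswell, nehalem and sandybridge `gma.h` hunks, so the point applies to all four. The struct's closing line is outside the hunk, so whether it is packed (a one-byte shift) or padded cannot be confirmed from here.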
/* mailbox 0: header */
 typedef struct {
- u8 signature[16];
+ u8 signature[17];
 u32 size;
 u32 version;
 u8 sbios_version[32];
diff --git a/src/northbridge/intel/nehalem/gma.h b/src/northbridge/intel/nehalem/gma.h
index fdea85a..e3f6012 100644
--- a/src/northbridge/intel/nehalem/gma.h
+++ b/src/northbridge/intel/nehalem/gma.h
@@ -23,7 +23,7 @@
/* mailbox 0: header */
 typedef struct {
- u8 signature[16];
+ u8 signature[17];
 u32 size;
 u32 version;
 u8 sbios_version[32];
diff --git a/src/northbridge/intel/sandybridge/gma.h b/src/northbridge/intel/sandybridge/gma.h
index bc5d986..34bd643 100644
--- a/src/northbridge/intel/sandybridge/gma.h
+++ b/src/northbridge/intel/sandybridge/gma.h
@@ -19,7 +19,7 @@
/* mailbox 0: header */
 typedef struct {
- u8 signature[16];
+ u8 signature[17];
 u32 size;
 u32 version;
 u8 sbios_version[32];