Patrick Georgi has submitted this change and it was merged. ( https://review.coreboot.org/c/coreboot/+/32902 )
Change subject: util/romcc: Prevent out-of-bounds read ......................................................................
util/romcc: Prevent out-of-bounds read
If 'class > LAST_REGC', then there will be an out-of-bounds read when accessing 'regcm_bound'. Prevent this by skipping to the next iteration of the loop. Note that this should not generally happen anyway, since 'result' represents a bitset for the indices of 'regcm_bound', and so iterations where 'class > LAST_REGC' should already be skipped by the previous continue statement (since those bits of 'result' should all be zero).
Found-by: Covericy CID 1129122 Signed-off-by: Jacob Garber jgarber1@ualberta.ca Change-Id: Id5f5adb0a292763251054aeecf2a5b87a11297b1 Reviewed-on: https://review.coreboot.org/c/coreboot/+/32902 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Patrick Georgi pgeorgi@google.com Reviewed-by: Paul Menzel paulepanter@users.sourceforge.net --- M util/romcc/romcc.c 1 file changed, 1 insertion(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Patrick Georgi: Looks good to me, approved Paul Menzel: Looks good to me, but someone else must approve
diff --git a/util/romcc/romcc.c b/util/romcc/romcc.c index b9ec835..329cfd2 100644 --- a/util/romcc/romcc.c +++ b/util/romcc/romcc.c @@ -22160,6 +22160,7 @@ } if (class > LAST_REGC) { result &= ~mask; + continue; } for(class2 = 0; class2 <= LAST_REGC; class2++) { if ((regcm_bound[class2].first >= regcm_bound[class].first) &&