Patrick Georgi merged this change.

View Change

util/romcc: Prevent out-of-bounds read

If 'class > LAST_REGC', then there will be an out-of-bounds read when
accessing 'regcm_bound'. Prevent this by skipping to the next iteration
of the loop. Note that this should not generally happen anyway, since
'result' represents a bitset for the indices of 'regcm_bound', and so
iterations where 'class > LAST_REGC' should already be skipped by the
previous continue statement (since those bits of 'result' should all be
zero).

Found-by: Covericy CID 1129122
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Change-Id: Id5f5adb0a292763251054aeecf2a5b87a11297b1
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32902
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
---
M util/romcc/romcc.c
1 file changed, 1 insertion(+), 0 deletions(-)

diff --git a/util/romcc/romcc.c b/util/romcc/romcc.c
index b9ec835..329cfd2 100644
--- a/util/romcc/romcc.c
+++ b/util/romcc/romcc.c
@@ -22160,6 +22160,7 @@
 		}
 		if (class > LAST_REGC) {
 			result &= ~mask;
+			continue;
 		}
 		for(class2 = 0; class2 <= LAST_REGC; class2++) {
 			if ((regcm_bound[class2].first >= regcm_bound[class].first) &&

To view, visit change 32902. To unsubscribe, or for help writing mail filters, visit settings.