awokd@danwin1210.me has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa/f16kb: Fix out of bounds read ......................................................................
vc/amd/agesa/f16kb: Fix out of bounds read
ByteLane is incorrectly used unitialized from prior for statement. Found nothing in following code that attempted to reference PassTestRxEnDly at that index, so appears safe to delete. Additionally, found nothing following with the OutOfRange[ByteLane]==TRUE condition that would expect 'PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];'.
Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3 Signed-off-by: Joe Moore awokd@danwin1210.me Found-by: Coverity CID 1241804 --- M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c 1 file changed, 0 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/36192/1
diff --git a/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c b/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c index ce295ac..caf8f51 100644 --- a/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c +++ b/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c @@ -314,7 +314,6 @@ // IDS_HDT_CONSOLE (MEM_FLOW, "\n\t\t Setting PassTestRxEnDly\n"); IDS_HDT_CONSOLE (MEM_FLOW, "\t PassTestRxEnDly: "); - PassTestRxEnDly[ByteLane] = RxOrig[ByteLane]; for (ByteLane = 0; ByteLane < MaxByteLanes; ByteLane++) { if (RxEnDlyTargetFound[ByteLane] == FALSE) { // Calculate "PassTestRxEnDly" from current "RxEnDly"
Hello build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36192
to look at the new patch set (#2).
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
vc/amd/agesa: Fix out of bounds read
ByteLane is incorrectly used unitialized from prior for statement. Found nothing in following code that attempted to reference PassTestRxEnDly at that index, so appears safe to delete. Additionally, found nothing following with the OutOfRange[ByteLane]==TRUE condition that would expect 'PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];'.
Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3 Signed-off-by: Joe Moore awokd@danwin1210.me Found-by: Coverity CID 1241804 --- M src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c 3 files changed, 0 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/36192/2
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 2:
(6 comments)
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG@9 PS2, Line 9: ByteLane is incorrectly used unitialized from prior for statement. Might be bad coding style, not incorrect per-se. There is A potential out-of-bound read of RxOrig[MaxByteLanes].
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG@11 PS2, Line 11: PassTestRxEnDly at that index, so appears safe to delete. Rephrase perhaps: PassTestRxEnDly[MaxByteLanes] never appears as rvalue, all for loops have ByteLane < MaxByteLanes exit condition.
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG@14 PS2, Line 14: 'PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];'. I did not understand this comment.
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... File src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c:
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 329: if ((RxEn >= NBPtr->MinRxEnSeedGross) && (RxEn <= NBPtr->MaxRxEnSeedTotal)) { For coverity scan, this might evaluate as a static true statement.
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 337: OutOfRange[ByteLane] = TRUE; ... so this path of not setting PassTestRxEndDly might not ever be reached.
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 359: MemClkCycle = (UINT8) (PassTestRxEnDly[ByteLane] >> 5); PassTestRxEnDly could still be unset here?
Hello Mike Banon, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36192
to look at the new patch set (#3).
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
vc/amd/agesa: Fix out of bounds read
ByteLane is used unitialized from prior for statement, creating a potential out-of-bound read of RxOrig[MaxByteLanes]. PassTestRxEnDly[MaxByteLanes] never appears as rvalue; all for loops have ByteLane < MaxByteLanes exit condition. If the intent here was to preload the PassTestRxEnDly array with RxOrig's contents, there is nothing following with the OutOfRange[ByteLane]==TRUE condition that uses it.
Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3 Signed-off-by: Joe Moore awokd@danwin1210.me Found-by: Coverity CID 1241804 --- M src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c 3 files changed, 0 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/36192/3
Hello Mike Banon, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36192
to look at the new patch set (#4).
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
vc/amd/agesa: Fix out of bounds read
ByteLane is used unitialized from prior for statement, creating a potential out-of-bound read of RxOrig[MaxByteLanes]. PassTestRxEnDly[MaxByteLanes] never appears as rvalue; all for loops have ByteLane < MaxByteLanes exit condition.
Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3 Signed-off-by: Joe Moore awokd@danwin1210.me Found-by: Coverity CID 1241804 --- M src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c 3 files changed, 0 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/36192/4
awokd@danwin1210.me has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 4:
(5 comments)
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG@9 PS2, Line 9: ByteLane is incorrectly used unitialized from prior for statement.
Might be bad coding style, not incorrect per-se. […]
Done
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG@11 PS2, Line 11: PassTestRxEnDly at that index, so appears safe to delete.
Rephrase perhaps: PassTestRxEnDly[MaxByteLanes] never appears as rvalue, all for loops have ByteLane […]
Done
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... File src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c:
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 329: if ((RxEn >= NBPtr->MinRxEnSeedGross) && (RxEn <= NBPtr->MaxRxEnSeedTotal)) {
For coverity scan, this might evaluate as a static true statement.
Coverity seemed to attempt to evaluate all branches, but I'm definitely unfamiliar with it. Why would it think this to be always true?
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 337: OutOfRange[ByteLane] = TRUE;
... so this path of not setting PassTestRxEndDly might not ever be reached.
This path is why I was wondering if the intent with 'PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];' was to initialize the PassTestRxEnDly array with RxOrig's contents (which are "Original RxEn Dly based on PRE results"). If so, that line would work better here. I found "2.9.5.9.3 DQS Receiver Enable Cycle Training" in the BKDG for AMD 15h. It was not immediately illuminating, but I will keep studying.
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 359: MemClkCycle = (UINT8) (PassTestRxEnDly[ByteLane] >> 5);
PassTestRxEnDly could still be unset here?
Since you point it out, I'm surprised Coverity didn't flag this or even the use in original line #343 as potentially uninitialized.
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 4:
(2 comments)
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... File src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c:
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 329: if ((RxEn >= NBPtr->MinRxEnSeedGross) && (RxEn <= NBPtr->MaxRxEnSeedTotal)) {
Coverity seemed to attempt to evaluate all branches, but I'm definitely unfamiliar with it. […]
Sources had one static initializer for right-hand side of comparison, so those could get treated as constants. Looks like left-hand side would also have predetermined range of values.
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 359: MemClkCycle = (UINT8) (PassTestRxEnDly[ByteLane] >> 5);
Since you point it out, I'm surprised Coverity didn't flag this or even the use in original line #34 […]
Is the file run through preprocessor before coverity analysis? IDS_HDT_CONSOLE() may just have empty expansion everywhere, inlcuding that line #343.
awokd@danwin1210.me has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 4:
(3 comments)
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... File src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c:
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 329: if ((RxEn >= NBPtr->MinRxEnSeedGross) && (RxEn <= NBPtr->MaxRxEnSeedTotal)) {
Sources had one static initializer for right-hand side of comparison, so those could get treated as […]
Ack
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 337: OutOfRange[ByteLane] = TRUE;
This path is why I was wondering if the intent with 'PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];' […]
Further reading shows the passing results are intended to be the only ones considered, so the contents should not matter in a failed case like this. However, it should be initialized regardless. Objection to my moving 'PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];' here?
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 359: MemClkCycle = (UINT8) (PassTestRxEnDly[ByteLane] >> 5);
Is the file run through preprocessor before coverity analysis? IDS_HDT_CONSOLE() may just have empty […]
Ack
Mike Banon has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 5: Code-Review+1
G505S (f15tn) works without a problem
Hello Mike Banon, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36192
to look at the new patch set (#6).
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
vc/amd/agesa: Fix out of bounds read
ByteLane is used unitialized from prior for statement, creating a potential out-of-bound read of RxOrig[MaxByteLanes]. PassTestRxEnDly[MaxByteLanes] never appears as rvalue; all for loops have ByteLane < MaxByteLanes exit condition.
Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3 Signed-off-by: Joe Moore awokd@danwin1210.me Found-by: Coverity CID 1241804 --- M src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c 2 files changed, 3 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/36192/6
Hello Mike Banon, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36192
to look at the new patch set (#7).
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
vc/amd/agesa: Fix out of bounds read
ByteLane is used unitialized from prior for statement, creating a potential out-of-bound read of RxOrig[MaxByteLanes]. PassTestRxEnDly[MaxByteLanes] never appears as rvalue; all for loops have ByteLane < MaxByteLanes exit condition.
Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3 Signed-off-by: Joe Moore awokd@danwin1210.me Found-by: Coverity CID 1241804 --- M src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c 2 files changed, 2 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/36192/7
awokd@danwin1210.me has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 7:
(1 comment)
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... File src/vendorcode/amd/agesa/f12/Proc/Mem/Tech/mtthrcSeedTrain.c:
https://review.coreboot.org/c/coreboot/+/36192/2/src/vendorcode/amd/agesa/f1... PS2, Line 337: OutOfRange[ByteLane] = TRUE;
Further reading shows the passing results are intended to be the only ones considered, so the conten […]
Done
Mike Banon has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 7: Code-Review+1
Is working fine on ASUS AM1I-A (f16kb). Will test on Lenovo G505S a bit later.
awokd@danwin1210.me has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 7:
Patch Set 7: Code-Review+1
Is working fine on ASUS AM1I-A (f16kb). Will test on Lenovo G505S a bit later.
Thanks, Mike. I successfully tested this on a Lenovo G505s after rebasing it to current master of bece6e86dd93e51624c97a9eaec2de0d8b76b9b2.
awokd@danwin1210.me has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 7:
(1 comment)
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/36192/2//COMMIT_MSG@14 PS2, Line 14: 'PassTestRxEnDly[ByteLane] = RxOrig[ByteLane];'.
I did not understand this comment.
Done
Mike Banon has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 7: Code-Review+2
Patch Set 7:
Patch Set 7: Code-Review+1
Is working fine on ASUS AM1I-A (f16kb). Will test on Lenovo G505S a bit later.
Thanks, Mike. I successfully tested this on a Lenovo G505s after rebasing it to current master of bece6e86dd93e51624c97a9eaec2de0d8b76b9b2.
Thank you for testing on G505S! I'm a bit busy with desktops, so your help is really appreciated.
Nico Huber has submitted this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
vc/amd/agesa: Fix out of bounds read
ByteLane is used unitialized from prior for statement, creating a potential out-of-bound read of RxOrig[MaxByteLanes]. PassTestRxEnDly[MaxByteLanes] never appears as rvalue; all for loops have ByteLane < MaxByteLanes exit condition.
Change-Id: Icd18a146aba6b6120d37518d8c40c7efbc05afa3 Signed-off-by: Joe Moore awokd@danwin1210.me Found-by: Coverity CID 1241804 Reviewed-on: https://review.coreboot.org/c/coreboot/+/36192 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Mike Banon mikebdp2@gmail.com --- M src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c M src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c 2 files changed, 2 insertions(+), 2 deletions(-)
Approvals: build bot (Jenkins): Verified Mike Banon: Looks good to me, approved
diff --git a/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c b/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c index 3406d76..991667b 100644 --- a/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c +++ b/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Tech/mtthrcSeedTrain.c @@ -313,7 +313,6 @@ // IDS_HDT_CONSOLE (MEM_FLOW, "\n\t\t Setting PassTestRxEnDly\n"); IDS_HDT_CONSOLE (MEM_FLOW, "\t PassTestRxEnDly: "); - PassTestRxEnDly[ByteLane] = RxOrig[ByteLane]; for (ByteLane = 0; ByteLane < MaxByteLanes; ByteLane++) { if (RxEnDlyTargetFound[ByteLane] == FALSE) { // Calculate "PassTestRxEnDly" from current "RxEnDly" @@ -328,6 +327,7 @@ MemTRdPosRxEnSeedSetDly3 (TechPtr, PassTestRxEnDly[ByteLane], ByteLane); OutOfRange[ByteLane] = FALSE; } else { + PassTestRxEnDly[ByteLane] = RxOrig[ByteLane]; OutOfRange[ByteLane] = TRUE; } } else { diff --git a/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c b/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c index ce295ac..1446f3e 100644 --- a/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c +++ b/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Tech/mtthrcSeedTrain.c @@ -314,7 +314,6 @@ // IDS_HDT_CONSOLE (MEM_FLOW, "\n\t\t Setting PassTestRxEnDly\n"); IDS_HDT_CONSOLE (MEM_FLOW, "\t PassTestRxEnDly: "); - PassTestRxEnDly[ByteLane] = RxOrig[ByteLane]; for (ByteLane = 0; ByteLane < MaxByteLanes; ByteLane++) { if (RxEnDlyTargetFound[ByteLane] == FALSE) { // Calculate "PassTestRxEnDly" from current "RxEnDly" @@ -329,6 +328,7 @@ MemTRdPosRxEnSeedSetDly3 (TechPtr, PassTestRxEnDly[ByteLane], ByteLane); OutOfRange[ByteLane] = FALSE; } else { + PassTestRxEnDly[ByteLane] = RxOrig[ByteLane]; OutOfRange[ByteLane] = TRUE; } } else {
9elements QA has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36192 )
Change subject: vc/amd/agesa: Fix out of bounds read ......................................................................
Patch Set 8:
Automatic boot test returned (PASS/FAIL/TOTAL): 3/0/3 Emulation targets: EMULATION_QEMU_X86_Q35 using payload TianoCore : SUCCESS : No test failed. EMULATION_QEMU_X86_Q35 using payload SeaBIOS : SUCCESS : No test failed. EMULATION_QEMU_X86_I440FX using payload SeaBIOS : SUCCESS : No test failed.
Please note: This test is under development and might not be accurate at all!