[coreboot-gerrit] New patch to review for coreboot: 273d6c1 northbridge/intel: Out of bounds write to array in gma.h

Edward O'Callaghan (eocallaghan@alterapraxis.com) gerrit at coreboot.org
Sun Aug 3 10:54:42 CEST 2014


Edward O'Callaghan (eocallaghan at alterapraxis.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/6473

-gerrit

commit 273d6c13c4f6feef7021a49cb9ef70bc0c0d6661
Author: Edward O'Callaghan <eocallaghan at alterapraxis.com>
Date:   Sun Aug 3 18:49:46 2014 +1000

    northbridge/intel: Out of bounds write to array in gma.h
    
    The signature[] array in the mailbox struct opregion_header_t has
    IGD_OPREGION_SIGNATURE written to it with a
    sizeof(IGD_OPREGION_SIGNATURE) and not a sizeof(signature[]). This
    resulted in a silent off-by-one out of bounds illegal write.
    
    Change-Id: I651620a753c743dd2ed2af51c012c27c14a5ea25
    Signed-off-by: Edward O'Callaghan <eocallaghan at alterapraxis.com>
---
 src/northbridge/intel/fsp_sandybridge/gma.h | 2 +-
 src/northbridge/intel/haswell/gma.h         | 2 +-
 src/northbridge/intel/nehalem/gma.h         | 2 +-
 src/northbridge/intel/sandybridge/gma.h     | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/northbridge/intel/fsp_sandybridge/gma.h b/src/northbridge/intel/fsp_sandybridge/gma.h
index cdf5d91..5e0acf3 100644
--- a/src/northbridge/intel/fsp_sandybridge/gma.h
+++ b/src/northbridge/intel/fsp_sandybridge/gma.h
@@ -19,7 +19,7 @@
 
 /* mailbox 0: header */
 typedef struct {
-	u8	signature[16];
+	u8	signature[17];
 	u32	size;
 	u32	version;
 	u8	sbios_version[32];
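Review bot: Growing `signature` from 16 to 17 bytes moves `size`, `version` and `sbios_version` to higher offsets (by one byte if the struct is packed, by four with natural u32 alignment), so anything that reads this mailbox 0 header at fixed offsets will see a different layout. The commit message locates the bug in the length passed to the write, sizeof(IGD_OPREGION_SIGNATURE), so consider leaving `u8 signature[16];` as it was and bounding the copy by the size of the destination field instead.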
diff --git a/src/northbridge/intel/haswell/gma.h b/src/northbridge/intel/haswell/gma.h
index 29281ba..b885d27 100644
--- a/src/northbridge/intel/haswell/gma.h
+++ b/src/northbridge/intel/haswell/gma.h
@@ -19,7 +19,7 @@
 
 /* mailbox 0: header */
 typedef struct {
-	u8	signature[16];
+	u8	signature[17];
 	u32	size;
 	u32	version;
 	u8	sbios_version[32];
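Review bot: The write that overruns `signature` is not part of this diff, so the change at `u8 signature[17];` cannot be checked against the code it is meant to fix. Please include or reference the call site, and if the array size stays at 17, add a compile-time assertion that sizeof(IGD_OPREGION_SIGNATURE) fits in the field so the two cannot drift apart again.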
diff --git a/src/northbridge/intel/nehalem/gma.h b/src/northbridge/intel/nehalem/gma.h
index fdea85a..e3f6012 100644
--- a/src/northbridge/intel/nehalem/gma.h
+++ b/src/northbridge/intel/nehalem/gma.h
@@ -23,7 +23,7 @@
 
 /* mailbox 0: header */
 typedef struct {
-	u8	signature[16];
+	u8	signature[17];
 	u32	size;
 	u32	version;
 	u8	sbios_version[32];
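Review bot: This is the third copy of the same `signature[16]` to `signature[17]` edit, in a struct whose visible fields are identical in all four headers. A single shared definition of the mailbox 0 header would let the fix be made once and would keep the four northbridge directories from diverging if a later change touches only some of the copies.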
diff --git a/src/northbridge/intel/sandybridge/gma.h b/src/northbridge/intel/sandybridge/gma.h
index bc5d986..34bd643 100644
--- a/src/northbridge/intel/sandybridge/gma.h
+++ b/src/northbridge/intel/sandybridge/gma.h
@@ -19,7 +19,7 @@
 
 /* mailbox 0: header */
 typedef struct {
-	u8	signature[16];
+	u8	signature[17];
 	u32	size;
 	u32	version;
 	u8	sbios_version[32];
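Review bot: Nothing at `u8 signature[17];` says why the field is 17 bytes; going by the commit message, the extra byte is there only to hold the terminating NUL of the string literal. If this size is kept, add a comment saying so next to the field, and state in the commit message whether the fields after `signature` are allowed to move for whatever consumes this header.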


