From patchwork Thu May  4 19:36:41 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julien Grall <julien.grall@arm.com>
X-Patchwork-Id: 98562
Delivered-To: patch@linaro.org
Received: by 10.140.89.200 with SMTP id v66csp777461qgd;
 Thu, 4 May 2017 12:40:27 -0700 (PDT)
X-Received: by 10.107.85.6 with SMTP id j6mr44292568iob.54.1493926827068;
 Thu, 04 May 2017 12:40:27 -0700 (PDT)
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120])
 by mx.google.com with ESMTPS id
 i72si2288350ioa.225.2017.05.04.12.40.26
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 04 May 2017 12:40:27 -0700 (PDT)
Received-SPF: neutral (google.com: 192.237.175.120 is neither permitted nor
 denied by best guess record for domain of
 xen-devel-bounces@lists.xen.org) client-ip=192.237.175.120; 
Authentication-Results: mx.google.com;
 spf=neutral (google.com: 192.237.175.120 is neither permitted nor
 denied by best guess record for domain of
 xen-devel-bounces@lists.xen.org)
 smtp.mailfrom=xen-devel-bounces@lists.xen.org
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <xen-devel-bounces@lists.xen.org>)
 id 1d6MaI-0002ka-EY; Thu, 04 May 2017 19:38:42 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <julien.grall@arm.com>) id 1d6MaH-0002kT-D1
 for xen-devel@lists.xen.org; Thu, 04 May 2017 19:38:41 +0000
Received: from [85.158.143.35] by server-5.bemta-6.messagelabs.com id
 81/6E-03371-0438B095; Thu, 04 May 2017 19:38:40 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrFLMWRWlGSWpSXmKPExsVysyfVTdehmTv
 SoL2Xz2LJx8UsDoweR3f/ZgpgjGLNzEvKr0hgzdjcMJG54BR7xax9mg2MC9m6GLk4hAQ2MUpc
 OHKFCcI5zSgx7foHli5GTg42AU2JO58/MYHYIgLSEtc+X2YEsZkFHCTefLwHViMsECLx/NM1s
 BoWAVWJw7fWsoPYvAKWEjN+zwSrlxCQl9jVdpF1AiPnAkaGVYwaxalFZalFusZGeklFmekZJb
 mJmTm6hgZmermpxcWJ6ak5iUnFesn5uZsYgf5iAIIdjKfXBR5ilORgUhLlVX/FHinEl5SfUpm
 RWJwRX1Sak1p8iFGGg0NJgje2iTtSSLAoNT21Ii0zBxg4MGkJDh4lEd4SkDRvcUFibnFmOkTq
 FKMux5x7X98zCbHk5eelSonz6oMUCYAUZZTmwY2ABfElRlkpYV5GoKOEeApSi3IzS1DlXzGKc
 zAqCfMmgEzhycwrgdv0CugIJqAjmmU5QI4oSURISTUwhlwt1z62Z41jjnrhKe8DnofXN923+r
 n6uaWwfefWVX27VmhlFR5890lEq3TVTf30Ura45KOzjikxibWWOlhzaHyQF9w0/5vYgdur1oa
 VvXDpPre6i+PKzLYTIddEbHkET6bHz1VIesFyIPtzsc4nSdauOeuW3Qn8uClmut9NFqbkb81X
 J8y4p8RSnJFoqMVcVJwIAJq7YH9dAgAA
X-Env-Sender: julien.grall@arm.com
X-Msg-Ref: server-4.tower-21.messagelabs.com!1493926719!60600727!1
X-Originating-IP: [217.140.101.70]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.4.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 59936 invoked from network); 4 May 2017 19:38:40 -0000
Received: from foss.arm.com (HELO foss.arm.com) (217.140.101.70)
 by server-4.tower-21.messagelabs.com with SMTP;
 4 May 2017 19:38:40 -0000
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 05C42344;
 Thu,  4 May 2017 12:38:39 -0700 (PDT)
Received: from e108454-lin.cambridge.arm.com (e108454-lin.cambridge.arm.com
 [10.1.206.53])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id
 66BA23F23B; Thu,  4 May 2017 12:38:38 -0700 (PDT)
From: Julien Grall <julien.grall@arm.com>
To: xen-devel@lists.xen.org
Date: Thu,  4 May 2017 20:36:41 +0100
Message-Id: <20170504193641.26469-1-julien.grall@arm.com>
X-Mailer: git-send-email 2.11.0
Cc: Julien Grall <julien.grall@arm.com>, sstabellini@kernel.org
Subject: [Xen-devel] [PATCH for-4.9] xen/arm: efi: Avoid out-of-bounds write
 in meminfo_add_bank
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>, 
 <mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>, 
 <mailto:xen-devel-request@lists.xen.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>

Commit 2c77db77 "xen/arm: efi: Avoid duplicating the addition of a new
bank", introduced a new function meminfo_add_bank that add a new bank.
This new code fails to check correctly the size of the array which may
result to an out-of-bounds write.

Coverity-ID: 1433183
Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
    The new function was introduced during the development of Xen 4.9
    and should be fixed before the release.
---
 xen/arch/arm/efi/efi-boot.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
index e1e447ac8e..2986c83447 100644
--- a/xen/arch/arm/efi/efi-boot.h
+++ b/xen/arch/arm/efi/efi-boot.h
@@ -128,7 +128,7 @@ static bool __init meminfo_add_bank(struct meminfo *mem,
 {
     struct membank *bank;
 
-    if ( mem->nr_banks > NR_MEM_BANKS )
+    if ( mem->nr_banks >= NR_MEM_BANKS )
         return false;
 
     bank = &mem->bank[mem->nr_banks];