stm32mp: fix various array bounds checks

In all these cases, the index on the LHS is immediately afterwards
used to access the array appearing in the ARRAY_SIZE() on the RHS - so
if that index is equal to the array size, we'll access
one-past-the-end of the array.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>

diff --git a/arch/arm/mach-stm32mp/cpu.c b/arch/arm/mach-stm32mp/cpu.c
index dc4112d5e6cf2c6680abbcedf8aad8ac10d22fc0..e2f67fc4233316bee93bd1750a1e482e0ead32f3 100644 (file)
--- a/arch/arm/mach-stm32mp/cpu.c
+++ b/arch/arm/mach-stm32mp/cpu.c
@@ -190,7 +190,7 @@ static void setup_boot_mode(void)
                  __func__, boot_ctx, boot_mode, instance, forced_mode);
        switch (boot_mode & TAMP_BOOT_DEVICE_MASK) {
        case BOOT_SERIAL_UART:
-               if (instance > ARRAY_SIZE(serial_addr))
+               if (instance >= ARRAY_SIZE(serial_addr))
                        break;
                /* serial : search associated node in devicetree */
                sprintf(cmd, "serial@%x", serial_addr[instance]);
@@ -220,7 +220,7 @@ static void setup_boot_mode(void)
                break;
        case BOOT_FLASH_SD:
        case BOOT_FLASH_EMMC:
-               if (instance > ARRAY_SIZE(sdmmc_addr))
+               if (instance >= ARRAY_SIZE(sdmmc_addr))
                        break;
                /* search associated sdmmc node in devicetree */
                sprintf(cmd, "mmc@%x", sdmmc_addr[instance]);

diff --git a/board/st/stm32mp1/stm32mp1.c b/board/st/stm32mp1/stm32mp1.c
index ca8f0255ae0b4aa4e7400929611d1c325cf710a3..1a1b1844c8c08040ade76d9b01c3fcd2caa153c2 100644 (file)
--- a/board/st/stm32mp1/stm32mp1.c
+++ b/board/st/stm32mp1/stm32mp1.c
@@ -872,7 +872,7 @@ int mmc_get_boot(void)
                STM32_SDMMC3_BASE
        };
 
-       if (instance > ARRAY_SIZE(sdmmc_addr))
+       if (instance >= ARRAY_SIZE(sdmmc_addr))
                return 0;
 
        /* search associated sdmmc node in devicetree */

diff --git a/drivers/ram/stm32mp1/stm32mp1_interactive.c b/drivers/ram/stm32mp1/stm32mp1_interactive.c
index f0fe7e61e3383f8f4a3da3b2ed2aa07ad8c5059e..2c19847c663343f8ce5c25d7fdb2cab6edc89f5c 100644 (file)
--- a/drivers/ram/stm32mp1/stm32mp1_interactive.c
+++ b/drivers/ram/stm32mp1/stm32mp1_interactive.c
@@ -391,7 +391,7 @@ bool stm32mp1_ddr_interactive(void *priv,
        if (next_step < 0)
                return false;
 
-       if (step < 0 || step > ARRAY_SIZE(step_str)) {
+       if (step < 0 || step >= ARRAY_SIZE(step_str)) {
                printf("** step %d ** INVALID\n", step);
                return false;
        }