From daf07215e8c4aed16af81e1615396f5502040c1f Mon Sep 17 00:00:00 2001
From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Date: Fri, 24 Mar 2023 08:55:19 +0100
Subject: [PATCH] stm32mp: fix various array bounds checks

In all these cases, the index on the LHS is immediately afterwards
used to access the array appearing in the ARRAY_SIZE() on the RHS - so
if that index is equal to the array size, we'll access
one-past-the-end of the array.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
---
 arch/arm/mach-stm32mp/cpu.c                 | 4 ++--
 board/st/stm32mp1/stm32mp1.c                | 2 +-
 drivers/ram/stm32mp1/stm32mp1_interactive.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/arm/mach-stm32mp/cpu.c b/arch/arm/mach-stm32mp/cpu.c
index dc4112d5e6..e2f67fc423 100644
--- a/arch/arm/mach-stm32mp/cpu.c
+++ b/arch/arm/mach-stm32mp/cpu.c
@@ -190,7 +190,7 @@ static void setup_boot_mode(void)
 		  __func__, boot_ctx, boot_mode, instance, forced_mode);
 	switch (boot_mode & TAMP_BOOT_DEVICE_MASK) {
 	case BOOT_SERIAL_UART:
-		if (instance > ARRAY_SIZE(serial_addr))
+		if (instance >= ARRAY_SIZE(serial_addr))
 			break;
 		/* serial : search associated node in devicetree */
 		sprintf(cmd, "serial@%x", serial_addr[instance]);
@@ -220,7 +220,7 @@ static void setup_boot_mode(void)
 		break;
 	case BOOT_FLASH_SD:
 	case BOOT_FLASH_EMMC:
-		if (instance > ARRAY_SIZE(sdmmc_addr))
+		if (instance >= ARRAY_SIZE(sdmmc_addr))
 			break;
 		/* search associated sdmmc node in devicetree */
 		sprintf(cmd, "mmc@%x", sdmmc_addr[instance]);
diff --git a/board/st/stm32mp1/stm32mp1.c b/board/st/stm32mp1/stm32mp1.c
index ca8f0255ae..1a1b1844c8 100644
--- a/board/st/stm32mp1/stm32mp1.c
+++ b/board/st/stm32mp1/stm32mp1.c
@@ -872,7 +872,7 @@ int mmc_get_boot(void)
 		STM32_SDMMC3_BASE
 	};
 
-	if (instance > ARRAY_SIZE(sdmmc_addr))
+	if (instance >= ARRAY_SIZE(sdmmc_addr))
 		return 0;
 
 	/* search associated sdmmc node in devicetree */
diff --git a/drivers/ram/stm32mp1/stm32mp1_interactive.c b/drivers/ram/stm32mp1/stm32mp1_interactive.c
index f0fe7e61e3..2c19847c66 100644
--- a/drivers/ram/stm32mp1/stm32mp1_interactive.c
+++ b/drivers/ram/stm32mp1/stm32mp1_interactive.c
@@ -391,7 +391,7 @@ bool stm32mp1_ddr_interactive(void *priv,
 	if (next_step < 0)
 		return false;
 
-	if (step < 0 || step > ARRAY_SIZE(step_str)) {
+	if (step < 0 || step >= ARRAY_SIZE(step_str)) {
 		printf("** step %d ** INVALID\n", step);
 		return false;
 	}
-- 
2.39.5