From: AKASHI Takahiro Date: Tue, 7 Nov 2023 00:05:47 +0000 (+0900) Subject: firmware: scmi: correct a validity check against power domain id X-Git-Tag: v2025.01-rc5-pxa1908~774^2~5 X-Git-Url: http://git.dujemihanovic.xyz/img/%7B%7B?a=commitdiff_plain;h=4808d1633336a98f3c48a94a7e1fcd1e1030a324;p=u-boot.git firmware: scmi: correct a validity check against power domain id A power domain id on sandbox should be in the range from zero to ARRAY_SIZE(scmi_pwdom) - 1. Correct the validity check logic. Addresses-Coverity-ID: 467401 ("Out-of-bounds write") Addresses-Coverity-ID: 467405 ("Out-of-bounds read") Signed-off-by: AKASHI Takahiro --- diff --git a/drivers/firmware/scmi/sandbox-scmi_agent.c b/drivers/firmware/scmi/sandbox-scmi_agent.c index 9f5f497e0a..d131809626 100644 --- a/drivers/firmware/scmi/sandbox-scmi_agent.c +++ b/drivers/firmware/scmi/sandbox-scmi_agent.c @@ -576,7 +576,7 @@ static int sandbox_scmi_pwd_attribs(struct udevice *dev, struct scmi_msg *msg) domain_id = *(u32 *)msg->in_msg; out = (struct scmi_pwd_attrs_out *)msg->out_msg; - if (domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (domain_id >= ARRAY_SIZE(scmi_pwdom)) { out->status = SCMI_NOT_FOUND; return 0; @@ -613,7 +613,7 @@ static int sandbox_scmi_pwd_state_set(struct udevice *dev, struct scmi_msg *msg) in = (struct scmi_pwd_state_set_in *)msg->in_msg; status = (s32 *)msg->out_msg; - if (in->domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (in->domain_id >= ARRAY_SIZE(scmi_pwdom)) { *status = SCMI_NOT_FOUND; return 0; @@ -653,7 +653,7 @@ static int sandbox_scmi_pwd_state_get(struct udevice *dev, struct scmi_msg *msg) domain_id = *(u32 *)msg->in_msg; out = (struct scmi_pwd_state_get_out *)msg->out_msg; - if (domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (domain_id >= ARRAY_SIZE(scmi_pwdom)) { out->status = SCMI_NOT_FOUND; return 0; @@ -686,7 +686,7 @@ static int sandbox_scmi_pwd_name_get(struct udevice *dev, struct scmi_msg *msg) domain_id = *(u32 *)msg->in_msg; out = (struct scmi_pwd_name_get_out *)msg->out_msg; - if (domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (domain_id >= ARRAY_SIZE(scmi_pwdom)) { out->status = SCMI_NOT_FOUND; return 0;