lib: sbi_pmu: avoid buffer overflow

total_ctrs is bounded by

    SBI_PMU_FW_CTR_MAX + SBI_PMU_HW_CTR_MAX) == 48

which exceeds BITS_PER_LONG on 32 bit systems.

Iterating over the bits of &cmask results in a buffer overflow when looking
for a bit >= BITS_PER_LONG.

Adjust the iterators in sbi_pmu_ctr_start() and sbi_pmu_ctr_stop()
accordingly.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Anup Patel <anup@brainfault.org>

diff --git a/lib/sbi/sbi_pmu.c b/lib/sbi/sbi_pmu.c
index f4c8fc4c3be1387f2363fa945cbb483650ce3dd4..185068bb1f438e4ad0f16f621717ec291e88b6be 100644 (file)
--- a/lib/sbi/sbi_pmu.c
+++ b/lib/sbi/sbi_pmu.c
@@ -445,7 +445,7 @@ int sbi_pmu_ctr_start(unsigned long cbase, unsigned long cmask,
        if (flags & SBI_PMU_START_FLAG_SET_INIT_VALUE)
                bUpdate = true;
 
-       for_each_set_bit(i, &cmask, total_ctrs) {
+       for_each_set_bit(i, &cmask, BITS_PER_LONG) {
                cidx = i + cbase;
                event_idx_type = pmu_ctr_validate(phs, cidx, &event_code);
                if (event_idx_type < 0)
@@ -540,7 +540,7 @@ int sbi_pmu_ctr_stop(unsigned long cbase, unsigned long cmask,
        if ((cbase + sbi_fls(cmask)) >= total_ctrs)
                return SBI_EINVAL;
 
-       for_each_set_bit(i, &cmask, total_ctrs) {
+       for_each_set_bit(i, &cmask, BITS_PER_LONG) {
                cidx = i + cbase;
                event_idx_type = pmu_ctr_validate(phs, cidx, &event_code);
                if (event_idx_type < 0)