lib: sbi_pmu: check for index overflows

sbi_pmu_ctr_cfg_match() receives data from a lower privilege level mode.
We must catch maliciously wrong values.

We already check against total_ctrs. But we do not check that total_ctrs is
less than SBI_PMU_HW_CTR_MAX + SBI_PMU_FW_CTR_MAX.

Check that the number of hardware counters is in the valid range.

Addresses-Coverity-ID: 1566114 Out-of-bounds write
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Atish Patra <atishp@rivosinc.com>

diff --git a/lib/sbi/sbi_pmu.c b/lib/sbi/sbi_pmu.c
index 9694aae4fd3a79022d4d31255e2ef82e9f7a4148..f4c8fc4c3be1387f2363fa945cbb483650ce3dd4 100644 (file)
--- a/lib/sbi/sbi_pmu.c
+++ b/lib/sbi/sbi_pmu.c
@@ -981,6 +981,9 @@ int sbi_pmu_init(struct sbi_scratch *scratch, bool cold_boot)
                else
                        num_hw_ctrs = hpm_count + 1;
 
+               if (num_hw_ctrs > SBI_PMU_HW_CTR_MAX)
+                       return SBI_EINVAL;
+
                total_ctrs = num_hw_ctrs + SBI_PMU_FW_CTR_MAX;
        }