authorEvan Green <evgreen@chromium.org>2019-05-21 14:29:39 -0700
committerchrome-bot <chrome-bot@chromium.org>2019-05-23 02:14:17 -0700
commit290708976c622282fb41ea575b8bda309ae31349 (patch)
treed8492596daf2623fce14d6423b71a28fd174352f
parent5f7dedbe84e92d6800e5c9384bd2a05f122d8f77 (diff)
common: dptf: Guard against wild sensor IDs
If developers have not set up TEMP_SENSOR_COUNT correctly, or the caller starts sending wild sensor_id or idx values down, then the EC will do arbitrary reads and writes over its own memory. In one case, the PD log buffer indices are next in memory, so we would see the following spew in the kernel (every 60 seconds, since the kernel only checks that often): [ 138.151937] PDLOG 2019/05/17 22:46:26.913 P0 Disconnected [ 138.158512] PDLOG 2019/05/17 22:46:04.936 P0 Disconnected [ 138.165066] PDLOG 2019/05/17 22:46:04.935 P0 Disconnected [ 138.171643] PDLOG 2019/05/17 22:46:04.935 P0 Disconnected [ 138.178162] PDLOG 2019/05/17 22:46:04.935 P0 Disconnected ... BUG=b:132999028 BRANCH=none TEST=Build and boot hatch, observe no more log spam Change-Id: If2e20972c3268e84bb4cdfa315c6b7f7cb76868f Signed-off-by: Evan Green <evgreen@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1623176 Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org> Reviewed-by: Furquan Shaikh <furquan@chromium.org> Reviewed-by: Scott Collyer <scollyer@chromium.org>
-rw-r--r--common/dptf.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/common/dptf.c b/common/dptf.c
index b5d58d0846..c7623ce479 100644
--- a/common/dptf.c
+++ b/common/dptf.c
@@ -59,6 +59,11 @@ static int dptf_check_temp_threshold(int sensor_id, int temp)
int tripped = 0;
int max, i;
+ if (sensor_id >= TEMP_SENSOR_COUNT) {
+ CPRINTS("DPTF: Invalid sensor ID");
+ return 0;
+ }
+
for (i = 0; i < DPTF_THRESHOLDS_PER_SENSOR; i++) {
max = dptf_threshold[sensor_id][i].temp;
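Review bot: The guard added in dptf_check_temp_threshold() rejects only IDs at or above TEMP_SENSOR_COUNT, but `sensor_id` is a signed `int`, so a negative value still passes and `dptf_threshold[sensor_id][i]` is read from before the start of the array. Bounding both ends closes that, `if (sensor_id < 0 || sensor_id >= TEMP_SENSOR_COUNT) {`. The same gap is in the guard added to dptf_set_temp_threshold() in the next hunk, where `sensor_id` and `idx` are both signed and, per the commit message, the out-of-range access includes writes; that condition would need `(sensor_id < 0)` and `(idx < 0)` terms as well. This assumes the two limits are signed constants, which the hunks do not show; the function body continues outside the hunk.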
@@ -92,6 +97,12 @@ void dptf_set_temp_threshold(int sensor_id, int temp, int idx, int enable)
CPRINTS("DPTF sensor %d, threshold %d C, index %d, %sabled",
sensor_id, K_TO_C(temp), idx, enable ? "en" : "dis");
+ if ((sensor_id >= TEMP_SENSOR_COUNT) ||
+ (idx >= DPTF_THRESHOLDS_PER_SENSOR)) {
+ CPRINTS("DPTF: Invalid sensor ID");
+ return;
+ }
+
if (enable) {
/* Don't update threshold condition if already enabled */
if (dptf_threshold[sensor_id][idx].temp == -1)
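Review bot: The rejection message in dptf_set_temp_threshold() says "Invalid sensor ID" even when the value that failed is `idx`, which points whoever reads the console log at the wrong argument. Since this line is the only signal that a caller passed out-of-range values, it should name both, e.g. `CPRINTS("DPTF: Invalid sensor ID %d or threshold index %d", sensor_id, idx);`. A short comment above the check, such as `/* Both values index dptf_threshold[][]; reject out-of-range input before any access */`, would also record why the guard exists. The function body continues outside the hunk.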