From 290708976c622282fb41ea575b8bda309ae31349 Mon Sep 17 00:00:00 2001
From: Evan Green <evgreen@chromium.org>
Date: Tue, 21 May 2019 14:29:39 -0700
Subject: common: dptf: Guard against wild sensor IDs

If developers have not set up TEMP_SENSOR_COUNT correctly, or the caller
starts sending wild sensor_id or idx values down, then the EC will do
arbitrary reads and writes over its own memory. In one case, the
PD log buffer indices are next in memory, so we would see the following
spew in the kernel (every 60 seconds, since the kernel only checks that
often):

[  138.151937] PDLOG 2019/05/17 22:46:26.913 P0 Disconnected
[  138.158512] PDLOG 2019/05/17 22:46:04.936 P0 Disconnected
[  138.165066] PDLOG 2019/05/17 22:46:04.935 P0 Disconnected
[  138.171643] PDLOG 2019/05/17 22:46:04.935 P0 Disconnected
[  138.178162] PDLOG 2019/05/17 22:46:04.935 P0 Disconnected
...

BUG=b:132999028
BRANCH=none
TEST=Build and boot hatch, observe no more log spam

Change-Id: If2e20972c3268e84bb4cdfa315c6b7f7cb76868f
Signed-off-by: Evan Green <evgreen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1623176
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Scott Collyer <scollyer@chromium.org>
---
 common/dptf.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/common/dptf.c b/common/dptf.c
index b5d58d0846..c7623ce479 100644
--- a/common/dptf.c
+++ b/common/dptf.c
@@ -59,6 +59,11 @@ static int dptf_check_temp_threshold(int sensor_id, int temp)
 	int tripped = 0;
 	int max, i;
 
+	if (sensor_id >= TEMP_SENSOR_COUNT) {
+		CPRINTS("DPTF: Invalid sensor ID");
+		return 0;
+	}
+
 	for (i = 0; i < DPTF_THRESHOLDS_PER_SENSOR; i++) {
 
 		max = dptf_threshold[sensor_id][i].temp;
@@ -92,6 +97,12 @@ void dptf_set_temp_threshold(int sensor_id, int temp, int idx, int enable)
 	CPRINTS("DPTF sensor %d, threshold %d C, index %d, %sabled",
 		sensor_id, K_TO_C(temp), idx, enable ? "en" : "dis");
 
+	if ((sensor_id >= TEMP_SENSOR_COUNT) ||
+	    (idx >= DPTF_THRESHOLDS_PER_SENSOR)) {
+		CPRINTS("DPTF: Invalid sensor ID");
+		return;
+	}
+
 	if (enable) {
 		/* Don't update threshold condition if already enabled */
 		if (dptf_threshold[sensor_id][idx].temp == -1)
-- 
cgit v1.2.1