author | spashabk-in <shakeebbk@in.ibm.com> | 2017-11-20 01:31:05 -0600 |
---|---|---|
committer | Sachin Gupta <sgupta2m@in.ibm.com> | 2017-11-21 00:30:33 -0500 |
commit | 1fcbd7b14382aa252da89f710c7d69af93d5d6d1 (patch) | |
tree | ffabdb30d0c531ac1c89376ae25ee8aa1a558f74 /src/sbefw | |
parent | 20b1e798a82b422eba057e28d16672868f912df3 (diff) | |
Security binary search bug fix
A bug in binary search was leading to array out of bound access.
As the indices were unsigned - it was leading to datatype overflow.
Changing the indices to signed integers.
Change-Id: Ib6b14862ca17fb21aa69cb26e3d58c2a6cd6eb3f
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49895
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: AMIT J. TENDOLKAR <amit.tendolkar@in.ibm.com>
Reviewed-by: Sachin Gupta <sgupta2m@in.ibm.com>
Diffstat (limited to 'src/sbefw')
-rw-r--r-- | src/sbefw/sbeSecurity.C | 32 |
1 files changed, 19 insertions, 13 deletions
diff --git a/src/sbefw/sbeSecurity.C b/src/sbefw/sbeSecurity.C
index 60cc3464..5f7643be 100644
--- a/src/sbefw/sbeSecurity.C
+++ b/src/sbefw/sbeSecurity.C
@@ -38,18 +38,23 @@ constexpr uint32_t get_shift_len(uint32_t mask, uint8_t shifts = 0)
 }
 template <typename Func>
-map_t<bool, uint32_t> binary_search(
+map_t<bool, int32_t> binary_search(
 const uint32_t search_key,
- range_t<uint32_t> x_range,
+ range_t<int32_t> x_range,
 Func get_element)
 {
- map_t<bool, uint32_t> ret = {false, 0}; // found=false
+ map_t<bool, int32_t> ret = {false, 0}; // found=false
 while((x_range.start <= x_range.end) && (ret.key == false))
 {
- uint32_t midpoint = (x_range.start + x_range.end) / 2;
+ int32_t midpoint = (x_range.start + x_range.end) / 2;
+ SBE_DEBUG("binary_search : midpoint[0x%08x]",
+ midpoint);
 uint32_t ele = get_element(midpoint);
+ SBE_DEBUG("binary_search : search_key[0x%08x] ele[0x%08x]",
+ search_key,
+ ele);
 if(search_key == ele)
 {
 ret.key = true;
@@ -63,7 +68,11 @@ map_t<bool, uint32_t> binary_search(
 {
 x_range.start = midpoint + 1;
 }
+ SBE_DEBUG("binary_search : x_range.start[0x%08x] x_range.end[0x%08x]",
+ x_range.start,
+ x_range.end);
 }
+ SBE_DEBUG("binary_search : ret[%d]",ret.key);
 return ret;
 }
@@ -87,14 +96,14 @@ bool _is_present(const table< map_t< range_t<M1_T>, M1_U > > &table1,
 search_key, i);
 // Found the range where key might belong to
 search_key = (i_addr & table2.mask) >> get_shift_len(table2.mask);
- range_t<uint32_t> search_range = {};
+ range_t<int32_t> search_range = {};
 search_range.start = i ? table1.table[i-1].value : 0;
 search_range.end = table1.table[i].value - 1;
- map_t<bool, uint32_t> search_result =
+ map_t<bool, int32_t> search_result =
 binary_search(
 search_key,
 search_range,
- [&table2](uint32_t midpoint) -> uint32_t {
+ [&table2](int32_t midpoint) -> uint32_t {
 return table2.table[midpoint].key;
 });
 if(search_result.key == true)
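Review bot: The new `int32_t midpoint = (x_range.start + x_range.end) / 2;` replaces the unsigned wrap with a signed addition, which is undefined behaviour if the two bounds ever sum past INT32_MAX; `int32_t midpoint = x_range.start + (x_range.end - x_range.start) / 2;` gives the same result for valid ranges without that risk. The signed type only prevents the out-of-bounds read while callers pass a non-negative `start`, and binary_search does not check this, so the function would benefit from a comment stating the precondition, for example `// x_range: 0 <= start, end < table size; end == start - 1 means empty`. The added SBE_DEBUG calls print signed indices with `%08x`, so an `end` of -1 will appear as 0xffffffff in traces. The loop body continues between this hunk and the next, outside what is shown.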
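Review bot: `search_range.start` and `search_range.end` are now `int32_t` but are still assigned from `table1.table[i-1].value` and `table1.table[i].value - 1`, whose type `M1_U` is a template parameter not visible in this hunk; if it is an unsigned 32-bit type, a large value would convert to a negative index. The lambdas here and in the table3 hunk (`table2.table[midpoint].key`, `table3.table[midpoint]`) index with `midpoint` without any bound, so the memory safety of the lookup depends entirely on table1's values matching the sizes of table2 and table3. If the tables are generated at build time, a compile-time or generator-side check of that invariant would make it explicit; otherwise clamp the range to the table size before calling binary_search. _is_present begins and ends outside the hunk.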
@@ -112,7 +121,7 @@ bool _is_present(const table< map_t< range_t<M1_T>, M1_U > > &table1,
 search_result = binary_search(
 search_key,
 search_range,
- [&table3](uint32_t midpoint) -> uint32_t {
+ [&table3](int32_t midpoint) -> uint32_t {
 return table3.table[midpoint];
 });
 if(search_result.key == true)
@@ -140,11 +149,8 @@ bool isAllowed(const uint32_t i_addr, accessType type)
 ret = WHITELIST::isPresent(i_addr);
 else if(type == READ)
 ret = !BLACKLIST::isPresent(i_addr);
- if(!ret)
- {
- SBE_INFO("SBE_SECURITY access[%d] denied addr[0x%08x]",
- type, i_addr);
- }
+ SBE_INFO("SBE_SECURITY access[%d] allowed[%d] addr[0x%08x]",
+ type, ret, i_addr);
 }
 return ret;
 } |
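Review bot: The SBE_INFO trace in isAllowed now fires on every check that reaches this branch, whether allowed or denied, where the removed `if(!ret)` block traced denials only. If the SBE trace buffer is small or wraps (not visible from this hunk), routine allowed accesses could overwrite denial records before they are collected, and denials are the entries that matter most when reviewing access-filter behaviour. Consider keeping the denial message at INFO under `if(!ret)` and emitting the allowed case through SBE_DEBUG, so that denials stay distinguishable by level as well as by the `allowed[%d]` field. isAllowed starts before the hunk.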