BUG OF THE MONTH | Array overrun
V557 Array overrun is possible. The ‘dwc2_glbreg_read’ function processes value ‘[0..63]’. Inspect the third argument. Check lines: 667, 1040. hcd-dwc2.c 667
```c
#define HSOTG_REG(x) (x)                                     // <= 5
....
struct DWC2State {
    ....
#define DWC2_GLBREG_SIZE 0x70
    uint32_t glbreg[DWC2_GLBREG_SIZE / sizeof(uint32_t)];    // <= 1
    ....
}
....
static uint64_t dwc2_glbreg_read(void *ptr, hwaddr addr, int index,
                                 unsigned size)
{
    ....
    val = s->glbreg[index];                                  // <= 2
    ....
}

static uint64_t dwc2_hsotg_read(void *ptr, hwaddr addr, unsigned size)
{
    ....
    switch (addr) {
    case HSOTG_REG(0x000) ... HSOTG_REG(0x0fc):              // <= 4
        val = dwc2_glbreg_read(ptr, addr,
                               (addr - HSOTG_REG(0x000)) >> 2, size); // <= 3
        ....
    }
    ....
}
```
This code has a potential out-of-bounds array index. The DWC2State structure declares the glbreg array with DWC2_GLBREG_SIZE / sizeof(uint32_t) = 0x70 / 4 = 28 elements (comment 1). The dwc2_glbreg_read function reads that array at the index it is given (comment 2). The index that dwc2_hsotg_read passes in is the expression (addr - HSOTG_REG(0x000)) >> 2 (comment 3). Since the case range admits every offset from 0x000 through 0x0fc (comment 4) and HSOTG_REG(x) expands to x itself (comment 5), that index can take any value in [0..63]. Only indices 0..27, i.e. offsets 0x000..0x06c, lie inside the array; an offset of 0x070 or above reads past its end unless some code elided here rejects it first. Most likely the case range at comment 4 has to be narrowed to the registers that glbreg actually holds, or dwc2_glbreg_read has to check the index against the array length before using it.
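To show the mismatch between the case range and the array in running code, here is a small model of the dispatch, written as an added example for this page rather than code taken from QEMU. It keeps the page's names (HSOTG_REG, DWC2_GLBREG_SIZE, glbreg) and the index expression; the typedef for hwaddr, the checked read functions and the sample register contents are assumptions made for the example. The guard on the index, rather than a narrower case range, is the hardening variant shown here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Definitions as on the page. */
#define HSOTG_REG(x) (x)
#define DWC2_GLBREG_SIZE 0x70
/* 0x70 / 4 = 28 elements */
#define DWC2_GLBREG_COUNT (DWC2_GLBREG_SIZE / sizeof(uint32_t))

typedef uint64_t hwaddr;                 /* assumed for the example */

struct DWC2State {
    uint32_t glbreg[DWC2_GLBREG_COUNT];  /* only this field is modelled */
};

/* The index the dispatcher computes: (addr - 0x000) >> 2.
 * For the page's case range 0x000..0x0fc this yields 0..63. */
static int glbreg_index(hwaddr addr)
{
    return (int)((addr - HSOTG_REG(0x000)) >> 2);
}

/* True only when the index lands inside glbreg (0..27). */
static bool glbreg_index_ok(int index)
{
    return index >= 0 && (size_t)index < DWC2_GLBREG_COUNT;
}

/* Highest guest offset that still maps inside glbreg: 27 << 2 = 0x6c. */
static hwaddr glbreg_last_valid_offset(void)
{
    return (hwaddr)(DWC2_GLBREG_COUNT - 1) << 2;
}

/* Hardened reader (assumed name): refuses offsets that the case range
 * accepts but the array cannot hold, instead of reading past the end.
 * Returns false and leaves *val untouched on rejection. */
static bool dwc2_glbreg_read_checked(struct DWC2State *s, hwaddr addr,
                                     uint32_t *val)
{
    int index = glbreg_index(addr);
    if (!glbreg_index_ok(index)) {
        return false;
    }
    *val = s->glbreg[index];
    return true;
}

/* Dispatcher modelled on dwc2_hsotg_read. The page's
 * `case HSOTG_REG(0x000) ... HSOTG_REG(0x0fc):` is written as an explicit
 * comparison here; the range is deliberately left as wide as on the page,
 * so the narrower bound has to be enforced by the reader itself. */
static bool dwc2_hsotg_read_checked(struct DWC2State *s, hwaddr addr,
                                    uint32_t *val)
{
    if (addr >= HSOTG_REG(0x000) && addr <= HSOTG_REG(0x0fc)) {
        return dwc2_glbreg_read_checked(s, addr, val);
    }
    return false;                        /* other register blocks not modelled */
}

int main(void)
{
    struct DWC2State s = { { 0 } };
    uint32_t v = 0;

    /* Constructed sample contents: mark the last real element. */
    s.glbreg[DWC2_GLBREG_COUNT - 1] = 0xdeadbeefu;

    printf("index for offset 0x0fc = %d, array holds %zu elements\n",
           glbreg_index(0x0fc), (size_t)DWC2_GLBREG_COUNT);
    printf("last in-bounds offset  = 0x%03llx\n",
           (unsigned long long)glbreg_last_valid_offset());
    printf("read 0x06c: %s (0x%08x)\n",
           dwc2_hsotg_read_checked(&s, 0x06c, &v) ? "ok" : "rejected", v);
    printf("read 0x070: %s\n",
           dwc2_hsotg_read_checked(&s, 0x070, &v) ? "ok" : "rejected");
    return 0;
}
```

Running it shows index 63 against an array of 28 and the first rejected offset at 0x070; the same three numbers (28, 0x06c, 63) are what a reviewer should compare when deciding whether to shrink the case range or guard the index.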