lib: sbi_pmu: avoid buffer overflow

total_ctrs is bounded by SBI_PMU_FW_CTR_MAX + SBI_PMU_HW_CTR_MAX) == 48 which exceeds BITS_PER_LONG on 32 bit systems. Iterating over the bits of &cmask results in a buffer overflow when looking for a bit >= BITS_PER_LONG. Adjust the iterators in sbi_pmu_ctr_start() and sbi_pmu_ctr_stop() accordingly. Signed-off-by: Heinrich Schuchardt <[email protected]> Reviewed-by: Anup Patel <[email protected]>
riscv-software-src · Nov 22, 2023 · 574b9c8 · 574b9c8
1 parent 16bb930
commit 574b9c8
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/sbi/sbi_pmu.c b/lib/sbi/sbi_pmu.c
@@ -445,7 +445,7 @@ int sbi_pmu_ctr_start(unsigned long cbase, unsigned long cmask,
 	if (flags & SBI_PMU_START_FLAG_SET_INIT_VALUE)
 		bUpdate = true;
 
-	for_each_set_bit(i, &cmask, total_ctrs) {
+	for_each_set_bit(i, &cmask, BITS_PER_LONG) {
 		cidx = i + cbase;
 		event_idx_type = pmu_ctr_validate(phs, cidx, &event_code);
 		if (event_idx_type < 0)
@@ -540,7 +540,7 @@ int sbi_pmu_ctr_stop(unsigned long cbase, unsigned long cmask,
 	if ((cbase + sbi_fls(cmask)) >= total_ctrs)
 		return SBI_EINVAL;
 
-	for_each_set_bit(i, &cmask, total_ctrs) {
+	for_each_set_bit(i, &cmask, BITS_PER_LONG) {
 		cidx = i + cbase;
 		event_idx_type = pmu_ctr_validate(phs, cidx, &event_code);
 		if (event_idx_type < 0)