From f831b93357dd5858ba0f610f1f21f7bc599decb1 Mon Sep 17 00:00:00 2001
From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Date: Thu, 28 Sep 2023 15:03:57 +0200
Subject: [PATCH] lib: sbi_pmu: check for index overflows

sbi_pmu_ctr_cfg_match() receives data from a lower privilege level mode.
We must catch maliciously wrong values.

We already check against total_ctrs. But we do not check that total_ctrs is
less than SBI_PMU_HW_CTR_MAX + SBI_PMU_FW_CTR_MAX.

Check that the number of hardware counters is in the valid range.

Addresses-Coverity-ID: 1566114 Out-of-bounds write
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Atish Patra <atishp@rivosinc.com>
---
 lib/sbi/sbi_pmu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/sbi/sbi_pmu.c b/lib/sbi/sbi_pmu.c
index 9694aae..f4c8fc4 100644
--- a/lib/sbi/sbi_pmu.c
+++ b/lib/sbi/sbi_pmu.c
@@ -981,6 +981,9 @@ int sbi_pmu_init(struct sbi_scratch *scratch, bool cold_boot)
 		else
 			num_hw_ctrs = hpm_count + 1;
 
+		if (num_hw_ctrs > SBI_PMU_HW_CTR_MAX)
+			return SBI_EINVAL;
+
 		total_ctrs = num_hw_ctrs + SBI_PMU_FW_CTR_MAX;
 	}