From: Philippe Mathieu-Daudé <f4...@amsat.org>

The TPMState structure holds an array of TPM_TIS_NUM_LOCALITIES TPMLocality loc[], having TPM_TIS_NUM_LOCALITIES defined as '5'.
tpm_tis_locality_from_addr() returns up to 3 bits, so 7. While unlikely, Coverity is right to report an overrun. Assert we are in range to fix: *** CID 1487240: Memory - illegal accesses (OVERRUN) hw/tpm/tpm_tis_common.c: 298 in tpm_tis_dump_state() 294 int idx; 295 uint8_t locty = tpm_tis_locality_from_addr(addr); 296 hwaddr base = addr & ~0xfff; 297 >>> CID 1487240: Memory - illegal accesses (OVERRUN) >>> Overrunning array "s->loc" of 5 24-byte elements at element index 7 (byte offset 191) using index "locty" (which evaluates to 7). 298 printf("tpm_tis: active locality : %d\n" 299 "tpm_tis: state of locality %d : %d\n" 300 "tpm_tis: register dump:\n", 301 s->active_locty, 302 locty, s->loc[locty].state); Fixes: Coverity CID 1487240 Signed-off-by: Philippe Mathieu-Daudé <f4...@amsat.org> --- hw/tpm/tpm_tis_common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c index e700d82181..5b1055033e 100644 --- a/hw/tpm/tpm_tis_common.c +++ b/hw/tpm/tpm_tis_common.c @@ -295,6 +295,7 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr addr) uint8_t locty = tpm_tis_locality_from_addr(addr); hwaddr base = addr & ~0xfff; + assert(TPM_TIS_IS_VALID_LOCTY(locty)); printf("tpm_tis: active locality : %d\n" "tpm_tis: state of locality %d : %d\n" "tpm_tis: register dump:\n", -- 2.35.1
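
Review bot: The added assert(TPM_TIS_IS_VALID_LOCTY(locty)) in tpm_tis_dump_state() turns an out-of-range locality into a process abort, and neither the hunk nor the commit message states why an addr that decodes to 5..7 can never reach this function. The commit message itself notes that tpm_tis_locality_from_addr() can return up to 7 while s->loc[] has 5 elements, so the invariant depends on the callers, which are not visible here. Please either add a one-line comment above the assert naming the caller-side check that guarantees a valid locality, or, since this is only a state dump, bail out early on an invalid locty instead of aborting (for example, if (!TPM_TIS_IS_VALID_LOCTY(locty)) { return; }). Placing the check directly after the locty declaration and before the first s->loc[locty] use is right; only the failure mode and its justification need attention.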