fix potential pa_range_info out of bound access

pa_range_info has only 8 elements and is accessed using pa_range as
index. pa_range is initialized to 16, potentially causing out of bound
access errors. Fix the issue by checking that pa_range is not greater
than the size of the array. Remove the now superfluous pa_range&0x8
check.

Coverity-ID: 1381865

Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Julien Grall <julien.grall@arm.com>

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index e4991df42f7b8b2efde847a98e1c36cebde3c513..5d5bb872d2d5ee51b8e1fae63df4210bd1367fd0 100644 (file)
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -1639,7 +1639,7 @@ void __init setup_virt_paging(void)
     }
 
     /* pa_range is 4 bits, but the defined encodings are only 3 bits */
-    if ( pa_range&0x8 || !pa_range_info[pa_range].pabits )
+    if ( pa_range >= ARRAY_SIZE(pa_range_info) || !pa_range_info[pa_range].pabits )
         panic("Unknown encoding of ID_AA64MMFR0_EL1.PARange %x\n", pa_range);
 
     val |= VTCR_PS(pa_range);