From: Ian Campbell Date: Thu, 16 Jul 2015 08:50:07 +0000 (+0100) Subject: xen: arm: bootfdt: Avoid reading off the front of *_cells array X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~2765 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=989f3939bd16a0e1669c179b6c5c264812a25fc2;p=xen.git xen: arm: bootfdt: Avoid reading off the front of *_cells array In device_tree_for_each_node the call to the callback was using {address,size}_cells[depth - 1], which at depth 0 could read off the front of the array. We already handled this correctly in the rest of the loop so fixup this instance as well. Reported-by: Chris (Christopher) Brand Signed-off-by: Ian Campbell Cc: Chris (Christopher) Brand Reviewed-by: Julien Grall
---
diff --git a/xen/arch/arm/bootfdt.c b/xen/arch/arm/bootfdt.c
index e100233826..74d208b5eb 100644
--- a/xen/arch/arm/bootfdt.c
+++ b/xen/arch/arm/bootfdt.c
@@ -100,6 +100,7 @@ static int __init device_tree_for_each_node(const void *fdt,
 node = fdt_next_node(fdt, node, &depth) )
 {
 const char *name = fdt_get_name(fdt, node, NULL);
+ u32 as, ss;
 if ( depth >= DEVICE_TREE_MAX_DEPTH )
 {
@@ -108,14 +109,15 @@ static int __init device_tree_for_each_node(const void *fdt,
 continue;
 }
- address_cells[depth] = device_tree_get_u32(fdt, node, "#address-cells",
- depth > 0 ? address_cells[depth-1] : 0);
- size_cells[depth] = device_tree_get_u32(fdt, node, "#size-cells",
- depth > 0 ? size_cells[depth-1] : 0);
+ as = depth > 0 ? address_cells[depth-1] : 0;
+ ss = depth > 0 ? size_cells[depth-1] : 0;
+ address_cells[depth] = device_tree_get_u32(fdt, node,
+ "#address-cells", as);
+ size_cells[depth] = device_tree_get_u32(fdt, node,
+ "#size-cells", ss);
- ret = func(fdt, node, name, depth,
- address_cells[depth-1], size_cells[depth-1], data);
+ ret = func(fdt, node, name, depth, as, ss, data);
 if ( ret != 0 )
 return ret;
 }
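Review bot: The new locals `as` and `ss` in the second hunk are undocumented, although they hold the parent's cell counts (0 at depth 0) and now feed both the property lookups and the callback. A later reader could easily change the `func(...)` call back to an indexed read, so a comment above the two assignments would help, e.g. `/* Parent's #address-cells/#size-cells; 0 at depth 0, where there is no parent entry to read. */`. Separately, the writes to `address_cells[depth]` and `size_cells[depth]` are bounded above by the `DEVICE_TREE_MAX_DEPTH` check, but nothing in the visible lines bounds `depth` from below. The `for` condition lies outside these hunks, so it is worth confirming that it stops the walk once `depth` goes negative, since the FDT is boot-supplied input. The loop body starts and ends outside the hunks shown.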