From 860a376817f687db31b586ec7bcf9a1db1bce7b3 Mon Sep 17 00:00:00 2001
From: Atish Patra <atishp@rivosinc.com>
Date: Wed, 20 Jul 2022 14:50:34 -0700
Subject: [PATCH] lib: sbi: Fix possible buffer overrun in counter validation

The active_events array is accessed with counter ID passed from the supervisor
software before the counter ID bound check. This may cause a buffer overrun
if a supervisor passes an invalid counter ID.

Fix this by moving the access part after the bound check.

Reported-by: Andrew Jones <ajones@ventanamicro.com>
Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
Signed-off-by: Atish Patra <atishp@rivosinc.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
---
 lib/sbi/sbi_pmu.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/sbi/sbi_pmu.c b/lib/sbi/sbi_pmu.c
index 16f915b7..5d31f58d 100644
--- a/lib/sbi/sbi_pmu.c
+++ b/lib/sbi/sbi_pmu.c
@@ -156,13 +156,13 @@ static int pmu_ctr_validate(uint32_t cidx, uint32_t *event_idx_code)
 	uint32_t event_idx_type;
 	u32 hartid = current_hartid();
 
-	event_idx_val = active_events[hartid][cidx];
-
-	if (cidx >= total_ctrs || (event_idx_val == SBI_PMU_EVENT_IDX_INVALID))
+	if (cidx >= total_ctrs)
 		return SBI_EINVAL;
 
+	event_idx_val = active_events[hartid][cidx];
 	event_idx_type = get_cidx_type(event_idx_val);
-	if (event_idx_type >= SBI_PMU_EVENT_TYPE_MAX)
+	if (event_idx_val == SBI_PMU_EVENT_IDX_INVALID ||
+	    event_idx_type >= SBI_PMU_EVENT_TYPE_MAX)
 		return SBI_EINVAL;
 
 	*event_idx_code = get_cidx_code(event_idx_val);