sys/cpu_riscv: Validate RHCT hart_info offsets array bounds
diff --git a/common/sys/cpu_riscv.c b/common/sys/cpu_riscv.c
index 1491146e..0330b45d 100644
--- a/common/sys/cpu_riscv.c
+++ b/common/sys/cpu_riscv.c
@@ -131,6 +131,13 @@ static void init_riscv_acpi(void) {
panic(false, "riscv: missing rhct node for hartid %U", (uint64_t)hartid);
}
+ // Ensure the offsets[] array fits within the hart_info node as
+ // declared by the containing header.size.
+ uint64_t offsets_bytes = (uint64_t)hart_info->offsets_len * sizeof(uint32_t);
+ if (offsetof(struct rhct_hart_info, offsets) + offsets_bytes > hart_info->header.size) {
+ panic(false, "riscv: RHCT hart_info offsets_len exceeds node size");
+ }
+
const char *isa_string = NULL;
uint8_t mmu_type = 0;
uint8_t flags = 0;
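Review bot: The guard `offsetof(struct rhct_hart_info, offsets) + offsets_bytes > hart_info->header.size` only proves that offsets[] is consistent with the node's own declared size, and `header.size` is itself firmware-supplied; nothing in this hunk ties it to the length of the enclosing RHCT table. If the lookup that produced hart_info (outside this hunk) does not already check that the node ends inside the table, this test can pass while the array still extends past the table. The individual `offsets[i]` values, presumably used after this hunk to locate the ISA and MMU nodes, are also not bounded here and would need their own check against the table length before being dereferenced. At minimum I would state the assumption next to the check, e.g. `// header.size must already be validated against the RHCT table length`. init_riscv_acpi starts and ends outside the hunk, so the lookup and the later use of offsets[] could not be checked here.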
