tree 79d62138c8aca5f5f5dc7d7af0b03fcf81755e43
parent 0f553dc2f136adefc94c433fdac967a13f457b73
author Sandrine Bailleux <sandrine.bailleux@arm.com> 1466609701 +0100
committer Sandrine Bailleux <sandrine.bailleux@arm.com> 1469447862 +0100

Validate psci_find_target_suspend_lvl() result

This patch adds a runtime check that psci_find_target_suspend_lvl()
returns a valid value back to psci_cpu_suspend() and psci_get_stat().
If it is invalid, BL31 will now panic.

Note that on the PSCI CPU suspend path there is already a debug
assertion checking the validity of the target composite power state,
which effectively also checks the validity of the target suspend level.
Therefore, the error condition would already be caught in debug builds,
but in a release build this assertion would be compiled out.

On the PSCI stat path, there is currently no debug assertion checking
the validity of the power state before using it as an index into
the power domain state array.

Although BL31 platform ports are responsible for validating the
power state parameter, the security impact (i.e. an out-of-bounds
array access) of a potential platform port bug in this code would
be quite high, given that this parameter comes from an untrusted
source. The cost of checking this in runtime generic code is low.

Change-Id: Icea85b8020e39928ac03ec0cd49805b5857b3906
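The runtime check the commit message describes, as an added C example that is not TF-A's code: the macro, type and function names are local stand-ins modelled on the project's, the stat table is constructed, and the invalid case returns an error instead of panicking so it can be exercised.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the power-domain state (assumed names, not TF-A's headers). */
#define PLAT_MAX_PWR_LVL        2                        /* levels 0..2 */
#define PSCI_INVALID_PWR_LVL    (PLAT_MAX_PWR_LVL + 1)   /* sentinel == array length */
#define PSCI_LOCAL_STATE_RUN    0U

typedef struct {
    uint8_t pwr_domain_state[PLAT_MAX_PWR_LVL + 1];
} psci_power_state_t;

/* Constructed sample stat table indexed by power level: the kind of array
 * the message says was indexed without a prior validity check. */
static const unsigned int stat_residency[PLAT_MAX_PWR_LVL + 1] = { 10, 200, 3000 };

/* Highest level whose local state is not RUN, or PSCI_INVALID_PWR_LVL when
 * every level is RUN. A platform port bug that hands back an all-RUN state
 * therefore yields an index one past the end of stat_residency. */
static int find_target_suspend_lvl(const psci_power_state_t *state_info)
{
    for (int lvl = PLAT_MAX_PWR_LVL; lvl >= 0; lvl--) {
        if (state_info->pwr_domain_state[lvl] != PSCI_LOCAL_STATE_RUN)
            return lvl;
    }
    return PSCI_INVALID_PWR_LVL;
}

/* The check the commit adds. A debug assert() on the level would be
 * compiled out in release builds, so the bound is enforced here
 * unconditionally; the state ultimately derives from the untrusted
 * power_state parameter, so a wrong index must never reach the array.
 * BL31 panics at this point; this model returns -1 instead. */
int get_stat_residency(const psci_power_state_t *state_info, unsigned int *out)
{
    int lvl = find_target_suspend_lvl(state_info);

    if (lvl == PSCI_INVALID_PWR_LVL) {
        fprintf(stderr, "invalid target power level for suspend operation\n");
        return -1;
    }
    *out = stat_residency[lvl];
    return 0;
}
```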
