src/arch/x86: Prevent attack on null pointer dereference

Clang Static Analyzer version 8.0.0 detects null pointer argument in call to memory copy function. Add sanity check for pointer header to prevent null pointer dereference. TEST=Built and boot up to kernel. Change-Id: I7027b7cae3009a5481048bfa0536a6cbd9bef683 Signed-off-by: John Zhao <john.zhao@intel.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/33051 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Lance Zhao <lance.zhao@gmail.com> Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
2019-05-28 16:48:14 -07:00 · 2019-05-28 16:48:14 -07:00 · 2ba303e49d
parent 742df5ad34
commit 2ba303e49d
1 changed files with 52 additions and 1 deletions
--- a/src/arch/x86/acpi.c
+++ b/src/arch/x86/acpi.c
@ -218,6 +218,9 @@ void acpi_create_madt(acpi_madt_t *madt)

 	memset((void *)madt, 0, sizeof(acpi_madt_t));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "APIC", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -248,6 +251,9 @@ void acpi_create_mcfg(acpi_mcfg_t *mcfg)

 	memset((void *)mcfg, 0, sizeof(acpi_mcfg_t));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "MCFG", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -302,6 +308,9 @@ static void acpi_create_tcpa(acpi_tcpa_t *tcpa)
 	if (!lasa)
 		return;

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "TCPA", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -361,6 +370,9 @@ static void acpi_create_tpm2(acpi_tpm2_t *tpm2)
 	if (!lasa)
 		tpm2_log_len = 0;

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "TPM2", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -481,6 +493,9 @@ void acpi_create_srat(acpi_srat_t *srat,

 	memset((void *)srat, 0, sizeof(acpi_srat_t));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "SRAT", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -508,6 +523,9 @@ void acpi_create_dmar(acpi_dmar_t *dmar, enum dmar_flags flags,

 	memset((void *)dmar, 0, sizeof(acpi_dmar_t));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "DMAR", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -669,6 +687,9 @@ void acpi_create_slit(acpi_slit_t *slit,

 	memset((void *)slit, 0, sizeof(acpi_slit_t));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "SLIT", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -694,6 +715,9 @@ void acpi_create_hpet(acpi_hpet_t *hpet)

 	memset((void *)hpet, 0, sizeof(acpi_hpet_t));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "HPET", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -728,6 +752,9 @@ void acpi_create_vfct(struct device *device,

 	memset((void *)vfct, 0, sizeof(struct acpi_vfct));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "VFCT", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -754,6 +781,9 @@ void acpi_create_ivrs(acpi_ivrs_t *ivrs,

 	memset((void *)ivrs, 0, sizeof(acpi_ivrs_t));

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "IVRS", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -807,6 +837,10 @@ void acpi_create_dbg2(acpi_dbg2_header_t *dbg2,
 	current = (uintptr_t)dbg2;
 	memset(dbg2, 0, sizeof(acpi_dbg2_header_t));
 	header = &(dbg2->header);
+
+	if (!header)
+		return;
+
 	header->revision = get_acpi_table_revision(DBG2);
 	memcpy(header->signature, "DBG2", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
@ -926,6 +960,9 @@ static void acpi_write_rsdt(acpi_rsdt_t *rsdt, char *oem_id, char *oem_table_id)
 {
 	acpi_header_t *header = &(rsdt->header);

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "RSDT", 4);
 	memcpy(header->oem_id, oem_id, 6);
@ -946,6 +983,9 @@ static void acpi_write_xsdt(acpi_xsdt_t *xsdt, char *oem_id, char *oem_table_id)
 {
 	acpi_header_t *header = &(xsdt->header);

+	if (!header)
+		return;
+
 	/* Fill out header fields. */
 	memcpy(header->signature, "XSDT", 4);
 	memcpy(header->oem_id, oem_id, 6);
@ -1046,7 +1086,8 @@ unsigned long acpi_create_hest_error_source(acpi_hest_t *hest,

 	memcpy(pos, data, data_len);
 	len += data_len;
-	header->length += len;
+	if (header)
+		header->length += len;

 	return len;
 }
@ -1059,6 +1100,9 @@ void acpi_write_hest(acpi_hest_t *hest,

 	memset(hest, 0, sizeof(acpi_hest_t));

+	if (!header)
+		return;
+
 	memcpy(header->signature, "HEST", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
 	memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8);
@ -1080,6 +1124,9 @@ void acpi_write_bert(acpi_bert_t *bert, uintptr_t region, size_t length)

 	memset(bert, 0, sizeof(acpi_bert_t));

+	if (!header)
+		return;
+
 	memcpy(header->signature, "BERT", 4);
 	memcpy(header->oem_id, OEM_ID, 6);
 	memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8);
@ -1101,6 +1148,10 @@ void acpi_create_fadt(acpi_fadt_t *fadt, acpi_facs_t *facs, void *dsdt)
 	acpi_header_t *header = &(fadt->header);

 	memset((void *) fadt, 0, sizeof(acpi_fadt_t));
+
+	if (!header)
+		return;
+
 	memcpy(header->signature, "FACP", 4);
 	header->length = sizeof(acpi_fadt_t);
 	header->revision = get_acpi_table_revision(FADT);