From 2ba303e49d03b3e0a77a6b2adde07e38a3aa5c1a Mon Sep 17 00:00:00 2001 From: John Zhao Date: Tue, 28 May 2019 16:48:14 -0700 Subject: [PATCH] src/arch/x86: Prevent attack on null pointer dereference Clang Static Analyzer version 8.0.0 detects null pointer argument in call to memory copy function. Add sanity check for pointer header to prevent null pointer dereference. TEST=Built and boot up to kernel. Change-Id: I7027b7cae3009a5481048bfa0536a6cbd9bef683 Signed-off-by: John Zhao Reviewed-on: https://review.coreboot.org/c/coreboot/+/33051 Tested-by: build bot (Jenkins) Reviewed-by: Lance Zhao Reviewed-by: Felix Held --- src/arch/x86/acpi.c | 53 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/src/arch/x86/acpi.c b/src/arch/x86/acpi.c index d1dcd03652..bf9813cbfe 100644 --- a/src/arch/x86/acpi.c +++ b/src/arch/x86/acpi.c @@ -218,6 +218,9 @@ void acpi_create_madt(acpi_madt_t *madt) memset((void *)madt, 0, sizeof(acpi_madt_t)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "APIC", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -248,6 +251,9 @@ void acpi_create_mcfg(acpi_mcfg_t *mcfg) memset((void *)mcfg, 0, sizeof(acpi_mcfg_t)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "MCFG", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -302,6 +308,9 @@ static void acpi_create_tcpa(acpi_tcpa_t *tcpa) if (!lasa) return; + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "TCPA", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -361,6 +370,9 @@ static void acpi_create_tpm2(acpi_tpm2_t *tpm2) if (!lasa) tpm2_log_len = 0; + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "TPM2", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -481,6 +493,9 @@ void acpi_create_srat(acpi_srat_t *srat, memset((void *)srat, 0, sizeof(acpi_srat_t)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "SRAT", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -508,6 +523,9 @@ void acpi_create_dmar(acpi_dmar_t *dmar, enum dmar_flags flags, memset((void *)dmar, 0, sizeof(acpi_dmar_t)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "DMAR", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -669,6 +687,9 @@ void acpi_create_slit(acpi_slit_t *slit, memset((void *)slit, 0, sizeof(acpi_slit_t)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "SLIT", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -694,6 +715,9 @@ void acpi_create_hpet(acpi_hpet_t *hpet) memset((void *)hpet, 0, sizeof(acpi_hpet_t)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "HPET", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -728,6 +752,9 @@ void acpi_create_vfct(struct device *device, memset((void *)vfct, 0, sizeof(struct acpi_vfct)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "VFCT", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -754,6 +781,9 @@ void acpi_create_ivrs(acpi_ivrs_t *ivrs, memset((void *)ivrs, 0, sizeof(acpi_ivrs_t)); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "IVRS", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -807,6 +837,10 @@ void acpi_create_dbg2(acpi_dbg2_header_t *dbg2, current = (uintptr_t)dbg2; memset(dbg2, 0, sizeof(acpi_dbg2_header_t)); header = &(dbg2->header); + + if (!header) + return; + header->revision = get_acpi_table_revision(DBG2); memcpy(header->signature, "DBG2", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -926,6 +960,9 @@ static void acpi_write_rsdt(acpi_rsdt_t *rsdt, char *oem_id, char *oem_table_id) { acpi_header_t *header = &(rsdt->header); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "RSDT", 4); memcpy(header->oem_id, oem_id, 6); @@ -946,6 +983,9 @@ static void acpi_write_xsdt(acpi_xsdt_t *xsdt, char *oem_id, char *oem_table_id) { acpi_header_t *header = &(xsdt->header); + if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "XSDT", 4); memcpy(header->oem_id, oem_id, 6); @@ -1046,7 +1086,8 @@ unsigned long acpi_create_hest_error_source(acpi_hest_t *hest, memcpy(pos, data, data_len); len += data_len; - header->length += len; + if (header) + header->length += len; return len; } @@ -1059,6 +1100,9 @@ void acpi_write_hest(acpi_hest_t *hest, memset(hest, 0, sizeof(acpi_hest_t)); + if (!header) + return; + memcpy(header->signature, "HEST", 4); memcpy(header->oem_id, OEM_ID, 6); memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8); @@ -1080,6 +1124,9 @@ void acpi_write_bert(acpi_bert_t *bert, uintptr_t region, size_t length) memset(bert, 0, sizeof(acpi_bert_t)); + if (!header) + return; + memcpy(header->signature, "BERT", 4); memcpy(header->oem_id, OEM_ID, 6); memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8); @@ -1101,6 +1148,10 @@ void acpi_create_fadt(acpi_fadt_t *fadt, acpi_facs_t *facs, void *dsdt) acpi_header_t *header = &(fadt->header); memset((void *) fadt, 0, sizeof(acpi_fadt_t)); + + if (!header) + return; + memcpy(header->signature, "FACP", 4); header->length = sizeof(acpi_fadt_t); header->revision = get_acpi_table_revision(FADT);