GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mainboard/emulation/qemu-i440fx/fw_cfg: Fix undefined behavior 

Fixes 2 reports found by undefined behavior sanitizer. Dereferencing
pointers that are not aligned to the size of access is undefiend
behavior.

Change-Id: Iaa3845308171c307f1ddc7937286aacbd00e3a10
Signed-off-by: Ryan Salsamendi <rsalsamendi@hotmail.com>
Reviewed-on: https://review.coreboot.org/20155
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This commit is contained in:
Ryan Salsamendi 2017-06-11 19:39:06 -07:00 committed by Martin Roth
parent a4677e426a
commit d4f994bbc4
1 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/mainboard/emulation/qemu-i440fx/fw_cfg.c
View File

@ -17,6 +17,7 @@
#include <console/console.h> #include <console/console.h>
#include <arch/io.h> #include <arch/io.h>
#include <arch/acpigen.h> #include <arch/acpigen.h>
#include <commonlib/endian.h>
#include "fw_cfg.h" #include "fw_cfg.h"
#include "fw_cfg_if.h" #include "fw_cfg_if.h"
@ -203,8 +204,7 @@ unsigned long fw_cfg_acpi_tables(unsigned long start)
{ {
BiosLinkerLoaderEntry *s; BiosLinkerLoaderEntry *s;
unsigned long *addrs, current; unsigned long *addrs, current;
uint32_t *ptr4; uint8_t *ptr;
uint64_t *ptr8;
int rc, i, j, src, dst, max; int rc, i, j, src, dst, max;
rc = fw_cfg_check_file("etc/table-loader"); rc = fw_cfg_check_file("etc/table-loader");
@ -220,6 +220,10 @@ unsigned long fw_cfg_acpi_tables(unsigned long start)
current = start; current = start;
for (i = 0; i < max && s[i].command != 0; i++) { for (i = 0; i < max && s[i].command != 0; i++) {
void *cksum_data;
uint32_t cksum;
uint32_t addr4;
uint64_t addr8;
switch (s[i].command) { switch (s[i].command) {
case BIOS_LINKER_LOADER_COMMAND_ALLOCATE: case BIOS_LINKER_LOADER_COMMAND_ALLOCATE:
current = ALIGN(current, s[i].alloc.align); current = ALIGN(current, s[i].alloc.align);
@ -248,13 +252,19 @@ unsigned long fw_cfg_acpi_tables(unsigned long start)
switch (s[i].pointer.size) { switch (s[i].pointer.size) {
case 4: case 4:
ptr4 = (uint32_t*)(addrs[dst] + s[i].pointer.offset); ptr = (uint8_t *)addrs[dst];
*ptr4 += addrs[src]; ptr += s[i].pointer.offset;
addr4 = read_le32(ptr);
addr4 += addrs[src];
write_le32(ptr, addr4);
break; break;
case 8: case 8:
ptr8 = (uint64_t*)(addrs[dst] + s[i].pointer.offset); ptr = (uint8_t *)addrs[dst];
*ptr8 += addrs[src]; ptr += s[i].pointer.offset;
addr8 = read_le64(ptr);
addr8 += addrs[src];
write_le64(ptr, addr8);
break; break;
default: default:
@ -280,10 +290,10 @@ unsigned long fw_cfg_acpi_tables(unsigned long start)
if (dst == -1) if (dst == -1)
goto err; goto err;
ptr4 = (uint32_t*)(addrs[dst] + s[i].cksum.offset); ptr = (uint8_t *)(addrs[dst] + s[i].cksum.offset);
*ptr4 = 0; cksum_data = (void *)(addrs[dst] + s[i].cksum.start);
*ptr4 = acpi_checksum((void *)(addrs[dst] + s[i].cksum.start), cksum = acpi_checksum(cksum_data, s[i].cksum.length);
s[i].cksum.length); write_le32(ptr, cksum);
break; break;
default: default: