John Zhao has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/33051
Change subject: src/arch/x86: Prevent attack on null pointer dereference ......................................................................
src/arch/x86: Prevent attack on null pointer dereference
Clang Static Analyzer version 8.0.0 detects null pointer argument in call to memory copy function. Add sanity check for pointer header to prevent null pointer dereference.
TEST=Built and boot up to kernel.
Change-Id: I7027b7cae3009a5481048bfa0536a6cbd9bef683 Signed-off-by: John Zhao john.zhao@intel.com --- M src/arch/x86/acpi.c 1 file changed, 52 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/51/33051/1
diff --git a/src/arch/x86/acpi.c b/src/arch/x86/acpi.c index d1dcd03..97190d2 100644 --- a/src/arch/x86/acpi.c +++ b/src/arch/x86/acpi.c @@ -218,6 +218,9 @@
memset((void *)madt, 0, sizeof(acpi_madt_t));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "APIC", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -248,6 +251,9 @@
memset((void *)mcfg, 0, sizeof(acpi_mcfg_t));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "MCFG", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -302,6 +308,9 @@ if (!lasa) return;
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "TCPA", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -361,6 +370,9 @@ if (!lasa) tpm2_log_len = 0;
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "TPM2", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -481,6 +493,9 @@
memset((void *)srat, 0, sizeof(acpi_srat_t));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "SRAT", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -508,6 +523,9 @@
memset((void *)dmar, 0, sizeof(acpi_dmar_t));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "DMAR", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -669,6 +687,9 @@
memset((void *)slit, 0, sizeof(acpi_slit_t));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "SLIT", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -694,6 +715,9 @@
memset((void *)hpet, 0, sizeof(acpi_hpet_t));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "HPET", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -728,6 +752,9 @@
memset((void *)vfct, 0, sizeof(struct acpi_vfct));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "VFCT", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -754,6 +781,9 @@
memset((void *)ivrs, 0, sizeof(acpi_ivrs_t));
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "IVRS", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -807,6 +837,10 @@ current = (uintptr_t)dbg2; memset(dbg2, 0, sizeof(acpi_dbg2_header_t)); header = &(dbg2->header); + + if (!header) + return; + header->revision = get_acpi_table_revision(DBG2); memcpy(header->signature, "DBG2", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -926,6 +960,9 @@ { acpi_header_t *header = &(rsdt->header);
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "RSDT", 4); memcpy(header->oem_id, oem_id, 6); @@ -946,6 +983,9 @@ { acpi_header_t *header = &(xsdt->header);
+ if (!header) + return; + /* Fill out header fields. */ memcpy(header->signature, "XSDT", 4); memcpy(header->oem_id, oem_id, 6); @@ -1046,7 +1086,8 @@
memcpy(pos, data, data_len); len += data_len; - header->length += len; + if(header) + header->length += len;
return len; } @@ -1058,6 +1099,9 @@ acpi_header_t *header = &(hest->header);
memset(hest, 0, sizeof(acpi_hest_t)); + + if (!header) + return;
memcpy(header->signature, "HEST", 4); memcpy(header->oem_id, OEM_ID, 6); @@ -1080,6 +1124,9 @@
memset(bert, 0, sizeof(acpi_bert_t));
+ if (!header) + return; + memcpy(header->signature, "BERT", 4); memcpy(header->oem_id, OEM_ID, 6); memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8); @@ -1101,6 +1148,10 @@ acpi_header_t *header = &(fadt->header);
memset((void *) fadt, 0, sizeof(acpi_fadt_t)); + + if (!header) + return; + memcpy(header->signature, "FACP", 4); header->length = sizeof(acpi_fadt_t); header->revision = get_acpi_table_revision(FADT);