John Zhao has uploaded this change for review.
src/arch/x86: Prevent attack on null pointer dereference
Clang Static Analyzer version 8.0.0 detects null pointer argument
in call to memory copy function. Add sanity check for pointer header
to prevent null pointer dereference.
TEST=Built and boot up to kernel.
Change-Id: I7027b7cae3009a5481048bfa0536a6cbd9bef683
Signed-off-by: John Zhao <john.zhao@intel.com>
---
M src/arch/x86/acpi.c
1 file changed, 52 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/51/33051/1
diff --git a/src/arch/x86/acpi.c b/src/arch/x86/acpi.c
index d1dcd03..97190d2 100644
--- a/src/arch/x86/acpi.c
+++ b/src/arch/x86/acpi.c
@@ -218,6 +218,9 @@
memset((void *)madt, 0, sizeof(acpi_madt_t));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "APIC", 4);
memcpy(header->oem_id, OEM_ID, 6);
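Review bot: The added `if (!header)` test runs after `memset((void *)madt, 0, sizeof(acpi_madt_t))`, so it cannot prevent the dereference if `header` is derived from `madt`. The declaration of `header` is outside this hunk, but the RSDT, XSDT, HEST and FADT hunks show the `&(table->header)` pattern, and in that case a null table pointer has already been written through. A guard is effective only on the table pointer and ahead of the memset, e.g. `if (!madt) return;`. The same ordering appears in the MCFG, SRAT, DMAR, SLIT, HPET, VFCT, IVRS, DBG2, HEST, BERT and FADT hunks. The enclosing function starts and ends outside the hunk.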
@@ -248,6 +251,9 @@
memset((void *)mcfg, 0, sizeof(acpi_mcfg_t));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "MCFG", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -302,6 +308,9 @@
if (!lasa)
return;
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "TCPA", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -361,6 +370,9 @@
if (!lasa)
tpm2_log_len = 0;
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "TPM2", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -481,6 +493,9 @@
memset((void *)srat, 0, sizeof(acpi_srat_t));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "SRAT", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -508,6 +523,9 @@
memset((void *)dmar, 0, sizeof(acpi_dmar_t));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "DMAR", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -669,6 +687,9 @@
memset((void *)slit, 0, sizeof(acpi_slit_t));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "SLIT", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -694,6 +715,9 @@
memset((void *)hpet, 0, sizeof(acpi_hpet_t));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "HPET", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -728,6 +752,9 @@
memset((void *)vfct, 0, sizeof(struct acpi_vfct));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "VFCT", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -754,6 +781,9 @@
memset((void *)ivrs, 0, sizeof(acpi_ivrs_t));
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "IVRS", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -807,6 +837,10 @@
current = (uintptr_t)dbg2;
memset(dbg2, 0, sizeof(acpi_dbg2_header_t));
header = &(dbg2->header);
+
+ if (!header)
+ return;
+
header->revision = get_acpi_table_revision(DBG2);
memcpy(header->signature, "DBG2", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -926,6 +960,9 @@
{
acpi_header_t *header = &(rsdt->header);
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "RSDT", 4);
memcpy(header->oem_id, oem_id, 6);
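Review bot: `header` is initialised as `&(rsdt->header)`, the address of a member, so `if (!header)` can be true only when `rsdt` is null and the member sits at offset 0. Forming that address from a null `rsdt` is already outside what C defines, so a compiler may fold the test to false and drop it. Testing the argument itself, `if (!rsdt) return;`, states the intent and does not depend on struct layout; the XSDT hunk has the same pattern. If the analyzer finding cannot be reached from any caller (callers are not visible here), a short comment saying so would be more useful than a silent return.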
@@ -946,6 +983,9 @@
{
acpi_header_t *header = &(xsdt->header);
+ if (!header)
+ return;
+
/* Fill out header fields. */
memcpy(header->signature, "XSDT", 4);
memcpy(header->oem_id, oem_id, 6);
@@ -1046,7 +1086,8 @@
memcpy(pos, data, data_len);
len += data_len;
- header->length += len;
+ if(header)
+ header->length += len;
return len;
}
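Review bot: When `header` is null at `if(header)`, the function has already executed `memcpy(pos, data, data_len)` and still returns `len`, so the caller sees a successful write while the table length was never updated. If a null header is a real possibility, the check belongs before the copy and should return the function's failure value; the start of the function, and so its convention, is outside this hunk. The spacing should also match the other hunks: `if (header)`.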
@@ -1058,6 +1099,9 @@
acpi_header_t *header = &(hest->header);
memset(hest, 0, sizeof(acpi_hest_t));
+
+ if (!header)
+ return;
memcpy(header->signature, "HEST", 4);
memcpy(header->oem_id, OEM_ID, 6);
@@ -1080,6 +1124,9 @@
memset(bert, 0, sizeof(acpi_bert_t));
+ if (!header)
+ return;
+
memcpy(header->signature, "BERT", 4);
memcpy(header->oem_id, OEM_ID, 6);
memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8);
@@ -1101,6 +1148,10 @@
acpi_header_t *header = &(fadt->header);
memset((void *) fadt, 0, sizeof(acpi_fadt_t));
+
+ if (!header)
+ return;
+
memcpy(header->signature, "FACP", 4);
header->length = sizeof(acpi_fadt_t);
header->revision = get_acpi_table_revision(FADT);