[coreboot-gerrit] Change in ...coreboot[master]: src/arch/x86: Prevent attack on null pointer dereference

5 Jun 2019

Felix Held has submitted this change and it was merged. ( https://review.coreboot.org/c/coreboot/+/33051 )
Change subject: src/arch/x86: Prevent attack on null pointer dereference
......................................................................
src/arch/x86: Prevent attack on null pointer dereference
Clang Static Analyzer version 8.0.0 detects null pointer argument
in call to memory copy function. Add sanity check for pointer header
to prevent null pointer dereference.
TEST=Built and boot up to kernel.
Change-Id: I7027b7cae3009a5481048bfa0536a6cbd9bef683
Signed-off-by: John Zhao john.zhao@intel.com
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33051
Tested-by: build bot (Jenkins) no-reply@coreboot.org
Reviewed-by: Lance Zhao lance.zhao@gmail.com
Reviewed-by: Felix Held felix-coreboot@felixheld.de
---
M src/arch/x86/acpi.c
1 file changed, 52 insertions(+), 1 deletion(-)
Approvals:
  build bot (Jenkins): Verified
  Felix Held: Looks good to me, approved
  Lance Zhao: Looks good to me, but someone else must approve

diff --git a/src/arch/x86/acpi.c b/src/arch/x86/acpi.c
index d1dcd03..bf9813c 100644
--- a/src/arch/x86/acpi.c
+++ b/src/arch/x86/acpi.c
@@ -218,6 +218,9 @@
memset((void *)madt, 0, sizeof(acpi_madt_t));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "APIC", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -248,6 +251,9 @@
memset((void *)mcfg, 0, sizeof(acpi_mcfg_t));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "MCFG", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -302,6 +308,9 @@
    if (!lasa)
    	return;
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "TCPA", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -361,6 +370,9 @@
    if (!lasa)
    	tpm2_log_len = 0;
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "TPM2", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -481,6 +493,9 @@
memset((void *)srat, 0, sizeof(acpi_srat_t));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "SRAT", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -508,6 +523,9 @@
memset((void *)dmar, 0, sizeof(acpi_dmar_t));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "DMAR", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -669,6 +687,9 @@
memset((void *)slit, 0, sizeof(acpi_slit_t));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "SLIT", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -694,6 +715,9 @@
memset((void *)hpet, 0, sizeof(acpi_hpet_t));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "HPET", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -728,6 +752,9 @@
memset((void *)vfct, 0, sizeof(struct acpi_vfct));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "VFCT", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -754,6 +781,9 @@
memset((void *)ivrs, 0, sizeof(acpi_ivrs_t));
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "IVRS", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -807,6 +837,10 @@
    current = (uintptr_t)dbg2;
    memset(dbg2, 0, sizeof(acpi_dbg2_header_t));
    header = &(dbg2->header);
+
+	if (!header)
+		return;
+
    header->revision = get_acpi_table_revision(DBG2);
    memcpy(header->signature, "DBG2", 4);
    memcpy(header->oem_id, OEM_ID, 6);
@@ -926,6 +960,9 @@
 {
    acpi_header_t *header = &(rsdt->header);
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "RSDT", 4);
    memcpy(header->oem_id, oem_id, 6);
@@ -946,6 +983,9 @@
 {
    acpi_header_t *header = &(xsdt->header);
+	if (!header)
+		return;
+
    /* Fill out header fields. */
    memcpy(header->signature, "XSDT", 4);
    memcpy(header->oem_id, oem_id, 6);
@@ -1046,7 +1086,8 @@
memcpy(pos, data, data_len);
    len += data_len;
-	header->length += len;
+	if (header)
+		header->length += len;
return len;
 }
@@ -1059,6 +1100,9 @@
memset(hest, 0, sizeof(acpi_hest_t));
+	if (!header)
+		return;
+
    memcpy(header->signature, "HEST", 4);
    memcpy(header->oem_id, OEM_ID, 6);
    memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8);
@@ -1080,6 +1124,9 @@
memset(bert, 0, sizeof(acpi_bert_t));
+	if (!header)
+		return;
+
    memcpy(header->signature, "BERT", 4);
    memcpy(header->oem_id, OEM_ID, 6);
    memcpy(header->oem_table_id, ACPI_TABLE_CREATOR, 8);
@@ -1101,6 +1148,10 @@
    acpi_header_t *header = &(fadt->header);
memset((void *) fadt, 0, sizeof(acpi_fadt_t));
+
+	if (!header)
+		return;
+
    memcpy(header->signature, "FACP", 4);
    header->length = sizeof(acpi_fadt_t);
    header->revision = get_acpi_table_revision(FADT);
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/33051
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I7027b7cae3009a5481048bfa0536a6cbd9bef683
Gerrit-Change-Number: 33051
Gerrit-PatchSet: 3
Gerrit-Owner: John Zhao john.zhao@intel.com
Gerrit-Reviewer: Balaji Manigandan balaji.manigandan@intel.com
Gerrit-Reviewer: Felix Held felix-coreboot@felixheld.de
Gerrit-Reviewer: John Zhao john.zhao@intel.com
Gerrit-Reviewer: Lance Zhao lance.zhao@gmail.com
Gerrit-Reviewer: Martin Roth martinroth@google.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-MessageType: merged



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in ...coreboot[master]: src/arch/x86: Prevent attack on null pointer dereference