diff mbox series

ACPI: tables: Fix NULL dereference by acpi_os_map_memory()

Message ID 9445401f-7cfb-bbb5-e25c-28f578efa212@valinux.co.jp (mailing list archive)
State Under Review
Delegated to: Rafael Wysocki
Headers show
Series ACPI: tables: Fix NULL dereference by acpi_os_map_memory() | expand

Commit Message

Kiwamu Okabe July 26, 2023, 4:52 a.m. UTC
The Infer static analyzer https://fbinfer.com/ reports following
NULL poinster dereference by the acpi_os_map_memory() function.
I believe this patch does fix the issue without any panic.

Signed-off-by: Kiwamu Okabe <okabe@valinux.co.jp>
---
 drivers/acpi/tables.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Rafael J. Wysocki July 26, 2023, 2:35 p.m. UTC | #1
On Wed, Jul 26, 2023 at 6:53 AM Kiwamu Okabe <okabe@valinux.co.jp> wrote:
>
> The Infer static analyzer https://fbinfer.com/ reports following
> NULL poinster dereference by the acpi_os_map_memory() function.
> I believe this patch does fix the issue without any panic.

Please demonstrate to me that the NULL pointer dereference can
actually happen in this code.

Thanks!

> Signed-off-by: Kiwamu Okabe <okabe@valinux.co.jp>
> ---
>  drivers/acpi/tables.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
> index 8ab0a82b4da4..ae7b7343bacf 100644
> --- a/drivers/acpi/tables.c
> +++ b/drivers/acpi/tables.c
> @@ -717,6 +717,9 @@ acpi_table_initrd_override(struct acpi_table_header *existing_table,
>         while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
>                 table = acpi_os_map_memory(acpi_tables_addr + table_offset,
>                                            ACPI_HEADER_SIZE);
> +               if (WARN_ON(!table)) {
> +                       return AE_OK;
> +               }
>                 if (table_offset + table->length > all_tables_size) {
>                         acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
>                         WARN_ON(1);
> @@ -772,6 +775,9 @@ static void __init acpi_table_initrd_scan(void)
>         while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
>                 table = acpi_os_map_memory(acpi_tables_addr + table_offset,
>                                            ACPI_HEADER_SIZE);
> +               if (WARN_ON(!table)) {
> +                       return;
> +               }
>                 if (table_offset + table->length > all_tables_size) {
>                         acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
>                         WARN_ON(1);
> --
> 2.39.2
>
Kiwamu Okabe July 26, 2023, 9:51 p.m. UTC | #2
Dear Rafael,

On 7/26/23 23:35, Rafael J. Wysocki wrote:
> On Wed, Jul 26, 2023 at 6:53 AM Kiwamu Okabe <okabe@valinux.co.jp> wrote:
>>
>> The Infer static analyzer https://fbinfer.com/ reports following
>> NULL poinster dereference by the acpi_os_map_memory() function.
>> I believe this patch does fix the issue without any panic.
> 
> Please demonstrate to me that the NULL pointer dereference can
> actually happen in this code.

The `acpi_table_initrd_override()` function potentially occurs NULL pointer
dereference on `table->length`,

```
	while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
		table = acpi_os_map_memory(acpi_tables_addr + table_offset,
					   ACPI_HEADER_SIZE);
		if (table_offset + table->length > all_tables_size) {
			acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
			WARN_ON(1);
			return AE_OK;
		}
```

because the acpi_os_map_memory() function potentially returns NULL,

```
void __iomem __ref
*acpi_os_map_iomem(acpi_physical_address phys, acpi_size size)
{
--snip--
	map = kzalloc(sizeof(*map), GFP_KERNEL);
	if (!map) {
		mutex_unlock(&acpi_ioremap_lock);
		return NULL;
	}
--snip--

void *__ref acpi_os_map_memory(acpi_physical_address phys, acpi_size size)
{
	return (void *)acpi_os_map_iomem(phys, size);
}
```

because the `kzalloc()` potentially returns NULL.

And also, the other code have NULL check to call `acpi_os_map_memory()` as
following.

```
	subtable_header = acpi_os_map_memory(address, sizeof(*subtable_header));
	if (!subtable_header)
		return -ENOMEM;
--snip--
	rsdp = acpi_os_map_memory(rsdp_address, sizeof(struct acpi_table_rsdp));
	if (!rsdp) {
		return_ACPI_STATUS(AE_NO_MEMORY);
	}
```

>> Signed-off-by: Kiwamu Okabe <okabe@valinux.co.jp>
>> ---
>>  drivers/acpi/tables.c | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
>> index 8ab0a82b4da4..ae7b7343bacf 100644
>> --- a/drivers/acpi/tables.c
>> +++ b/drivers/acpi/tables.c
>> @@ -717,6 +717,9 @@ acpi_table_initrd_override(struct acpi_table_header *existing_table,
>>         while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
>>                 table = acpi_os_map_memory(acpi_tables_addr + table_offset,
>>                                            ACPI_HEADER_SIZE);
>> +               if (WARN_ON(!table)) {
>> +                       return AE_OK;
>> +               }
>>                 if (table_offset + table->length > all_tables_size) {
>>                         acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
>>                         WARN_ON(1);
>> @@ -772,6 +775,9 @@ static void __init acpi_table_initrd_scan(void)
>>         while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
>>                 table = acpi_os_map_memory(acpi_tables_addr + table_offset,
>>                                            ACPI_HEADER_SIZE);
>> +               if (WARN_ON(!table)) {
>> +                       return;
>> +               }
>>                 if (table_offset + table->length > all_tables_size) {
>>                         acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
>>                         WARN_ON(1);
>> --
>> 2.39.2
>>
> 

Best Regards,
diff mbox series

Patch

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 8ab0a82b4da4..ae7b7343bacf 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -717,6 +717,9 @@  acpi_table_initrd_override(struct acpi_table_header *existing_table,
 	while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
 		table = acpi_os_map_memory(acpi_tables_addr + table_offset,
 					   ACPI_HEADER_SIZE);
+		if (WARN_ON(!table)) {
+			return AE_OK;
+		}
 		if (table_offset + table->length > all_tables_size) {
 			acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
 			WARN_ON(1);
@@ -772,6 +775,9 @@  static void __init acpi_table_initrd_scan(void)
 	while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
 		table = acpi_os_map_memory(acpi_tables_addr + table_offset,
 					   ACPI_HEADER_SIZE);
+		if (WARN_ON(!table)) {
+			return;
+		}
 		if (table_offset + table->length > all_tables_size) {
 			acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
 			WARN_ON(1);