From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, "Rafael J. Wysocki", Len Brown, Lv Zheng, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] ACPI / tables: Fix a NULL pointer dereference in acpi_table_initrd_scan()
Date: Tue, 25 Jan 2022 01:02:37 +0800
Message-Id: <20220124170237.57718-1-zhou1615@umn.edu>

In acpi_table_initrd_scan(), the return value of acpi_os_map_memory() is assigned to table and there is a dereference of it after that. acpi_os_map_memory() will return NULL on failure, which may lead to NULL pointer dereference.

Fix this bug by adding a NULL check of table.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code.

Fixes: 5ae74f2cc2f1 ("ACPI / tables: Move table override mechanisms to tables.c")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug.

drivers/acpi/tables.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 8b10c192ed32..356e08c4015b 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c
@@ -755,6 +755,9 @@ static void __init acpi_table_initrd_scan(void) while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) { table = acpi_os_map_memory(acpi_tables_addr + table_offset, ACPI_HEADER_SIZE); + if (!table) + return; + if (table_offset + table->length > all_tables_size) { acpi_os_unmap_memory(table, ACPI_HEADER_SIZE); WARN_ON(1); -- 2.25.1
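
Review bot: The new `if (!table) return;` placed right after the acpi_os_map_memory() call leaves acpi_table_initrd_scan() silently, so a failed header mapping abandons every remaining initrd table with no diagnostic, while the size check immediately below it unmaps the header and hits WARN_ON(1). Consider reporting the failure, for example with a pr_err() that includes table_offset, or with the same WARN_ON(1), so that both failure paths in the loop are visible in the boot log. The changelog would also be stronger if it stated under what conditions acpi_os_map_memory() can fail at this point, since the note under the `---` says the report may be a false positive or hard to trigger.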