From 2deff904a953c6a87331ab6830ab80e3889d9e23 Mon Sep 17 00:00:00 2001
From: Yann Gautier
Date: Fri, 6 May 2022 09:50:43 +0200
Subject: [PATCH] fix(st): fix NULL pointer dereference issues

The get_bl_mem_params_node() function could return NULL. Add asserts to check the return value is not NULL. This corrects coverity issues:
pager_mem_params = get_bl_mem_params_node(BL32_EXTRA1_IMAGE_ID);
>>> CID 378360: (NULL_RETURNS)
>>> Dereferencing "pager_mem_params", which is known to be "NULL".
paged_mem_params = get_bl_mem_params_node(BL32_EXTRA2_IMAGE_ID);
>>> CID 378360: (NULL_RETURNS)
>>> Dereferencing "paged_mem_params", which is known to be "NULL".
tos_fw_mem_params = get_bl_mem_params_node(TOS_FW_CONFIG_ID);
>>> CID 378360: (NULL_RETURNS)
>>> Dereferencing "tos_fw_mem_params", which is known to be "NULL".
Do the same for other occurrences of get_bl_mem_params_node() return not checked, in the functions plat_get_bl_image_load_info() and bl2_plat_handle_pre_image_load().
Signed-off-by: Yann Gautier
Change-Id: I79165b1628fcee3da330f2db4ee5e1dafcb1b21f
---
 plat/st/common/bl2_io_storage.c | 1 +
 plat/st/stm32mp1/bl2_plat_setup.c | 3 +++
 plat/st/stm32mp1/plat_image_load.c | 8 +++++---
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/plat/st/common/bl2_io_storage.c b/plat/st/common/bl2_io_storage.c
index 5cc339037..7cd5eb5a1 100644
--- a/plat/st/common/bl2_io_storage.c
+++ b/plat/st/common/bl2_io_storage.c
@@ -409,6 +409,7 @@ int bl2_plat_handle_pre_image_load(unsigned int image_id)
 gpt_init_done = true;
 } else {
 bl_mem_params_node_t *bl_mem_params = get_bl_mem_params_node(image_id);
+ assert(bl_mem_params != NULL);
 mmc_block_dev_spec.buffer.offset = bl_mem_params->image_info.image_base;
 mmc_block_dev_spec.buffer.length = bl_mem_params->image_info.image_max_size;
diff --git a/plat/st/stm32mp1/bl2_plat_setup.c b/plat/st/stm32mp1/bl2_plat_setup.c
index 0d554bda9..6f5fcc78c 100644
--- a/plat/st/stm32mp1/bl2_plat_setup.c
+++ b/plat/st/stm32mp1/bl2_plat_setup.c
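Review bot: The `assert(bl_mem_params != NULL)` added to bl2_plat_handle_pre_image_load() in plat/st/common/bl2_io_storage.c is only a debug-build check: TF-A normally compiles assertions out when ENABLE_ASSERTIONS is 0, the release default, so a production BL2 would still reach the `bl_mem_params->image_info.image_base` dereference if get_bl_mem_params_node() returns NULL. Since the function returns int, a runtime guard such as `if (bl_mem_params == NULL) { return -EINVAL; }` keeps the check in every build, assuming the caller treats a negative return as a load failure, which is not visible in this hunk. The same applies to the three asserts added in bl2_plat_handle_post_image_load() and to the one in plat_get_bl_image_load_info(); the latter returns a pointer, so it would need `panic()` or an equivalent fail-stop instead of an error code. The enclosing function starts and ends outside this hunk.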
@@ -463,12 +463,14 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
 /* In case of OPTEE, initialize address space with tos_fw addr */
 pager_mem_params = get_bl_mem_params_node(BL32_EXTRA1_IMAGE_ID);
+ assert(pager_mem_params != NULL);
 pager_mem_params->image_info.image_base = config_info->config_addr;
 pager_mem_params->image_info.image_max_size = config_info->config_max_size;
 /* Init base and size for pager if exist */
 paged_mem_params = get_bl_mem_params_node(BL32_EXTRA2_IMAGE_ID);
+ assert(paged_mem_params != NULL);
 paged_mem_params->image_info.image_base = STM32MP_DDR_BASE + (dt_get_ddr_size() - STM32MP_DDR_S_SIZE - STM32MP_DDR_SHMEM_SIZE);
@@ -526,6 +528,7 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
 #if !STM32MP_USE_STM32IMAGE
 bl_mem_params->ep_info.pc = bl_mem_params->image_info.image_base;
 tos_fw_mem_params = get_bl_mem_params_node(TOS_FW_CONFIG_ID);
+ assert(tos_fw_mem_params != NULL);
 bl_mem_params->image_info.image_max_size += tos_fw_mem_params->image_info.image_max_size;
 #endif /* !STM32MP_USE_STM32IMAGE */
diff --git a/plat/st/stm32mp1/plat_image_load.c b/plat/st/stm32mp1/plat_image_load.c
index 36a3a1c39..76af0fc68 100644
--- a/plat/st/stm32mp1/plat_image_load.c
+++ b/plat/st/stm32mp1/plat_image_load.c
@@ -1,14 +1,14 @@
 /*
- * Copyright (c) 2016-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2016-2022, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
-#include
-
 #include
 #include
+#include
+
 /*******************************************************************************
  * This function flushes the data structures so that they are visible
  * in memory for the next BL image.
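Review bot: The new `assert(paged_mem_params != NULL)` in the first bl2_plat_setup.c hunk sits directly under the existing comment `/* Init base and size for pager if exist */`, and the two disagree on whether the BL32_EXTRA2 node is optional. If the node can legitimately be absent, a debug build now halts here while a release build carries on into the `paged_mem_params->image_info.image_base` store, so the block should be made conditional, e.g. `if (paged_mem_params != NULL) {` around the pager setup. If the node is always registered and "if exist" refers only to the image contents, reword the comment so the assert reads as a stated invariant rather than a contradiction. The pager setup block continues past the end of this hunk.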
@@ -27,6 +27,8 @@ bl_load_info_t *plat_get_bl_image_load_info(void) bl_mem_params_node_t *bl33 = get_bl_mem_params_node(BL33_IMAGE_ID); uint32_t ddr_ns_size = stm32mp_get_ddr_ns_size(); + assert(bl33 != NULL); + /* Max size is non-secure DDR end address minus image_base */ bl33->image_info.image_max_size = STM32MP_DDR_BASE + ddr_ns_size - bl33->image_info.image_base;