[U-Boot] [PATCH] x86: zImage: avoid potential NULL dereference

Heinrich Schuchardt xypron.glpk at gmx.de
Sat Apr 15 16:30:21 UTC 2017 

On 04/15/2017 06:12 PM, Tom Rini wrote:
> On Sat, Apr 15, 2017 at 03:58:55PM +0200, Heinrich Schuchardt wrote:
> 
>> If bootargs is not assigned getenv("bootargs") will
>> return NULL.
>> Some part of the code is checking for this condition.
>> Other parts dereference a possible NULL pointer.
>>
>> The problem was indicated by cppcheck.
>>
>> Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
>> ---
>>  arch/x86/lib/zimage.c | 9 +++++----
>>  1 file changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/arch/x86/lib/zimage.c b/arch/x86/lib/zimage.c
>> index aafbeb01f9..9b564340a6 100644
>> --- a/arch/x86/lib/zimage.c
>> +++ b/arch/x86/lib/zimage.c
>> @@ -48,12 +48,14 @@ static void build_command_line(char *command_line, int auto_boot)
>>  
>>  	command_line[0] = '\0';
>>  
>> -	env_command_line =  getenv("bootargs");
>> +	env_command_line = getenv("bootargs");
>> +
>> +	if (!env_command_line)
>> +		env_command_line = "";
>>  
>>  	/* set console= argument if we use a serial console */
>>  	if (!strstr(env_command_line, "console=")) {
>>  		if (!strcmp(getenv("stdout"), "serial")) {
>> -
>>  			/* We seem to use serial console */
>>  			sprintf(command_line, "console=ttyS0,%s ",
>>  				getenv("baudrate"));
>> @@ -63,8 +65,7 @@ static void build_command_line(char *command_line, int auto_boot)
>>  	if (auto_boot)
>>  		strcat(command_line, "auto ");
>>  
>> -	if (env_command_line)
>> -		strcat(command_line, env_command_line);
>> +	strcat(command_line, env_command_line);
>>  
>>  	printf("Kernel command line: \"%s\"\n", command_line);
>>  }
> 
> I think this is a false positive from cppcheck.  With env_command_line
> set to NULL, strstr will return NULL.  The only other place we use
> env_command_line is further on where we alrady have a check.  Thanks!
> 

Please, have a look at lib/string.c:
strstr(NULL, b) will happily start searching at 0x0.
So the result will depend on the memory content there.
Should the first bytes be "foo, console=bar\0" the address of "console="
will be returned.
Or maybe a security controller will stop the process due to illegal
memory access.

Best regards

Heinrich Schuchardt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170415/d30595b2/attachment.sig>

More information about the U-Boot mailing list