From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Ard Biesheuvel, Jordan Justen
Subject: [PATCH 06/10] OvmfPkg/QemuVideoDxe: avoid arithmetic on null pointer
Date: Sat, 13 Apr 2019 01:31:24 +0200
Message-Id: <20190412233128.4756-7-lersek@redhat.com>
In-Reply-To: <20190412233128.4756-1-lersek@redhat.com>
References: <20190412233128.4756-1-lersek@redhat.com>

The real mode interrupt vector table, which we modify for the sake of
Windows 7, starts at address 0, which happens to be the representation of
null pointers on all edk2 architectures. A null pointer may never undergo
pointer arithmetic, and RH covscan justifiedly reports:

> Error: CPPCHECK_WARNING (CWE-682):
> edk2-89910a39dcfd/OvmfPkg/QemuVideoDxe/VbeShim.c:105: error[nullPointerArithmetic]: Pointer addition with NULL pointer.
> #  103|     //
> #  104|     Segment0Pages = 1;
> #  105|->   Int0x10 = (IVT_ENTRY *)(UINTN)Segment0 + 0x10;
> #  106|     Segment0AllocationStatus = gBS->AllocatePages (
> #  107|                                  AllocateAddress,

Fix this by calculating the EFI_PHYSICAL_ADDRESS of IVT entry 0x10 first,
and by casting the address to the right type second.

Cc: Ard Biesheuvel
Cc: Jordan Justen
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1710
Issue: scan-1002.txt
Signed-off-by: Laszlo Ersek
---
 OvmfPkg/QemuVideoDxe/VbeShim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.c b/OvmfPkg/QemuVideoDxe/VbeShim.c
index 69081f09e630..c23dc984d453 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.c
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.c
@@ -91,17 +91,17 @@ InstallVbeShim ( // Attempt to cover the real mode IVT with an allocation. This is a UE= FI // driver, hence the arch protocols have been installed previously. Am= ong // those, the CPU arch protocol has configured the IDT, so we can over= write // the IVT used in real mode. // // The allocation request may fail, eg. if LegacyBiosDxe has already r= un. // Segment0Pages =3D 1; - Int0x10 =3D (IVT_ENTRY *)(UINTN)Segment0 + 0x10; + Int0x10 =3D (IVT_ENTRY *)(UINTN)(Segment0 + 0x10 * sizeof (IVT_E= NTRY)); Segment0AllocationStatus =3D gBS->AllocatePages ( AllocateAddress, EfiBootServicesCode, Segment0Pages, &Segment0 ); =20 if (EFI_ERROR (Segment0AllocationStatus)) { --=20 2.19.1.3.g30247aa5d201
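Review bot: the new `Int0x10 = (IVT_ENTRY *)(UINTN)(Segment0 + 0x10 * sizeof (IVT_ENTRY));` line reads the value of Segment0 before the `gBS->AllocatePages (AllocateAddress, ..., &Segment0)` call that follows it, so the computed address is only the IVT entry if Segment0 already holds 0 at that point; that initialization is not in the visible context. A one-line comment above the assignment (or an `ASSERT (Segment0 == 0);` beside it) would make that ordering dependency explicit for the next reader, since the comment block above only explains why covering the IVT is possible. The integer-domain computation itself is the right shape: the offset is formed on an EFI_PHYSICAL_ADDRESS and the cast to IVT_ENTRY * happens once, after the arithmetic, which is exactly what removes the null-pointer addition covscan flagged.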
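The pattern the patch applies, computing the entry address as an integer and casting to the entry type only afterwards, is shown below as an added example. It is not edk2 code: the firmware types are approximated with fixed-width integers so it compiles outside the tree, and instead of segment 0 it uses a constructed buffer standing in for the real-mode IVT, with a made-up INT 10h handler at C000:0100 written into it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not edk2 code: edk2's EFI_PHYSICAL_ADDRESS and UINTN are
 * approximated here with fixed-width integer types. */
typedef uint64_t  EFI_PHYSICAL_ADDRESS;
typedef uintptr_t UINTN;

/* A real-mode IVT entry is a 4-byte far pointer: offset first, then segment.
 * Packed so sizeof (IVT_ENTRY) is exactly 4, as the patch relies on. */
#pragma pack(1)
typedef struct {
  uint16_t Offset;
  uint16_t Segment;
} IVT_ENTRY;
#pragma pack()

/* Physical address of the IVT entry for interrupt Vector, formed in the
 * integer domain from the segment base (0 for the real IVT). No pointer is
 * involved yet, so a base of 0 causes no null-pointer arithmetic. */
EFI_PHYSICAL_ADDRESS
IvtEntryAddress (EFI_PHYSICAL_ADDRESS Base, unsigned Vector)
{
  return Base + (EFI_PHYSICAL_ADDRESS)Vector * sizeof (IVT_ENTRY);
}

/* Only after the arithmetic is the address converted to the entry type. */
IVT_ENTRY *
IvtEntryPointer (EFI_PHYSICAL_ADDRESS Base, unsigned Vector)
{
  return (IVT_ENTRY *)(UINTN)IvtEntryAddress (Base, Vector);
}

/* Linear (20-bit) address encoded by a far pointer: segment * 16 + offset. */
uint32_t
FarPointerToLinear (const IVT_ENTRY *Entry)
{
  return ((uint32_t)Entry->Segment << 4) + Entry->Offset;
}

/* Constructed stand-in for segment 0: 256 entries, all zero except vector
 * 0x10, which is pointed at a made-up handler at C000:0100. */
static uint8_t ConstructedSegment0[256 * sizeof (IVT_ENTRY)];

uint32_t
DemoInt10Target (void)
{
  IVT_ENTRY            Handler = { 0x0100, 0xC000 };
  EFI_PHYSICAL_ADDRESS Base;
  IVT_ENTRY            *Int0x10;

  memset (ConstructedSegment0, 0, sizeof ConstructedSegment0);
  memcpy (ConstructedSegment0 + 0x10 * sizeof (IVT_ENTRY), &Handler,
          sizeof Handler);

  /* The buffer's address plays the role Segment0 (0) plays in the driver. */
  Base    = (EFI_PHYSICAL_ADDRESS)(UINTN)ConstructedSegment0;
  Int0x10 = IvtEntryPointer (Base, 0x10);

  return FarPointerToLinear (Int0x10);
}
```

With a base of 0 the helper yields 0x40 for vector 0x10, the same value the flagged expression produced, but without ever adding to a null pointer; the demo routine reads back the constructed handler's linear address 0xC0100 through the pointer obtained this way.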