
fix(st): fix NULL pointer dereference issues

The get_bl_mem_params_node() function could return NULL. Add asserts to
check the return value is not NULL.
This corrects coverity issues:
	pager_mem_params = get_bl_mem_params_node(BL32_EXTRA1_IMAGE_ID);
>>>     CID 378360:    (NULL_RETURNS)
>>>     Dereferencing "pager_mem_params", which is known to be "NULL".

	paged_mem_params = get_bl_mem_params_node(BL32_EXTRA2_IMAGE_ID);
>>>     CID 378360:    (NULL_RETURNS)
>>>     Dereferencing "paged_mem_params", which is known to be "NULL".

	tos_fw_mem_params = get_bl_mem_params_node(TOS_FW_CONFIG_ID);
>>>     CID 378360:    (NULL_RETURNS)
>>>     Dereferencing "tos_fw_mem_params", which is known to be "NULL".


Do the same for the other places where the return value of
get_bl_mem_params_node() is not checked, in the functions
plat_get_bl_image_load_info() and bl2_plat_handle_pre_image_load().

Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I79165b1628fcee3da330f2db4ee5e1dafcb1b21f
pull/1985/head
Yann Gautier 3 years ago
parent
commit
2deff904a9
  1. 1
      plat/st/common/bl2_io_storage.c
  2. 3
      plat/st/stm32mp1/bl2_plat_setup.c
  3. 8
      plat/st/stm32mp1/plat_image_load.c

1
plat/st/common/bl2_io_storage.c

@ -409,6 +409,7 @@ int bl2_plat_handle_pre_image_load(unsigned int image_id)
gpt_init_done = true;
} else {
bl_mem_params_node_t *bl_mem_params = get_bl_mem_params_node(image_id);
assert(bl_mem_params != NULL);
mmc_block_dev_spec.buffer.offset = bl_mem_params->image_info.image_base;
mmc_block_dev_spec.buffer.length = bl_mem_params->image_info.image_max_size;
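Review bot: The added `assert(bl_mem_params != NULL)` guards the dereference on the following line only in builds where assertions are compiled in; TF-A ties ENABLE_ASSERTIONS to DEBUG by default, so in a release BL2 a NULL return from get_bl_mem_params_node(image_id) would still be dereferenced. Since bl2_plat_handle_pre_image_load() returns int, a runtime check such as `if (bl_mem_params == NULL) { return -EINVAL; }` (or whichever error code this file already uses) would hold in both build types. The same applies to the three asserts added in bl2_plat_handle_post_image_load() and the one in plat_get_bl_image_load_info(), where the pointer-returning function could call `panic()` instead. The function body starts and ends outside this hunk.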

3
plat/st/stm32mp1/bl2_plat_setup.c

@ -463,12 +463,14 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
/* In case of OPTEE, initialize address space with tos_fw addr */
pager_mem_params = get_bl_mem_params_node(BL32_EXTRA1_IMAGE_ID);
assert(pager_mem_params != NULL);
pager_mem_params->image_info.image_base = config_info->config_addr;
pager_mem_params->image_info.image_max_size =
config_info->config_max_size;
/* Init base and size for pager if exist */
paged_mem_params = get_bl_mem_params_node(BL32_EXTRA2_IMAGE_ID);
assert(paged_mem_params != NULL);
paged_mem_params->image_info.image_base = STM32MP_DDR_BASE +
(dt_get_ddr_size() - STM32MP_DDR_S_SIZE -
STM32MP_DDR_SHMEM_SIZE);
@ -526,6 +528,7 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
#if !STM32MP_USE_STM32IMAGE
bl_mem_params->ep_info.pc = bl_mem_params->image_info.image_base;
tos_fw_mem_params = get_bl_mem_params_node(TOS_FW_CONFIG_ID);
assert(tos_fw_mem_params != NULL);
bl_mem_params->image_info.image_max_size +=
tos_fw_mem_params->image_info.image_max_size;
#endif /* !STM32MP_USE_STM32IMAGE */
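Review bot: The comment `/* Init base and size for pager if exist */` in the first hunk now sits directly above `assert(paged_mem_params != NULL);`, so it reads as if the BL32_EXTRA2_IMAGE_ID node were optional while the new code treats its absence as fatal. If the descriptor is always expected, the comment could say so, e.g. `/* Init base and size for paged image; its descriptor must be present */`; if it really is optional, an `if (paged_mem_params != NULL)` guard would match the comment better than an assert. Both hunks are in the middle of bl2_plat_handle_post_image_load(), whose start and end are not shown.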

8
plat/st/stm32mp1/plat_image_load.c

@ -1,14 +1,14 @@
/*
* Copyright (c) 2016-2021, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2016-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <platform_def.h>
#include <common/desc_image_load.h>
#include <plat/common/platform.h>
#include <platform_def.h>
/*******************************************************************************
* This function flushes the data structures so that they are visible
* in memory for the next BL image.
@ -27,6 +27,8 @@ bl_load_info_t *plat_get_bl_image_load_info(void)
bl_mem_params_node_t *bl33 = get_bl_mem_params_node(BL33_IMAGE_ID);
uint32_t ddr_ns_size = stm32mp_get_ddr_ns_size();
assert(bl33 != NULL);
/* Max size is non-secure DDR end address minus image_base */
bl33->image_info.image_max_size = STM32MP_DDR_BASE + ddr_ns_size -
bl33->image_info.image_base;
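Review bot: plat_get_bl_image_load_info() now calls assert(), but the include block in the first hunk lists only `<common/desc_image_load.h>`, `<plat/common/platform.h>` and `<platform_def.h>`, so the macro presumably arrives through one of them. Adding `#include <assert.h>` ahead of the project headers would keep the file from depending on a transitive include. The function continues past the end of the second hunk.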
