/usr/src/sys/arch/amd64/stand/fdboot/../libsa/memprobe.c

Bug Summary

File:	src/sys/arch/amd64/stand/fdboot/../libsa/memprobe.c
Warning:	line 54, column 12 Dereference of null pointer (loaded from variable 'q')

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple i386-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name memprobe.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -ffreestanding -target-cpu i586 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sys/arch/amd64/stand/fdboot/obj -nostdsysteminc -nobuiltininc -resource-dir /usr/local/lib/clang/13.0.0 -D FDBOOT -D MDRANDOM -D FDBOOT -D _STANDALONE -D __INTERNAL_LIBSA_CREAD -I /usr/src/sys/arch/amd64/stand/fdboot/../../../.. -I /usr/src/sys/arch/amd64/stand/fdboot/../libsa -I . -I /usr/src/sys/arch/amd64/stand/fdboot -D BOOTMAGIC=0xc001d00d -D LINKADDR=0x40120 -D SLOW -D SMALL -D NOBYFOUR -D NO_GZIP -D DYNAMIC_CRC_TABLE -D BUILDFIXED -D HIBERNATE -D HEAP_LIMIT=0xA0000 -I /usr/src/sys/arch/amd64/stand/fdboot/../../../../stand/boot -Oz -fdebug-compilation-dir=/usr/src/sys/arch/amd64/stand/fdboot/obj -ferror-limit 19 -fwrapv -fno-builtin -fgnuc-version=4.2.1 -fpack-struct=1 -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/sys/arch/amd64/stand/fdboot/../libsa/memprobe.c

1/*	$OpenBSD: memprobe.c,v 1.19 2021/01/28 18:54:52 deraadt Exp $	*/

3/*
* Copyright (c) 1997-1999 Michael Shalayeff
* Copyright (c) 1997-1999 Tobias Weingartner
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
*    notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
*    notice, this list of conditions and the following disclaimer in the
*    documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/

31#include <sys/param.h>
32#include <machine/biosvar.h>
33#include <dev/isa/isareg.h>
34#include <stand/boot/bootarg.h>
35#include "libsa.h"

37u_int cnvmem, extmem;		/* XXX - compatibility */

39bios_memmap_t bios_memmap[64];	/* This is easier */

41/*
* Check gateA20
*
* A sanity check.
*/
46static __inline int
47checkA20(void)
48{
register char *p = (char *)0x100000;
register char *q = (char *)0x000000;
7
←
'q' initialized to a null pointer value→
int st;

/* Simple check */
if (*p != *q)
8
←
Dereference of null pointer (loaded from variable 'q')
return 1;

/* Complex check */
*p = ~(*p);
st = (*p != *q);
*p = ~(*p);

return st;
63}

65/*
* BIOS int 15, AX=E820
*
* This is the "preferred" method.
*/
70static __inline bios_memmap_t *
71bios_E820(bios_memmap_t *mp)
72{
int rc, off = 0, sig, gotcha = 0;

do {
BIOS_regs.biosr_es = ((u_int)(mp) >> 4);
__asm volatile(DOINT(0x15)"int $0x20+(" "0x15" ")" "; setc %b1"
    : "=a" (sig), "=d" (rc), "=b" (off)
    : "0" (0xE820), "1" (0x534d4150), "b" (off),
      "c" (sizeof(*mp)), "D" (((u_int)mp) & 0xf)
    : "cc", "memory");
off = BIOS_regs.biosr_bx;

if (rc & 0xff || sig != 0x534d4150)
	break;
gotcha++;
if (!mp->type)
	mp->type = BIOS_MAP_RES0x02;
mp++;
} while (off);

if (!gotcha)
return NULL((void *)0);
94#ifdef DEBUG
printf("0x15[E820] ");
96#endif
return mp;
98}

100/*
* BIOS int 15, AX=8800
*
* Only used if int 15, AX=E801 does not work.
* Machines with this are restricted to 64MB.
*/
106static __inline bios_memmap_t *
107bios_8800(bios_memmap_t *mp)
108{
int rc, mem;

__asm volatile(DOINT(0x15)"int $0x20+(" "0x15" ")" "; setc %b0"
   : "=c" (rc), "=a" (mem) : "a" (0x8800));

if (rc & 0xff)
return NULL((void *)0);
116#ifdef DEBUG
printf("0x15[8800] ");
118#endif
/* Fill out a BIOS_MAP */
mp->addr = 1024 * 1024;		/* 1MB */
mp->size = (mem & 0xffff) * 1024;
mp->type = BIOS_MAP_FREE0x01;

return ++mp;
125}

127/*
* BIOS int 0x12 Get Conventional Memory
*
* Only used if int 15, AX=E820 does not work.
*/
132static __inline bios_memmap_t *
133bios_int12(bios_memmap_t *mp)
134{
int mem;
136#ifdef DEBUG
printf("0x12 ");
138#endif
__asm volatile(DOINT(0x12)"int $0x20+(" "0x12" ")" : "=a" (mem) :: "%ecx", "%edx", "cc");

/* Fill out a bios_memmap_t */
mp->addr = 0;
mp->size = (mem & 0xffff) * 1024;
mp->type = BIOS_MAP_FREE0x01;

return ++mp;
147}

149/*
* addrprobe(kloc): Probe memory at address kloc * 1024.
*
* This is a hack, but it seems to work ok.  Maybe this is
* the *real* way that you are supposed to do probing???
*
* Modify the original a bit.  We write everything first, and
* then test for the values.  This should croak on machines that
* return values just written on non-existent memory...
*
* BTW: These machines are pretty broken IMHO.
*
* XXX - Does not detect aliased memory.
*/
163const u_int addrprobe_pat[] = {
0x00000000, 0xFFFFFFFF,
0x01010101, 0x10101010,
0x55555555, 0xCCCCCCCC
167};
168static int
169addrprobe(u_int kloc)
170{
volatile u_int *loc;
register u_int i, ret = 0;
u_int save[nitems(addrprobe_pat)(sizeof((addrprobe_pat)) / sizeof((addrprobe_pat)[0]))];

/* Get location */
loc = (int *)(intptr_t)(kloc * 1024);

save[0] = *loc;
/* Probe address */
for (i = 0; i < nitems(addrprobe_pat)(sizeof((addrprobe_pat)) / sizeof((addrprobe_pat)[0])); i++) {
*loc = addrprobe_pat[i];
if (*loc != addrprobe_pat[i])
	ret++;
}
*loc = save[0];

if (!ret) {
/* Write address */
for (i = 0; i < nitems(addrprobe_pat)(sizeof((addrprobe_pat)) / sizeof((addrprobe_pat)[0])); i++) {
	save[i] = loc[i];
	loc[i] = addrprobe_pat[i];
}

/* Read address */
for (i = 0; i < nitems(addrprobe_pat)(sizeof((addrprobe_pat)) / sizeof((addrprobe_pat)[0])); i++) {
	if (loc[i] != addrprobe_pat[i])
		ret++;
	loc[i] = save[i];
}
}

return ret;
203}

205/*
* Probe for all extended memory.
*
* This is only used as a last resort.  If we resort to this
* routine, we are getting pretty desperate.  Hopefully nobody
* has to rely on this after all the work above.
*
* XXX - Does not detect aliased memory.
* XXX - Could be destructive, as it does write.
*/
215static __inline bios_memmap_t *
216badprobe(bios_memmap_t *mp)
217{
u_int64_t ram;
219#ifdef DEBUG
printf("scan ");
221#endif
/*
* probe extended memory
*
* There is no need to do this in assembly language.  This is
* much easier to debug in C anyways.
*/
for (ram = 1024; ram < 512 * 1024; ram += 4)
if (addrprobe(ram))
	break;

mp->addr = 1024 * 1024;
mp->size = (ram - 1024) * 1024;
mp->type = BIOS_MAP_FREE0x01;

return ++mp;
237}

239void
240memprobe(void)
241{
bios_memmap_t *pm = bios_memmap, *im;

244#ifdef DEBUG
printf(" mem(");
246#else
printf(" mem[");
248#endif

if ((pm = bios_E820(bios_memmap)) == NULL((void *)0)) {
1
Assuming the condition is false→
2
←
Taking false branch→
im = bios_int12(bios_memmap);
pm = bios_8800(im);
if (pm == NULL((void *)0))
	pm = badprobe(im);
if (pm == NULL((void *)0)) {
	printf(" No Extended memory detected.");
	pm = im;
}
}
pm->type = BIOS_MAP_END0x00;

/* XXX - gotta peephole optimize the list */

264#ifdef DEBUG
printf(")[");
266#endif

/* XXX - Compatibility, remove later (smpprobe() relies on it) */
extmem = cnvmem = 0;
for (im = bios_memmap; im->type != BIOS_MAP_END0x00; im++) {
3
←
Assuming field 'type' is equal to BIOS_MAP_END→
4
←
Loop condition is false. Execution continues on line 307→
/* Count only "good" memory chunks 12K and up in size */
if ((im->type == BIOS_MAP_FREE0x01) && (im->size >= 12 * 1024)) {
	if (im->size > 1024 * 1024)
		printf("%uM ", (u_int)(im->size /
		    (1024 * 1024)));
	else
		printf("%uK ", (u_int)im->size / 1024);

	/*
	 * Compute compatibility values:
	 * cnvmem -- is the upper boundary of conventional
	 *	memory (below IOM_BEGIN (=640k))
	 * extmem -- is the size of the contiguous extended
	 *	memory segment starting at 1M
	 *
	 * We ignore "good" memory in the 640K-1M hole.
	 * We drop "machine {cnvmem,extmem}" commands.
	 */
	if (im->addr < IOM_BEGIN0x0a0000)
		cnvmem = max(cnvmem,(((cnvmem)>(im->addr + im->size))? (cnvmem) : (im->
addr + im->size))
		    im->addr + im->size)(((cnvmem)>(im->addr + im->size))? (cnvmem) : (im->
addr + im->size)) / 1024;
	if (im->addr >= IOM_END0x100000 &&
	    (im->addr / 1024) == (extmem + 1024))
		extmem += im->size / 1024;
}
}

/*
* Adjust extmem to be no more than 4G (which it usually is not
* anyways).  In order for an x86 type machine (amd64/etc) to use
* more than 4GB of memory, it will need to grok and use the bios
* memory map we pass it.  Note that above we only count CONTIGUOUS
* memory from the 1MB boundary on for extmem (think I/O holes).
*
* extmem is in KB, and we have 4GB - 1MB (base/io hole) worth of it.
*/
if (extmem > 4 * 1024 * 1024 - 1024)
5
←
Taking false branch→
extmem = 4 * 1024 * 1024 - 1024;

/* Check if gate A20 is on */
printf("a20=o%s] ", checkA20()? "n" : "ff!");
6
←
Calling 'checkA20'→
312}

314void
315dump_biosmem(bios_memmap_t *tm)
316{
register bios_memmap_t *p;
register u_int total = 0;

if (tm == NULL((void *)0))
tm = bios_memmap;

for (p = tm; p->type != BIOS_MAP_END0x00; p++) {
printf("Region %ld: type %u at 0x%llx for %uKB\n",
    (long)(p - tm), p->type, p->addr,
    (u_int)(p->size / 1024));

if (p->type == BIOS_MAP_FREE0x01)
	total += p->size / 1024;
}

printf("Low ram: %dKB  High ram: %dKB\n", cnvmem, extmem);
printf("Total free memory: %uKB\n", total);
334}

336int
337mem_limit(long long ml)
338{
register bios_memmap_t *p;

for (p = bios_memmap; p->type != BIOS_MAP_END0x00; p++) {
register int64_t sp = p->addr, ep = p->addr + p->size;

if (p->type != BIOS_MAP_FREE0x01)
	continue;

/* Wholly above limit, nuke it */
if ((sp >= ml) && (ep >= ml)) {
	bcopy (p + 1, p, (char *)bios_memmap +((void)memmove((p),(p + 1),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)p)))
	       sizeof(bios_memmap) - (char *)p)((void)memmove((p),(p + 1),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)p)));
} else if ((sp < ml) && (ep >= ml)) {
	p->size -= (ep - ml);
}
}
return 0;
356}

358int
359mem_delete(long long sa, long long ea)
360{
register bios_memmap_t *p;

for (p = bios_memmap; p->type != BIOS_MAP_END0x00; p++) {
if (p->type == BIOS_MAP_FREE0x01) {
	register int64_t sp = p->addr, ep = p->addr + p->size;

	/* can we eat it as a whole? */
	if ((sa - sp) <= PAGE_SIZE(1 << 12) && (ep - ea) <= PAGE_SIZE(1 << 12)) {
		bcopy(p + 1, p, (char *)bios_memmap +((void)memmove((p),(p + 1),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)p)))
		    sizeof(bios_memmap) - (char *)p)((void)memmove((p),(p + 1),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)p)));
		break;
	/* eat head or legs */
	} else if (sa <= sp && sp < ea) {
		p->addr = ea;
		p->size = ep - ea;
		break;
	} else if (sa < ep && ep <= ea) {
		p->size = sa - sp;
		break;
	} else if (sp < sa && ea < ep) {
		/* bite in half */
		bcopy(p, p + 1, (char *)bios_memmap +((void)memmove((p + 1),(p),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)p - sizeof(bios_memmap[0]))))
		    sizeof(bios_memmap) - (char *)p -((void)memmove((p + 1),(p),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)p - sizeof(bios_memmap[0]))))
		    sizeof(bios_memmap[0]))((void)memmove((p + 1),(p),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)p - sizeof(bios_memmap[0]))));
		p[1].addr = ea;
		p[1].size = ep - ea;
		p->size = sa - sp;
		break;
	}
}
}
return 0;
393}

395int
396mem_add(long long sa, long long ea)
397{
register bios_memmap_t *p;

for (p = bios_memmap; p->type != BIOS_MAP_END0x00; p++) {
if (p->type == BIOS_MAP_FREE0x01) {
	register int64_t sp = p->addr, ep = p->addr + p->size;

	/* is it already there? */
	if (sp <= sa && ea <= ep) {
		break;
	/* join head or legs */
	} else if (sa < sp && sp <= ea) {
		p->addr = sa;
		p->size = ep - sa;
		break;
	} else if (sa <= ep && ep < ea) {
		p->size = ea - sp;
		break;
	} else if (ea < sp) {
		/* insert before */
		bcopy(p, p + 1, (char *)bios_memmap +((void)memmove((p + 1),(p),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)(p - 1))))
		    sizeof(bios_memmap) - (char *)(p - 1))((void)memmove((p + 1),(p),((char *)bios_memmap + sizeof(bios_memmap
) - (char *)(p - 1))));
		p->addr = sa;
		p->size = ea - sa;
		break;
	}
}
}

/* meaning add new item at the end of the list */
if (p->type == BIOS_MAP_END0x00) {
p[1] = p[0];
p->type = BIOS_MAP_FREE0x01;
p->addr = sa;
p->size = ea - sa;
}

return 0;
435}

437void
438mem_pass(void)
439{
bios_memmap_t *p;

for (p = bios_memmap; p->type != BIOS_MAP_END0x00; p++)
;
addbootarg(BOOTARG_MEMMAP0, (p - bios_memmap + 1) * sizeof *bios_memmap,
   bios_memmap);
446}