authorStefan Reinauer <reinauer@chromium.org>2011-10-10 10:25:20 -0700
committerStefan Reinauer <reinauer@chromium.org>2011-10-10 15:37:39 -0700
commit89c1a3b3efc0bdb0aee3641e2a62f8aee13b0d3c (patch)
tree4b42abce994a5101d7af19a6cd81627f37bb520a
parent7b32cad272100b570be27eb7d7aeeadbfb832550 (diff)
Fix potential NULL pointer dereference in vboot_kernel.c
In the unlikely case that params is not set or the LoadKernelParams structure is not initialized correctly, LoadKernel will exit before initializing shcall. However, in LoadKernelExit it will be used to store the function's return code, thus potentially dereferencing a NULL pointer. BUG=chrome-os-partner:6307 TEST=compile tested. Change-Id: I691c6b5054d8f77296de86834b3125de06e0e398 Reviewed-on: http://gerrit.chromium.org/gerrit/9791 Tested-by: Stefan Reinauer <reinauer@google.com> Reviewed-by: Bill Richardson <wfrichar@chromium.org> Reviewed-by: Randall Spangler <rspangler@chromium.org> Commit-Ready: Stefan Reinauer <reinauer@chromium.org>
-rw-r--r--firmware/lib/vboot_kernel.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index 6f8029a9..e38c4704 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -538,7 +538,10 @@ LoadKernelExit:
VbNvSet(vnc, VBNV_RECOVERY_REQUEST, VBERROR_SUCCESS != retval ?
recovery : VBNV_RECOVERY_NOT_REQUESTED);
- shcall->return_code = (uint8_t)retval;
+ /* If LoadKernel was called with bad parameters,
+ * shcall may not be initialized. */
+ if (shcall)
+ shcall->return_code = (uint8_t)retval;
/* Save whether the good partition's key block was fully verified */
if (good_partition_key_block_valid)