Fix an issue in the PCD service to prevent potential out of bound array access

[mirror_edk2.git] / MdeModulePkg / Universal / CapsulePei / UefiCapsule.c

diff --git a/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c b/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c
index f5dd85b2b60072e839fa38e3b95745cfe6556357..23bf2026d461fa3b1a74165010e76c2389b5e811 100644 (file)
--- a/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c
+++ b/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c
@@ -1,7 +1,7 @@
 /** @file\r
   Capsule update PEIM for UEFI2.0\r
 \r
 /** @file\r
   Capsule update PEIM for UEFI2.0\r
 \r

-Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>\r

 \r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions\r
 \r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions\r


@@ -574,6 +574,7 @@ GetCapsuleDescriptors (
   TempVarName       = NULL;\r
   CapsuleVarName[0] = 0;\r
   ValidIndex        = 0;\r
   TempVarName       = NULL;\r
   CapsuleVarName[0] = 0;\r
   ValidIndex        = 0;\r

+  CapsuleDataPtr64  = 0;\r

   \r
   Status = PeiServicesLocatePpi (\r
               &gEfiPeiReadOnlyVariable2PpiGuid,\r
   \r
   Status = PeiServicesLocatePpi (\r
               &gEfiPeiReadOnlyVariable2PpiGuid,\r


@@ -745,6 +746,7 @@ CapsuleCoalesce (
   Index                   = 0;\r
   VariableCount           = 0;\r
   CapsuleVarName[0]       = 0;\r
   Index                   = 0;\r
   VariableCount           = 0;\r
   CapsuleVarName[0]       = 0;\r

+  CapsuleDataPtr64        = 0;\r

 \r
   //\r
   // Someone should have already ascertained the boot mode. If it's not\r
 \r
   //\r
   // Someone should have already ascertained the boot mode. If it's not\r


@@ -987,25 +989,28 @@ CreateState (
   EFI_CAPSULE_PEIM_PRIVATE_DATA *PrivateData;\r
   UINTN                         Size;\r
   EFI_PHYSICAL_ADDRESS          NewBuffer;\r
   EFI_CAPSULE_PEIM_PRIVATE_DATA *PrivateData;\r
   UINTN                         Size;\r
   EFI_PHYSICAL_ADDRESS          NewBuffer;\r

-  UINT32                        *DataPtr;\r
-  UINT32                        CapsuleNumber;\r
+  UINTN                         CapsuleNumber;\r

   UINT32                        Index;\r
   EFI_PHYSICAL_ADDRESS          BaseAddress;\r
   UINT64                        Length;\r
  \r
   UINT32                        Index;\r
   EFI_PHYSICAL_ADDRESS          BaseAddress;\r
   UINT64                        Length;\r
  \r

-  DataPtr        = NULL;\r
-  CapsuleNumber  = 0;\r

   PrivateData    = (EFI_CAPSULE_PEIM_PRIVATE_DATA *) CapsuleBase;\r
   if (PrivateData->Signature != EFI_CAPSULE_PEIM_PRIVATE_DATA_SIGNATURE) {\r
     return EFI_VOLUME_CORRUPTED;\r
   }\r
   PrivateData    = (EFI_CAPSULE_PEIM_PRIVATE_DATA *) CapsuleBase;\r
   if (PrivateData->Signature != EFI_CAPSULE_PEIM_PRIVATE_DATA_SIGNATURE) {\r
     return EFI_VOLUME_CORRUPTED;\r
   }\r

+  if (PrivateData->CapsuleAllImageSize >= MAX_ADDRESS) {\r
+    DEBUG ((EFI_D_ERROR, "CapsuleAllImageSize too big - 0x%lx\n", PrivateData->CapsuleAllImageSize));\r
+    return EFI_OUT_OF_RESOURCES;\r
+  }\r
+  if (PrivateData->CapsuleNumber >= MAX_ADDRESS) {\r
+    DEBUG ((EFI_D_ERROR, "CapsuleNumber too big - 0x%lx\n", PrivateData->CapsuleNumber));\r
+    return EFI_OUT_OF_RESOURCES;\r
+  }\r

   //\r
   // Capsule Number and Capsule Offset is in the tail of Capsule data.\r
   //\r
   //\r
   // Capsule Number and Capsule Offset is in the tail of Capsule data.\r
   //\r

-  Size    = (UINTN) PrivateData->CapsuleSize;\r
-  DataPtr = (UINT32*)((UINTN)CapsuleBase + (UINTN)sizeof(EFI_CAPSULE_PEIM_PRIVATE_DATA)+ Size);\r
-  DataPtr = (UINT32*)(((UINTN) DataPtr + sizeof(UINT32) - 1) & ~(sizeof (UINT32) - 1));\r
-  CapsuleNumber = *DataPtr++;\r
+  Size          = (UINTN)PrivateData->CapsuleAllImageSize;\r
+  CapsuleNumber = (UINTN)PrivateData->CapsuleNumber;\r

   //\r
   // Allocate the memory so that it gets preserved into DXE\r
   //\r
   //\r
   // Allocate the memory so that it gets preserved into DXE\r
   //\r


@@ -1022,8 +1027,8 @@ CreateState (
   //\r
   // Copy to our new buffer for DXE\r
   //\r
   //\r
   // Copy to our new buffer for DXE\r
   //\r

-  DEBUG ((EFI_D_INFO, "Capsule copy from 0x%8X to 0x%8X with size 0x%8X\n", (UINTN) (PrivateData + 1), (UINTN) NewBuffer, Size));\r
-  CopyMem ((VOID *) (UINTN) NewBuffer, (VOID *) (UINTN) (PrivateData + 1), Size);\r
+  DEBUG ((EFI_D_INFO, "Capsule copy from 0x%8X to 0x%8X with size 0x%8X\n", (UINTN)((UINT8 *)PrivateData + sizeof(EFI_CAPSULE_PEIM_PRIVATE_DATA) + (CapsuleNumber - 1) * sizeof(UINT64)), (UINTN) NewBuffer, Size));\r
+  CopyMem ((VOID *) (UINTN) NewBuffer, (VOID *) (UINTN) ((UINT8 *)PrivateData + sizeof(EFI_CAPSULE_PEIM_PRIVATE_DATA) + (CapsuleNumber - 1) * sizeof(UINT64)), Size);\r

   //\r
   // Check for test data pattern. If it is the test pattern, then we'll\r
   // test it ans still create the HOB so that it can be used to verify\r
   //\r
   // Check for test data pattern. If it is the test pattern, then we'll\r
   // test it ans still create the HOB so that it can be used to verify\r


@@ -1039,7 +1044,7 @@ CreateState (
   // Build the UEFI Capsule Hob for each capsule image.\r
   //\r
   for (Index = 0; Index < CapsuleNumber; Index ++) {\r
   // Build the UEFI Capsule Hob for each capsule image.\r
   //\r
   for (Index = 0; Index < CapsuleNumber; Index ++) {\r

-    BaseAddress = NewBuffer + DataPtr[Index];\r
+    BaseAddress = NewBuffer + PrivateData->CapsuleOffset[Index];\r

     Length      = ((EFI_CAPSULE_HEADER *)((UINTN) BaseAddress))->CapsuleImageSize;\r
 \r
     BuildCvHob (BaseAddress, Length);\r
     Length      = ((EFI_CAPSULE_HEADER *)((UINTN) BaseAddress))->CapsuleImageSize;\r
 \r
     BuildCvHob (BaseAddress, Length);\r