1. Fix TOCTOU issue in VariableSmm, FtwSmm, FpdtSmm, SmmCorePerformance SMM handler...
index f8e6bd58828ae592e205d4fdeafe94961cee767b..111a6cd41174f4cb581c3ec5ec6ea8c5bbd2f838 100644 (file)
@@ -15,7 +15,7 @@
   VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(), \r
   SmmVariableGetStatistics() should also do validation based on its own knowledge.\r
 \r
-Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials \r
 are licensed and made available under the terms and conditions of the BSD License \r
 which accompanies this distribution.  The full text of the license may be found at \r
@@ -44,7 +44,9 @@ EFI_HANDLE                                           mSmmVariableHandle      = N
 EFI_HANDLE                                           mVariableHandle         = NULL;\r
 BOOLEAN                                              mAtRuntime              = FALSE;\r
 EFI_GUID                                             mZeroGuid               = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}};\r
-  \r
+UINT8                                                *mVariableBufferPayload = NULL;\r
+UINTN                                                mVariableBufferPayloadSize;\r
+\r
 EFI_SMM_VARIABLE_PROTOCOL      gSmmVariable = {\r
   VariableServiceGetVariable,\r
   VariableServiceGetNextVariableName,\r
@@ -302,6 +304,8 @@ GetFvbCountAndBuffer (
   *NumberHandles = BufferSize / sizeof(EFI_HANDLE);\r
   if (EFI_ERROR(Status)) {\r
     *NumberHandles = 0;\r
+    FreePool (*Buffer);\r
+    *Buffer = NULL;\r
   }\r
 \r
   return Status;\r
@@ -337,7 +341,8 @@ SmmVariableGetStatistics (
   UINTN                                                NameLength;\r
   UINTN                                                StatisticsInfoSize;\r
   CHAR16                                               *InfoName;\r
\r
+  EFI_GUID                                             VendorGuid;\r
+\r
   ASSERT (InfoEntry != NULL);\r
   VariableInfo = gVariableInfo; \r
   if (VariableInfo == NULL) {\r
@@ -351,7 +356,9 @@ SmmVariableGetStatistics (
   }\r
   InfoName = (CHAR16 *)(InfoEntry + 1);\r
 \r
-  if (CompareGuid (&InfoEntry->VendorGuid, &mZeroGuid)) {\r
+  CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);\r
+\r
+  if (CompareGuid (&VendorGuid, &mZeroGuid)) {\r
     //\r
     // Return the first variable info\r
     //\r
@@ -365,7 +372,7 @@ SmmVariableGetStatistics (
   // Get the next variable info\r
   //\r
   while (VariableInfo != NULL) {\r
-    if (CompareGuid (&VariableInfo->VendorGuid, &InfoEntry->VendorGuid)) {\r
+    if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {\r
       NameLength = StrSize (VariableInfo->Name);\r
       if (NameLength == StrSize (InfoName)) {\r
         if (CompareMem (VariableInfo->Name, InfoName, NameLength) == 0) {\r
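Review bot: Only the GUID is snapshotted into SMRAM by this change; `InfoName`, assigned from `InfoEntry + 1` in the previous hunk, is still read straight out of the caller's buffer twice, once by `StrSize (InfoName)` and again by `CompareMem`, so the name can change between the two reads. Because `NameLength` comes from the SMRAM-resident `VariableInfo->Name`, a name shrunk in between would at worst make `CompareMem` read `NameLength` bytes past the caller's terminator; whether that stays inside the validated communication buffer depends on checks outside this hunk, so I can't call it an overrun from here. To make the TOCTOU fix complete, copy the name into a bounded SMRAM buffer next to `VendorGuid` and compare against that, with a comment such as `// Snapshot the name too: StrSize/CompareMem must not re-read non-SMRAM memory`. SmmVariableGetStatistics continues beyond this hunk.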
@@ -445,6 +452,7 @@ SmmVariableHandler (
   VARIABLE_INFO_ENTRY                              *VariableInfo;\r
   UINTN                                            InfoSize;\r
   UINTN                                            NameBufferSize;\r
+  UINTN                                            CommBufferPayloadSize;\r
 \r
   //\r
   // If input is invalid, stop processing this SMI\r
@@ -454,18 +462,32 @@ SmmVariableHandler (
   }\r
 \r
   if (*CommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
+    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));\r
+    return EFI_SUCCESS;\r
+  }\r
+  CommBufferPayloadSize = *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r
+  if (CommBufferPayloadSize > mVariableBufferPayloadSize) {\r
+    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));\r
     return EFI_SUCCESS;\r
   }\r
 \r
   if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {\r
-    DEBUG ((EFI_D_ERROR, "SMM communication buffer in SMRAM or overflow!\n"));\r
+    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));\r
     return EFI_SUCCESS;\r
   }\r
 \r
   SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;\r
   switch (SmmVariableFunctionHeader->Function) {\r
     case SMM_VARIABLE_FUNCTION_GET_VARIABLE:\r
-      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;\r
+      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r
+        DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));\r
+        return EFI_SUCCESS;\r
+      }\r
+      //\r
+      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.\r
+      //\r
+      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);\r
+      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;\r
       if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||\r
          ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {\r
         //\r
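Review bot: `*CommBufferSize` is still fetched three separate times in this hunk, at the header-size check, when `CommBufferPayloadSize` is computed, and again inside the `InternalIsAddressValid` range check, so if the size pointer can live outside SMRAM (the GetStatistics case below guards against exactly that) a concurrent writer can shrink it between the payload computation and the range check, and the following `CopyMem` of `CommBufferPayloadSize` bytes would then operate on a range that was never validated. Reading it once, `TempCommBufferSize = *CommBufferSize;`, and using that local in all three checks closes the window, with `CommBufferPayloadSize` derived from the same snapshot. Whether the SMM core always passes an SMRAM-resident size pointer is not visible here, so treat this as defense in depth. SmmVariableHandler continues outside this hunk.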
@@ -480,8 +502,8 @@ SmmVariableHandler (
       //\r
       // SMRAM range check already covered before\r
       //\r
-      if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
-        DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
+      if (InfoSize > CommBufferPayloadSize) {\r
+        DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));\r
         Status = EFI_ACCESS_DENIED;\r
         goto EXIT;\r
       }\r
@@ -501,10 +523,19 @@ SmmVariableHandler (
                  &SmmVariableHeader->DataSize,\r
                  (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize\r
                  );\r
+      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);\r
       break;\r
       \r
     case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:\r
-      GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) SmmVariableFunctionHeader->Data;\r
+      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+        DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));\r
+        return EFI_SUCCESS;\r
+      }\r
+      //\r
+      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.\r
+      //\r
+      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);\r
+      GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;\r
       if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
         //\r
         // Prevent InfoSize overflow happen\r
@@ -517,13 +548,13 @@ SmmVariableHandler (
       //\r
       // SMRAM range check already covered before\r
       //\r
-      if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
-        DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
+      if (InfoSize > CommBufferPayloadSize) {\r
+        DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));\r
         Status = EFI_ACCESS_DENIED;\r
         goto EXIT;\r
       }\r
 \r
-      NameBufferSize = *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE -  OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);\r
+      NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);\r
       if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {\r
         //\r
         // Make sure input VariableName is A Null-terminated string.\r
@@ -537,10 +568,19 @@ SmmVariableHandler (
                  GetNextVariableName->Name,\r
                  &GetNextVariableName->Guid\r
                  );\r
+      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);\r
       break;\r
       \r
     case SMM_VARIABLE_FUNCTION_SET_VARIABLE:\r
-      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;\r
+      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r
+        DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));\r
+        return EFI_SUCCESS;\r
+      }\r
+      //\r
+      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.\r
+      //\r
+      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);\r
+      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;\r
       if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||\r
          ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {\r
         //\r
@@ -556,8 +596,8 @@ SmmVariableHandler (
       // SMRAM range check already covered before\r
       // Data buffer should not contain SMM range\r
       //\r
-      if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
-        DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
+      if (InfoSize > CommBufferPayloadSize) {\r
+        DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));\r
         Status = EFI_ACCESS_DENIED;\r
         goto EXIT;\r
       }\r
@@ -580,17 +620,11 @@ SmmVariableHandler (
       break;\r
       \r
     case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:\r
-      QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;\r
-      InfoSize = sizeof(SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO);\r
-\r
-      //\r
-      // SMRAM range check already covered before\r
-      //\r
-      if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
-        DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
-        Status = EFI_ACCESS_DENIED;\r
-        goto EXIT;\r
+      if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {\r
+        DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));\r
+        return EFI_SUCCESS;\r
       }\r
+      QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;\r
 \r
       Status = VariableServiceQueryVariableInfo (\r
                  QueryVariableInfo->Attributes,\r
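Review bot: Unlike the GetVariable, GetNextVariableName and SetVariable cases, QueryVariableInfo still works in place on `SmmVariableFunctionHeader->Data` rather than on the SMRAM copy, and the undersized-buffer path now does `return EFI_SUCCESS` where the old code set `Status = EFI_ACCESS_DENIED` and went through EXIT, so the caller no longer gets a failure status for a short buffer even though the header itself has already been validated at this point. `Attributes` is passed by value and so is fetched once; if `VariableServiceQueryVariableInfo` reads through its remaining pointer arguments before writing them, those would be untrusted double-fetches, which I cannot tell from here. For consistency with the other cases, copy the payload in with `CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);`, run the service on that copy, and copy it back with `CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);` after the call. The call itself ends outside this hunk.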
@@ -624,7 +658,7 @@ SmmVariableHandler (
       //\r
      \r
       if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {\r
-        DEBUG ((EFI_D_ERROR, "SMM communication buffer in SMRAM!\n"));\r
+        DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n"));\r
         Status = EFI_ACCESS_DENIED;\r
         goto EXIT;\r
       }  \r
@@ -781,6 +815,16 @@ VariableServiceInitialize (
 \r
   mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);\r
 \r
+  mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +\r
+                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - sizeof (VARIABLE_HEADER);\r
+\r
+  Status = gSmst->SmmAllocatePool (\r
+                    EfiRuntimeServicesData,\r
+                    mVariableBufferPayloadSize,\r
+                    (VOID **)&mVariableBufferPayload\r
+                    );\r
+  ASSERT_EFI_ERROR (Status);\r
+\r
   ///\r
   /// Register SMM variable SMI handler\r
   ///\r
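Review bot: A failed `SmmAllocatePool` is only caught by `ASSERT_EFI_ERROR`, which compiles out in release builds, leaving `mVariableBufferPayload` NULL while `mVariableBufferPayloadSize` already holds a non-zero size; the handler's `CommBufferPayloadSize > mVariableBufferPayloadSize` check would then pass and its `CopyMem` would write to address zero from inside SMM. Either propagate the failure before the handler is registered, `if (EFI_ERROR (Status)) { return Status; }`, or at least reset `mVariableBufferPayloadSize = 0;` so every request is rejected. How VariableServiceInitialize handles its other error paths is not visible, as the function continues beyond this hunk.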