and volatile storage space and install variable architecture protocol\r
based on SMM variable module.\r
\r
-Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. \r
\r
**/\r
-\r
+#include <PiDxe.h>\r
#include <Protocol/VariableWrite.h>\r
#include <Protocol/Variable.h>\r
#include <Protocol/SmmCommunication.h>\r
+#include <Protocol/SmmVariable.h>\r
\r
#include <Library/UefiBootServicesTableLib.h>\r
#include <Library/UefiRuntimeServicesTableLib.h>\r
#include <Library/BaseLib.h>\r
\r
#include <Guid/EventGroup.h>\r
-#include "VariableSmmCommon.h"\r
+#include <Guid/VariableFormat.h>\r
+#include <Guid/SmmVariableCommon.h>\r
\r
EFI_HANDLE mHandle = NULL; \r
EFI_SMM_VARIABLE_PROTOCOL *mSmmVariable = NULL;\r
EFI_SMM_COMMUNICATION_PROTOCOL *mSmmCommunication = NULL;\r
UINT8 *mVariableBuffer = NULL;\r
UINT8 *mVariableBufferPhysical = NULL;\r
-EFI_GUID mSmmVariableWriteGuid = EFI_SMM_VARIABLE_WRITE_GUID;\r
UINTN mVariableBufferSize;\r
+EFI_LOCK mVariableServicesLock;\r
+\r
+/**\r
+ Acquires lock only at boot time. Simply returns at runtime.\r
+\r
+ This is a temperary function that will be removed when\r
+ EfiAcquireLock() in UefiLib can handle the call in UEFI\r
+ Runtimer driver in RT phase.\r
+ It calls EfiAcquireLock() at boot time, and simply returns\r
+ at runtime.\r
+\r
+ @param Lock A pointer to the lock to acquire.\r
\r
+**/\r
+VOID\r
+AcquireLockOnlyAtBootTime (\r
+ IN EFI_LOCK *Lock\r
+ )\r
+{\r
+ if (!EfiAtRuntime ()) {\r
+ EfiAcquireLock (Lock);\r
+ }\r
+}\r
+\r
+/**\r
+ Releases lock only at boot time. Simply returns at runtime.\r
+\r
+ This is a temperary function which will be removed when\r
+ EfiReleaseLock() in UefiLib can handle the call in UEFI\r
+ Runtimer driver in RT phase.\r
+ It calls EfiReleaseLock() at boot time and simply returns\r
+ at runtime.\r
+\r
+ @param Lock A pointer to the lock to release.\r
+\r
+**/\r
+VOID\r
+ReleaseLockOnlyAtBootTime (\r
+ IN EFI_LOCK *Lock\r
+ )\r
+{\r
+ if (!EfiAtRuntime ()) {\r
+ EfiReleaseLock (Lock);\r
+ }\r
+}\r
\r
/**\r
Initialize the communicate buffer using DataSize and Function.\r
EFI_STATUS Status;\r
UINTN PayloadSize;\r
SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;\r
+ UINTN SmmCommBufPayloadSize;\r
+ UINTN TempDataSize;\r
\r
if (VariableName == NULL || VendorGuid == NULL || DataSize == NULL) {\r
return EFI_INVALID_PARAMETER;\r
if ((*DataSize != 0) && (Data == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ //\r
+ // SMM Communication Buffer max payload size\r
+ //\r
+ SmmCommBufPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);\r
+ TempDataSize = *DataSize;\r
+\r
+ //\r
+ // If VariableName exceeds SMM payload limit. Return failure\r
+ //\r
+ if (StrSize (VariableName) > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
//\r
- PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName);\r
+ if (TempDataSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - StrSize (VariableName)) {\r
+ //\r
+ // If output data buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r
+ //\r
+ TempDataSize = SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - StrSize (VariableName);\r
+ }\r
+ PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName) + TempDataSize;\r
+\r
Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_GET_VARIABLE);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmVariableHeader != NULL);\r
\r
CopyGuid (&SmmVariableHeader->Guid, VendorGuid);\r
- SmmVariableHeader->DataSize = *DataSize;\r
+ SmmVariableHeader->DataSize = TempDataSize;\r
SmmVariableHeader->NameSize = StrSize (VariableName);\r
if (Attributes == NULL) {\r
SmmVariableHeader->Attributes = 0;\r
//\r
// Get data from SMM.\r
//\r
- *DataSize = SmmVariableHeader->DataSize;\r
+ if (Status == EFI_SUCCESS || Status == EFI_BUFFER_TOO_SMALL) {\r
+ //\r
+ // SMM CommBuffer DataSize can be a trimed value\r
+ // Only update DataSize when needed\r
+ //\r
+ *DataSize = SmmVariableHeader->DataSize;\r
+ }\r
if (Attributes != NULL) {\r
*Attributes = SmmVariableHeader->Attributes;\r
}\r
\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
\r
CopyMem (Data, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize, SmmVariableHeader->DataSize);\r
\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
return Status;\r
}\r
\r
EFI_STATUS Status;\r
UINTN PayloadSize;\r
SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *SmmGetNextVariableName;\r
+ UINTN SmmCommBufPayloadSize;\r
\r
if (VariableNameSize == NULL || VariableName == NULL || VendorGuid == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ //\r
+ // SMM Communication Buffer max payload size\r
+ //\r
+ SmmCommBufPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);\r
+\r
+ //\r
+ // If input string exceeds SMM payload limit. Return failure\r
+ //\r
+ if (StrSize (VariableName) > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
//\r
- PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + *VariableNameSize; \r
+ if (*VariableNameSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+ //\r
+ // If output buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r
+ //\r
+ *VariableNameSize = SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);\r
+ }\r
+ //\r
+ // Payload should be Guid + NameSize + MAX of Input & Output buffer\r
+ //\r
+ PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + MAX (*VariableNameSize, StrSize (VariableName));\r
+\r
+\r
Status = InitCommunicateBuffer ((VOID **)&SmmGetNextVariableName, PayloadSize, SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmGetNextVariableName != NULL);\r
\r
+ //\r
+ // SMM comm buffer->NameSize is buffer size for return string\r
+ //\r
SmmGetNextVariableName->NameSize = *VariableNameSize;\r
+\r
CopyGuid (&SmmGetNextVariableName->Guid, VendorGuid);\r
- CopyMem (SmmGetNextVariableName->Name, VariableName, *VariableNameSize);\r
+ //\r
+ // Copy whole string\r
+ //\r
+ CopyMem (SmmGetNextVariableName->Name, VariableName, StrSize (VariableName));\r
\r
//\r
// Send data to SMM\r
//\r
*VariableNameSize = SmmGetNextVariableName->NameSize; \r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
\r
CopyGuid (VendorGuid, &SmmGetNextVariableName->Guid);\r
CopyMem (VariableName, SmmGetNextVariableName->Name, SmmGetNextVariableName->NameSize); \r
\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
return Status;\r
}\r
\r
if (DataSize != 0 && Data == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ if (DataSize >= mVariableBufferSize) {\r
+ //\r
+ // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+ // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+ // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
+ // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+ //\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+ \r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName) + DataSize;\r
Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_SET_VARIABLE);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmVariableHeader != NULL);\r
\r
// Send data to SMM.\r
//\r
Status = SendCommunicateBuffer (PayloadSize);\r
- \r
+\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
return Status;\r
}\r
\r
if(MaximumVariableStorageSize == NULL || RemainingVariableStorageSize == NULL || MaximumVariableSize == NULL || Attributes == 0) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize;\r
//\r
- PayloadSize = sizeof (SMM_VARIABLE_COMMUNICATE_VARIABLE_INFO_ENTRY);\r
+ PayloadSize = sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO);\r
Status = InitCommunicateBuffer ((VOID **)&SmmQueryVariableInfo, PayloadSize, SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmQueryVariableInfo != NULL);\r
\r
//\r
Status = SendCommunicateBuffer (PayloadSize);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
\r
//\r
*MaximumVariableSize = SmmQueryVariableInfo->MaximumVariableSize;\r
*MaximumVariableStorageSize = SmmQueryVariableInfo->MaximumVariableStorageSize;\r
*RemainingVariableStorageSize = SmmQueryVariableInfo->RemainingVariableStorageSize; \r
- \r
- return EFI_SUCCESS;\r
+\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
+ return Status;\r
}\r
\r
\r
//\r
// Check whether the protocol is installed or not.\r
//\r
- Status = gBS->LocateProtocol (&mSmmVariableWriteGuid, NULL, (VOID **) &ProtocolOps);\r
+ Status = gBS->LocateProtocol (&gSmmVariableWriteGuid, NULL, (VOID **) &ProtocolOps);\r
if (EFI_ERROR (Status)) {\r
return;\r
}\r
/**\r
Variable Driver main entry point. The Variable driver places the 4 EFI\r
runtime services in the EFI System Table and installs arch protocols \r
- for variable read and write services being availible. It also registers\r
+ for variable read and write services being available. It also registers\r
a notification function for an EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.\r
\r
@param[in] ImageHandle The firmware allocated handle for the EFI image. \r
VOID *SmmVariableWriteRegistration;\r
EFI_EVENT OnReadyToBootEvent;\r
EFI_EVENT ExitBootServiceEvent;\r
- \r
+\r
+ EfiInitializeLock (&mVariableServicesLock, TPL_NOTIFY);\r
+\r
//\r
// Smm variable service is ready\r
//\r
// Smm Non-Volatile variable write service is ready\r
//\r
EfiCreateProtocolNotifyEvent (\r
- &mSmmVariableWriteGuid, \r
+ &gSmmVariableWriteGuid, \r
TPL_CALLBACK, \r
SmmVariableWriteReady, \r
NULL, \r
projects / mirror_edk2.git / blobdiff