Fix memory overflow & VariableSize check issue for SetVariable append write.

[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / AuthService.c
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c

index 6f8808a756f67d8c036db67e436465f2a1b80221..440ede9144db4cecde60dc730b50352deffe9875 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -192,7 +192,7 @@ AutenticatedVariableServiceInitialize (
    //\r
    // Reserved runtime buffer for "Append" operation in virtual mode.\r
    //\r
-  mStorageArea  = AllocateRuntimePool (PcdGet32 (PcdMaxVariableSize));\r
+  mStorageArea  = AllocateRuntimePool (MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)));\r
    if (mStorageArea == NULL) {\r
      return EFI_OUT_OF_RESOURCES;\r
    }\r
@@ -1316,20 +1316,24 @@ ProcessVariable (
    will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA\r
    will be ignored.\r
  \r
-  @param[in, out]  Data            Pointer to original EFI_SIGNATURE_LIST.\r
-  @param[in]       DataSize        Size of Data buffer.\r
-  @param[in]       NewData         Pointer to new EFI_SIGNATURE_LIST to be appended.\r
-  @param[in]       NewDataSize     Size of NewData buffer.\r
+  @param[in, out]  Data              Pointer to original EFI_SIGNATURE_LIST.\r
+  @param[in]       DataSize          Size of Data buffer.\r
+  @param[in]       FreeBufSize       Size of free data buffer \r
+  @param[in]       NewData           Pointer to new EFI_SIGNATURE_LIST to be appended.\r
+  @param[in]       NewDataSize       Size of NewData buffer.\r
+  @param[out]      MergedBufSize     Size of the merged buffer\r
  \r
-  @return Size of the merged buffer.\r
+  @return EFI_BUFFER_TOO_SMALL if input Data buffer overflowed\r
  \r
  **/\r
-UINTN\r
+EFI_STATUS\r
  AppendSignatureList (\r
    IN  OUT VOID            *Data,\r
    IN  UINTN               DataSize,\r
+  IN  UINTN               FreeBufSize,\r
    IN  VOID                *NewData,\r
-  IN  UINTN               NewDataSize\r
+  IN  UINTN               NewDataSize,\r
+  OUT UINTN               *MergedBufSize\r
    )\r
  {\r
    EFI_SIGNATURE_LIST  *CertList;\r
@@ -1388,15 +1392,25 @@ AppendSignatureList (
          // New EFI_SIGNATURE_DATA, append it.\r
          //\r
          if (CopiedCount == 0) {\r
+          if (FreeBufSize < sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize) {\r
+            return EFI_BUFFER_TOO_SMALL;\r
+          }\r
+\r
            //\r
            // Copy EFI_SIGNATURE_LIST header for only once.\r
            //\r
+\r
            CopyMem (Tail, NewCertList, sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize);\r
            Tail = Tail + sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize;\r
+          FreeBufSize -= sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize;\r
          }\r
  \r
+        if (FreeBufSize < NewCertList->SignatureSize) {\r
+          return EFI_BUFFER_TOO_SMALL;\r
+        }\r
          CopyMem (Tail, NewCert, NewCertList->SignatureSize);\r
          Tail += NewCertList->SignatureSize;\r
+        FreeBufSize -= NewCertList->SignatureSize;\r
          CopiedCount++;\r
        }\r
  \r
@@ -1416,7 +1430,8 @@ AppendSignatureList (
      NewCertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) NewCertList + NewCertList->SignatureListSize);\r
    }\r
  \r
-  return (Tail - (UINT8 *) Data);\r
+  *MergedBufSize = (Tail - (UINT8 *) Data);\r
+  return EFI_SUCCESS;\r
  }\r
  \r
  /**\r