and volatile storage space and install variable architecture protocol\r
based on SMM variable module.\r
\r
-Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>\r
+ Caution: This module requires additional review when modified.\r
+ This driver will have external input - variable data.\r
+ This external input must be validated carefully to avoid security issue like\r
+ buffer overflow, integer overflow.\r
+\r
+ RuntimeServiceGetVariable() and RuntimeServiceSetVariable() are external API\r
+ to receive data buffer. The size should be checked carefully.\r
+\r
+ InitCommunicateBuffer() is really function to check the variable data size.\r
+\r
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
UINT8 *mVariableBuffer = NULL;\r
UINT8 *mVariableBufferPhysical = NULL;\r
UINTN mVariableBufferSize;\r
+EFI_LOCK mVariableServicesLock;\r
+\r
+/**\r
+ Acquires lock only at boot time. Simply returns at runtime.\r
+\r
+ This is a temperary function that will be removed when\r
+ EfiAcquireLock() in UefiLib can handle the call in UEFI\r
+ Runtimer driver in RT phase.\r
+ It calls EfiAcquireLock() at boot time, and simply returns\r
+ at runtime.\r
\r
+ @param Lock A pointer to the lock to acquire.\r
+\r
+**/\r
+VOID\r
+AcquireLockOnlyAtBootTime (\r
+ IN EFI_LOCK *Lock\r
+ )\r
+{\r
+ if (!EfiAtRuntime ()) {\r
+ EfiAcquireLock (Lock);\r
+ }\r
+}\r
+\r
+/**\r
+ Releases lock only at boot time. Simply returns at runtime.\r
+\r
+ This is a temperary function which will be removed when\r
+ EfiReleaseLock() in UefiLib can handle the call in UEFI\r
+ Runtimer driver in RT phase.\r
+ It calls EfiReleaseLock() at boot time and simply returns\r
+ at runtime.\r
+\r
+ @param Lock A pointer to the lock to release.\r
+\r
+**/\r
+VOID\r
+ReleaseLockOnlyAtBootTime (\r
+ IN EFI_LOCK *Lock\r
+ )\r
+{\r
+ if (!EfiAtRuntime ()) {\r
+ EfiReleaseLock (Lock);\r
+ }\r
+}\r
\r
/**\r
Initialize the communicate buffer using DataSize and Function.\r
The communicate size is: SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE +\r
DataSize.\r
\r
+ Caution: This function may receive untrusted input.\r
+ The data size external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
@param[out] DataPtr Points to the data in the communicate buffer.\r
@param[in] DataSize The data size to send to SMM.\r
@param[in] Function The function number to initialize the communicate header.\r
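Review bot: AcquireLockOnlyAtBootTime() and ReleaseLockOnlyAtBootTime() (L37-L66) silently skip the lock once EfiAtRuntime() is true, so from ExitBootServices on the shared mVariableBuffer has no protection against concurrent callers, and nothing in the hunk says whose job that becomes. That is presumably fine because the UEFI spec puts serialization of runtime-service calls on the OS, but the header comment should state it instead of only describing the helper as temporary, e.g. `At runtime no lock is taken: the OS is responsible for serializing runtime service calls (UEFI spec).` If EfiAcquireLock() in this tree's UefiLib asserts on an already-held lock, a re-entrant boot-time call will assert rather than fail gracefully, which is also worth one sentence in the same comment. Wording nits in the added comments: "temperary" and "Runtimer" (L27-L29, L49-L51), and L74 reads "The data size external input" (missing "is").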
/**\r
This code finds variable in storage blocks (Volatile or Non-Volatile).\r
\r
+ Caution: This function may receive untrusted input.\r
+ The data size is external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
@param[in] VariableName Name of Variable to be found.\r
@param[in] VendorGuid Variable vendor GUID.\r
@param[out] Attributes Attribute value of the variable found.\r
EFI_STATUS Status;\r
UINTN PayloadSize;\r
SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;\r
+ UINTN SmmCommBufPayloadSize;\r
+ UINTN TempDataSize;\r
+ UINTN VariableNameSize;\r
\r
if (VariableName == NULL || VendorGuid == NULL || DataSize == NULL) {\r
return EFI_INVALID_PARAMETER;\r
if ((*DataSize != 0) && (Data == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ //\r
+ // SMM Communication Buffer max payload size\r
+ //\r
+ SmmCommBufPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);\r
+ TempDataSize = *DataSize;\r
+ VariableNameSize = StrSize (VariableName);\r
+\r
+ //\r
+ // If VariableName exceeds SMM payload limit. Return failure\r
+ //\r
+ if (VariableNameSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
//\r
- PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName);\r
+ if (TempDataSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - VariableNameSize) {\r
+ //\r
+ // If output data buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r
+ //\r
+ TempDataSize = SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - VariableNameSize;\r
+ }\r
+ PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + VariableNameSize + TempDataSize;\r
+\r
Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_GET_VARIABLE);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmVariableHeader != NULL);\r
\r
CopyGuid (&SmmVariableHeader->Guid, VendorGuid);\r
- SmmVariableHeader->DataSize = *DataSize;\r
- SmmVariableHeader->NameSize = StrSize (VariableName);\r
+ SmmVariableHeader->DataSize = TempDataSize;\r
+ SmmVariableHeader->NameSize = VariableNameSize;\r
if (Attributes == NULL) {\r
SmmVariableHeader->Attributes = 0;\r
} else {\r
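Review bot: SmmCommBufPayloadSize at L105 is an unchecked unsigned subtraction from mVariableBufferSize; if the communication buffer allocated elsewhere in this file is ever smaller than SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE the value wraps to near UINTN max, the name check at L112 and the trim at L123 become vacuous, and everything falls through to whatever InitCommunicateBuffer() does with the oversize PayloadSize. The same expression is recomputed in RuntimeServiceGetNextVariableName; computing it once at init as a module-level `mVariableBufferPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);` guarded by `ASSERT (mVariableBufferSize > SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);` removes the duplication and pins the precondition where the buffer is sized. Whether the allocation already guarantees this I cannot tell from the hunk; RuntimeServiceGetVariable's signature and declarations are outside it.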
//\r
// Get data from SMM.\r
//\r
- *DataSize = SmmVariableHeader->DataSize;\r
+ if (Status == EFI_SUCCESS || Status == EFI_BUFFER_TOO_SMALL) {\r
+ //\r
+ // SMM CommBuffer DataSize can be a trimed value\r
+ // Only update DataSize when needed\r
+ //\r
+ *DataSize = SmmVariableHeader->DataSize;\r
+ }\r
if (Attributes != NULL) {\r
*Attributes = SmmVariableHeader->Attributes;\r
}\r
\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
\r
CopyMem (Data, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize, SmmVariableHeader->DataSize);\r
\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
return Status;\r
}\r
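Review bot: The CopyMem at L166 copies SmmVariableHeader->DataSize bytes into the caller's Data, but that size is whatever the SMM handler wrote back into the comm buffer, while the caller's buffer was only vouched for up to TempDataSize (the possibly trimmed *DataSize). SMM is the more privileged side, so this is belt-and-braces, but a handler bug returning EFI_SUCCESS with a larger DataSize would overrun the caller's buffer and one comparison before the copy prevents it: `if (SmmVariableHeader->DataSize > TempDataSize) { Status = EFI_DEVICE_ERROR; goto Done; }`. The returned status code is a suggestion; pick whatever the SMM side uses for malformed replies. RuntimeServiceGetVariable starts outside this hunk.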
\r
EFI_STATUS Status;\r
UINTN PayloadSize;\r
SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *SmmGetNextVariableName;\r
+ UINTN SmmCommBufPayloadSize;\r
+ UINTN OutVariableNameSize;\r
+ UINTN InVariableNameSize;\r
\r
if (VariableNameSize == NULL || VariableName == NULL || VendorGuid == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ //\r
+ // SMM Communication Buffer max payload size\r
+ //\r
+ SmmCommBufPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);\r
+ OutVariableNameSize = *VariableNameSize;\r
+ InVariableNameSize = StrSize (VariableName);\r
+\r
+ //\r
+ // If input string exceeds SMM payload limit. Return failure\r
+ //\r
+ if (InVariableNameSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
//\r
- PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + *VariableNameSize; \r
+ if (OutVariableNameSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+ //\r
+ // If output buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r
+ //\r
+ OutVariableNameSize = SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);\r
+ }\r
+ //\r
+ // Payload should be Guid + NameSize + MAX of Input & Output buffer\r
+ //\r
+ PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + MAX (OutVariableNameSize, InVariableNameSize);\r
+\r
Status = InitCommunicateBuffer ((VOID **)&SmmGetNextVariableName, PayloadSize, SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmGetNextVariableName != NULL);\r
\r
- SmmGetNextVariableName->NameSize = *VariableNameSize;\r
+ //\r
+ // SMM comm buffer->NameSize is buffer size for return string\r
+ //\r
+ SmmGetNextVariableName->NameSize = OutVariableNameSize;\r
+\r
CopyGuid (&SmmGetNextVariableName->Guid, VendorGuid);\r
- CopyMem (SmmGetNextVariableName->Name, VariableName, *VariableNameSize);\r
+ //\r
+ // Copy whole string\r
+ //\r
+ CopyMem (SmmGetNextVariableName->Name, VariableName, InVariableNameSize);\r
+ if (OutVariableNameSize > InVariableNameSize) {\r
+ ZeroMem ((UINT8 *) SmmGetNextVariableName->Name + InVariableNameSize, OutVariableNameSize - InVariableNameSize);\r
+ }\r
\r
//\r
// Send data to SMM\r
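Review bot: StrSize (VariableName) at L190 scans for a NUL terminator with no bound, yet the only length the caller vouches for is *VariableNameSize; an input name that is not terminated within that many bytes makes the scan read past the caller's buffer, and the copy at L235 then carries the over-read bytes into the comm buffer (bounded only by the payload-size check at L195). Bounding the scan to the declared size rejects such input up front, e.g. `MaxLen = *VariableNameSize / sizeof (CHAR16);` followed by `if (MaxLen == 0 || StrnLenS (VariableName, MaxLen) == MaxLen) { return EFI_INVALID_PARAMETER; }` placed before L190, with a `UINTN MaxLen;` local (an equivalent short loop if StrnLenS is not in this tree's BaseLib). RuntimeServiceGetNextVariableName starts outside this hunk.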
//\r
// Get data from SMM.\r
//\r
- *VariableNameSize = SmmGetNextVariableName->NameSize; \r
+ if (Status == EFI_SUCCESS || Status == EFI_BUFFER_TOO_SMALL) {\r
+ //\r
+ // SMM CommBuffer NameSize can be a trimed value\r
+ // Only update VariableNameSize when needed\r
+ //\r
+ *VariableNameSize = SmmGetNextVariableName->NameSize;\r
+ }\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
\r
CopyGuid (VendorGuid, &SmmGetNextVariableName->Guid);\r
CopyMem (VariableName, SmmGetNextVariableName->Name, SmmGetNextVariableName->NameSize); \r
\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
return Status;\r
}\r
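Review bot: The CopyMem at L259 writes SmmGetNextVariableName->NameSize bytes into the caller's VariableName, but the caller's buffer was only sized for OutVariableNameSize (the possibly trimmed *VariableNameSize), and NameSize here is the value the SMM handler wrote back. The handler is trusted, yet a one-line check before the copy keeps a handler bug from becoming a caller-buffer overflow: `if (SmmGetNextVariableName->NameSize > OutVariableNameSize) { Status = EFI_DEVICE_ERROR; goto Done; }`. RuntimeServiceGetNextVariableName starts outside this hunk.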
\r
/**\r
This code sets variable in storage blocks (Volatile or Non-Volatile).\r
\r
+ Caution: This function may receive untrusted input.\r
+ The data size and data are external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
@param[in] VariableName Name of Variable to be found.\r
@param[in] VendorGuid Variable vendor GUID.\r
@param[in] Attributes Attribute value of the variable found\r
EFI_STATUS Status;\r
UINTN PayloadSize; \r
SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;\r
+ UINTN VariableNameSize;\r
\r
//\r
// Check input parameters.\r
if (DataSize != 0 && Data == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ if (DataSize >= mVariableBufferSize) {\r
+ //\r
+ // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+ // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+ // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
+ // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+ //\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ VariableNameSize = StrSize (VariableName);\r
+\r
+ if ((UINTN)(~0) - VariableNameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {\r
+ //\r
+ // Prevent PayloadSize overflow\r
+ //\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
//\r
- PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName) + DataSize;\r
+ PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + VariableNameSize + DataSize;\r
Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_SET_VARIABLE);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmVariableHeader != NULL);\r
\r
CopyGuid ((EFI_GUID *) &SmmVariableHeader->Guid, VendorGuid);\r
SmmVariableHeader->DataSize = DataSize;\r
- SmmVariableHeader->NameSize = StrSize (VariableName);\r
+ SmmVariableHeader->NameSize = VariableNameSize;\r
SmmVariableHeader->Attributes = Attributes;\r
CopyMem (SmmVariableHeader->Name, VariableName, SmmVariableHeader->NameSize);\r
CopyMem ((UINT8 *) SmmVariableHeader->Name + SmmVariableHeader->NameSize, Data, DataSize);\r
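Review bot: The size guard at L287-L303 is written differently from the one RuntimeServiceGetVariable and RuntimeServiceGetNextVariableName use: it bounds DataSize by the whole mVariableBufferSize, then relies on a `(UINTN)(~0)` wrap test and on InitCommunicateBuffer() for the real payload comparison, so the actual limit is not visible in this function. Expressing it as the same two payload-bounded comparisons makes the policy uniform and self-documenting, and the wrap test becomes unnecessary because each term is bounded before the addition. This needs a `UINTN SmmCommBufPayloadSize;` local declared with the others above this hunk, and if InitCommunicateBuffer() currently returns a status other than EFI_INVALID_PARAMETER for oversize payloads, callers would now see EFI_INVALID_PARAMETER for that case instead. RuntimeServiceSetVariable starts outside this hunk.
```c
  //
  // Name and data must both fit in the SMM communication payload; each term
  // is bounded before it is added, so PayloadSize cannot wrap.
  //
  SmmCommBufPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);
  VariableNameSize      = StrSize (VariableName);
  if (VariableNameSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
    return EFI_INVALID_PARAMETER;
  }
  if (DataSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - VariableNameSize) {
    return EFI_INVALID_PARAMETER;
  }
  // … unchanged: AcquireLockOnlyAtBootTime, PayloadSize, InitCommunicateBuffer, header fill …
```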
// Send data to SMM.\r
//\r
Status = SendCommunicateBuffer (PayloadSize);\r
- \r
+\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
return Status;\r
}\r
\r
if(MaximumVariableStorageSize == NULL || RemainingVariableStorageSize == NULL || MaximumVariableSize == NULL || Attributes == 0) {\r
return EFI_INVALID_PARAMETER;\r
}\r
- \r
+\r
+ AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
//\r
// Init the communicate buffer. The buffer data size is:\r
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize;\r
PayloadSize = sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO);\r
Status = InitCommunicateBuffer ((VOID **)&SmmQueryVariableInfo, PayloadSize, SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
ASSERT (SmmQueryVariableInfo != NULL);\r
\r
//\r
Status = SendCommunicateBuffer (PayloadSize);\r
if (EFI_ERROR (Status)) {\r
- return Status;\r
+ goto Done;\r
}\r
\r
//\r
*MaximumVariableSize = SmmQueryVariableInfo->MaximumVariableSize;\r
*MaximumVariableStorageSize = SmmQueryVariableInfo->MaximumVariableStorageSize;\r
*RemainingVariableStorageSize = SmmQueryVariableInfo->RemainingVariableStorageSize; \r
- \r
- return EFI_SUCCESS;\r
+\r
+Done:\r
+ ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
+ return Status;\r
}\r
\r
\r
VOID *SmmVariableWriteRegistration;\r
EFI_EVENT OnReadyToBootEvent;\r
EFI_EVENT ExitBootServiceEvent;\r
- \r
+\r
+ EfiInitializeLock (&mVariableServicesLock, TPL_NOTIFY);\r
+\r
//\r
// Smm variable service is ready\r
//\r