X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=MdeModulePkg%2FUniversal%2FLockBox%2FSmmLockBox%2FSmmLockBox.c;h=f1880d464d1f143200488e8a884374d6737810d0;hb=b4e09b0f628dcf85128787de5ed0275430ccaf33;hp=e8b831e1fb5ba576a795412a5a243ab48f7c297f;hpb=e8c758dc9252adaefa0d13c5702e32e0402d18e8;p=mirror_edk2.git
diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
index e8b831e1fb..f1880d464d 100644
--- a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
+++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
@@ -9,7 +9,7 @@
SmmLockBoxHandler(), SmmLockBoxRestore(), SmmLockBoxUpdate(), SmmLockBoxSave()
will receive untrusted input and do basic validation.
-Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials
are licensed and made available under the terms and conditions
@@ -30,72 +30,16 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include
#include
#include
+#include
#include
+
#include
#include
-#include
#include
#include
BOOLEAN mLocked = FALSE;
-EFI_SMRAM_DESCRIPTOR *mSmramRanges;
-UINTN mSmramRangeCount;
-
-/**
- This function check if the address is in SMRAM.
-
- @param Buffer the buffer address to be checked.
- @param Length the buffer length to be checked.
-
- @retval TRUE this address is in SMRAM.
- @retval FALSE this address is NOT in SMRAM.
-**/
-BOOLEAN
-IsAddressInSmram (
- IN EFI_PHYSICAL_ADDRESS Buffer,
- IN UINT64 Length
- )
-{
- UINTN Index;
-
- for (Index = 0; Index < mSmramRangeCount; Index ++) {
- if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
- ((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {
- return TRUE;
- }
- }
-
- return FALSE;
-}
-
-/**
- This function check if the address refered by Buffer and Length is valid.
-
- @param Buffer the buffer address to be checked.
- @param Length the buffer length to be checked.
-
- @retval TRUE this address is valid.
- @retval FALSE this address is NOT valid.
-**/
-BOOLEAN
-IsAddressValid (
- IN UINTN Buffer,
- IN UINTN Length
- )
-{
- if (Buffer > (MAX_ADDRESS - Length)) {
- //
- // Overflow happen
- //
- return FALSE;
- }
- if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {
- return FALSE;
- }
- return TRUE;
-}
-
/**
Dispatch function for SMM lock box save.
@@ -111,6 +55,7 @@ SmmLockBoxSave (
)
{
EFI_STATUS Status;
+ EFI_SMM_LOCK_BOX_PARAMETER_SAVE TempLockBoxParameterSave;
//
// Sanity check
@@ -121,11 +66,13 @@ SmmLockBoxSave (
return ;
}
+ CopyMem (&TempLockBoxParameterSave, LockBoxParameterSave, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_SAVE));
+
//
// Sanity check
//
- if (!IsAddressValid ((UINTN)LockBoxParameterSave->Buffer, (UINTN)LockBoxParameterSave->Length)) {
- DEBUG ((EFI_D_ERROR, "SmmLockBox Save address in SMRAM!\n"));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterSave.Buffer, (UINTN)TempLockBoxParameterSave.Length)) {
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Save address in SMRAM or buffer overflow!\n"));
LockBoxParameterSave->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
}
@@ -134,9 +81,9 @@ SmmLockBoxSave (
// Save data
//
Status = SaveLockBox (
- &LockBoxParameterSave->Guid,
- (VOID *)(UINTN)LockBoxParameterSave->Buffer,
- (UINTN)LockBoxParameterSave->Length
+ &TempLockBoxParameterSave.Guid,
+ (VOID *)(UINTN)TempLockBoxParameterSave.Buffer,
+ (UINTN)TempLockBoxParameterSave.Length
);
LockBoxParameterSave->Header.ReturnStatus = (UINT64)Status;
return ;
@@ -153,6 +100,7 @@ SmmLockBoxSetAttributes (
)
{
EFI_STATUS Status;
+ EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES TempLockBoxParameterSetAttributes;
//
// Sanity check
@@ -163,12 +111,14 @@ SmmLockBoxSetAttributes (
return ;
}
+ CopyMem (&TempLockBoxParameterSetAttributes, LockBoxParameterSetAttributes, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES));
+
//
// Update data
//
Status = SetLockBoxAttributes (
- &LockBoxParameterSetAttributes->Guid,
- LockBoxParameterSetAttributes->Attributes
+ &TempLockBoxParameterSetAttributes.Guid,
+ TempLockBoxParameterSetAttributes.Attributes
);
LockBoxParameterSetAttributes->Header.ReturnStatus = (UINT64)Status;
return ;
@@ -189,6 +139,7 @@ SmmLockBoxUpdate (
)
{
EFI_STATUS Status;
+ EFI_SMM_LOCK_BOX_PARAMETER_UPDATE TempLockBoxParameterUpdate;
//
// Sanity check
@@ -199,11 +150,13 @@ SmmLockBoxUpdate (
return ;
}
+ CopyMem (&TempLockBoxParameterUpdate, LockBoxParameterUpdate, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_UPDATE));
+
//
// Sanity check
//
- if (!IsAddressValid ((UINTN)LockBoxParameterUpdate->Buffer, (UINTN)LockBoxParameterUpdate->Length)) {
- DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM!\n"));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterUpdate.Buffer, (UINTN)TempLockBoxParameterUpdate.Length)) {
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM or buffer overflow!\n"));
LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
}
@@ -212,10 +165,10 @@ SmmLockBoxUpdate (
// Update data
//
Status = UpdateLockBox (
- &LockBoxParameterUpdate->Guid,
- (UINTN)LockBoxParameterUpdate->Offset,
- (VOID *)(UINTN)LockBoxParameterUpdate->Buffer,
- (UINTN)LockBoxParameterUpdate->Length
+ &TempLockBoxParameterUpdate.Guid,
+ (UINTN)TempLockBoxParameterUpdate.Offset,
+ (VOID *)(UINTN)TempLockBoxParameterUpdate.Buffer,
+ (UINTN)TempLockBoxParameterUpdate.Length
);
LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)Status;
return ;
@@ -236,12 +189,15 @@ SmmLockBoxRestore (
)
{
EFI_STATUS Status;
+ EFI_SMM_LOCK_BOX_PARAMETER_RESTORE TempLockBoxParameterRestore;
+
+ CopyMem (&TempLockBoxParameterRestore, LockBoxParameterRestore, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_RESTORE));
//
// Sanity check
//
- if (!IsAddressValid ((UINTN)LockBoxParameterRestore->Buffer, (UINTN)LockBoxParameterRestore->Length)) {
- DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM!\n"));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterRestore.Buffer, (UINTN)TempLockBoxParameterRestore.Length)) {
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM or buffer overflow!\n"));
LockBoxParameterRestore->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
}
@@ -249,17 +205,17 @@ SmmLockBoxRestore (
//
// Restore data
//
- if ((LockBoxParameterRestore->Length == 0) && (LockBoxParameterRestore->Buffer == 0)) {
+ if ((TempLockBoxParameterRestore.Length == 0) && (TempLockBoxParameterRestore.Buffer == 0)) {
Status = RestoreLockBox (
- &LockBoxParameterRestore->Guid,
+ &TempLockBoxParameterRestore.Guid,
NULL,
NULL
);
} else {
Status = RestoreLockBox (
- &LockBoxParameterRestore->Guid,
- (VOID *)(UINTN)LockBoxParameterRestore->Buffer,
- (UINTN *)&LockBoxParameterRestore->Length
+ &TempLockBoxParameterRestore.Guid,
+ (VOID *)(UINTN)TempLockBoxParameterRestore.Buffer,
+ (UINTN *)&TempLockBoxParameterRestore.Length
);
}
LockBoxParameterRestore->Header.ReturnStatus = (UINT64)Status;
@@ -309,18 +265,28 @@ SmmLockBoxHandler (
)
{
EFI_SMM_LOCK_BOX_PARAMETER_HEADER *LockBoxParameterHeader;
+ UINTN TempCommBufferSize;
DEBUG ((EFI_D_ERROR, "SmmLockBox SmmLockBoxHandler Enter\n"));
+ //
+ // If input is invalid, stop processing this SMI
+ //
+ if (CommBuffer == NULL || CommBufferSize == NULL) {
+ return EFI_SUCCESS;
+ }
+
+ TempCommBufferSize = *CommBufferSize;
+
//
// Sanity check
//
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_HEADER)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_HEADER)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size invalid!\n"));
return EFI_SUCCESS;
}
- if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
- DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM!\n"));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -334,35 +300,35 @@ SmmLockBoxHandler (
switch (LockBoxParameterHeader->Command) {
case EFI_SMM_LOCK_BOX_COMMAND_SAVE:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SAVE)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SAVE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SAVE invalid!\n"));
break;
}
SmmLockBoxSave ((EFI_SMM_LOCK_BOX_PARAMETER_SAVE *)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_UPDATE)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_UPDATE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for UPDATE invalid!\n"));
break;
}
SmmLockBoxUpdate ((EFI_SMM_LOCK_BOX_PARAMETER_UPDATE *)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_RESTORE:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for RESTORE invalid!\n"));
break;
}
SmmLockBoxRestore ((EFI_SMM_LOCK_BOX_PARAMETER_RESTORE *)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_SET_ATTRIBUTES:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SET_ATTRIBUTES invalid!\n"));
break;
}
SmmLockBoxSetAttributes ((EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES *)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_RESTORE_ALL_IN_PLACE:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for RESTORE_ALL_IN_PLACE invalid!\n"));
break;
}
@@ -422,30 +388,6 @@ SmmLockBoxEntryPoint (
EFI_STATUS Status;
EFI_HANDLE DispatchHandle;
VOID *Registration;
- EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;
- UINTN Size;
-
- //
- // Get SMRAM information
- //
- Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
- ASSERT_EFI_ERROR (Status);
-
- Size = 0;
- Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
- ASSERT (Status == EFI_BUFFER_TOO_SMALL);
-
- Status = gSmst->SmmAllocatePool (
- EfiRuntimeServicesData,
- Size,
- (VOID **)&mSmramRanges
- );
- ASSERT_EFI_ERROR (Status);
-
- Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
- ASSERT_EFI_ERROR (Status);
-
- mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
//
// Register LockBox communication handler