REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283
Current SMM Save State routine does not check the number of bytes to be
read, when it comes to read IO_INFO, before casting the incoming buffer
to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory
corruption due to extra bytes being written out of buffer boundary.
This change adds a width check before copying IoInfo into output buffer.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Kun Qin <kuqin12@gmail.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210406195254.1018-2-kuqin12@gmail.com>
\r
@retval EFI_SUCCESS The register was read from Save State.\r
@retval EFI_NOT_FOUND The register is not defined for the Save State of Processor.\r
-@retval EFI_INVALID_PARAMETER This or Buffer is NULL.\r
+@retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.\r
\r
**/\r
EFI_STATUS\r
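Review bot: the new EFI_INVALID_PARAMETER line drops the "This is NULL" case that the old text documented; if the routine still rejects a NULL This, keep it in the list, and if it does not, the removal is fine but worth a sentence in the commit message. Independently, "Width does not meet requirement per Register type" is vague for a public header: the only requirement this patch introduces is for the IO_INFO register, so state it concretely, e.g. "Buffer is NULL, or Width is smaller than sizeof (EFI_SMM_SAVE_STATE_IO_INFO) when Register is EFI_SMM_SAVE_STATE_REGISTER_IO."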
\r
@retval EFI_SUCCESS The register was read from Save State.\r
@retval EFI_NOT_FOUND The register is not defined for the Save State of Processor.\r
- @retval EFI_INVALID_PARAMETER This or Buffer is NULL.\r
+ @retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.\r
\r
**/\r
EFI_STATUS\r
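Review bot: this @retval text duplicates the one in the header hunk word for word, so any rewording made there (spelling out the concrete Width requirement instead of "does not meet requirement per Register type", and deciding whether "This is NULL" still belongs in the list) must be mirrored here, otherwise the .c and .h comments drift apart.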
return EFI_NOT_FOUND;\r
}\r
\r
+ //\r
+ // Make sure the incoming buffer is large enough to hold IoInfo before accessing\r
+ //\r
+ if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
//\r
// Zero the IoInfo structure that will be returned in Buffer\r
//\r
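Review bot: the check is correct as a lower bound, `if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO))` lets an exact-size or larger buffer through and only rejects one too small to receive the structure that is zeroed and filled below, but the comment "before accessing" undersells what it guards: the routine writes into Buffer, so say "before writing IoInfo into it". Also note that Width can only be checked against the caller's claim, not the real allocation; a one-line remark that the caller is responsible for Width matching Buffer would make the trust boundary explicit. Finally, because the check sits after the `return EFI_NOT_FOUND;` above it, an undersized buffer paired with an unsupported register reports EFI_NOT_FOUND rather than EFI_INVALID_PARAMETER; that ordering is reasonable but should match what the updated @retval documentation leads callers to expect.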