]> git.proxmox.com Git - mirror_edk2.git/commitdiff
projects / mirror_edk2.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2072c22)
UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
authorKun Qin <kuqin12@gmail.com>
Tue, 6 Apr 2021 19:52:54 +0000 (12:52 -0700)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Mon, 12 Apr 2021 17:23:54 +0000 (17:23 +0000)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283

Current SMM Save State routine does not check the number of bytes to be
read, when it comse to read IO_INFO, before casting the incoming buffer
to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory
corruption due to extra bytes are written out of buffer boundary.

This change adds a width check before copying IoInfo into output buffer.

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Kun Qin <kuqin12@gmail.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210406195254.1018-2-kuqin12@gmail.com>

UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h patch | blob | blame | history
UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c patch | blob | blame | history

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
index b8aa9e1769d317b3e2b0abcd116bf7507d0fc762..2248a8c5ee667948c25b31d0795998c105705de6 100644 (file)
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
@@ -337,7 +337,7 @@ This function supports reading a CPU Save State register in SMBase relocation ha
 \r
 @retval EFI_SUCCESS           The register was read from Save State.\r
 @retval EFI_NOT_FOUND         The register is not defined for the Save State of Processor.\r
-@retval EFI_INVALID_PARAMETER  This or Buffer is NULL.\r
+@retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.\r
 \r
 **/\r
 EFI_STATUS\r
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
index 661cc51f361a2932495d31c71e3b849c153507d4..fc418c2500a995f2a35b96a7153f8706777531c6 100644 (file)
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
@@ -343,7 +343,7 @@ ReadSaveStateRegisterByIndex (
 \r
   @retval EFI_SUCCESS           The register was read from Save State.\r
   @retval EFI_NOT_FOUND         The register is not defined for the Save State of Processor.\r
-  @retval EFI_INVALID_PARAMETER  This or Buffer is NULL.\r
+  @retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.\r
 \r
 **/\r
 EFI_STATUS\r
@@ -418,6 +418,13 @@ ReadSaveStateRegister (
       return EFI_NOT_FOUND;\r
     }\r
 \r
+    //\r
+    // Make sure the incoming buffer is large enough to hold IoInfo before accessing\r
+    //\r
+    if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) {\r
+      return EFI_INVALID_PARAMETER;\r
+    }\r
+\r
     //\r
     // Zero the IoInfo structure that will be returned in Buffer\r
     //\r
EFI Development Kit II mirror for PVE