lzeng14 [Tue, 7 May 2013 05:38:32 +0000 (05:38 +0000)]
1. Fix TOCTOU issue in VariableSmm, FtwSmm, FpdtSmm, SmmCorePerformance SMM handler. For VariableSmm, pre-allocate a mVariableBufferPayload buffer with mVariableBufferPayloadSize(match with mVariableBufferPayloadSize in VariableSmmRuntimeDxe) to hold communicate buffer payload to avoid TOCTOU issue.
2. Add check to ensure CommBufferPayloadSize not exceed mVariableBufferPayloadSize or is enough to hold function structure in VariableSmm and FtwSmm.
3. Align FtwGetLastWrite() in FaultTolerantWriteSmmDxe.c to FtwGetLastWrite() in FaultTolerantWrite.c.
Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14325 6f19259b-4bc3-4df7-8a09-765794883524
vanjeff [Mon, 6 May 2013 07:36:32 +0000 (07:36 +0000)]
Read/Write memory space including MMIO range with the width requested from HOST.
Signed-off-by: Jeff Fan <jeff.fan@intel.com> Reviewed-by: Kinney, Michael D <michael.d.kinney@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14324 6f19259b-4bc3-4df7-8a09-765794883524
1. Use the check IsAddressValid() to prevent SMM communication buffer overflow in SmmVariable, FtwSmm, FpdtSmm, SmmCorePerformance and SmmBaseHelper, and add check to prevent InfoSize overflows in SmmVariableHandler.
2. Refine the debug message.
3. Add check to make sure the input VariableName is A Null-terminated string.
4. Use local variable to hold StrSize (VariableName) to avoid duplicated StrSize calculation.
Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14317 6f19259b-4bc3-4df7-8a09-765794883524
Check for NULL pointer before free it. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14316 6f19259b-4bc3-4df7-8a09-765794883524
Get ParentDevicePath by using attribute EFI_OPEN_PROTOCOL_GET_PROTOCOL instead of BY_CHILD. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Ouyang Qian <qian.ouyang@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14313 6f19259b-4bc3-4df7-8a09-765794883524
Mallicious code may use SmmFaultTolerantWriteHandler() to update some flash area directly, like Variable region, so return EFI_ACCESS_DENIED after End Of Dxe in SmmFaultTolerantWriteHandler().
And add code to prevent InfoSize overflow.
Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14312 6f19259b-4bc3-4df7-8a09-765794883524
The openssl API RSA_public_decrypt() and RSA_private_encrypt() are deprecated, use RSA_sign(), RSA_verify() instead. Signed-off-by: Long Qin < qin.long@intel.com > Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14309 6f19259b-4bc3-4df7-8a09-765794883524
Enhance InitializeLanguage() to set PcdUefiVariableDefaultPlatformLang to PlatformLang variable if the value of PlatformLang variable has been set an unsupported value(not one of PlatformLangCodes variable), and assert when default (Platform)Lang PCD value is not set to one of (Platform)LangCodes PCD value.
Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14307 6f19259b-4bc3-4df7-8a09-765794883524
Signed-off-by: Jeff Fan <jeff.fan@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14306 6f19259b-4bc3-4df7-8a09-765794883524
1. Add CPU arch type in Mailbox, debug agent will not access HOB if CPU arch changed.
2. Updated DxeDebugAgentLib instance to copy DebugPortHandler buffer into allocated ACPIMemoryNVS besides the mailbox.
3. Remove deprecated SendingPacket from mailbox.
Signed-off-by: Jeff Fan <jeff.fan@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14302 6f19259b-4bc3-4df7-8a09-765794883524
Fix a potential SMM memory dump issue. If pass communication buffer with DataBuffer to SMM SetVariable which is big enough to cover SMM range. Then GetVariable can dump SMM memory contents. Add more range check for SetVariable
Allocate ACPImemoryNVS type memory to save mailbox and debug port handle buffer since original allocated pool memory may be marked as free by DXE Core.
Signed-off-by: Jeff Fan <jeff.fan@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14285 6f19259b-4bc3-4df7-8a09-765794883524
Split browser with browser core and display engine.
First Version, goal:
1.Display Engine has the framework.
2.Browser core ready.(PasswordCheck, ValidateQuestionV not ready)
Signed-off-by: Eric Dong
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14281 6f19259b-4bc3-4df7-8a09-765794883524
MdeMdeModulePkg/BootScriptExecutorDxe: Replaces absolute addressing that requires a relocation entry with PC relative addressing that does not require a relocation entry. This patch is required to make this file assemble and link with Xcode
Signed-off-by: Andrew Fish <afish@apple.com> Reviewed-by: Feng Tian <feng.tian@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14279 6f19259b-4bc3-4df7-8a09-765794883524
This patch corrects a problem detecting uInitrd signature when booting
with FDT.
BdsBootLinuxFdt was attempting to read the signature from InitrdImage which
is zero at this point in the code. The code now reads the signature from
InitrdImageBase.
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org> Reviewed-by: Olivier Martin <olivier.martin@arm.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14272 6f19259b-4bc3-4df7-8a09-765794883524
Update SMM variable DXE driver GetNextVariable interface to comply with UEFI spec
VariableNameSize is the returned buffer size. GetNextVariable should behavior correct if it is bigger than SMM communication buffer or less than string size of VariableName.
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by : Dong Guo <guo.dong@intel.com>
Reviewed-by : Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by : Zeng Star <star.zeng@intel.com>
Update secure boot UI driver to handle “reset to default” hot key. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14257 6f19259b-4bc3-4df7-8a09-765794883524
Fix several bugs in the implementation of converting SAS/SASEX device path node from/to text.
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14256 6f19259b-4bc3-4df7-8a09-765794883524
If DataSize or VariableNameSize is near MAX_ADDRESS, this can cause the computed PayLoadSize to overflow to a small value and pass the check in InitCommunicateBuffer(). To protect against this vulnerability, check DataSize and VariableNameSize to make sure PayloadSize doesn't overflow.
Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14252 6f19259b-4bc3-4df7-8a09-765794883524
MdeMdeModulePkg/UsbBusDxe: Fixed a possible memory leak bug introduced at r14226
The r14226 check-in indeed has memory leak in allocated "Child" pointer. UsbBusDriverBindingStop() may dereference this pointer and may bring exception on invalid memory access
Don't assume HiiDatabase has been present at the entrypoint and don't assume HiiDatabase and HiiFont are on the same handle according to the UEFI spec.
Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Elvin Li <elvin.li@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14236 6f19259b-4bc3-4df7-8a09-765794883524
erictian [Fri, 29 Mar 2013 09:32:55 +0000 (09:32 +0000)]
MdeMdeModulePkg/Usb: two tunings for better device identification behind hub
1.enlarge the recovery time from 10ms to 20ms after port reset to make set address request success for better device compatibility.
2.another enhancement is to use RESET_C bit rather than RESET bit to judge if hub reset port operation is done.
erictian [Fri, 29 Mar 2013 06:53:57 +0000 (06:53 +0000)]
MdeMdeModulePkg/Usb: Fixed two usb issues
1.Fix the bug in interface parser logic for usb camera device. Reserve device address if the device doesn’t get disconnected.
2.Some usb 1.1 devices require the context evaluation immediately with actual max packet size after detecting the device max packet size.
niruiyu [Thu, 28 Mar 2013 07:02:01 +0000 (07:02 +0000)]
Fix SourceLevelDebugPkg build failure when the debug port is USB.
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Jeff Fan <jeff.fan@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14222 6f19259b-4bc3-4df7-8a09-765794883524
mdkinney [Fri, 22 Mar 2013 21:20:07 +0000 (21:20 +0000)]
Guarantee that free memory in the 4K page starting at address 0 is always cleared to 0. The algorithm is to clear page zero if it is registered with the DXE Core with type EfiConventionalMemory, and to also clear page zero if it is freed using the UEFI Boot Service FreePages(). This patch improves OS compatibility for OSes that may evaluate page 0 for legacy data structures. Before this patch, free memory may contain random values which induces random boot failures for some OSes. This patch may also help find NULL pointer bugs sooner because all of the fields in a data structure dereferenced through NULL will also be NULL now.
Signed-off-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14218 6f19259b-4bc3-4df7-8a09-765794883524
mdkinney [Fri, 22 Mar 2013 21:18:02 +0000 (21:18 +0000)]
Fix a bug in the DXE Core that generates an ASSERT() when the page at address zero is freed and DEBUG_CLEAR_MEMORY() macros are enabled. If DEBUG_CLEAR_MEMORY() is enabled and the page at address 0 is freed, then DEBUG_CLEAR_MEMORY() is invoked skipping over the first 4K page.
Signed-off-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14217 6f19259b-4bc3-4df7-8a09-765794883524
sfu5 [Wed, 20 Mar 2013 08:35:24 +0000 (08:35 +0000)]
Making the IP6_CONFIG_DATA_RECORD the same size for both IA32 and X64 builds. Signed-off-by: Kinney, Michael D <michael.d.kinney@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14216 6f19259b-4bc3-4df7-8a09-765794883524
sfu5 [Wed, 20 Mar 2013 08:30:05 +0000 (08:30 +0000)]
Remove HiiUpdateForm from ExtractConfig fucntion. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Dong Eric <eric.dong@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14215 6f19259b-4bc3-4df7-8a09-765794883524
niruiyu [Tue, 19 Mar 2013 07:10:51 +0000 (07:10 +0000)]
Remove BdsLibConnectConsoleVariableWithoutDispatch() and enhance BdsLibConnectDevicePath() to only call gDS->Dispatch() when the current TPL is TPL_APPLICATION
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14211 6f19259b-4bc3-4df7-8a09-765794883524
oliviermartin [Tue, 12 Mar 2013 01:04:10 +0000 (01:04 +0000)]
ArmPkg/BdsLib: Fixed TFTP and PXE Boot
- An Ascii filename must be passed to the TFTP service (was a Unicode filename)
- If the PXE service had already configured the connection we need to restart
when we want to download a new file or do a do a PXE Boot.
oliviermartin [Tue, 12 Mar 2013 01:03:23 +0000 (01:03 +0000)]
ArmPlatformPkg/Bds: Fixed adding support for new boot entry when the generated DevicePath is bigger than one node
The initial support was only considering the added Device Path will be a single node.
TFTP for instance requires two new nodes on the top of the ethernet Device Path; a first
one for the IP address of the server and a second one for the file to download.
This change replace the return argument from a DevicePath node by a DevicePath.
It means the End Device Path node is now required.
oliviermartin [Tue, 12 Mar 2013 01:01:55 +0000 (01:01 +0000)]
ArmPkg/BdsLinuxFdt.c: Check that FDT blob is correctly loaded.
Add some checks in the code loading an FDT blob from a memory-mapped device
so that UEFI will detect and print an error message if the address
range doesn't cover the whole file.