VariableServiceSetVariable() should also check authenticate data to avoid buffer overflow,\r
integer overflow. It should also check attribute to avoid authentication bypass.\r
\r
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>\r
(C) Copyright 2015-2018 Hewlett Packard Enterprise Development LP<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
UINT8 *CurrBuffer;\r
EFI_LBA LbaNumber;\r
UINTN Size;\r
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;\r
VARIABLE_STORE_HEADER *VolatileBase;\r
EFI_PHYSICAL_ADDRESS FvVolHdr;\r
EFI_PHYSICAL_ADDRESS DataPtr;\r
EFI_STATUS Status;\r
\r
- FwVolHeader = NULL;\r
+ FvVolHdr = 0;\r
DataPtr = DataPtrIndex;\r
\r
//\r
Status = Fvb->GetPhysicalAddress(Fvb, &FvVolHdr);\r
ASSERT_EFI_ERROR (Status);\r
\r
- FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvVolHdr);\r
//\r
// Data Pointer should point to the actual Address where data is to be\r
// written.\r
DataPtr += mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase;\r
}\r
\r
- if ((DataPtr + DataSize) > ((EFI_PHYSICAL_ADDRESS) (UINTN) ((UINT8 *) FwVolHeader + FwVolHeader->FvLength))) {\r
+ if ((DataPtr + DataSize) > (FvVolHdr + mNvFvHeaderCache->FvLength)) {\r
return EFI_OUT_OF_RESOURCES;\r
}\r
} else {\r
//\r
// If we are here we are dealing with Non-Volatile Variables.\r
//\r
- LinearOffset = (UINTN) FwVolHeader;\r
+ LinearOffset = (UINTN) FvVolHdr;\r
CurrWritePtr = (UINTN) DataPtr;\r
CurrWriteSize = DataSize;\r
CurrBuffer = Buffer;\r
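Review bot: The status of `Fvb->GetPhysicalAddress()` is only checked with `ASSERT_EFI_ERROR (Status)`, and with the new `FvVolHdr = 0;` initializer a build with asserts disabled would carry a zero base into both the bound check and `LinearOffset = (UINTN) FvVolHdr;` if the call ever fails. An explicit `if (EFI_ERROR (Status)) { return Status; }` after the call would make that case fail closed. The new comparison also trusts `mNvFvHeaderCache->FvLength`; these lines do not show where the cache is populated or checked for NULL, so a one-line comment stating that it is initialised before this function can run would help. Separately, `DataPtr + DataSize` is still summed before comparing; if callers do not range-check `DataPtrIndex`, first checking `DataPtr` against the volume end and then testing `DataSize > (FvVolHdr + mNvFvHeaderCache->FvLength) - DataPtr` avoids wraparound. The enclosing function starts and ends outside these lines.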
)\r
{\r
//\r
- // The end of variable store.\r
+ // The start of variable store.\r
//\r
return (VARIABLE_HEADER *) HEADER_ALIGN (VarStoreHeader + 1);\r
}\r
if (Variable->CurrPtr != NULL) {\r
if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {\r
CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));\r
+ } else {\r
+ CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));\r
}\r
}\r
}\r
}\r
}\r
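Review bot: The new `else` branch dereferences `CacheVariable->CurrPtr`, but the guard a few lines up tests `Variable->CurrPtr != NULL`, so the code relies on the two pointers being non-NULL together, which is not visible here. The same applies to the later change to `State = CacheVariable->CurrPtr->State;`. Since this path decides which timestamp an authenticated variable keeps, I would state the invariant next to the guard, e.g. `// CacheVariable->CurrPtr is non-NULL whenever Variable->CurrPtr is; the header is read from the cached copy.`, or add `ASSERT (CacheVariable->CurrPtr != NULL);`. The enclosing function begins and ends outside the hunk.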
\r
- State = Variable->CurrPtr->State;\r
+ State = CacheVariable->CurrPtr->State;\r
State &= VAR_DELETED;\r
\r
Status = UpdateVariableStore (\r
((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->AuthInfo.Hdr.dwLength < OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
return EFI_SECURITY_VIOLATION;\r
}\r
+ //\r
+ // The VariableSpeculationBarrier() call here is to ensure the above sanity\r
+ // check for the EFI_VARIABLE_AUTHENTICATION_2 descriptor has been completed\r
+ // before the execution of subsequent codes.\r
+ //\r
+ VariableSpeculationBarrier ();\r
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
} else {\r
PayloadSize = DataSize;\r
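Review bot: The new comment says the barrier orders the descriptor sanity check before "subsequent codes" but does not name the value being protected, which makes it hard to judge later whether the barrier is still in the right place. I would name it, e.g. `// Speculation barrier: AuthInfo.Hdr.dwLength is caller-supplied and feeds AUTHINFO2_SIZE (Data) below; it must not be used before the range check above has completed.` The condition that performs the check starts above the hunk, so whether `DataSize` is also checked against `AUTHINFO2_SIZE (Data)` before the subtraction cannot be confirmed from these lines. The `else` branch assigns `PayloadSize = DataSize` with no barrier; if that is intentional because no caller-supplied length is used there, saying so keeps the asymmetry from looking like an omission.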
//\r
if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) {\r
if (StrSize (VariableName) + PayloadSize > mVariableModuleGlobal->MaxAuthVariableSize - GetVariableHeaderSize ()) {\r
+ DEBUG ((DEBUG_ERROR,\r
+ "%a: Failed to set variable '%s' with Guid %g\n",\r
+ __FUNCTION__, VariableName, VendorGuid));\r
+ DEBUG ((DEBUG_ERROR,\r
+ "NameSize(0x%x) + PayloadSize(0x%x) > "\r
+ "MaxAuthVariableSize(0x%x) - HeaderSize(0x%x)\n",\r
+ StrSize (VariableName), PayloadSize,\r
+ mVariableModuleGlobal->MaxAuthVariableSize,\r
+ GetVariableHeaderSize ()\r
+ ));\r
return EFI_INVALID_PARAMETER;\r
}\r
} else if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {\r
if (StrSize (VariableName) + PayloadSize > mVariableModuleGlobal->MaxVariableSize - GetVariableHeaderSize ()) {\r
+ DEBUG ((DEBUG_ERROR,\r
+ "%a: Failed to set variable '%s' with Guid %g\n",\r
+ __FUNCTION__, VariableName, VendorGuid));\r
+ DEBUG ((DEBUG_ERROR,\r
+ "NameSize(0x%x) + PayloadSize(0x%x) > "\r
+ "MaxVariableSize(0x%x) - HeaderSize(0x%x)\n",\r
+ StrSize (VariableName), PayloadSize,\r
+ mVariableModuleGlobal->MaxVariableSize,\r
+ GetVariableHeaderSize ()\r
+ ));\r
return EFI_INVALID_PARAMETER;\r
}\r
} else {\r
if (StrSize (VariableName) + PayloadSize > mVariableModuleGlobal->MaxVolatileVariableSize - GetVariableHeaderSize ()) {\r
+ DEBUG ((DEBUG_ERROR,\r
+ "%a: Failed to set variable '%s' with Guid %g\n",\r
+ __FUNCTION__, VariableName, VendorGuid));\r
+ DEBUG ((DEBUG_ERROR,\r
+ "NameSize(0x%x) + PayloadSize(0x%x) > "\r
+ "MaxVolatileVariableSize(0x%x) - HeaderSize(0x%x)\n",\r
+ StrSize (VariableName), PayloadSize,\r
+ mVariableModuleGlobal->MaxVolatileVariableSize,\r
+ GetVariableHeaderSize ()\r
+ ));\r
return EFI_INVALID_PARAMETER;\r
}\r
}\r
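Review bot: The added `DEBUG` calls print `StrSize (VariableName)`, `PayloadSize` and `GetVariableHeaderSize ()` with `%x`; `StrSize()` returns `UINTN`, and if the other two are `UINTN` as well the values can be truncated or misread on 64-bit builds. Casting and widening the specifier keeps the log accurate, e.g. `"NameSize(0x%lx) + PayloadSize(0x%lx) > "` with `(UINT64) StrSize (VariableName), (UINT64) PayloadSize`. The same two-call block is repeated in all three size branches with only the limit name changed, so a small static helper taking the limit name and value would remove the duplication. The messages also emit the caller-supplied variable name and GUID at `DEBUG_ERROR`, which helps triage but matters on platforms where debug output is visible to untrusted parties.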
/**\r
Get HOB variable store.\r
\r
- @param[out] VariableGuid NV variable store signature.\r
+ @param[in] VariableGuid NV variable store signature.\r
\r
@retval EFI_SUCCESS Function successfully executed.\r
@retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.\r