MdeModulePkg Variable: Prevent BS variable update in legacy OS runtime.

[mirror_edk2.git] / MdeModulePkg / Universal / Variable / RuntimeDxe / VariableSmmRuntimeDxe.c

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
index 865b9ad1a408a30bab9ee5b5f8852d5cad919567..0e0a7c5c3b5ac541e35b92ae6a5f886443a43b20 100644 (file)
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -4,7 +4,17 @@
   and volatile storage space and install variable architecture protocol\r
   based on SMM variable module.\r
 \r
-Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>\r
+  Caution: This module requires additional review when modified.\r
+  This driver will have external input - variable data.\r
+  This external input must be validated carefully to avoid security issue like\r
+  buffer overflow, integer overflow.\r
+\r
+  RuntimeServiceGetVariable() and RuntimeServiceSetVariable() are external API\r
+  to receive data buffer. The size should be checked carefully.\r
+\r
+  InitCommunicateBuffer() is really function to check the variable data size.\r
+\r
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials                          \r
 are licensed and made available under the terms and conditions of the BSD License         \r
 which accompanies this distribution.  The full text of the license may be found at        \r
@@ -20,6 +30,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Protocol/SmmCommunication.h>\r
 #include <Protocol/SmmVariable.h>\r
 #include <Protocol/VariableLock.h>\r
+#include <Protocol/VarCheck.h>\r
 \r
 #include <Library/UefiBootServicesTableLib.h>\r
 #include <Library/UefiRuntimeServicesTableLib.h>\r
@@ -46,6 +57,7 @@ UINTN                            mVariableBufferSize;
 UINTN                            mVariableBufferPayloadSize;\r
 EFI_LOCK                         mVariableServicesLock;\r
 EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;\r
+EDKII_VAR_CHECK_PROTOCOL         mVarCheck;\r
 \r
 /**\r
   Acquires lock only at boot time. Simply returns at runtime.\r
@@ -97,6 +109,9 @@ ReleaseLockOnlyAtBootTime (
   The communicate size is: SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE +\r
   DataSize.\r
 \r
+  Caution: This function may receive untrusted input.\r
+  The data size external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
   @param[out]      DataPtr          Points to the data in the communicate buffer.\r
   @param[in]       DataSize         The data size to send to SMM.\r
   @param[in]       Function         The function number to initialize the communicate header.\r
@@ -186,6 +201,7 @@ VariableLockRequestToLock (
   )\r
 {\r
   EFI_STATUS                                Status;\r
+  UINTN                                     VariableNameSize;\r
   UINTN                                     PayloadSize;\r
   SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE    *VariableToLock;\r
 \r
@@ -193,13 +209,23 @@ VariableLockRequestToLock (
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
+  VariableNameSize = StrSize (VariableName);\r
+  VariableToLock   = NULL;\r
+\r
+  //\r
+  // If VariableName exceeds SMM payload limit. Return failure\r
+  //\r
+  if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
   AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
 \r
   //\r
   // Init the communicate buffer. The buffer data size is:\r
   // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
   //\r
-  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + StrSize (VariableName);\r
+  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + VariableNameSize;\r
   Status = InitCommunicateBuffer ((VOID **) &VariableToLock, PayloadSize, SMM_VARIABLE_FUNCTION_LOCK_VARIABLE);\r
   if (EFI_ERROR (Status)) {\r
     goto Done;\r
@@ -207,7 +233,7 @@ VariableLockRequestToLock (
   ASSERT (VariableToLock != NULL);\r
 \r
   CopyGuid (&VariableToLock->Guid, VendorGuid);\r
-  VariableToLock->NameSize = StrSize (VariableName);\r
+  VariableToLock->NameSize = VariableNameSize;\r
   CopyMem (VariableToLock->Name, VariableName, VariableToLock->NameSize);\r
 \r
   //\r
@@ -220,9 +246,186 @@ Done:
   return Status;\r
 }\r
 \r
+/**\r
+  Register SetVariable check handler.\r
+\r
+  @param[in] Handler            Pointer to check handler.\r
+\r
+  @retval EFI_SUCCESS           The SetVariable check handler was registered successfully.\r
+  @retval EFI_INVALID_PARAMETER Handler is NULL.\r
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has\r
+                                already been signaled.\r
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource for the SetVariable check handler register request.\r
+  @retval EFI_UNSUPPORTED       This interface is not implemented.\r
+                                For example, it is unsupported in VarCheck protocol if both VarCheck and SmmVarCheck protocols are present.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+VarCheckRegisterSetVariableCheckHandler (\r
+  IN VAR_CHECK_SET_VARIABLE_CHECK_HANDLER   Handler\r
+  )\r
+{\r
+  return EFI_UNSUPPORTED;\r
+}\r
+\r
+/**\r
+  Variable property set.\r
+\r
+  @param[in] Name               Pointer to the variable name.\r
+  @param[in] Guid               Pointer to the vendor GUID.\r
+  @param[in] VariableProperty   Pointer to the input variable property.\r
+\r
+  @retval EFI_SUCCESS           The property of variable specified by the Name and Guid was set successfully.\r
+  @retval EFI_INVALID_PARAMETER Name, Guid or VariableProperty is NULL, or Name is an empty string,\r
+                                or the fields of VariableProperty are not valid.\r
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has\r
+                                already been signaled.\r
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource for the variable property set request.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+VarCheckVariablePropertySet (\r
+  IN CHAR16                         *Name,\r
+  IN EFI_GUID                       *Guid,\r
+  IN VAR_CHECK_VARIABLE_PROPERTY    *VariableProperty\r
+  )\r
+{\r
+  EFI_STATUS                                Status;\r
+  UINTN                                     VariableNameSize;\r
+  UINTN                                     PayloadSize;\r
+  SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty;\r
+\r
+  if (Name == NULL || Name[0] == 0 || Guid == NULL) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  if (VariableProperty == NULL) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  if (VariableProperty->Revision != VAR_CHECK_VARIABLE_PROPERTY_REVISION) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  VariableNameSize = StrSize (Name);\r
+  CommVariableProperty = NULL;\r
+\r
+  //\r
+  // If VariableName exceeds SMM payload limit. Return failure\r
+  //\r
+  if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  AcquireLockOnlyAtBootTime (&mVariableServicesLock);\r
+\r
+  //\r
+  // Init the communicate buffer. The buffer data size is:\r
+  // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
+  //\r
+  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + VariableNameSize;\r
+  Status = InitCommunicateBuffer ((VOID **) &CommVariableProperty, PayloadSize, SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET);\r
+  if (EFI_ERROR (Status)) {\r
+    goto Done;\r
+  }\r
+  ASSERT (CommVariableProperty != NULL);\r
+\r
+  CopyGuid (&CommVariableProperty->Guid, Guid);\r
+  CopyMem (&CommVariableProperty->VariableProperty, VariableProperty, sizeof (*VariableProperty));\r
+  CommVariableProperty->NameSize = VariableNameSize;\r
+  CopyMem (CommVariableProperty->Name, Name, CommVariableProperty->NameSize);\r
+\r
+  //\r
+  // Send data to SMM.\r
+  //\r
+  Status = SendCommunicateBuffer (PayloadSize);\r
+\r
+Done:\r
+  ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
+  return Status;\r
+}\r
+\r
+/**\r
+  Variable property get.\r
+\r
+  @param[in]  Name              Pointer to the variable name.\r
+  @param[in]  Guid              Pointer to the vendor GUID.\r
+  @param[out] VariableProperty  Pointer to the output variable property.\r
+\r
+  @retval EFI_SUCCESS           The property of variable specified by the Name and Guid was got successfully.\r
+  @retval EFI_INVALID_PARAMETER Name, Guid or VariableProperty is NULL, or Name is an empty string.\r
+  @retval EFI_NOT_FOUND         The property of variable specified by the Name and Guid was not found.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+VarCheckVariablePropertyGet (\r
+  IN CHAR16                         *Name,\r
+  IN EFI_GUID                       *Guid,\r
+  OUT VAR_CHECK_VARIABLE_PROPERTY   *VariableProperty\r
+  )\r
+{\r
+  EFI_STATUS                                Status;\r
+  UINTN                                     VariableNameSize;\r
+  UINTN                                     PayloadSize;\r
+  SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty;\r
+\r
+  if (Name == NULL || Name[0] == 0 || Guid == NULL) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  if (VariableProperty == NULL) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  VariableNameSize = StrSize (Name);\r
+  CommVariableProperty = NULL;\r
+\r
+  //\r
+  // If VariableName exceeds SMM payload limit. Return failure\r
+  //\r
+  if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  AcquireLockOnlyAtBootTime (&mVariableServicesLock);\r
+\r
+  //\r
+  // Init the communicate buffer. The buffer data size is:\r
+  // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
+  //\r
+  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + VariableNameSize;\r
+  Status = InitCommunicateBuffer ((VOID **) &CommVariableProperty, PayloadSize, SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET);\r
+  if (EFI_ERROR (Status)) {\r
+    goto Done;\r
+  }\r
+  ASSERT (CommVariableProperty != NULL);\r
+\r
+  CopyGuid (&CommVariableProperty->Guid, Guid);\r
+  CommVariableProperty->NameSize = VariableNameSize;\r
+  CopyMem (CommVariableProperty->Name, Name, CommVariableProperty->NameSize);\r
+\r
+  //\r
+  // Send data to SMM.\r
+  //\r
+  Status = SendCommunicateBuffer (PayloadSize);\r
+  if (Status == EFI_SUCCESS) {\r
+    CopyMem (VariableProperty, &CommVariableProperty->VariableProperty, sizeof (*VariableProperty));\r
+  }\r
+\r
+Done:\r
+  ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
+  return Status;\r
+}\r
+\r
 /**\r
   This code finds variable in storage blocks (Volatile or Non-Volatile).\r
 \r
+  Caution: This function may receive untrusted input.\r
+  The data size is external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
   @param[in]      VariableName       Name of Variable to be found.\r
   @param[in]      VendorGuid         Variable vendor GUID.\r
   @param[out]     Attributes         Attribute value of the variable found.\r
@@ -256,12 +459,9 @@ RuntimeServiceGetVariable (
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
-  if ((*DataSize != 0) && (Data == NULL)) {\r
-    return EFI_INVALID_PARAMETER;\r
-  }\r
-\r
   TempDataSize          = *DataSize;\r
   VariableNameSize      = StrSize (VariableName);\r
+  SmmVariableHeader     = NULL;\r
 \r
   //\r
   // If VariableName exceeds SMM payload limit. Return failure\r
@@ -323,7 +523,11 @@ RuntimeServiceGetVariable (
     goto Done;\r
   }\r
 \r
-  CopyMem (Data, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize, SmmVariableHeader->DataSize);\r
+  if (Data != NULL) {\r
+    CopyMem (Data, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize, SmmVariableHeader->DataSize);\r
+  } else {\r
+    Status = EFI_INVALID_PARAMETER;\r
+  }\r
 \r
 Done:\r
   ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
@@ -364,6 +568,7 @@ RuntimeServiceGetNextVariableName (
 \r
   OutVariableNameSize   = *VariableNameSize;\r
   InVariableNameSize    = StrSize (VariableName);\r
+  SmmGetNextVariableName = NULL;\r
 \r
   //\r
   // If input string exceeds SMM payload limit. Return failure\r
@@ -440,6 +645,9 @@ Done:
 /**\r
   This code sets variable in storage blocks (Volatile or Non-Volatile).\r
 \r
+  Caution: This function may receive untrusted input.\r
+  The data size and data are external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
   @param[in] VariableName                 Name of Variable to be found.\r
   @param[in] VendorGuid                   Variable vendor GUID.\r
   @param[in] Attributes                   Attribute value of the variable found\r
@@ -481,6 +689,7 @@ RuntimeServiceSetVariable (
   }\r
 \r
   VariableNameSize      = StrSize (VariableName);\r
+  SmmVariableHeader     = NULL;\r
 \r
   //\r
   // If VariableName or DataSize exceeds SMM payload limit. Return failure\r
@@ -551,6 +760,8 @@ RuntimeServiceQueryVariableInfo (
   UINTN                                     PayloadSize;\r
   SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *SmmQueryVariableInfo;\r
 \r
+  SmmQueryVariableInfo = NULL;\r
+\r
   if(MaximumVariableStorageSize == NULL || RemainingVariableStorageSize == NULL || MaximumVariableSize == NULL || Attributes == 0) {\r
     return EFI_INVALID_PARAMETER;\r
   }\r
@@ -699,7 +910,7 @@ SmmVariableReady (
   // Allocate memory for variable communicate buffer.\r
   //\r
   mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +\r
-                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - sizeof (VARIABLE_HEADER);\r
+                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - sizeof (VARIABLE_HEADER);\r
   mVariableBufferSize  = SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + mVariableBufferPayloadSize;\r
   mVariableBuffer      = AllocateRuntimePool (mVariableBufferSize);\r
   ASSERT (mVariableBuffer != NULL);\r
@@ -786,6 +997,7 @@ VariableSmmRuntimeInitialize (
   VOID                                      *SmmVariableWriteRegistration;\r
   EFI_EVENT                                 OnReadyToBootEvent;\r
   EFI_EVENT                                 ExitBootServiceEvent;\r
+  EFI_EVENT                                 LegacyBootEvent;\r
 \r
   EfiInitializeLock (&mVariableServicesLock, TPL_NOTIFY);\r
 \r
@@ -798,6 +1010,17 @@ VariableSmmRuntimeInitialize (
                   );\r
   ASSERT_EFI_ERROR (Status);\r
 \r
+  mVarCheck.RegisterSetVariableCheckHandler = VarCheckRegisterSetVariableCheckHandler;\r
+  mVarCheck.VariablePropertySet = VarCheckVariablePropertySet;\r
+  mVarCheck.VariablePropertyGet = VarCheckVariablePropertyGet;\r
+  Status = gBS->InstallMultipleProtocolInterfaces (\r
+                  &mHandle,\r
+                  &gEdkiiVarCheckProtocolGuid,\r
+                  &mVarCheck,\r
+                  NULL\r
+                  );\r
+  ASSERT_EFI_ERROR (Status);\r
+\r
   //\r
   // Smm variable service is ready\r
   //\r
@@ -842,6 +1065,17 @@ VariableSmmRuntimeInitialize (
          &ExitBootServiceEvent\r
          ); \r
 \r
+  //\r
+  // Register the event to inform SMM variable that it is at runtime for legacy boot.\r
+  // Reuse OnExitBootServices() here.\r
+  //\r
+  EfiCreateEventLegacyBootEx(\r
+    TPL_NOTIFY,\r
+    OnExitBootServices,\r
+    NULL,\r
+    &LegacyBootEvent\r
+    );\r
+\r
   //\r
   // Register the event to convert the pointer for runtime.\r
   //\r