MdeModulePkg Variable: Add missing warning annotation.

[mirror_edk2.git] / MdeModulePkg / Universal / Variable / RuntimeDxe / VariableSmmRuntimeDxe.c

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
index 2fca25981aaa1f1c945c330ac9d5fd1a6b51b491..14e421cb793f6e9b19dad8b70d829ce4db4a3f24 100644 (file)
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -4,7 +4,17 @@
   and volatile storage space and install variable architecture protocol\r
   based on SMM variable module.\r
 \r
-Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>\r
+  Caution: This module requires additional review when modified.\r
+  This driver will have external input - variable data.\r
+  This external input must be validated carefully to avoid security issue like\r
+  buffer overflow, integer overflow.\r
+\r
+  RuntimeServiceGetVariable() and RuntimeServiceSetVariable() are external API\r
+  to receive data buffer. The size should be checked carefully.\r
+\r
+  InitCommunicateBuffer() is really function to check the variable data size.\r
+\r
+Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials                          \r
 are licensed and made available under the terms and conditions of the BSD License         \r
 which accompanies this distribution.  The full text of the license may be found at        \r
@@ -19,6 +29,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Protocol/Variable.h>\r
 #include <Protocol/SmmCommunication.h>\r
 #include <Protocol/SmmVariable.h>\r
+#include <Protocol/VariableLock.h>\r
 \r
 #include <Library/UefiBootServicesTableLib.h>\r
 #include <Library/UefiRuntimeServicesTableLib.h>\r
@@ -42,7 +53,9 @@ EFI_SMM_COMMUNICATION_PROTOCOL  *mSmmCommunication          = NULL;
 UINT8                           *mVariableBuffer            = NULL;\r
 UINT8                           *mVariableBufferPhysical    = NULL;\r
 UINTN                            mVariableBufferSize;\r
+UINTN                            mVariableBufferPayloadSize;\r
 EFI_LOCK                         mVariableServicesLock;\r
+EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;\r
 \r
 /**\r
   Acquires lock only at boot time. Simply returns at runtime.\r
@@ -94,6 +107,9 @@ ReleaseLockOnlyAtBootTime (
   The communicate size is: SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE +\r
   DataSize.\r
 \r
+  Caution: This function may receive untrusted input.\r
+  The data size external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
   @param[out]      DataPtr          Points to the data in the communicate buffer.\r
   @param[in]       DataSize         The data size to send to SMM.\r
   @param[in]       Function         The function number to initialize the communicate header.\r
@@ -159,10 +175,81 @@ SendCommunicateBuffer (
   return  SmmVariableFunctionHeader->ReturnStatus;\r
 }\r
 \r
+/**\r
+  Mark a variable that will become read-only after leaving the DXE phase of execution.\r
+\r
+  @param[in] This          The VARIABLE_LOCK_PROTOCOL instance.\r
+  @param[in] VariableName  A pointer to the variable name that will be made read-only subsequently.\r
+  @param[in] VendorGuid    A pointer to the vendor GUID that will be made read-only subsequently.\r
+\r
+  @retval EFI_SUCCESS           The variable specified by the VariableName and the VendorGuid was marked\r
+                                as pending to be read-only.\r
+  @retval EFI_INVALID_PARAMETER VariableName or VendorGuid is NULL.\r
+                                Or VariableName is an empty string.\r
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has\r
+                                already been signaled.\r
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+VariableLockRequestToLock (\r
+  IN CONST EDKII_VARIABLE_LOCK_PROTOCOL *This,\r
+  IN       CHAR16                       *VariableName,\r
+  IN       EFI_GUID                     *VendorGuid\r
+  )\r
+{\r
+  EFI_STATUS                                Status;\r
+  UINTN                                     VariableNameSize;\r
+  UINTN                                     PayloadSize;\r
+  SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE    *VariableToLock;\r
+\r
+  if (VariableName == NULL || VariableName[0] == 0 || VendorGuid == NULL) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  VariableNameSize = StrSize (VariableName);\r
+  VariableToLock   = NULL;\r
+\r
+  //\r
+  // If VariableName exceeds SMM payload limit. Return failure\r
+  //\r
+  if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
+  AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
+\r
+  //\r
+  // Init the communicate buffer. The buffer data size is:\r
+  // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
+  //\r
+  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + VariableNameSize;\r
+  Status = InitCommunicateBuffer ((VOID **) &VariableToLock, PayloadSize, SMM_VARIABLE_FUNCTION_LOCK_VARIABLE);\r
+  if (EFI_ERROR (Status)) {\r
+    goto Done;\r
+  }\r
+  ASSERT (VariableToLock != NULL);\r
+\r
+  CopyGuid (&VariableToLock->Guid, VendorGuid);\r
+  VariableToLock->NameSize = VariableNameSize;\r
+  CopyMem (VariableToLock->Name, VariableName, VariableToLock->NameSize);\r
+\r
+  //\r
+  // Send data to SMM.\r
+  //\r
+  Status = SendCommunicateBuffer (PayloadSize);\r
+\r
+Done:\r
+  ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r
+  return Status;\r
+}\r
 \r
 /**\r
   This code finds variable in storage blocks (Volatile or Non-Volatile).\r
 \r
+  Caution: This function may receive untrusted input.\r
+  The data size is external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
   @param[in]      VariableName       Name of Variable to be found.\r
   @param[in]      VendorGuid         Variable vendor GUID.\r
   @param[out]     Attributes         Attribute value of the variable found.\r
@@ -189,6 +276,8 @@ RuntimeServiceGetVariable (
   EFI_STATUS                                Status;\r
   UINTN                                     PayloadSize;\r
   SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE  *SmmVariableHeader;\r
+  UINTN                                     TempDataSize;\r
+  UINTN                                     VariableNameSize;\r
 \r
   if (VariableName == NULL || VendorGuid == NULL || DataSize == NULL) {\r
     return EFI_INVALID_PARAMETER;\r
@@ -198,13 +287,14 @@ RuntimeServiceGetVariable (
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
-  if (*DataSize >= mVariableBufferSize) {\r
-    //\r
-    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
-    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
-    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
-    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
-    //\r
+  TempDataSize          = *DataSize;\r
+  VariableNameSize      = StrSize (VariableName);\r
+  SmmVariableHeader     = NULL;\r
+\r
+  //\r
+  // If VariableName exceeds SMM payload limit. Return failure\r
+  //\r
+  if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
@@ -214,7 +304,14 @@ RuntimeServiceGetVariable (
   // Init the communicate buffer. The buffer data size is:\r
   // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
   //\r
-  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName) + *DataSize;\r
+  if (TempDataSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - VariableNameSize) {\r
+    //\r
+    // If output data buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r
+    //\r
+    TempDataSize = mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - VariableNameSize;\r
+  }\r
+  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + VariableNameSize + TempDataSize;\r
+\r
   Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_GET_VARIABLE);\r
   if (EFI_ERROR (Status)) {\r
     goto Done;\r
@@ -222,8 +319,8 @@ RuntimeServiceGetVariable (
   ASSERT (SmmVariableHeader != NULL);\r
 \r
   CopyGuid (&SmmVariableHeader->Guid, VendorGuid);\r
-  SmmVariableHeader->DataSize   = *DataSize;\r
-  SmmVariableHeader->NameSize   = StrSize (VariableName);\r
+  SmmVariableHeader->DataSize   = TempDataSize;\r
+  SmmVariableHeader->NameSize   = VariableNameSize;\r
   if (Attributes == NULL) {\r
     SmmVariableHeader->Attributes = 0;\r
   } else {\r
@@ -239,7 +336,13 @@ RuntimeServiceGetVariable (
   //\r
   // Get data from SMM.\r
   //\r
-  *DataSize = SmmVariableHeader->DataSize;\r
+  if (Status == EFI_SUCCESS || Status == EFI_BUFFER_TOO_SMALL) {\r
+    //\r
+    // SMM CommBuffer DataSize can be a trimed value\r
+    // Only update DataSize when needed\r
+    //\r
+    *DataSize = SmmVariableHeader->DataSize;\r
+  }\r
   if (Attributes != NULL) {\r
     *Attributes = SmmVariableHeader->Attributes;\r
   }\r
@@ -280,18 +383,21 @@ RuntimeServiceGetNextVariableName (
   EFI_STATUS                                      Status;\r
   UINTN                                           PayloadSize;\r
   SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *SmmGetNextVariableName;\r
+  UINTN                                           OutVariableNameSize;\r
+  UINTN                                           InVariableNameSize;\r
 \r
   if (VariableNameSize == NULL || VariableName == NULL || VendorGuid == NULL) {\r
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
-  if (*VariableNameSize >= mVariableBufferSize) {\r
-    //\r
-    // VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
-    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
-    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.\r
-    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
-    //\r
+  OutVariableNameSize   = *VariableNameSize;\r
+  InVariableNameSize    = StrSize (VariableName);\r
+  SmmGetNextVariableName = NULL;\r
+\r
+  //\r
+  // If input string exceeds SMM payload limit. Return failure\r
+  //\r
+  if (InVariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
@@ -301,16 +407,37 @@ RuntimeServiceGetNextVariableName (
   // Init the communicate buffer. The buffer data size is:\r
   // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
   //\r
-  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + *VariableNameSize; \r
+  if (OutVariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+    //\r
+    // If output buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r
+    //\r
+    OutVariableNameSize = mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);\r
+  }\r
+  //\r
+  // Payload should be Guid + NameSize + MAX of Input & Output buffer\r
+  //\r
+  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + MAX (OutVariableNameSize, InVariableNameSize);\r
+\r
+\r
   Status = InitCommunicateBuffer ((VOID **)&SmmGetNextVariableName, PayloadSize, SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME);\r
   if (EFI_ERROR (Status)) {\r
     goto Done;\r
   }\r
   ASSERT (SmmGetNextVariableName != NULL);\r
 \r
-  SmmGetNextVariableName->NameSize = *VariableNameSize;\r
+  //\r
+  // SMM comm buffer->NameSize is buffer size for return string\r
+  //\r
+  SmmGetNextVariableName->NameSize = OutVariableNameSize;\r
+\r
   CopyGuid (&SmmGetNextVariableName->Guid, VendorGuid);\r
-  CopyMem (SmmGetNextVariableName->Name, VariableName, *VariableNameSize);\r
+  //\r
+  // Copy whole string\r
+  //\r
+  CopyMem (SmmGetNextVariableName->Name, VariableName, InVariableNameSize);\r
+  if (OutVariableNameSize > InVariableNameSize) {\r
+    ZeroMem ((UINT8 *) SmmGetNextVariableName->Name + InVariableNameSize, OutVariableNameSize - InVariableNameSize);\r
+  }\r
 \r
   //\r
   // Send data to SMM\r
@@ -320,7 +447,13 @@ RuntimeServiceGetNextVariableName (
   //\r
   // Get data from SMM.\r
   //\r
-  *VariableNameSize = SmmGetNextVariableName->NameSize;    \r
+  if (Status == EFI_SUCCESS || Status == EFI_BUFFER_TOO_SMALL) {\r
+    //\r
+    // SMM CommBuffer NameSize can be a trimed value\r
+    // Only update VariableNameSize when needed\r
+    //\r
+    *VariableNameSize = SmmGetNextVariableName->NameSize;\r
+  }\r
   if (EFI_ERROR (Status)) {\r
     goto Done;\r
   }\r
@@ -336,6 +469,9 @@ Done:
 /**\r
   This code sets variable in storage blocks (Volatile or Non-Volatile).\r
 \r
+  Caution: This function may receive untrusted input.\r
+  The data size and data are external input, so this function will validate it carefully to avoid buffer overflow.\r
+\r
   @param[in] VariableName                 Name of Variable to be found.\r
   @param[in] VendorGuid                   Variable vendor GUID.\r
   @param[in] Attributes                   Attribute value of the variable found\r
@@ -363,6 +499,7 @@ RuntimeServiceSetVariable (
   EFI_STATUS                                Status;\r
   UINTN                                     PayloadSize; \r
   SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE  *SmmVariableHeader;\r
+  UINTN                                     VariableNameSize;\r
     \r
   //\r
   // Check input parameters.\r
@@ -375,13 +512,14 @@ RuntimeServiceSetVariable (
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
-  if (DataSize >= mVariableBufferSize) {\r
-    //\r
-    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
-    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
-    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
-    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
-    //\r
+  VariableNameSize      = StrSize (VariableName);\r
+  SmmVariableHeader     = NULL;\r
+\r
+  //\r
+  // If VariableName or DataSize exceeds SMM payload limit. Return failure\r
+  //\r
+  if ((VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||\r
+      (DataSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - VariableNameSize)){\r
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
@@ -391,7 +529,7 @@ RuntimeServiceSetVariable (
   // Init the communicate buffer. The buffer data size is:\r
   // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r
   //\r
-  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName) + DataSize;\r
+  PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + VariableNameSize + DataSize;\r
   Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_SET_VARIABLE);\r
   if (EFI_ERROR (Status)) {\r
     goto Done;\r
@@ -400,7 +538,7 @@ RuntimeServiceSetVariable (
 \r
   CopyGuid ((EFI_GUID *) &SmmVariableHeader->Guid, VendorGuid);\r
   SmmVariableHeader->DataSize   = DataSize;\r
-  SmmVariableHeader->NameSize   = StrSize (VariableName);\r
+  SmmVariableHeader->NameSize   = VariableNameSize;\r
   SmmVariableHeader->Attributes = Attributes;\r
   CopyMem (SmmVariableHeader->Name, VariableName, SmmVariableHeader->NameSize);\r
   CopyMem ((UINT8 *) SmmVariableHeader->Name + SmmVariableHeader->NameSize, Data, DataSize);\r
@@ -446,6 +584,8 @@ RuntimeServiceQueryVariableInfo (
   UINTN                                     PayloadSize;\r
   SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *SmmQueryVariableInfo;\r
 \r
+  SmmQueryVariableInfo = NULL;\r
+\r
   if(MaximumVariableStorageSize == NULL || RemainingVariableStorageSize == NULL || MaximumVariableSize == NULL || Attributes == 0) {\r
     return EFI_INVALID_PARAMETER;\r
   }\r
@@ -591,10 +731,11 @@ SmmVariableReady (
   ASSERT_EFI_ERROR (Status);\r
   \r
   //\r
-  // Allocate memory for variable store.\r
+  // Allocate memory for variable communicate buffer.\r
   //\r
-  mVariableBufferSize  = SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r
-  mVariableBufferSize += MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize));\r
+  mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +\r
+                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - sizeof (VARIABLE_HEADER);\r
+  mVariableBufferSize  = SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + mVariableBufferPayloadSize;\r
   mVariableBuffer      = AllocateRuntimePool (mVariableBufferSize);\r
   ASSERT (mVariableBuffer != NULL);\r
 \r
@@ -675,6 +816,7 @@ VariableSmmRuntimeInitialize (
   IN EFI_SYSTEM_TABLE                       *SystemTable\r
   )\r
 {\r
+  EFI_STATUS                                Status;\r
   VOID                                      *SmmVariableRegistration;\r
   VOID                                      *SmmVariableWriteRegistration;\r
   EFI_EVENT                                 OnReadyToBootEvent;\r
@@ -682,6 +824,15 @@ VariableSmmRuntimeInitialize (
 \r
   EfiInitializeLock (&mVariableServicesLock, TPL_NOTIFY);\r
 \r
+  mVariableLock.RequestToLock = VariableLockRequestToLock;\r
+  Status = gBS->InstallMultipleProtocolInterfaces (\r
+                  &mHandle,\r
+                  &gEdkiiVariableLockProtocolGuid,\r
+                  &mVariableLock,\r
+                  NULL\r
+                  );\r
+  ASSERT_EFI_ERROR (Status);\r
+\r
   //\r
   // Smm variable service is ready\r
   //\r