]> git.proxmox.com Git - mirror_edk2.git/blobdiff - SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
projects / mirror_edk2.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
1. Update AuthVarialbe driver to avoid integer overflow when using EFI_VARIABLE_AUTHE...
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / Variable.c
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index 7d0d21502af63e9383625168f8ce6cf45aa91902..c84a2f62d3d70c6aa43f7df96c41fac631b59004 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -2,7 +2,7 @@
   The common variable operation routines shared by DXE_RINTIME variable\r
   module and DXE_SMM variable module.\r
 \r
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions of the BSD License\r
 which accompanies this distribution.  The full text of the license may be found at\r
@@ -1157,7 +1157,7 @@ VariableGetBestLanguage (
 \r
 **/\r
 VOID\r
-AutoUpdateLangVariable(\r
+AutoUpdateLangVariable (\r
   IN  CHAR16             *VariableName,\r
   IN  VOID               *Data,\r
   IN  UINTN              DataSize\r
@@ -2163,8 +2163,8 @@ VariableServiceSetVariable (
     // Sanity check for EFI_VARIABLE_AUTHENTICATION_2 descriptor.\r
     //\r
     if (DataSize < OFFSET_OF_AUTHINFO2_CERT_DATA ||\r
-       DataSize < AUTHINFO2_SIZE (Data) ||\r
-       ((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->AuthInfo.Hdr.dwLength < OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
+      ((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->AuthInfo.Hdr.dwLength > DataSize - (OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) ||\r
+      ((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->AuthInfo.Hdr.dwLength < OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
       return EFI_SECURITY_VIOLATION;\r
     }\r
     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
@@ -2616,6 +2616,17 @@ VariableCommonInitialize (
   if (TempVariableStoreHeader == 0) {\r
     TempVariableStoreHeader = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);\r
   }\r
+  \r
+  //\r
+  // Check if the Firmware Volume is not corrupted\r
+  //\r
+  if ((((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->Signature != EFI_FVH_SIGNATURE) ||\r
+      (!CompareGuid (&gEfiSystemNvDataFvGuid, &((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->FileSystemGuid))) {\r
+    Status = EFI_VOLUME_CORRUPTED;\r
+    DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));\r
+    goto Done;\r
+  }\r
+\r
   VariableStoreBase       = TempVariableStoreHeader + \\r
                               (((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader)) -> HeaderLength);\r
   VariableStoreLength     = (UINT64) PcdGet32 (PcdFlashNvStorageVariableSize) - \\r
EFI Development Kit II mirror for PVE