VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(), \r
SmmVariableGetStatistics() should also do validation based on its own knowledge.\r
\r
-Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
#include <Protocol/SmmVariable.h>\r
#include <Protocol/SmmFirmwareVolumeBlock.h>\r
#include <Protocol/SmmFaultTolerantWrite.h>\r
+#include <Protocol/SmmAccess2.h>\r
+\r
#include <Library/SmmServicesTableLib.h>\r
\r
#include <Guid/AuthenticatedVariableFormat.h>\r
#include <Guid/SmmVariableCommon.h>\r
#include "Variable.h"\r
\r
+EFI_SMRAM_DESCRIPTOR *mSmramRanges;\r
+UINTN mSmramRangeCount;\r
+\r
extern VARIABLE_INFO_ENTRY *gVariableInfo;\r
EFI_HANDLE mSmmVariableHandle = NULL;\r
EFI_HANDLE mVariableHandle = NULL;\r
BOOLEAN mAtRuntime = FALSE;\r
EFI_GUID mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}};\r
- \r
+UINT8 *mVariableBufferPayload = NULL;\r
+UINTN mVariableBufferPayloadSize;\r
+\r
EFI_SMM_VARIABLE_PROTOCOL gSmmVariable = {\r
VariableServiceGetVariable,\r
VariableServiceGetNextVariableName,\r
return mAtRuntime;\r
}\r
\r
+/**\r
+ This function check if the address is in SMRAM.\r
+\r
+ @param Buffer the buffer address to be checked.\r
+ @param Length the buffer length to be checked.\r
+\r
+ @retval TRUE this address is in SMRAM.\r
+ @retval FALSE this address is NOT in SMRAM.\r
+**/\r
+BOOLEAN\r
+InternalIsAddressInSmram (\r
+ IN EFI_PHYSICAL_ADDRESS Buffer,\r
+ IN UINT64 Length\r
+ )\r
+{\r
+ UINTN Index;\r
+\r
+ for (Index = 0; Index < mSmramRangeCount; Index ++) {\r
+ if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||\r
+ ((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {\r
+ return TRUE;\r
+ }\r
+ }\r
+\r
+ return FALSE;\r
+}\r
+\r
+/**\r
+ This function check if the address refered by Buffer and Length is valid.\r
+\r
+ @param Buffer the buffer address to be checked.\r
+ @param Length the buffer length to be checked.\r
+\r
+ @retval TRUE this address is valid.\r
+ @retval FALSE this address is NOT valid.\r
+**/\r
+BOOLEAN\r
+InternalIsAddressValid (\r
+ IN UINTN Buffer,\r
+ IN UINTN Length\r
+ )\r
+{\r
+ if (Buffer > (MAX_ADDRESS - Length)) {\r
+ //\r
+ // Overflow happen\r
+ //\r
+ return FALSE;\r
+ }\r
+ if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {\r
+ return FALSE;\r
+ }\r
+ return TRUE;\r
+}\r
+\r
/**\r
Initializes a basic mutual exclusion lock.\r
\r
*NumberHandles = BufferSize / sizeof(EFI_HANDLE);\r
if (EFI_ERROR(Status)) {\r
*NumberHandles = 0;\r
+ FreePool (*Buffer);\r
+ *Buffer = NULL;\r
}\r
\r
return Status;\r
UINTN NameLength;\r
UINTN StatisticsInfoSize;\r
CHAR16 *InfoName;\r
+ EFI_GUID VendorGuid;\r
\r
if (InfoEntry == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
InfoName = (CHAR16 *)(InfoEntry + 1);\r
\r
- if (CompareGuid (&InfoEntry->VendorGuid, &mZeroGuid)) {\r
+ CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);\r
+\r
+ if (CompareGuid (&VendorGuid, &mZeroGuid)) {\r
//\r
// Return the first variable info\r
//\r
// Get the next variable info\r
//\r
while (VariableInfo != NULL) {\r
- if (CompareGuid (&VariableInfo->VendorGuid, &InfoEntry->VendorGuid)) {\r
+ if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {\r
NameLength = StrSize (VariableInfo->Name);\r
if (NameLength == StrSize (InfoName)) {\r
if (CompareMem (VariableInfo->Name, InfoName, NameLength) == 0) {\r
@retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still \r
be called.\r
@retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.\r
- @retval EFI_INVALID_PARAMETER Input parameter is invalid.\r
\r
**/\r
EFI_STATUS\r
SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *QueryVariableInfo;\r
VARIABLE_INFO_ENTRY *VariableInfo;\r
UINTN InfoSize;\r
+ UINTN NameBufferSize;\r
+ UINTN CommBufferPayloadSize;\r
\r
- if (CommBuffer == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
+ //\r
+ // If input is invalid, stop processing this SMI\r
+ //\r
+ if (CommBuffer == NULL || CommBufferSize == NULL) {\r
+ return EFI_SUCCESS;\r
+ }\r
+\r
+ if (*CommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
+ DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
+ CommBufferPayloadSize = *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r
+ if (CommBufferPayloadSize > mVariableBufferPayloadSize) {\r
+ DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));\r
+ return EFI_SUCCESS;\r
}\r
\r
+ if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
+ \r
SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;\r
+ \r
switch (SmmVariableFunctionHeader->Function) {\r
case SMM_VARIABLE_FUNCTION_GET_VARIABLE:\r
- SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data; \r
+ if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r
+ DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
+ //\r
+ // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.\r
+ //\r
+ CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);\r
+ SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;\r
+ if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||\r
+ ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {\r
+ //\r
+ // Prevent InfoSize overflow happen\r
+ //\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+ InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) \r
+ + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;\r
+\r
+ //\r
+ // SMRAM range check already covered before\r
+ //\r
+ if (InfoSize > CommBufferPayloadSize) {\r
+ DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
+ if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {\r
+ //\r
+ // Make sure VariableName is A Null-terminated string.\r
+ //\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
Status = VariableServiceGetVariable (\r
SmmVariableHeader->Name,\r
&SmmVariableHeader->Guid,\r
&SmmVariableHeader->DataSize,\r
(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize\r
);\r
+ CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);\r
break;\r
\r
case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:\r
- GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) SmmVariableFunctionHeader->Data;\r
+ if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+ DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
+ //\r
+ // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.\r
+ //\r
+ CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);\r
+ GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;\r
+ if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r
+ //\r
+ // Prevent InfoSize overflow happen\r
+ //\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+ InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize;\r
+\r
+ //\r
+ // SMRAM range check already covered before\r
+ //\r
+ if (InfoSize > CommBufferPayloadSize) {\r
+ DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
+ NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);\r
+ if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {\r
+ //\r
+ // Make sure input VariableName is A Null-terminated string.\r
+ //\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
Status = VariableServiceGetNextVariableName (\r
&GetNextVariableName->NameSize,\r
GetNextVariableName->Name,\r
&GetNextVariableName->Guid\r
);\r
+ CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);\r
break;\r
\r
case SMM_VARIABLE_FUNCTION_SET_VARIABLE:\r
- SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;\r
+ if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r
+ DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
+ //\r
+ // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.\r
+ //\r
+ CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);\r
+ SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;\r
+ if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||\r
+ ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {\r
+ //\r
+ // Prevent InfoSize overflow happen\r
+ //\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+ InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)\r
+ + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;\r
+\r
+ //\r
+ // SMRAM range check already covered before\r
+ // Data buffer should not contain SMM range\r
+ //\r
+ if (InfoSize > CommBufferPayloadSize) {\r
+ DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
+ if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {\r
+ //\r
+ // Make sure VariableName is A Null-terminated string.\r
+ //\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
Status = VariableServiceSetVariable (\r
SmmVariableHeader->Name,\r
&SmmVariableHeader->Guid,\r
break;\r
\r
case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:\r
+ if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {\r
+ DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;\r
+ \r
Status = VariableServiceQueryVariableInfo (\r
QueryVariableInfo->Attributes,\r
&QueryVariableInfo->MaximumVariableStorageSize,\r
break;\r
\r
case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:\r
+ if (AtRuntime()) {\r
+ Status = EFI_UNSUPPORTED;\r
+ break;\r
+ }\r
ReclaimForOS ();\r
Status = EFI_SUCCESS;\r
break;\r
\r
case SMM_VARIABLE_FUNCTION_GET_STATISTICS:\r
VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;\r
- InfoSize = *CommBufferSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_HEADER, Data);\r
+ InfoSize = *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r
+\r
+ //\r
+ // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here. \r
+ // It is covered by previous CommBuffer check \r
+ //\r
+ \r
+ if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {\r
+ DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ } \r
+\r
Status = SmmVariableGetStatistics (VariableInfo, &InfoSize);\r
- *CommBufferSize = InfoSize + OFFSET_OF (SMM_VARIABLE_COMMUNICATE_HEADER, Data);\r
+ *CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r
break;\r
\r
default:\r
- ASSERT (FALSE);\r
Status = EFI_UNSUPPORTED;\r
}\r
\r
- SmmVariableFunctionHeader->ReturnStatus = Status;\r
+EXIT:\r
\r
+ SmmVariableFunctionHeader->ReturnStatus = Status;\r
return EFI_SUCCESS;\r
}\r
\r
EFI_STATUS Status;\r
EFI_HANDLE VariableHandle;\r
VOID *SmmFtwRegistration;\r
- \r
+ EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;\r
+ UINTN Size;\r
+\r
//\r
// Variable initialize.\r
//\r
);\r
ASSERT_EFI_ERROR (Status);\r
\r
+ //\r
+ // Get SMRAM information\r
+ //\r
+ Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);\r
+ ASSERT_EFI_ERROR (Status);\r
+\r
+ Size = 0;\r
+ Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);\r
+ ASSERT (Status == EFI_BUFFER_TOO_SMALL);\r
+\r
+ Status = gSmst->SmmAllocatePool (\r
+ EfiRuntimeServicesData,\r
+ Size,\r
+ (VOID **)&mSmramRanges\r
+ );\r
+ ASSERT_EFI_ERROR (Status);\r
+\r
+ Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);\r
+ ASSERT_EFI_ERROR (Status);\r
+\r
+ mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);\r
+\r
+ mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +\r
+ OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - sizeof (VARIABLE_HEADER);\r
+\r
+ Status = gSmst->SmmAllocatePool (\r
+ EfiRuntimeServicesData,\r
+ mVariableBufferPayloadSize,\r
+ (VOID **)&mVariableBufferPayload\r
+ );\r
+ ASSERT_EFI_ERROR (Status);\r
+\r
///\r
/// Register SMM variable SMI handler\r
///\r
projects / mirror_edk2.git / blobdiff