/** @file\r
\r
-Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>\r
+\r
+ Caution: This module requires additional review when modified.\r
+ This driver will have external input - communicate buffer in SMM mode.\r
+ This external input must be validated carefully to avoid security issue like\r
+ buffer overflow, integer overflow.\r
+\r
+ SmmLockBoxHandler(), SmmLockBoxRestore(), SmmLockBoxUpdate(), SmmLockBoxSave()\r
+ will receive untrusted input and do basic validation.\r
\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions\r
return FALSE;\r
}\r
\r
+/**\r
+ This function check if the address refered by Buffer and Length is valid.\r
+\r
+ @param Buffer the buffer address to be checked.\r
+ @param Length the buffer length to be checked.\r
+\r
+ @retval TRUE this address is valid.\r
+ @retval FALSE this address is NOT valid.\r
+**/\r
+BOOLEAN\r
+IsAddressValid (\r
+ IN UINTN Buffer,\r
+ IN UINTN Length\r
+ )\r
+{\r
+ if (Buffer > (MAX_ADDRESS - Length)) {\r
+ //\r
+ // Overflow happen\r
+ //\r
+ return FALSE;\r
+ }\r
+ if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {\r
+ return FALSE;\r
+ }\r
+ return TRUE;\r
+}\r
+\r
/**\r
Dispatch function for SMM lock box save.\r
\r
+ Caution: This function may receive untrusted input.\r
+ Restore buffer and length are external input, so this function will validate\r
+ it is in SMRAM.\r
+\r
@param LockBoxParameterSave parameter of lock box save \r
**/\r
VOID\r
return ;\r
}\r
\r
+ //\r
+ // Sanity check\r
+ //\r
+ if (!IsAddressValid ((UINTN)LockBoxParameterSave->Buffer, (UINTN)LockBoxParameterSave->Length)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Save address in SMRAM!\n"));\r
+ LockBoxParameterSave->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;\r
+ return ;\r
+ }\r
+\r
//\r
// Save data\r
//\r
/**\r
Dispatch function for SMM lock box update.\r
\r
+ Caution: This function may receive untrusted input.\r
+ Restore buffer and length are external input, so this function will validate\r
+ it is in SMRAM.\r
+\r
@param LockBoxParameterUpdate parameter of lock box update \r
**/\r
VOID\r
return ;\r
}\r
\r
+ //\r
+ // Sanity check\r
+ //\r
+ if (!IsAddressValid ((UINTN)LockBoxParameterUpdate->Buffer, (UINTN)LockBoxParameterUpdate->Length)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM!\n"));\r
+ LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;\r
+ return ;\r
+ }\r
+\r
//\r
// Update data\r
//\r
/**\r
Dispatch function for SMM lock box restore.\r
\r
+ Caution: This function may receive untrusted input.\r
+ Restore buffer and length are external input, so this function will validate\r
+ it is in SMRAM.\r
+\r
@param LockBoxParameterRestore parameter of lock box restore \r
**/\r
VOID\r
//\r
// Sanity check\r
//\r
- if (IsAddressInSmram (LockBoxParameterRestore->Buffer, LockBoxParameterRestore->Length)) {\r
+ if (!IsAddressValid ((UINTN)LockBoxParameterRestore->Buffer, (UINTN)LockBoxParameterRestore->Length)) {\r
DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM!\n"));\r
LockBoxParameterRestore->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;\r
return ;\r
/**\r
Dispatch function for a Software SMI handler.\r
\r
+ Caution: This function may receive untrusted input.\r
+ Communicate buffer and buffer size are external input, so this function will do basic validation.\r
+\r
@param DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().\r
@param Context Points to an optional handler context which was specified when the\r
handler was registered.\r
\r
DEBUG ((EFI_D_ERROR, "SmmLockBox SmmLockBoxHandler Enter\n"));\r
\r
+ //\r
+ // Sanity check\r
+ //\r
+ if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_HEADER)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size invalid!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
+ if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM!\n"));\r
+ return EFI_SUCCESS;\r
+ }\r
+\r
LockBoxParameterHeader = (EFI_SMM_LOCK_BOX_PARAMETER_HEADER *)((UINTN)CommBuffer);\r
\r
LockBoxParameterHeader->ReturnStatus = (UINT64)-1;\r
\r
switch (LockBoxParameterHeader->Command) {\r
case EFI_SMM_LOCK_BOX_COMMAND_SAVE:\r
+ if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SAVE)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SAVE invalid!\n"));\r
+ break;\r
+ }\r
SmmLockBoxSave ((EFI_SMM_LOCK_BOX_PARAMETER_SAVE *)(UINTN)LockBoxParameterHeader);\r
break;\r
case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:\r
+ if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_UPDATE)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for UPDATE invalid!\n"));\r
+ break;\r
+ }\r
SmmLockBoxUpdate ((EFI_SMM_LOCK_BOX_PARAMETER_UPDATE *)(UINTN)LockBoxParameterHeader);\r
break;\r
case EFI_SMM_LOCK_BOX_COMMAND_RESTORE:\r
+ if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for RESTORE invalid!\n"));\r
+ break;\r
+ }\r
SmmLockBoxRestore ((EFI_SMM_LOCK_BOX_PARAMETER_RESTORE *)(UINTN)LockBoxParameterHeader);\r
break;\r
case EFI_SMM_LOCK_BOX_COMMAND_SET_ATTRIBUTES:\r
+ if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SET_ATTRIBUTES invalid!\n"));\r
+ break;\r
+ }\r
SmmLockBoxSetAttributes ((EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES *)(UINTN)LockBoxParameterHeader);\r
break;\r
case EFI_SMM_LOCK_BOX_COMMAND_RESTORE_ALL_IN_PLACE:\r
+ if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for RESTORE_ALL_IN_PLACE invalid!\n"));\r
+ break;\r
+ }\r
SmmLockBoxRestoreAllInPlace ((EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE *)(UINTN)LockBoxParameterHeader);\r
break;\r
default:\r
+ DEBUG ((EFI_D_ERROR, "SmmLockBox Command invalid!\n"));\r
break;\r
}\r
\r