If DataSize or VariableNameSize is near MAX_ADDRESS, this can cause the computed...

author lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>

Mon, 8 Apr 2013 06:56:08 +0000 (06:56 +0000)

committer lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>

Mon, 8 Apr 2013 06:56:08 +0000 (06:56 +0000)
author lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>
Mon, 8 Apr 2013 06:56:08 +0000 (06:56 +0000)
committer lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>
Mon, 8 Apr 2013 06:56:08 +0000 (06:56 +0000)
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c

index 8f10425ebbbc8a8961df8d219b07b155f27addb9..956c1f2ae1682dc531cdb910e6bc856cc6afb4f2 100644 (file)
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
@@ -2755,6 +2755,11 @@ VariableCommonInitialize (
    }  \r
    ASSERT(VariableStoreHeader->Size == VariableStoreLength);\r
      \r
+  //\r
+  // The max variable or hardware error variable size should be < variable store size.\r
+  //\r
+  ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);\r
+\r
    //\r
    // Parse non-volatile variable data and get last variable offset.\r
    //\r
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c

index 2a59ac16f9cd08eac39ab1377eb0764e68bb11fd..2fca25981aaa1f1c945c330ac9d5fd1a6b51b491 100644 (file)
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -198,6 +198,16 @@ RuntimeServiceGetVariable (
      return EFI_INVALID_PARAMETER;\r
    }\r
  \r
+  if (*DataSize >= mVariableBufferSize) {\r
+    //\r
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+    //\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
    AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
  \r
    //\r
@@ -275,6 +285,16 @@ RuntimeServiceGetNextVariableName (
      return EFI_INVALID_PARAMETER;\r
    }\r
  \r
+  if (*VariableNameSize >= mVariableBufferSize) {\r
+    //\r
+    // VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.\r
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+    //\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
    AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
  \r
    //\r
@@ -355,6 +375,16 @@ RuntimeServiceSetVariable (
      return EFI_INVALID_PARAMETER;\r
    }\r
  \r
+  if (DataSize >= mVariableBufferSize) {\r
+    //\r
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+    //\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
    AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
   \r
    //\r
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c

index 10915e45b0f55151f6fc275ff028115ec314a3a8..1595c8c206e76bd3f9b858bd3d1d41eaae79fae0 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -3223,6 +3223,11 @@ VariableCommonInitialize (
    }\r
    ASSERT(VariableStoreHeader->Size == VariableStoreLength);\r
  \r
+  //\r
+  // The max variable or hardware error variable size should be < variable store size.\r
+  //\r
+  ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);\r
+\r
    //\r
    // Parse non-volatile variable data and get last variable offset.\r
    //\r
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c

index a785476ff301866f76c871e559b489b754943ccf..103a12914a1c0a841f363d321ce8f90722e259be 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -214,6 +214,16 @@ RuntimeServiceGetVariable (
      return EFI_INVALID_PARAMETER;\r
    }\r
  \r
+  if (*DataSize >= mVariableBufferSize) {\r
+    //\r
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+    //\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
    AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
  \r
    //\r
@@ -291,6 +301,16 @@ RuntimeServiceGetNextVariableName (
      return EFI_INVALID_PARAMETER;\r
    }\r
  \r
+  if (*VariableNameSize >= mVariableBufferSize) {\r
+    //\r
+    // VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.\r
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+    //\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
    AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
  \r
    //\r
@@ -374,6 +394,16 @@ RuntimeServiceSetVariable (
      return EFI_INVALID_PARAMETER;\r
    }\r
  \r
+  if (DataSize >= mVariableBufferSize) {\r
+    //\r
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r
+    // overflow to a small value and pass the check in InitCommunicateBuffer().\r
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r
+    //\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
    AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r
   \r
    //\r
author	lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>
	Mon, 8 Apr 2013 06:56:08 +0000 (06:56 +0000)
committer	lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>
	Mon, 8 Apr 2013 06:56:08 +0000 (06:56 +0000)
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c		patch \| blob \| blame \| history
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c		patch \| blob \| blame \| history
SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c		patch \| blob \| blame \| history
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c		patch \| blob \| blame \| history