The Variable PEI and RuntimeDxe drivers were using the 'HeaderLength' field of
EFI_FIRMWARE_VOLUME_HEADER without checking whether a Firmware Volume Header existed at
the base address.
If the Firmware Volume Header does not exist or is corrupted, the 'HeaderLength' field
holds an invalid value, which can lead to an invalid physical address that produces an
access error when it is accessed.
Signed-off-by: oliviermartin
Reviewed-by: rsun3
Reviewed-by: niruiyu
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12845
6f19259b-4bc3-4df7-8a09-
765794883524
PcdGet64 (PcdFlashNvStorageVariableBase64) : \r
PcdGet32 (PcdFlashNvStorageVariableBase)\r
);\r
+\r
+ //\r
+ // Check if the Firmware Volume is not corrupted\r
+ //\r
+ if ((FvHeader->Signature != EFI_FVH_SIGNATURE) || (!CompareGuid (&gEfiSystemNvDataFvGuid, &FvHeader->FileSystemGuid))) {\r
+ DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));\r
+ break;\r
+ }\r
+ \r
VariableStoreHeader = (VARIABLE_STORE_HEADER *) ((UINT8 *) FvHeader + FvHeader->HeaderLength);\r
\r
if (IndexTable != NULL) {\r
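Review bot: The added check validates only `Signature` and `FileSystemGuid`, so a header that passes both but carries a damaged `HeaderLength` still reaches the pointer arithmetic on the `VariableStoreHeader = ...` line unchanged. Bounding the field before use would close that gap, for example `if (FvHeader->HeaderLength < sizeof (EFI_FIRMWARE_VOLUME_HEADER) || FvHeader->HeaderLength >= PcdGet32 (PcdFlashNvStorageVariableSize)) { break; }`, assuming that PCD is available to this module. The same applies to the RuntimeDxe hunk, where `HeaderLength` is added to `TempVariableStoreHeader` right after the equivalent check. The construct that `break` leaves and the value `VariableStoreHeader` holds on that path are outside this hunk, so confirm that callers handle the corrupted case rather than using a stale pointer.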
\r
#include <Guid/AuthenticatedVariableFormat.h>\r
#include <Guid/VariableIndexTable.h>\r
+#include <Guid/SystemNvDataGuid.h>\r
\r
typedef enum {\r
VariableStoreTypeHob,\r
[Guids]\r
gEfiAuthenticatedVariableGuid\r
gEfiVariableIndexTableGuid\r
+ gEfiSystemNvDataFvGuid\r
\r
[Ppis]\r
gEfiPeiReadOnlyVariable2PpiGuid ## SOMETIMES_PRODUCES (Not for boot mode RECOVERY)\r
\r
**/\r
VOID\r
-AutoUpdateLangVariable(\r
+AutoUpdateLangVariable (\r
IN CHAR16 *VariableName,\r
IN VOID *Data,\r
IN UINTN DataSize\r
if (TempVariableStoreHeader == 0) {\r
TempVariableStoreHeader = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);\r
}\r
+ \r
+ //\r
+ // Check if the Firmware Volume is not corrupted\r
+ //\r
+ if ((((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->Signature != EFI_FVH_SIGNATURE) ||\r
+ (!CompareGuid (&gEfiSystemNvDataFvGuid, &((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->FileSystemGuid))) {\r
+ Status = EFI_VOLUME_CORRUPTED;\r
+ DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));\r
+ goto Done;\r
+ }\r
+\r
VariableStoreBase = TempVariableStoreHeader + \\r
(((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader)) -> HeaderLength);\r
VariableStoreLength = (UINT64) PcdGet32 (PcdFlashNvStorageVariableSize) - \\r
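Review bot: The cast `((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))` is now spelled out three times across the new check and the `VariableStoreBase` computation, which makes the condition hard to read and easy to let drift apart. Assigning it once before the check, `FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN) TempVariableStoreHeader;`, would let the condition read `FvHeader->Signature != EFI_FVH_SIGNATURE` as it does in the PEI driver. The declaration would go at the top of the enclosing function, which starts outside this hunk. The `Done` label is also outside the hunk, so what it releases on this new error path cannot be checked from here.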
#include <Guid/EventGroup.h>\r
#include <Guid/AuthenticatedVariableFormat.h>\r
#include <Guid/ImageAuthentication.h>\r
+#include <Guid/SystemNvDataGuid.h>\r
\r
#define VARIABLE_RECLAIM_THRESHOLD (1024)\r
\r
gEfiCertPkcs7Guid\r
gEfiCertRsa2048Guid\r
gEfiSecureBootEnableDisableGuid\r
+ gEfiSystemNvDataFvGuid ## CONSUMES\r
\r
[Pcd]\r
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize\r
gEfiCertPkcs7Guid\r
gEfiCertRsa2048Guid\r
gEfiSecureBootEnableDisableGuid\r
+ gEfiSystemNvDataFvGuid ## CONSUMES\r
\r
[Pcd]\r
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize\r