]> git.proxmox.com Git - mirror_edk2.git/commitdiff
projects / mirror_edk2.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6f501a7)
MdeModulePkg/Core/Pei: Fix pointer size mismatch in EvacuateTempRam()
authorMichael Kubacki <michael.kubacki@microsoft.com>
Thu, 9 Sep 2021 03:46:01 +0000 (11:46 +0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Thu, 16 Sep 2021 01:51:36 +0000 (01:51 +0000)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3512

In 32-bit PEI, the local variable pointers MigratedFvHeader and
RawDataFvHeader in EvacuateTempRam() will be 32-bit in size. The
pointers are currently passed to PeiServicesAllocatePages() which
expects a 64-bit output buffer of type EFI_PHYSICAL_ADDRESS.

When PeiServicesAllocatePages() writes to the buffer, the data
can overflow.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c patch | blob | blame | history

diff --git a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
index a050a6ed964613f48b75f66313ef98e821287dcd..f6bb906f38f31d302dfaf9b4d16f5d2755f2febf 100644 (file)
--- a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
+++ b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
@@ -1135,6 +1135,7 @@ EvacuateTempRam (
   volatile UINTN                FvIndex;\r
   volatile UINTN                FvChildIndex;\r
   UINTN                         ChildFvOffset;\r
+  EFI_PHYSICAL_ADDRESS          FvHeaderAddress;\r
   EFI_FIRMWARE_VOLUME_HEADER    *FvHeader;\r
   EFI_FIRMWARE_VOLUME_HEADER    *ChildFvHeader;\r
   EFI_FIRMWARE_VOLUME_HEADER    *MigratedFvHeader;\r
@@ -1186,9 +1187,10 @@ EvacuateTempRam (
       Status =  PeiServicesAllocatePages (\r
                   EfiBootServicesCode,\r
                   EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength),\r
-                  (EFI_PHYSICAL_ADDRESS *) &MigratedFvHeader\r
+                  &FvHeaderAddress\r
                   );\r
       ASSERT_EFI_ERROR (Status);\r
+      MigratedFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeaderAddress;\r
 \r
       //\r
       // Allocate pool to save the raw PEIMs, which is used to keep consistent context across\r
@@ -1197,9 +1199,10 @@ EvacuateTempRam (
       Status =  PeiServicesAllocatePages (\r
                   EfiBootServicesCode,\r
                   EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength),\r
-                  (EFI_PHYSICAL_ADDRESS *) &RawDataFvHeader\r
+                  &FvHeaderAddress\r
                   );\r
       ASSERT_EFI_ERROR (Status);\r
+      RawDataFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeaderAddress;\r
 \r
       DEBUG ((\r
         DEBUG_VERBOSE,\r
EFI Development Kit II mirror for PVE