MdeModulePkg/HiiDB: Remove configuration table when it's freed (CVE-2019-14586)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1995

Fix the corner case issue that the original configuration runtime
memory is freed, but it is still exposed to the OS runtime.
So this patch is to remove the configuration table to avoid being
used in OS runtime when the configuration runtime memory is freed.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
index d3791ca68be17a9898af0aaeb20f4e4cd64deac6..174770bdbb46cfc2f799330e9a574ed3e8890f01 100644 (file)
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
@@ -1,7 +1,7 @@
 /** @file\r
 Implementation for EFI_HII_DATABASE_PROTOCOL.\r
 \r
-Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2007 - 2020, Intel Corporation. All rights reserved.<BR>\r
 SPDX-License-Identifier: BSD-2-Clause-Patent\r
 \r
 **/\r
@@ -3376,6 +3376,10 @@ HiiGetConfigRespInfo(
       if (gRTConfigRespBuffer == NULL){\r
         FreePool(ConfigAltResp);\r
         DEBUG ((DEBUG_ERROR, "[HiiDatabase]: No enough memory resource to store the ConfigResp string.\n"));\r
+        //\r
+        // Remove from the System Table when the configuration runtime buffer is freed.\r
+        //\r
+        gBS->InstallConfigurationTable (&gEfiHiiConfigRoutingProtocolGuid, NULL);\r
         return EFI_OUT_OF_RESOURCES;\r
       }\r
     } else {\r
@@ -3431,6 +3435,10 @@ HiiGetDatabaseInfo(
     gRTDatabaseInfoBuffer = AllocateRuntimeZeroPool (gDatabaseInfoSize);\r
     if (gRTDatabaseInfoBuffer == NULL){\r
       DEBUG ((DEBUG_ERROR, "[HiiDatabase]: No enough memory resource to store the HiiDatabase info.\n"));\r
+      //\r
+      // Remove from the System Table when the configuration runtime buffer is freed.\r
+      //\r
+      gBS->InstallConfigurationTable (&gEfiHiiDatabaseProtocolGuid, NULL);\r
       return EFI_OUT_OF_RESOURCES;\r
     }\r
   } else {\r