From: Ruiyu Ni Date: Fri, 10 Jul 2015 02:16:42 +0000 (+0000) Subject: MdeModulePkg: Fix potential integer overflow issue X-Git-Tag: edk2-stable201903~9369 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=579b5ef204947defbd6fc60c11bdd740ad09d6e9 MdeModulePkg: Fix potential integer overflow issue In certain rare circumstance, the data passed from outside of SMM may be invalid resulting the integer overflow. The issue are found by code review. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ruiyu Ni Reviewed-by: Star Zeng git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17908 6f19259b-4bc3-4df7-8a09-765794883524
---
diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
index f28b657c94..e59cc28d53 100644
--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
+++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
@@ -482,7 +482,8 @@ SmmPerformanceHandlerEx (
 EFI_STATUS Status;
 SMM_PERF_COMMUNICATE_EX *SmmPerfCommData;
 GAUGE_DATA_ENTRY_EX *GaugeEntryExArray;
- UINTN DataSize;
+ UINT64 DataSize;
+ UINTN Index;
 GAUGE_DATA_ENTRY_EX *GaugeDataEx;
 UINTN NumberOfEntries;
 UINTN LogEntryKey;
@@ -521,7 +522,7 @@ SmmPerformanceHandlerEx (
 NumberOfEntries = SmmPerfCommData->NumberOfEntries;
 LogEntryKey = SmmPerfCommData->LogEntryKey;
 if (GaugeDataEx == NULL || NumberOfEntries == 0 || LogEntryKey > mGaugeData->NumberOfEntries ||
- NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey + NumberOfEntries) > mGaugeData->NumberOfEntries) {
+ NumberOfEntries > mGaugeData->NumberOfEntries || LogEntryKey > (mGaugeData->NumberOfEntries - NumberOfEntries)) {
 Status = EFI_INVALID_PARAMETER;
 break;
 }
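Review bot: The rewritten bound `LogEntryKey > (mGaugeData->NumberOfEntries - NumberOfEntries)` in the -521 hunk is safe only because the clause before it has already rejected `NumberOfEntries > mGaugeData->NumberOfEntries`; if the clauses are reordered or the earlier one is dropped, the subtraction wraps and out-of-range values pass. Nothing in the condition records that dependency, so I would add a comment above the `if`, for example `// Clause order matters: NumberOfEntries <= mGaugeData->NumberOfEntries is checked first, so the subtraction cannot underflow.` The identical condition in SmmPerformanceHandler (hunk at -630) needs the same comment. The leading `LogEntryKey > mGaugeData->NumberOfEntries` clause is now implied by the last one and could be dropped. The enclosing function starts and ends outside the hunk.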
@@ -529,19 +530,22 @@ SmmPerformanceHandlerEx (
 //
 // Sanity check
 //
- DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX);
- if (!SmmIsBufferOutsideSmmValid ((UINTN)GaugeDataEx, DataSize)) {
+ DataSize = MultU64x32 (NumberOfEntries, sizeof(GAUGE_DATA_ENTRY_EX));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN) GaugeDataEx, DataSize)) {
 DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM Performance Data buffer in SMRAM or overflow!\n"));
 Status = EFI_ACCESS_DENIED;
 break;
 }
 GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
- CopyMem(
- (UINT8 *) GaugeDataEx,
- (UINT8 *) &GaugeEntryExArray[LogEntryKey],
- DataSize
- );
+
+ for (Index = 0; Index < NumberOfEntries; Index++) {
+ CopyMem (
+ (UINT8 *) &GaugeDataEx[Index],
+ (UINT8 *) &GaugeEntryExArray[LogEntryKey++],
+ sizeof (GAUGE_DATA_ENTRY_EX)
+ );
+ }
 Status = EFI_SUCCESS;
 break;
@@ -590,7 +594,7 @@ SmmPerformanceHandler (
 EFI_STATUS Status;
 SMM_PERF_COMMUNICATE *SmmPerfCommData;
 GAUGE_DATA_ENTRY_EX *GaugeEntryExArray;
- UINTN DataSize;
+ UINT64 DataSize;
 UINTN Index;
 GAUGE_DATA_ENTRY *GaugeData;
 UINTN NumberOfEntries;
@@ -630,7 +634,7 @@ SmmPerformanceHandler (
 NumberOfEntries = SmmPerfCommData->NumberOfEntries;
 LogEntryKey = SmmPerfCommData->LogEntryKey;
 if (GaugeData == NULL || NumberOfEntries == 0 || LogEntryKey > mGaugeData->NumberOfEntries ||
- NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey + NumberOfEntries) > mGaugeData->NumberOfEntries) {
+ NumberOfEntries > mGaugeData->NumberOfEntries || LogEntryKey > (mGaugeData->NumberOfEntries - NumberOfEntries)) {
 Status = EFI_INVALID_PARAMETER;
 break;
 }
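Review bot: The per-entry loop that replaces the single `CopyMem` in the -529 hunk has no comment saying why, so a later cleanup could fold it back into one call with `DataSize` as the length. `DataSize` is now `UINT64` while `CopyMem` takes a `UINTN` length, so on a 32-bit build that would presumably truncate silently; a comment above the loop such as `// Copy entry by entry: DataSize is UINT64 and must not be passed as a UINTN length.` would record the reason. `MultU64x32` does not report overflow, so the product is trustworthy only because `NumberOfEntries` was bounded by `mGaugeData->NumberOfEntries` in the check before this hunk. That is worth stating in the `// Sanity check` comment here and in the matching SmmPerformanceHandler hunk at -638. The function body continues outside the hunk.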
@@ -638,8 +642,8 @@ SmmPerformanceHandler (
 //
 // Sanity check
 //
- DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY);
- if (!SmmIsBufferOutsideSmmValid ((UINTN)GaugeData, DataSize)) {
+ DataSize = MultU64x32 (NumberOfEntries, sizeof(GAUGE_DATA_ENTRY));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN) GaugeData, DataSize)) {
 DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM Performance Data buffer in SMRAM or overflow!\n"));
 Status = EFI_ACCESS_DENIED;
 break;
@@ -648,7 +652,7 @@ SmmPerformanceHandler (
 GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
 for (Index = 0; Index < NumberOfEntries; Index++) {
- CopyMem(
+ CopyMem (
 (UINT8 *) &GaugeData[Index],
 (UINT8 *) &GaugeEntryExArray[LogEntryKey++],
 sizeof (GAUGE_DATA_ENTRY)
diff --git a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c b/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c
index a789daf9a8..23a786d56e 100644
--- a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c
+++ b/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c
@@ -1,6 +1,6 @@
 /** @file
-Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials
 are licensed and made available under the terms and conditions
@@ -394,6 +394,7 @@ UpdateLockBox (
 DEBUG ((EFI_D_INFO, "SmmLockBoxSmmLib UpdateLockBox - Exit (%r)\n", EFI_BUFFER_TOO_SMALL));
 return EFI_BUFFER_TOO_SMALL;
 }
+ ASSERT ((UINTN)LockBox->SmramBuffer <= (MAX_ADDRESS - Offset));
 CopyMem ((VOID *)((UINTN)LockBox->SmramBuffer + Offset), Buffer, Length);
 //
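Review bot: The new overflow guard in UpdateLockBox is an `ASSERT`, so in builds where asserts are disabled nothing stops `(UINTN)LockBox->SmramBuffer + Offset` from wrapping before the `CopyMem` into SMRAM. If `Offset` can be influenced from outside SMM (the caller path and the condition of the preceding length check are not visible in this hunk), the guard should also be a runtime check that fails closed, e.g. `if ((UINTN)LockBox->SmramBuffer > (MAX_ADDRESS - Offset)) { return EFI_BUFFER_TOO_SMALL; }`, with the `ASSERT` kept for debug builds. The function body starts and ends outside the hunk.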