From 48d5d6d5e09e5089d1c95c2d0812449e87f4ef7e Mon Sep 17 00:00:00 2001 From: Krzysztof Koch Date: Thu, 1 Aug 2019 16:44:07 -0700 Subject: [PATCH] ShellPkg: acpiview: SRAT: Prevent buffer overruns Modify the SRAT parsing logic to prevent reading past the table buffer length provided. Check if the Static Resource Allocation Structure's buffer fits in the SRAT table buffer before its contents are dumped. Prevent buffer overruns when reading the Static Resource Allocation Structure's header. References: - ACPI 6.3, January 2019, Section 5.2.16 Signed-off-by: Krzysztof Koch Reviewed-by: Alexei Fedorov Reviewed-by: Zhichao Gao Reviewed-by: Sami Mujawar --- .../Parsers/Srat/SratParser.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c index 59c77401ea..a8aa420487 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c @@ -215,10 +215,22 @@ ParseAcpiSrat ( 0, NULL, ResourcePtr, - 2, // The length is 1 byte at offset 1 + AcpiTableLength - Offset, PARSER_PARAMS (SratResourceAllocationParser) ); + // Make sure the SRAT structure lies inside the table + if ((Offset + *SratRALength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid SRAT structure length. SratRALength = %d. " \ + L"RemainingTableBufferLength = %d. SRAT parsing aborted.\n", + *SratRALength, + AcpiTableLength - Offset + ); + return; + } + switch (*SratRAType) { case EFI_ACPI_6_2_GICC_AFFINITY: AsciiSPrint ( -- 2.39.2