From 51547bb879f66d3b4e46d69c112047d39dc234cc Mon Sep 17 00:00:00 2001
From: niruiyu
Date: Mon, 20 May 2013 07:04:56 +0000
Subject: [PATCH] Remove the complex buffer since the _LOCK_VARIABLE won't be allowed after leaving DXE phase. Add the variable name size check in the RequestToLock wrapper.
Signed-off-by: Ruiyu Ni
Reviewed-by: Star Zeng
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14377 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Variable/RuntimeDxe/VariableDxe.c | 1 -
 .../Variable/RuntimeDxe/VariableSmm.c | 48 ++++---------
 .../RuntimeDxe/VariableSmmRuntimeDxe.c | 14 +++++-
 3 files changed, 20 insertions(+), 43 deletions(-)
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 9e371c0a85..3cb2c6bcf3 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -22,7 +22,6 @@ EFI_HANDLE mHandle = NULL;
 EFI_EVENT mVirtualAddressChangeEvent = NULL;
 EFI_EVENT mFtwRegistration = NULL;
 extern BOOLEAN mEndOfDxe;
-extern BOOLEAN mEnableLocking;
 EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock = { VariableLockRequestToLock };
 /**
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
index 4009fcb171..aea9d4bcfe 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
@@ -717,48 +717,16 @@ SmmVariableHandler (
 break;
 case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
- if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {
- DEBUG ((EFI_D_ERROR, "RequestToLock: SMM communication buffer size invalid!\n"));
- return EFI_SUCCESS;
- }
- //
- // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
- //
- CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
- VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) mVariableBufferPayload;
-
- if (VariableToLock->NameSize > MAX_ADDRESS - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {
- //
- // Prevent InfoSize overflow happen
- //
+ if (mEndOfDxe) {
 Status = EFI_ACCESS_DENIED;
- goto EXIT;
+ } else {
+ VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
+ Status = VariableLockRequestToLock (
+ NULL,
+ VariableToLock->Name,
+ &VariableToLock->Guid
+ );
 }
-
- if (VariableToLock->NameSize < sizeof (CHAR16) || VariableToLock->Name[VariableToLock->NameSize/sizeof (CHAR16) - 1] != L'\0') {
- //
- // Make sure VariableName is A Null-terminated string.
- //
- Status = EFI_ACCESS_DENIED;
- goto EXIT;
- }
-
- InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + VariableToLock->NameSize;
-
- //
- // SMRAM range check already covered before
- //
- if (InfoSize > CommBufferPayloadSize) {
- DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));
- Status = EFI_ACCESS_DENIED;
- goto EXIT;
- }
-
- Status = VariableLockRequestToLock (
- NULL,
- VariableToLock->Name,
- &VariableToLock->Guid
- );
 break;
 default:
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
index 865b9ad1a4..e7b10149fb 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
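Review bot: The new else branch casts `SmmVariableFunctionHeader->Data` straight to `SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE` and passes `VariableToLock->Name` on without any of the removed payload-size and NUL-termination checks, so `CommBufferPayloadSize` is no longer consulted at all for this function code. The rationale in the commit message (the request is refused once `mEndOfDxe` is set, and the RuntimeDxe wrapper now bounds the name) covers callers that go through that wrapper, but any pre-EndOfDxe caller that assembles the communicate buffer itself can still hand the handler a payload shorter than the header or a name without a terminator, which the callee will presumably walk with a string routine. Keeping the first removed guard as a one-liner is cheap: `if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) { Status = EFI_ACCESS_DENIED; break; }` ahead of the cast, together with a comment recording the trust assumption, e.g. `// Only honoured before EndOfDxe; name size is validated by the RuntimeDxe wrapper.`. If `InfoSize` was declared for this case alone it is now an unused local, but its declaration is outside the hunk. SmmVariableHandler begins and ends outside this hunk.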
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -186,6 +186,7 @@ VariableLockRequestToLock (
 )
 {
 EFI_STATUS Status;
+ UINTN VariableNameSize;
 UINTN PayloadSize;
 SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock;
@@ -193,13 +194,22 @@ VariableLockRequestToLock (
 return EFI_INVALID_PARAMETER;
 }
+ VariableNameSize = StrSize (VariableName);
+
+ //
+ // If VariableName exceeds SMM payload limit. Return failure
+ //
+ if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
 AcquireLockOnlyAtBootTime(&mVariableServicesLock);
 //
 // Init the communicate buffer. The buffer data size is:
 // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.
 //
- PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + StrSize (VariableName);
+ PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + VariableNameSize;
 Status = InitCommunicateBuffer ((VOID **) &VariableToLock, PayloadSize, SMM_VARIABLE_FUNCTION_LOCK_VARIABLE);
 if (EFI_ERROR (Status)) {
 goto Done;
@@ -207,7 +217,7 @@ VariableLockRequestToLock (
 ASSERT (VariableToLock != NULL);
 CopyGuid (&VariableToLock->Guid, VendorGuid);
- VariableToLock->NameSize = StrSize (VariableName);
+ VariableToLock->NameSize = VariableNameSize;
 CopyMem (VariableToLock->Name, VariableName, VariableToLock->NameSize);
 //
--
2.39.2
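Review bot: In the second hunk the new bound `VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)` is evaluated in UINTN, so if `mVariableBufferPayloadSize` were ever smaller than the header offset (its initialisation is not in these hunks) the subtraction would wrap and the check would admit any name length. A form with the same intent that cannot wrap is `if (VariableNameSize > mVariableBufferPayloadSize || OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) > mVariableBufferPayloadSize - VariableNameSize) {`. The comment above the check reads as two fragments; `// Reject a name that would not fit in the SMM communicate payload.` says it in one line. Computing `StrSize (VariableName)` once and reusing it in the third hunk is a welcome tidy-up, and rejecting before `AcquireLockOnlyAtBootTime` keeps the lock path simple. VariableLockRequestToLock's parameter list and its Done label lie outside these hunks.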