diff options
| author | Laszlo Ersek <lersek@redhat.com> | 2016-04-26 13:57:32 +0200 |
|---|---|---|
| committer | Laszlo Ersek <lersek@redhat.com> | 2016-04-26 17:59:40 +0200 |
| commit | 0b448dd8b27c9efac370576b18edada004ab560a (patch) | |
| tree | ac7eb5a652c7d3100d71c524a1413914a193002b | |
| parent | 81310a62be3190b2e49b7b188469d0f463c9a866 (diff) | |
| download | edk2-0b448dd8b27c9efac370576b18edada004ab560a.tar.gz edk2-0b448dd8b27c9efac370576b18edada004ab560a.tar.bz2 edk2-0b448dd8b27c9efac370576b18edada004ab560a.zip | |
OvmfPkg: SataControllerDxe: SataControllerStop: fix use after free
It would be possible to remove the UAF without local variables, by calling
SataPrivateData->PciIo->Attributes() before releasing SataPrivateData.
However, by keeping the location of the call (for which temporary
variables are necessary), we continue to match the error path logic in
SataControllerStart(), which is always recommended.
Reported-by: wang xiaofeng <winggundum82@163.com>
Fixes: bcab71413407e61c144994925556725dd65eede9
Cc: wang xiaofeng <winggundum82@163.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
| -rw-r--r-- | OvmfPkg/SataControllerDxe/SataController.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/OvmfPkg/SataControllerDxe/SataController.c b/OvmfPkg/SataControllerDxe/SataController.c index e5ee63a0ab..1f84ad034e 100644 --- a/OvmfPkg/SataControllerDxe/SataController.c +++ b/OvmfPkg/SataControllerDxe/SataController.c @@ -570,6 +570,8 @@ SataControllerStop ( EFI_STATUS Status;
EFI_IDE_CONTROLLER_INIT_PROTOCOL *IdeInit;
EFI_SATA_CONTROLLER_PRIVATE_DATA *SataPrivateData;
+ EFI_PCI_IO_PROTOCOL *PciIo;
+ UINT64 OriginalPciAttributes;
//
// Open the produced protocol
@@ -589,6 +591,9 @@ SataControllerStop ( SataPrivateData = SATA_CONTROLLER_PRIVATE_DATA_FROM_THIS (IdeInit);
ASSERT (SataPrivateData != NULL);
+ PciIo = SataPrivateData->PciIo;
+ OriginalPciAttributes = SataPrivateData->OriginalPciAttributes;
+
//
// Uninstall the IDE Controller Init Protocol from this instance
//
@@ -616,12 +621,12 @@ SataControllerStop ( //
// Restore original PCI attributes
//
- SataPrivateData->PciIo->Attributes (
- SataPrivateData->PciIo,
- EfiPciIoAttributeOperationSet,
- SataPrivateData->OriginalPciAttributes,
- NULL
- );
+ PciIo->Attributes (
+ PciIo,
+ EfiPciIoAttributeOperationSet,
+ OriginalPciAttributes,
+ NULL
+ );
//
// Close protocols opened by Sata Controller driver
|