diff options
author | Laszlo Ersek <lersek@redhat.com> | 2020-11-19 11:53:40 +0100 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2020-11-21 01:40:53 +0000 |
commit | 47343af30435302c087027177613412a1a83e919 (patch) | |
tree | 9cf0e86e43a1f26ee190d1dcd575bd8c020ee571 /MdeModulePkg/MdeModulePkg.dec | |
parent | b9bdfc72853fe97bd24401f8873ca61524dd2dc6 (diff) | |
download | edk2-47343af30435302c087027177613412a1a83e919.tar.gz edk2-47343af30435302c087027177613412a1a83e919.tar.bz2 edk2-47343af30435302c087027177613412a1a83e919.zip |
MdeModulePkg/Core/Dxe: limit FwVol encapsulation section recursion
The DXE Core sets up a protocol notify function in its entry point, for
instances of the Firmware Volume Block2 Protocol:
DxeMain() [DxeMain/DxeMain.c]
FwVolDriverInit() [FwVol/FwVol.c]
Assume that a 3rd party UEFI driver or application installs an FVB
instance, with crafted contents. The notification function runs:
NotifyFwVolBlock() [FwVol/FwVol.c]
installing an instance of the Firmware Volume 2 Protocol on the handle.
(Alternatively, assume that a 3rd party application calls
gDS->ProcessFirmwareVolume(), which may also produce a Firmware Volume 2
Protocol instance.)
The EFI_FIRMWARE_VOLUME2_PROTOCOL.ReadSection() member performs "a
depth-first, left-to-right search algorithm through all sections found in
the specified file" (quoting the PI spec), as follows:
FvReadFileSection() [FwVol/FwVolRead.c]
GetSection() [SectionExtraction/CoreSectionExtraction.c]
FindChildNode() [SectionExtraction/CoreSectionExtraction.c]
FindChildNode() // recursive call
FindChildNode() is called recursively for encapsulation sections.
Currently this recursion is not limited. Introduce a new PCD
(fixed-at-build, or patchable-in-module), and make FindChildNode() track
the section nesting depth against that PCD.
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1743
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20201119105340.16225-3-lersek@redhat.com>
Diffstat (limited to 'MdeModulePkg/MdeModulePkg.dec')
-rw-r--r-- | MdeModulePkg/MdeModulePkg.dec | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 0007552819..9b52b34494 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -1529,6 +1529,12 @@ # @Prompt Enable Capsule On Disk support.
gEfiMdeModulePkgTokenSpaceGuid.PcdCapsuleOnDiskSupport|FALSE|BOOLEAN|0x0000002d
+ ## Maximum permitted encapsulation levels of sections in a firmware volume,
+ # in the DXE phase. Minimum value is 1. Sections nested more deeply are
+ # rejected.
+ # @Prompt Maximum permitted FwVol section nesting depth (exclusive).
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFwVolDxeMaxEncapsulationDepth|0x10|UINT32|0x00000030
+
[PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
## This PCD defines the Console output row. The default value is 25 according to UEFI spec.
# This PCD could be set to 0 then console output would be at max column and max row.
|