diff options
| author | lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-04-25 10:49:45 +0000 |
|---|---|---|
| committer | lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-04-25 10:49:45 +0000 |
| commit | 9d00d20ed40fb56d8b5a8e1a3f7ae3e491ceaf94 (patch) | |
| tree | 7b26c9457fbaea4c9309c31d5089181ed364a8b6 /MdeModulePkg/Universal/FaultTolerantWriteDxe | |
| parent | 968e143192174bd1e6e68660540b32484b30c417 (diff) | |
| download | edk2-9d00d20ed40fb56d8b5a8e1a3f7ae3e491ceaf94.tar.gz edk2-9d00d20ed40fb56d8b5a8e1a3f7ae3e491ceaf94.tar.bz2 edk2-9d00d20ed40fb56d8b5a8e1a3f7ae3e491ceaf94.zip | |
1. Use the check IsAddressValid() to prevent SMM communication buffer overflow in SmmVariable, FtwSmm, FpdtSmm, SmmCorePerformance and SmmBaseHelper, and add check to prevent InfoSize overflows in SmmVariableHandler.
2. Refine the debug message.
3. Add check to make sure the input VariableName is A Null-terminated string.
4. Use local variable to hold StrSize (VariableName) to avoid duplicated StrSize calculation.
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14317 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg/Universal/FaultTolerantWriteDxe')
| -rw-r--r-- | MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c index 13c709658f..8b88ae41ee 100644 --- a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c +++ b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c @@ -99,6 +99,32 @@ InternalIsAddressInSmram ( return FALSE;
}
+/**
+ This function check if the address refered by Buffer and Length is valid.
+
+ @param Buffer the buffer address to be checked.
+ @param Length the buffer length to be checked.
+
+ @retval TRUE this address is valid.
+ @retval FALSE this address is NOT valid.
+**/
+BOOLEAN
+InternalIsAddressValid (
+ IN UINTN Buffer,
+ IN UINTN Length
+ )
+{
+ if (Buffer > (MAX_ADDRESS - Length)) {
+ //
+ // Overflow happen
+ //
+ return FALSE;
+ }
+ if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {
+ return FALSE;
+ }
+ return TRUE;
+}
/**
Retrive the SMM FVB protocol interface by HANDLE.
@@ -356,8 +382,8 @@ SmmFaultTolerantWriteHandler ( return EFI_SUCCESS;
}
- if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) {
- DEBUG ((EFI_D_ERROR, "SMM communication buffer size is in SMRAM!\n"));
+ if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ DEBUG ((EFI_D_ERROR, "SMM communication buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
|