MdeModulePkg/SecurityPkg Variable: If a preexisting variable is rewritten with different attributes, SetVariable() shall not modify the variable and shall return EFI_INVALID_PARAMETER.

Two exceptions to this rule:
1. No access attributes specified
2. The only attribute differing is EFI_VARIABLE_APPEND_WRITE

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14552 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 10 insertions, 0 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index ef123d2d5c..53ef092aff 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -2831,6 +2831,16 @@ VariableServiceSetVariable (
       Status = EFI_WRITE_PROTECTED;

       goto Done;

     }

+    if (Attributes != 0 && (Attributes & (~EFI_VARIABLE_APPEND_WRITE)) != Variable.CurrPtr->Attributes) {

+      //

+      // If a preexisting variable is rewritten with different attributes, SetVariable() shall not

+      // modify the variable and shall return EFI_INVALID_PARAMETER. Two exceptions to this rule:

+      // 1. No access attributes specified

+      // 2. The only attribute differing is EFI_VARIABLE_APPEND_WRITE

+      //

+      Status = EFI_INVALID_PARAMETER;

+      goto Done;

+    }

   }

   

   //