diff options
| author | Kun Qin <kuqin12@gmail.com> | 2021-04-06 12:52:54 -0700 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2021-04-12 17:23:54 +0000 |
| commit | a7d8e28b29f2e7496357a161ba86219e4b4d815c (patch) | |
| tree | acbfe13a5cd0367b8d27094ae843d4801442a33a /UefiCpuPkg | |
| parent | 2072c22a0d63c780b0cc6377f6d4ffb116ad6144 (diff) | |
| download | edk2-a7d8e28b29f2e7496357a161ba86219e4b4d815c.tar.gz edk2-a7d8e28b29f2e7496357a161ba86219e4b4d815c.tar.bz2 edk2-a7d8e28b29f2e7496357a161ba86219e4b4d815c.zip | |
UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283
Current SMM Save State routine does not check the number of bytes to be
read, when it comse to read IO_INFO, before casting the incoming buffer
to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory
corruption due to extra bytes are written out of buffer boundary.
This change adds a width check before copying IoInfo into output buffer.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Kun Qin <kuqin12@gmail.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210406195254.1018-2-kuqin12@gmail.com>
Diffstat (limited to 'UefiCpuPkg')
| -rw-r--r-- | UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h | 2 | ||||
| -rw-r--r-- | UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 9 |
2 files changed, 9 insertions, 2 deletions
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h index b8aa9e1769..2248a8c5ee 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h @@ -337,7 +337,7 @@ This function supports reading a CPU Save State register in SMBase relocation ha @retval EFI_SUCCESS The register was read from Save State.
@retval EFI_NOT_FOUND The register is not defined for the Save State of Processor.
-@retval EFI_INVALID_PARAMETER This or Buffer is NULL.
+@retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.
**/
EFI_STATUS
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c index 661cc51f36..fc418c2500 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c @@ -343,7 +343,7 @@ ReadSaveStateRegisterByIndex ( @retval EFI_SUCCESS The register was read from Save State.
@retval EFI_NOT_FOUND The register is not defined for the Save State of Processor.
- @retval EFI_INVALID_PARAMETER This or Buffer is NULL.
+ @retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.
**/
EFI_STATUS
@@ -419,6 +419,13 @@ ReadSaveStateRegister ( }
//
+ // Make sure the incoming buffer is large enough to hold IoInfo before accessing
+ //
+ if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
// Zero the IoInfo structure that will be returned in Buffer
//
IoInfo = (EFI_SMM_SAVE_STATE_IO_INFO *)Buffer;
|