From 219e560c20034843ac9917146c60db99bd01b6f4 Mon Sep 17 00:00:00 2001
From: Chen A Chen <chen.a.chen@intel.com>
Date: Tue, 5 Mar 2019 08:21:18 +0800
Subject: UefiCpuPkg/Microcode.c: Add verification before calculate CheckSum32

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1020

Should make sure the TotalSize of Microcode is aligned with 4 bytes
before calling CalculateSum32 function.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
---
 UefiCpuPkg/Library/MpInitLib/Microcode.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/UefiCpuPkg/Library/MpInitLib/Microcode.c b/UefiCpuPkg/Library/MpInitLib/Microcode.c
index 5f9ae22794..643a6f94f4 100644
--- a/UefiCpuPkg/Library/MpInitLib/Microcode.c
+++ b/UefiCpuPkg/Library/MpInitLib/Microcode.c
@@ -166,20 +166,29 @@ MicrocodeDetect (
     //
     CorrectMicrocode = FALSE;
 
-    //
-    // Save an in-complete CheckSum32 from CheckSum Part1 for common parts.
-    //
     if (MicrocodeEntryPoint->DataSize == 0) {
-      InCompleteCheckSum32 = CalculateSum32 (
-                               (UINT32 *) MicrocodeEntryPoint,
-                               sizeof (CPU_MICROCODE_HEADER) + 2000
-                               );
+      TotalSize = sizeof (CPU_MICROCODE_HEADER) + 2000;
     } else {
-      InCompleteCheckSum32 = CalculateSum32 (
-                               (UINT32 *) MicrocodeEntryPoint,
-                               sizeof (CPU_MICROCODE_HEADER) + MicrocodeEntryPoint->DataSize
-                               );
+      TotalSize = sizeof (CPU_MICROCODE_HEADER) + MicrocodeEntryPoint->DataSize;
     }
+
+    ///
+    /// Check overflow and whether TotalSize is aligned with 4 bytes.
+    ///
+    if ( ((UINTN)MicrocodeEntryPoint + TotalSize) > MicrocodeEnd ||
+         (TotalSize & 0x3) != 0
+       ) {
+      MicrocodeEntryPoint = (CPU_MICROCODE_HEADER *) (((UINTN) MicrocodeEntryPoint) + SIZE_1KB);
+      continue;
+    }
+
+    //
+    // Save an in-complete CheckSum32 from CheckSum Part1 for common parts.
+    //
+    InCompleteCheckSum32 = CalculateSum32 (
+                             (UINT32 *) MicrocodeEntryPoint,
+                             TotalSize
+                             );
     InCompleteCheckSum32 -= MicrocodeEntryPoint->ProcessorSignature.Uint32;
     InCompleteCheckSum32 -= MicrocodeEntryPoint->ProcessorFlags;
     InCompleteCheckSum32 -= MicrocodeEntryPoint->Checksum;
-- 
cgit v1.2.3