Improve robustness when scanning PCI Option ROM.

Signed-off-by: rsun3
Reviewed-by: geekboy15a


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13095 6f19259b-4bc3-4df7-8a09-765794883524

2 files changed, 39 insertions, 6 deletions

diff --git a/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c b/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c
index 2ae8daca73..744a7e3453 100644
--- a/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c
+++ b/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c
@@ -1,6 +1,6 @@
 /** @file

 

-Copyright (c) 1999 - 2010, Intel Corporation. All rights reserved.<BR>

+Copyright (c) 1999 - 2012, Intel Corporation. All rights reserved.<BR>

 

 This program and the accompanying materials

 are licensed and made available under the terms and conditions

@@ -1226,6 +1226,16 @@ Undi16SimpleNetworkLoadUndi (
 

     DEBUG ((DEBUG_INIT, "Option ROM found at %X\n", RomAddress));

 

+    //

+    // If the pointer to the PCI Data Structure is invalid, no further images can be located. 

+    // The PCI Data Structure must be DWORD aligned. 

+    //

+    if (PciExpansionRomHeader->PcirOffset == 0 ||

+        (PciExpansionRomHeader->PcirOffset & 3) != 0 ||

+        RomAddress + PciExpansionRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > 0x100000) {

+      break;

+    }

+

     PciDataStructure = (PCI_DATA_STRUCTURE *) (RomAddress + PciExpansionRomHeader->PcirOffset);

 

     if (PciDataStructure->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {

diff --git a/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c b/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c
index 59f6d905dc..45cdd037e6 100644
--- a/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c
+++ b/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c
@@ -1,6 +1,6 @@
 /** @file

 

-Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>

+Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>

 

 This program and the accompanying materials

 are licensed and made available under the terms and conditions

@@ -304,14 +304,24 @@ GetPciLegacyRom (
   BackupImage   = NULL;

   RomHeader.Raw = *Rom;

   while (RomHeader.Generic->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE) {

-    if (*ImageSize < 

-        RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE)

-        ) {

-      return EFI_NOT_FOUND;

+    if (RomHeader.Generic->PcirOffset == 0 ||

+        (RomHeader.Generic->PcirOffset & 3) !=0 ||

+        *ImageSize < RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE)) {

+      break;

     }

 

     Pcir = (PCI_3_0_DATA_STRUCTURE *) (RomHeader.Raw + RomHeader.Generic->PcirOffset);

+    //

+    // Check signature in the PCI Data Structure.

+    //

+    if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {

+      break;

+    }

 

+    if ((UINTN)(RomHeader.Raw - (UINT8 *) *Rom) + Pcir->ImageLength * 512 > *ImageSize) {

+      break;

+    }

+    

     if (Pcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {

       Match = FALSE;

       if (Pcir->VendorId == VendorId) {

@@ -2875,8 +2885,21 @@ LegacyBiosInstallPciRom (
     }

 

     LocalRomImage = *RomImage;

+    if (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE ||

+        ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset == 0 ||

+        (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset & 3 ) != 0) {

+      mVgaInstallationInProgress = FALSE;

+      return EFI_UNSUPPORTED;

+    }

+    

     Pcir = (PCI_3_0_DATA_STRUCTURE *)

            ((UINT8 *) LocalRomImage + ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset);

+

+    if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {

+      mVgaInstallationInProgress = FALSE;

+      return EFI_UNSUPPORTED;

+    }

+

     ImageSize = Pcir->ImageLength * 512;

     if (Pcir->Length >= 0x1C) {

       OpromRevision = Pcir->Revision;