author | jyao1 <jyao1@6f19259b-4bc3-4df7-8a09-765794883524> | 2010-03-21 04:17:16 +0000 |
---|---|---|
committer | jyao1 <jyao1@6f19259b-4bc3-4df7-8a09-765794883524> | 2010-03-21 04:17:16 +0000 |
commit | ab780ebf909941e589c93a03ebaf6797ef6c8567 (patch) | |
tree | 9057e94ef567707dc046dc897e9176a6aaa744eb /MdeModulePkg/Core | |
parent | 59a4bd4037529c86dc31215e38a13d68b929c932 (diff) | |
download | edk2-platforms-ab780ebf909941e589c93a03ebaf6797ef6c8567.tar.xz |
Change BufferSize from UINTN * to UINTN to eliminate pointer to pointer in SmmCore for security consideration.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10299 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg/Core')
-rw-r--r-- | MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 6 | ||||
-rw-r--r-- | MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h | 2 | ||||
-rw-r--r-- | MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 12 |
3 files changed, 14 insertions, 6 deletions
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index e49661a006..b391ecf61f 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -276,19 +276,19 @@ SmmEntryPoint ( // Synchronous SMI for SMM Core or request from Communicate protocol
//
CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)gSmmCorePrivate->CommunicationBuffer;
- *gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+ gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
Status = SmiManage (
&CommunicateHeader->HeaderGuid,
NULL,
CommunicateHeader->Data,
- gSmmCorePrivate->BufferSize
+ &gSmmCorePrivate->BufferSize
);
//
// Update CommunicationBuffer, BufferSize and ReturnStatus
// Communicate service finished, reset the pointer to CommBuffer to NULL
//
- *gSmmCorePrivate->BufferSize += OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+ gSmmCorePrivate->BufferSize += OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
gSmmCorePrivate->CommunicationBuffer = NULL;
gSmmCorePrivate->ReturnStatus = (Status == EFI_WARN_INTERRUPT_SOURCE_QUIESCED) ? EFI_SUCCESS : EFI_NOT_FOUND;
} else {
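Review bot: The subtraction `gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);` has no lower-bound check on the SMM side, so a size smaller than the header wraps to a very large UINTN before it is handed to SmiManage. The only guard visible in this commit sits in SmmCommunicationCommunicate in PiSmmIpl.c, which runs before the software SMI is generated; if the private data structure is writable from outside SMM (it appears to be, since the IPL initialises and fills it, but confirm), the SMM Core cannot rely on that check. Passing `&gSmmCorePrivate->BufferSize` also means handlers read and update the size through the shared field rather than a value the Core has fixed. I would snapshot the size into a local, validate it, pass the local's address to SmiManage and write the result back afterwards. SmmEntryPoint begins and ends outside this hunk, so the new local has to be declared with the function's other locals.

```c
// BufferSize: new local UINTN, declared with SmmEntryPoint's other locals
// … unchanged: CommunicateHeader assignment …
BufferSize = gSmmCorePrivate->BufferSize;
if (BufferSize < OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) {
  //
  // Size cannot even hold HeaderGuid and MessageLength: do not dispatch
  //
  gSmmCorePrivate->CommunicationBuffer = NULL;
  gSmmCorePrivate->ReturnStatus        = EFI_INVALID_PARAMETER;
} else {
  BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
  Status = SmiManage (
             &CommunicateHeader->HeaderGuid,
             NULL,
             CommunicateHeader->Data,
             &BufferSize
             );
  gSmmCorePrivate->BufferSize = BufferSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
  // … unchanged: CommunicationBuffer reset and ReturnStatus mapping …
}
```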
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h
index ce007015a1..b8bc758824 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h
@@ -93,7 +93,7 @@ typedef struct { /// in bytes, into a software SMI handler and for the software SMI handler to pass the
/// size, in bytes, of a buffer back to the caller of the SMM Communication Protocol.
///
- UINTN *BufferSize;
+ UINTN BufferSize;
///
/// This field is used by the SMM Communication Protocol to pass the return status from
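Review bot: The doc comment above `UINTN BufferSize;` does not say which size the field holds now that it is a value rather than a pointer to the caller's variable. From the other hunks, the IPL stores the full `*CommSize` including the communicate header, while SmmEntryPoint subtracts `OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)` before dispatch and adds it back afterwards. I would add a line such as `/// Includes the EFI_SMM_COMMUNICATE_HEADER fields before Data; copied from and back to *CommSize by the IPL.` so readers of the struct do not have to infer this. The struct definition starts and ends outside this hunk.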
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
index 608fedfcbe..6b89ab3aa3 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
@@ -210,8 +210,8 @@ SMM_CORE_PRIVATE_DATA mSmmCorePrivateData = { FALSE, // SmmEntryPointRegistered
FALSE, // InSmm
NULL, // Smst
- 0, // BufferSize
NULL, // CommunicationBuffer
+ 0, // BufferSize
EFI_SUCCESS // ReturnStatus
};
@@ -411,6 +411,13 @@ SmmCommunicationCommunicate ( }
//
+ // CommSize must hold HeaderGuid and MessageLength
+ //
+ if (*CommSize < OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
// If not already in SMM, then generate a Software SMI
//
if (!gSmmCorePrivate->InSmm && gSmmCorePrivate->SmmEntryPointRegistered) {
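Review bot: The new guard only establishes that `*CommSize` covers HeaderGuid and MessageLength; nothing visible here compares the header's MessageLength with the remaining `*CommSize - OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)`. If that is not checked elsewhere, a handler that trusts MessageLength could read beyond what the caller declared, so consider also returning EFI_INVALID_PARAMETER when MessageLength exceeds that remainder. Because this check runs before the software SMI is generated, it is a caller-side sanity check rather than an SMM-side boundary, and the comment could say so, e.g. `// Caller-side sanity check only; the SMM Core must re-validate BufferSize`. The function starts and ends outside the hunk, and I am assuming the closing brace above it ends a NULL check on CommSize, since the new line dereferences it.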
@@ -418,7 +425,7 @@ SmmCommunicationCommunicate ( // Put arguments for Software SMI in gSmmCorePrivate
//
gSmmCorePrivate->CommunicationBuffer = CommBuffer;
- gSmmCorePrivate->BufferSize = CommSize;
+ gSmmCorePrivate->BufferSize = *CommSize;
//
// Generate Software SMI
@@ -431,6 +438,7 @@ SmmCommunicationCommunicate ( //
// Return status from software SMI
//
+ *CommSize = gSmmCorePrivate->BufferSize;
return gSmmCorePrivate->ReturnStatus;
}