Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.

Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14379 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 5 insertions, 2 deletions

diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
index f3472e26f3..9c5fd4db85 100644
--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
+++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
@@ -268,6 +268,7 @@ FpdtSmiHandler (
   SMM_BOOT_RECORD_COMMUNICATE  *SmmCommData;

   UINTN                        BootRecordSize;

   VOID                         *BootRecordData;

+  UINTN                        TempCommBufferSize;

 

   //

   // If input is invalid, stop processing this SMI

@@ -276,11 +277,13 @@ FpdtSmiHandler (
     return EFI_SUCCESS;

   }

 

-  if(*CommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {

+  TempCommBufferSize = *CommBufferSize;

+

+  if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {

     return EFI_SUCCESS;

   }

   

-  if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {

+  if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {

     DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n"));

     return EFI_SUCCESS;

   }