summaryrefslogtreecommitdiff
path: root/MdeModulePkg/Universal/Variable/Pei
diff options
context:
space:
mode:
authorStar Zeng <star.zeng@intel.com>2014-10-31 10:26:54 +0000
committerlzeng14 <lzeng14@Edk2>2014-10-31 10:26:54 +0000
commit6ebffb67c8eca68cf5eb36bd308b305ab84fdd99 (patch)
tree36c6df7361066fe2ca73914c31679d77f46841d8 /MdeModulePkg/Universal/Variable/Pei
parenta75cf433d167aba7674e4b230f59ee915ebe64a8 (diff)
downloadedk2-platforms-6ebffb67c8eca68cf5eb36bd308b305ab84fdd99.tar.xz
MdeModulePkg/SecurityPkg Variable: Add boundary check for while (IsValidVariableHeader (Variable)).
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16280 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg/Universal/Variable/Pei')
-rw-r--r--MdeModulePkg/Universal/Variable/Pei/Variable.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.c b/MdeModulePkg/Universal/Variable/Pei/Variable.c
index df0304748c..4716cc5124 100644
--- a/MdeModulePkg/Universal/Variable/Pei/Variable.c
+++ b/MdeModulePkg/Universal/Variable/Pei/Variable.c
@@ -3,7 +3,7 @@
Implement ReadOnly Variable Services required by PEIM and install
PEI ReadOnly Varaiable2 PPI. These services operates the non volatile storage space.
-Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -547,14 +547,25 @@ GetVariableHeader (
EFI_HOB_GUID_TYPE *GuidHob;
UINTN PartialHeaderSize;
+ if (Variable == NULL) {
+ return FALSE;
+ }
+
//
// First assume variable header pointed by Variable is consecutive.
//
*VariableHeader = Variable;
- if ((Variable != NULL) && (StoreInfo->FtwLastWriteData != NULL)) {
+ if (StoreInfo->FtwLastWriteData != NULL) {
TargetAddress = StoreInfo->FtwLastWriteData->TargetAddress;
SpareAddress = StoreInfo->FtwLastWriteData->SpareAddress;
+ if (((UINTN) Variable > (UINTN) SpareAddress) &&
+ (((UINTN) Variable - (UINTN) SpareAddress + (UINTN) TargetAddress) >= (UINTN) GetEndPointer (StoreInfo->VariableStoreHeader))) {
+ //
+ // Reach the end of variable store.
+ //
+ return FALSE;
+ }
if (((UINTN) Variable < (UINTN) TargetAddress) && (((UINTN) Variable + sizeof (VARIABLE_HEADER)) > (UINTN) TargetAddress)) {
//
// Variable header pointed by Variable is inconsecutive,
@@ -576,6 +587,13 @@ GetVariableHeader (
CopyMem ((UINT8 *) *VariableHeader + PartialHeaderSize, (UINT8 *) (UINTN) SpareAddress, sizeof (VARIABLE_HEADER) - PartialHeaderSize);
}
}
+ } else {
+ if (Variable >= GetEndPointer (StoreInfo->VariableStoreHeader)) {
+ //
+ // Reach the end of variable store.
+ //
+ return FALSE;
+ }
}
return IsValidVariableHeader (*VariableHeader);