MdeModulePkg/Variable: Check if there is a NV Variable Storage header prior to use its attributes

The Variable PEI and RuntimeDxe drivers were using the attribute 'HeaderLength' of
EFI_FIRMWARE_VOLUME_HEADER without checking if a Firmware Volume Header was existing at
the base address.
In case the Firmware Volume Header does not exist or is corrupted, the attribute 'HeaderLength'
is a non valid value that can lead to a non valid physical address when accessing produces an
access error.

Signed-off-by: oliviermartin
Reviewed-by: niruiyu



git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12836 6f19259b-4bc3-4df7-8a09-765794883524

6 files changed, 25 insertions, 1 deletions

diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.c b/MdeModulePkg/Universal/Variable/Pei/Variable.c
index 4c8b9bbc38..5040f8208d 100644
--- a/MdeModulePkg/Universal/Variable/Pei/Variable.c
+++ b/MdeModulePkg/Universal/Variable/Pei/Variable.c
@@ -361,6 +361,15 @@ GetVariableStore (
                                                            PcdGet64 (PcdFlashNvStorageVariableBase64) : 

                                                            PcdGet32 (PcdFlashNvStorageVariableBase)

                                                           );

+

+        //

+        // Check if the Firmware Volume is not corrupted

+        //

+        if ((FvHeader->Signature != EFI_FVH_SIGNATURE) || (!CompareGuid (&gEfiSystemNvDataFvGuid, &FvHeader->FileSystemGuid))) {

+          DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));

+          break;

+        }

+

         VariableStoreHeader = (VARIABLE_STORE_HEADER *) ((UINT8 *) FvHeader + FvHeader->HeaderLength);

 

         if (IndexTable != NULL) {

diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.h b/MdeModulePkg/Universal/Variable/Pei/Variable.h
index 292acb974c..e0d8679d63 100644
--- a/MdeModulePkg/Universal/Variable/Pei/Variable.h
+++ b/MdeModulePkg/Universal/Variable/Pei/Variable.h
@@ -30,6 +30,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 

 #include <Guid/VariableFormat.h>

 #include <Guid/VariableIndexTable.h>

+#include <Guid/SystemNvDataGuid.h>

 

 typedef enum {

   VariableStoreTypeHob,

diff --git a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
index b86c0d1554..da07cf7b7a 100644
--- a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
+++ b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
@@ -48,6 +48,7 @@
 [Guids]

   gEfiVariableGuid

   gEfiVariableIndexTableGuid

+  gEfiSystemNvDataFvGuid

 

 [Ppis]

   gEfiPeiReadOnlyVariable2PpiGuid                ## SOMETIMES_PRODUCES (Not for boot mode RECOVERY)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
index 14d5d9c128..5aa6e3273d 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
@@ -1153,7 +1153,7 @@ VariableGetBestLanguage (
 

 **/

 VOID

-AutoUpdateLangVariable(

+AutoUpdateLangVariable (

   IN  CHAR16             *VariableName,

   IN  VOID               *Data,

   IN  UINTN              DataSize

@@ -2463,6 +2463,17 @@ VariableCommonInitialize (
   if (TempVariableStoreHeader == 0) {

     TempVariableStoreHeader = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);

   }

+

+  //

+  // Check if the Firmware Volume is not corrupted

+  //

+  if ((((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->Signature != EFI_FVH_SIGNATURE) ||

+      (!CompareGuid (&gEfiSystemNvDataFvGuid, &((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->FileSystemGuid))) {

+    Status = EFI_VOLUME_CORRUPTED;

+    DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));

+    goto Done;

+  }

+

   VariableStoreBase       = TempVariableStoreHeader + \

                               (((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader)) -> HeaderLength);

   VariableStoreLength     = (UINT64) PcdGet32 (PcdFlashNvStorageVariableSize) - \

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h
index 22aa5004ca..76c6205978 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h
@@ -37,6 +37,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Guid/GlobalVariable.h>

 #include <Guid/EventGroup.h>

 #include <Guid/VariableFormat.h>

+#include <Guid/SystemNvDataGuid.h>

 

 #define VARIABLE_RECLAIM_THRESHOLD (1024)

 

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 582baf570e..0acc7ed1b2 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -64,6 +64,7 @@
   gEfiVariableGuid                              ## PRODUCES ## Configuration Table Guid 

   gEfiGlobalVariableGuid                        ## PRODUCES ## Variable Guid

   gEfiEventVirtualAddressChangeGuid             ## PRODUCES ## Event

+  gEfiSystemNvDataFvGuid                        ## CONSUMES

 

 [Pcd]

   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize