Fix memory overflow & VariableSize check issue for SetVariable append write.

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by  : Fu Siyuan  <siyuan.fu@intel.com>
Reviewed-by  : Dong Guo   <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14323 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 24 insertions, 9 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 6f8808a756..440ede9144 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -192,7 +192,7 @@ AutenticatedVariableServiceInitialize (
   //

   // Reserved runtime buffer for "Append" operation in virtual mode.

   //

-  mStorageArea  = AllocateRuntimePool (PcdGet32 (PcdMaxVariableSize));

+  mStorageArea  = AllocateRuntimePool (MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)));

   if (mStorageArea == NULL) {

     return EFI_OUT_OF_RESOURCES;

   }

@@ -1316,20 +1316,24 @@ ProcessVariable (
   will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA

   will be ignored.

 

-  @param[in, out]  Data            Pointer to original EFI_SIGNATURE_LIST.

-  @param[in]       DataSize        Size of Data buffer.

-  @param[in]       NewData         Pointer to new EFI_SIGNATURE_LIST to be appended.

-  @param[in]       NewDataSize     Size of NewData buffer.

+  @param[in, out]  Data              Pointer to original EFI_SIGNATURE_LIST.

+  @param[in]       DataSize          Size of Data buffer.

+  @param[in]       FreeBufSize       Size of free data buffer 

+  @param[in]       NewData           Pointer to new EFI_SIGNATURE_LIST to be appended.

+  @param[in]       NewDataSize       Size of NewData buffer.

+  @param[out]      MergedBufSize     Size of the merged buffer

 

-  @return Size of the merged buffer.

+  @return EFI_BUFFER_TOO_SMALL if input Data buffer overflowed

 

 **/

-UINTN

+EFI_STATUS

 AppendSignatureList (

   IN  OUT VOID            *Data,

   IN  UINTN               DataSize,

+  IN  UINTN               FreeBufSize,

   IN  VOID                *NewData,

-  IN  UINTN               NewDataSize

+  IN  UINTN               NewDataSize,

+  OUT UINTN               *MergedBufSize

   )

 {

   EFI_SIGNATURE_LIST  *CertList;

@@ -1388,15 +1392,25 @@ AppendSignatureList (
         // New EFI_SIGNATURE_DATA, append it.

         //

         if (CopiedCount == 0) {

+          if (FreeBufSize < sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize) {

+            return EFI_BUFFER_TOO_SMALL;

+          }

+

           //

           // Copy EFI_SIGNATURE_LIST header for only once.

           //

+

           CopyMem (Tail, NewCertList, sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize);

           Tail = Tail + sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize;

+          FreeBufSize -= sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize;

         }

 

+        if (FreeBufSize < NewCertList->SignatureSize) {

+          return EFI_BUFFER_TOO_SMALL;

+        }

         CopyMem (Tail, NewCert, NewCertList->SignatureSize);

         Tail += NewCertList->SignatureSize;

+        FreeBufSize -= NewCertList->SignatureSize;

         CopiedCount++;

       }

 

@@ -1416,7 +1430,8 @@ AppendSignatureList (
     NewCertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) NewCertList + NewCertList->SignatureListSize);

   }

 

-  return (Tail - (UINT8 *) Data);

+  *MergedBufSize = (Tail - (UINT8 *) Data);

+  return EFI_SUCCESS;

 }

 

 /**