Fix a potential SMM memory dump issue. If pass communication buffer with DataBuffer to SMM SetVariable which is big enough to cover SMM range. Then GetVariable can dump SMM memory contents. Add more range check for SetVariable

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by  : Dong Guo   <guo.dong@intel.com>
Reviewed-by  : Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14292 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 13 insertions, 0 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
index 316845f045..678cff3c7d 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
@@ -488,6 +488,19 @@ SmmVariableHandler (
       

     case SMM_VARIABLE_FUNCTION_SET_VARIABLE:

       SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;

+      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)

+                 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;

+

+      //

+      // SMRAM range check already covered before

+      // Data buffer should not contain SMM range

+      //

+      if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {

+        DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));

+        Status = EFI_ACCESS_DENIED;

+        goto EXIT;

+      }

+

       Status = VariableServiceSetVariable (

                  SmmVariableHeader->Name,

                  &SmmVariableHeader->Guid,