From 3b657538dc4e83cc304b4036dc5d63969a0c10db Mon Sep 17 00:00:00 2001
From: Star Zeng
Date: Wed, 26 Aug 2015 01:10:39 +0000
Subject: MdeModulePkg PiSmmCore: Prevent overlap for gSmmCorePrivate and CommBuffer

InternalIsBufferOverlapped() is created to check overlap between buffers.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng
Reviewed-by: Jiewen Yao

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18312 6f19259b-4bc3-4df7-8a09-765794883524
---
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 44 +++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index 55dcf31713..496638a17e 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -378,6 +378,37 @@ SmmEndOfDxeHandler (
   return Status;
 }
 
+/**
+  Determine if two buffers overlap in memory.
+
+  @param[in] Buff1  Pointer to first buffer
+  @param[in] Size1  Size of Buff1
+  @param[in] Buff2  Pointer to second buffer
+  @param[in] Size2  Size of Buff2
+
+  @retval TRUE      Buffers overlap in memory.
+  @retval FALSE     Buffer doesn't overlap.
+
+**/
+BOOLEAN
+InternalIsBufferOverlapped (
+  IN UINT8      *Buff1,
+  IN UINTN      Size1,
+  IN UINT8      *Buff2,
+  IN UINTN      Size2
+  )
+{
+  //
+  // If buff1's end is less than the start of buff2, then it's ok.
+  // Also, if buff1's start is beyond buff2's end, then it's ok.
+  //
+  if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
 /**
   The main entry point to SMM Foundation.
 
@@ -396,6 +427,7 @@ SmmEntryPoint (
   EFI_STATUS                  Status;
   EFI_SMM_COMMUNICATE_HEADER  *CommunicateHeader;
   BOOLEAN                     InLegacyBoot;
+  BOOLEAN                     IsOverlapped;
 
   PERF_START (NULL, "SMM", NULL, 0) ;
 
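Review bot: The range test in InternalIsBufferOverlapped forms `Buff1 + Size1` and `Buff2 + Size2` directly, so a Size1 large enough to wrap the address space makes `(Buff1 + Size1) <= Buff2` true and the helper reports no overlap for a range that actually covers Buff2; at the call site Size1 is gSmmCorePrivate->BufferSize, which on the Communicate path appears to be supplied from outside SMM. A wrap guard at the top of the function, `if (((UINTN) Buff1 + Size1 < (UINTN) Buff1) || ((UINTN) Buff2 + Size2 < (UINTN) Buff2)) { return TRUE; }`, makes the helper safe on its own instead of relying on the caller to have rejected such a range first, and doing the comparisons on UINTN values rather than pointers avoids forming out-of-range pointers at all. A zero-length Size1 is handled correctly by the existing comparisons and would also remain so with the guard. Given the `Internal` prefix, the function could also be declared `STATIC` so the symbol is not exported from the core.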
@@ -427,9 +459,17 @@ SmmEntryPoint (
       //
       // Synchronous SMI for SMM Core or request from Communicate protocol
       //
-      if (!SmmIsBufferOutsideSmmValid ((UINTN)gSmmCorePrivate->CommunicationBuffer, gSmmCorePrivate->BufferSize)) {
+      IsOverlapped = InternalIsBufferOverlapped (
+                       (UINT8 *) gSmmCorePrivate->CommunicationBuffer,
+                       gSmmCorePrivate->BufferSize,
+                       (UINT8 *) gSmmCorePrivate,
+                       sizeof (*gSmmCorePrivate)
+                       );
+      if (!SmmIsBufferOutsideSmmValid ((UINTN)gSmmCorePrivate->CommunicationBuffer, gSmmCorePrivate->BufferSize) || IsOverlapped) {
         //
-        // If CommunicationBuffer is not in valid address scope, return EFI_INVALID_PARAMETER
+        // If CommunicationBuffer is not in valid address scope,
+        // or there is overlap between gSmmCorePrivate and CommunicationBuffer,
+        // return EFI_INVALID_PARAMETER
         //
         gSmmCorePrivate->CommunicationBuffer = NULL;
         gSmmCorePrivate->ReturnStatus = EFI_INVALID_PARAMETER;
-- 
cgit v1.2.3
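Review bot: IsOverlapped is computed on the still-unvalidated CommunicationBuffer/BufferSize pair before SmmIsBufferOutsideSmmValid runs, so rejecting a wrapping or out-of-scope range rests on the `||` evaluating the address-scope check first and discarding the helper's result in that case. Calling InternalIsBufferOverlapped only after the scope check has passed, or at minimum a comment above the assignment such as `// Keep the address-scope check first: the overlap test assumes a non-wrapping range.`, would make that ordering dependency explicit for the next maintainer. The second range passed is `sizeof (*gSmmCorePrivate)`, i.e. only the private data structure itself, which is what the commit title describes; whether any other SMM-core state adjacent to it should be protected by the same test is not visible here and worth confirming. SmmEntryPoint begins and ends outside this hunk.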