From ab780ebf909941e589c93a03ebaf6797ef6c8567 Mon Sep 17 00:00:00 2001
From: jyao1
Date: Sun, 21 Mar 2010 04:17:16 +0000
Subject: Change BufferSize from UINTN * to UINTN to eliminate pointer to pointer in SmmCore for security consideration.

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10299 6f19259b-4bc3-4df7-8a09-765794883524
---
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 6 +++---
 MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h | 2 +-
 MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 12 ++++++++++--
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index e49661a006..b391ecf61f 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -276,19 +276,19 @@ SmmEntryPoint (
     // Synchronous SMI for SMM Core or request from Communicate protocol
     //
     CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)gSmmCorePrivate->CommunicationBuffer;
-    *gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+    gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
     Status = SmiManage (
                &CommunicateHeader->HeaderGuid,
                NULL,
                CommunicateHeader->Data,
-               gSmmCorePrivate->BufferSize
+               &gSmmCorePrivate->BufferSize
                );
     //
     // Update CommunicationBuffer, BufferSize and ReturnStatus
     // Communicate service finished, reset the pointer to CommBuffer to NULL
     //
-    *gSmmCorePrivate->BufferSize += OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+    gSmmCorePrivate->BufferSize += OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
     gSmmCorePrivate->CommunicationBuffer = NULL;
     gSmmCorePrivate->ReturnStatus = (Status == EFI_WARN_INTERRUPT_SOURCE_QUIESCED) ? EFI_SUCCESS : EFI_NOT_FOUND;
   } else {
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h
index ce007015a1..b8bc758824 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h
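Review bot: The subtraction `gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);` still assumes BufferSize is at least the header size, and the only check establishing that is the one this commit adds in PiSmmIpl.c, on the non-SMM side of the interface. If gSmmCorePrivate is reachable from outside SMRAM — which the "security consideration" in the commit message suggests — a value altered between that check and the SMI makes the UINTN wrap and hands SmiManage a huge length. The core should re-validate before it subtracts, `if (gSmmCorePrivate->BufferSize < OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) { /* skip SmiManage, report failure via ReturnStatus */ }`, rather than relying on the caller-side check. The CommunicationBuffer pointer cast and dereferenced on the line above is likewise used without any range check visible in this hunk; I cannot tell whether one exists earlier in the function. SmmEntryPoint's body continues outside the hunk on both sides.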
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCorePrivateData.h
@@ -93,7 +93,7 @@ typedef struct {
   /// in bytes, into a software SMI handler and for the software SMI handler to pass the
   /// size, in bytes, of a buffer back to the caller of the SMM Communication Protocol.
   ///
-  UINTN *BufferSize;
+  UINTN BufferSize;
 
   ///
   /// This field is used by the SMM Communication Protocol to pass the return status from
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
index 608fedfcbe..6b89ab3aa3 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
@@ -210,8 +210,8 @@ SMM_CORE_PRIVATE_DATA mSmmCorePrivateData = {
   FALSE, // SmmEntryPointRegistered
   FALSE, // InSmm
   NULL, // Smst
-  0, // BufferSize
   NULL, // CommunicationBuffer
+  0, // BufferSize
   EFI_SUCCESS // ReturnStatus
 };
 
@@ -410,6 +410,13 @@ SmmCommunicationCommunicate (
     return EFI_INVALID_PARAMETER;
   }
 
+  //
+  // CommSize must hold HeaderGuid and MessageLength
+  //
+  if (*CommSize < OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
   //
   // If not already in SMM, then generate a Software SMI
   //
@@ -418,7 +425,7 @@ SmmCommunicationCommunicate (
     // Put arguments for Software SMI in gSmmCorePrivate
     //
     gSmmCorePrivate->CommunicationBuffer = CommBuffer;
-    gSmmCorePrivate->BufferSize = CommSize;
+    gSmmCorePrivate->BufferSize = *CommSize;
 
     //
     // Generate Software SMI
@@ -431,6 +438,7 @@ SmmCommunicationCommunicate (
     //
     // Return status from software SMI
     //
+    *CommSize = gSmmCorePrivate->BufferSize;
     return gSmmCorePrivate->ReturnStatus;
   }
 
-- 
cgit v1.2.3
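Review bot: The new writeback `*CommSize = gSmmCorePrivate->BufferSize;` in the @@ -431 hunk hands back whatever size the SMM side left in the shared structure without comparing it to the value the caller passed in, so a handler that grows the size reports a length larger than the caller's buffer; a bound such as `if (gSmmCorePrivate->BufferSize > *CommSize) { return EFI_INVALID_PARAMETER; }` before the assignment keeps the output within what the caller supplied. The check added in the @@ -410 hunk covers only the fixed header: whether the header's MessageLength field fits within `*CommSize` is not verified here, and I cannot see from these hunks whether SmmEntryPoint does it. That check also dereferences CommSize; the `return EFI_INVALID_PARAMETER;` just above it presumably rejects a NULL CommSize, but its condition is outside the hunk. SmmCommunicationCommunicate's body starts before the first of these hunks and continues between them.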