From 9d00d20ed40fb56d8b5a8e1a3f7ae3e491ceaf94 Mon Sep 17 00:00:00 2001 From: lzeng14 Date: Thu, 25 Apr 2013 10:49:45 +0000 Subject: 1. Use the check IsAddressValid() to prevent SMM communication buffer overflow in SmmVariable, FtwSmm, FpdtSmm, SmmCorePerformance and SmmBaseHelper, and add check to prevent InfoSize overflows in SmmVariableHandler. 2. Refine the debug message. 3. Add check to make sure the input VariableName is A Null-terminated string. 4. Use local variable to hold StrSize (VariableName) to avoid duplicated StrSize calculation. Signed-off-by: Star Zeng Reviewed-by: Jiewen Yao Reviewed-by: Chao Zhang git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14317 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Compatibility/SmmBaseHelper/SmmBaseHelper.c | 31 ++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) (limited to 'EdkCompatibilityPkg') diff --git a/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c b/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c index 193ab19756..a2d89eaa21 100644 --- a/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c +++ b/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c @@ -11,7 +11,7 @@ SmmHandlerEntry() will receive untrusted input and do validation. - Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
+ Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -732,6 +732,33 @@ IsAddressInSmram ( return FALSE; } +/** + This function check if the address refered by Buffer and Length is valid. + + @param Buffer the buffer address to be checked. + @param Length the buffer length to be checked. + + @retval TRUE this address is valid. + @retval FALSE this address is NOT valid. +**/ +BOOLEAN +IsAddressValid ( + IN UINTN Buffer, + IN UINTN Length + ) +{ + if (Buffer > (MAX_ADDRESS - Length)) { + // + // Overflow happen + // + return FALSE; + } + if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) { + return FALSE; + } + return TRUE; +} + /** Thunk service of EFI_SMM_BASE_PROTOCOL.Register(). @@ -1068,7 +1095,7 @@ SmmHandlerEntry ( ASSERT (CommBufferSize != NULL); if (*CommBufferSize == sizeof (SMMBASE_FUNCTION_DATA) && - !IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) { + IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) { FunctionData = (SMMBASE_FUNCTION_DATA *)CommBuffer; switch (FunctionData->Function) { -- cgit v1.2.3