From 94020bb40f12a9057aed2dfaa89ad35d644d704e Mon Sep 17 00:00:00 2001 From: rsun3 Date: Wed, 14 Mar 2012 03:17:17 +0000 Subject: Improve robustness when scanning PCI Option ROM. Signed-off-by: rsun3 Reviewed-by: geekboy15a git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13095 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Csm/BiosThunk/Snp16Dxe/BiosSnp16.c | 12 +++++++- .../Csm/LegacyBiosDxe/LegacyPci.c | 33 ++++++++++++++++++---- 2 files changed, 39 insertions(+), 6 deletions(-) (limited to 'IntelFrameworkModulePkg') diff --git a/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c b/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c index 2ae8daca73..744a7e3453 100644 --- a/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c +++ b/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c @@ -1,6 +1,6 @@ /** @file -Copyright (c) 1999 - 2010, Intel Corporation. All rights reserved.
+Copyright (c) 1999 - 2012, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions @@ -1226,6 +1226,16 @@ Undi16SimpleNetworkLoadUndi ( DEBUG ((DEBUG_INIT, "Option ROM found at %X\n", RomAddress)); + // + // If the pointer to the PCI Data Structure is invalid, no further images can be located. + // The PCI Data Structure must be DWORD aligned. + // + if (PciExpansionRomHeader->PcirOffset == 0 || + (PciExpansionRomHeader->PcirOffset & 3) != 0 || + RomAddress + PciExpansionRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > 0x100000) { + break; + } + PciDataStructure = (PCI_DATA_STRUCTURE *) (RomAddress + PciExpansionRomHeader->PcirOffset); if (PciDataStructure->Signature != PCI_DATA_STRUCTURE_SIGNATURE) { diff --git a/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c b/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c index 59f6d905dc..45cdd037e6 100644 --- a/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c +++ b/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c @@ -1,6 +1,6 @@ /** @file -Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
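Review bot: The new upper bound in Undi16SimpleNetworkLoadUndi compares against the literal `0x100000`, which keeps the PCI Data Structure below 1 MB but does not keep it inside the Option ROM that `RomAddress` points at, so a `PcirOffset` taken from the ROM header can still select memory past the end of that ROM. The signature comparison on the following lines narrows this, but it reads from that same unbounded location. If the ROM's size is known at this point (the enclosing loop starts and ends outside the hunk), bounding the offset by it would be tighter. At minimum the constant deserves a name or a comment such as `// 1 MB: the PCI Data Structure must lie below this address`.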
+Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions @@ -304,14 +304,24 @@ GetPciLegacyRom ( BackupImage = NULL; RomHeader.Raw = *Rom; while (RomHeader.Generic->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE) { - if (*ImageSize < - RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE) - ) { - return EFI_NOT_FOUND; + if (RomHeader.Generic->PcirOffset == 0 || + (RomHeader.Generic->PcirOffset & 3) !=0 || + *ImageSize < RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE)) { + break; } Pcir = (PCI_3_0_DATA_STRUCTURE *) (RomHeader.Raw + RomHeader.Generic->PcirOffset); + // + // Check signature in the PCI Data Structure. + // + if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) { + break; + } + if ((UINTN)(RomHeader.Raw - (UINT8 *) *Rom) + Pcir->ImageLength * 512 > *ImageSize) { + break; + } + if (Pcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) { Match = FALSE; if (Pcir->VendorId == VendorId) { @@ -2875,8 +2885,21 @@ LegacyBiosInstallPciRom ( } LocalRomImage = *RomImage; + if (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE || + ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset == 0 || + (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset & 3 ) != 0) { + mVgaInstallationInProgress = FALSE; + return EFI_UNSUPPORTED; + } + Pcir = (PCI_3_0_DATA_STRUCTURE *) ((UINT8 *) LocalRomImage + ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset); + + if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) { + mVgaInstallationInProgress = FALSE; + return EFI_UNSUPPORTED; + } + ImageSize = Pcir->ImageLength * 512; if (Pcir->Length >= 0x1C) { OpromRevision = Pcir->Revision; -- cgit v1.2.3
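Review bot: The added `ImageLength` bound in GetPciLegacyRom accepts `Pcir->ImageLength == 0`, so a ROM that reports a zero-length image passes every new check. The code that advances `RomHeader.Raw` lies outside this hunk; if it steps by `Pcir->ImageLength * 512`, as the bound suggests, a zero length would keep the loop on the same header indefinitely. Rejecting it with the other checks, `if (Pcir->ImageLength == 0 || (UINTN)(RomHeader.Raw - (UINT8 *) *Rom) + Pcir->ImageLength * 512 > *ImageSize) {`, closes that case. Separately, the size check uses `sizeof (PCI_DATA_STRUCTURE)` while the pointer is cast to `PCI_3_0_DATA_STRUCTURE *`, so a comment stating which fields may be read under that bound would help.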
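Review bot: The checks added to LegacyBiosInstallPciRom reject a zero or misaligned `PcirOffset` but, unlike the GetPciLegacyRom change in this commit, place no upper bound on it, so `Pcir->Signature` and `Pcir->ImageLength` are read at whatever offset the ROM header supplies. `ImageSize = Pcir->ImageLength * 512` is likewise taken from the ROM without comparison against the real size of the buffer. No image size is visible in this hunk, and the function starts and ends outside it; if a size is available there, add a term such as `PcirOffset + sizeof (PCI_DATA_STRUCTURE) > <image size, placeholder>` to the first condition and check the computed `ImageSize` against the same value. The four repeated `(PCI_EXPANSION_ROM_HEADER *) LocalRomImage` casts would also read better through one local pointer.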