From 5e5bb2a9baefcd2f231696ea94576dab5565fbfb Mon Sep 17 00:00:00 2001 From: lzeng14 Date: Tue, 7 May 2013 05:38:32 +0000 Subject: 1. Fix TOCTOU issue in VariableSmm, FtwSmm, FpdtSmm, SmmCorePerformance SMM handler. For VariableSmm, pre-allocate a mVariableBufferPayload buffer with mVariableBufferPayloadSize(match with mVariableBufferPayloadSize in VariableSmmRuntimeDxe) to hold communicate buffer payload to avoid TOCTOU issue. 2. Add check to ensure CommBufferPayloadSize not exceed mVariableBufferPayloadSize or is enough to hold function structure in VariableSmm and FtwSmm. 3. Align FtwGetLastWrite() in FaultTolerantWriteSmmDxe.c to FtwGetLastWrite() in FaultTolerantWrite.c. Signed-off-by: Star Zeng Reviewed-by: Jiewen Yao git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14325 6f19259b-4bc3-4df7-8a09-765794883524 --- .../SmmCorePerformanceLib/SmmCorePerformanceLib.c | 44 +++++++++++++--------- 1 file changed, 27 insertions(+), 17 deletions(-) (limited to 'MdeModulePkg/Library/SmmCorePerformanceLib') diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c index 5755f2affc..2bfd62a2b9 100644 --- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c +++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c @@ -540,6 +540,9 @@ SmmPerformanceHandlerEx ( SMM_PERF_COMMUNICATE_EX *SmmPerfCommData; GAUGE_DATA_ENTRY_EX *GaugeEntryExArray; UINTN DataSize; + GAUGE_DATA_ENTRY_EX *GaugeDataEx; + UINTN NumberOfEntries; + UINTN LogEntryKey; GaugeEntryExArray = NULL; @@ -555,7 +558,7 @@ SmmPerformanceHandlerEx ( } if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) { - DEBUG ((EFI_D_ERROR, "SMM communcation data buffer in SMRAM or overflow!\n")); + DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM communcation data buffer in SMRAM or overflow!\n")); return EFI_SUCCESS; } @@ -568,8 +571,11 @@ SmmPerformanceHandlerEx ( break; case SMM_PERF_FUNCTION_GET_GAUGE_DATA : - if ( SmmPerfCommData->GaugeDataEx == NULL || SmmPerfCommData->NumberOfEntries == 0 || - (SmmPerfCommData->LogEntryKey + SmmPerfCommData->NumberOfEntries) > mGaugeData->NumberOfEntries) { + GaugeDataEx = SmmPerfCommData->GaugeDataEx; + NumberOfEntries = SmmPerfCommData->NumberOfEntries; + LogEntryKey = SmmPerfCommData->LogEntryKey; + if (GaugeDataEx == NULL || NumberOfEntries == 0 || LogEntryKey > mGaugeData->NumberOfEntries || + NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey + NumberOfEntries) > mGaugeData->NumberOfEntries) { Status = EFI_INVALID_PARAMETER; break; } @@ -577,17 +583,17 @@ SmmPerformanceHandlerEx ( // // Sanity check // - DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX); - if (!IsAddressValid ((UINTN)SmmPerfCommData->GaugeDataEx, DataSize)) { - DEBUG ((EFI_D_ERROR, "SMM Performance Data buffer in SMRAM or overflow!\n")); + DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX); + if (!IsAddressValid ((UINTN)GaugeDataEx, DataSize)) { + DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM Performance Data buffer in SMRAM or overflow!\n")); Status = EFI_ACCESS_DENIED; break; } GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); CopyMem( - (UINT8 *) (SmmPerfCommData->GaugeDataEx), - (UINT8 *) &GaugeEntryExArray[SmmPerfCommData->LogEntryKey], + (UINT8 *) GaugeDataEx, + (UINT8 *) &GaugeEntryExArray[LogEntryKey], DataSize ); Status = EFI_SUCCESS; @@ -640,6 +646,8 @@ SmmPerformanceHandler ( GAUGE_DATA_ENTRY_EX *GaugeEntryExArray; UINTN DataSize; UINTN Index; + GAUGE_DATA_ENTRY *GaugeData; + UINTN NumberOfEntries; UINTN LogEntryKey; GaugeEntryExArray = NULL; @@ -656,7 +664,7 @@ SmmPerformanceHandler ( } if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) { - DEBUG ((EFI_D_ERROR, "SMM communcation data buffer in SMRAM or overflow!\n")); + DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM communcation data buffer in SMRAM or overflow!\n")); return EFI_SUCCESS; } @@ -669,8 +677,11 @@ SmmPerformanceHandler ( break; case SMM_PERF_FUNCTION_GET_GAUGE_DATA : - if ( SmmPerfCommData->GaugeData == NULL || SmmPerfCommData->NumberOfEntries == 0 || - (SmmPerfCommData->LogEntryKey + SmmPerfCommData->NumberOfEntries) > mGaugeData->NumberOfEntries) { + GaugeData = SmmPerfCommData->GaugeData; + NumberOfEntries = SmmPerfCommData->NumberOfEntries; + LogEntryKey = SmmPerfCommData->LogEntryKey; + if (GaugeData == NULL || NumberOfEntries == 0 || LogEntryKey > mGaugeData->NumberOfEntries || + NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey + NumberOfEntries) > mGaugeData->NumberOfEntries) { Status = EFI_INVALID_PARAMETER; break; } @@ -678,19 +689,18 @@ SmmPerformanceHandler ( // // Sanity check // - DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY); - if (!IsAddressValid ((UINTN)SmmPerfCommData->GaugeData, DataSize)) { - DEBUG ((EFI_D_ERROR, "SMM Performance Data buffer in SMRAM or overflow!\n")); + DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY); + if (!IsAddressValid ((UINTN)GaugeData, DataSize)) { + DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM Performance Data buffer in SMRAM or overflow!\n")); Status = EFI_ACCESS_DENIED; break; } GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); - LogEntryKey = SmmPerfCommData->LogEntryKey; - for (Index = 0; Index < SmmPerfCommData->NumberOfEntries; Index++) { + for (Index = 0; Index < NumberOfEntries; Index++) { CopyMem( - (UINT8 *) &(SmmPerfCommData->GaugeData[Index]), + (UINT8 *) &GaugeData[Index], (UINT8 *) &GaugeEntryExArray[LogEntryKey++], sizeof (GAUGE_DATA_ENTRY) ); -- cgit v1.2.3