From 94020bb40f12a9057aed2dfaa89ad35d644d704e Mon Sep 17 00:00:00 2001
From: rsun3
Date: Wed, 14 Mar 2012 03:17:17 +0000
Subject: Improve robustness when scanning PCI Option ROM.
Signed-off-by: rsun3
Reviewed-by: geekboy15a
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13095 6f19259b-4bc3-4df7-8a09-765794883524
---
OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c | 36 +++++++++++++++++++++-------
1 file changed, 28 insertions(+), 8 deletions(-)
(limited to 'OvmfPkg/Library/PlatformBdsLib')
diff --git a/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c
index b0d045df9b..58531a800b 100644
--- a/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c
@@ -1,7 +1,7 @@
 /** @file
 Platform BDS customizations.
- Copyright (c) 2004 - 2009, Intel Corporation. All rights reserved.
+ Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution. The full text of the license may be found at
@@ -1489,6 +1489,7 @@ PciRomLoadEfiDriversFromRomImage (
 VOID *DecompressedImageBuffer;
 UINT32 ImageLength;
 EFI_DECOMPRESS_PROTOCOL *Decompress;
+ UINT32 InitializationSize;
 FileName = L"PciRomInMemory";
@@ -1503,24 +1504,43 @@ PciRomLoadEfiDriversFromRomImage (
 EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) (UINTN) RomOffset;
- if (EfiRomHeader->Signature != 0xaa55) {
+ if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
 return retStatus;
 }
+ //
+ // If the pointer to the PCI Data Structure is invalid, no further images can be located.
+ // The PCI Data Structure must be DWORD aligned.
+ //
+ if (EfiRomHeader->PcirOffset == 0 ||
+ (EfiRomHeader->PcirOffset & 3) != 0 ||
+ RomOffset - (UINTN)Rom + EfiRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+ break;
+ }
 Pcir = (PCI_DATA_STRUCTURE *) (UINTN) (RomOffset + EfiRomHeader->PcirOffset);
+ //
+ // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+ //
+ if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
 ImageSize = Pcir->ImageLength * 512;
+ if (RomOffset - (UINTN)Rom + ImageSize > RomSize) {
+ break;
+ }
 if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
- (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) ) {
+ (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+ ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+ (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
- if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
- (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER) ) {
+ ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
+ InitializationSize = EfiRomHeader->InitializationSize * 512;
- ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
- ImageSize = EfiRomHeader->InitializationSize * 512;
+ if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
 ImageBuffer = (VOID *) (UINTN) (RomOffset + ImageOffset);
- ImageLength = ImageSize - ImageOffset;
+ ImageLength = InitializationSize - ImageOffset;
 DecompressedImageBuffer = NULL;
 //
-- cgit v1.2.3
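Review bot: The new bounds check after `ImageSize = Pcir->ImageLength * 512;` still accepts an ImageLength of zero, so a PCI Data Structure reporting ImageLength == 0 passes every guard in this hunk, and if the loop advances RomOffset by ImageSize (the advance and the loop condition are outside the hunk) the same header would be rescanned without progress; extending the guard to `if (ImageSize == 0 || RomOffset - (UINTN)Rom + ImageSize > RomSize) { break; }` closes that. The fields Signature, PcirOffset, EfiSignature, EfiSubsystem, EfiImageHeaderOffset and InitializationSize are all read through EfiRomHeader before anything visible here establishes that a whole EFI_PCI_EXPANSION_ROM_HEADER lies below RomSize at RomOffset, which matters once RomOffset has been advanced by a previous image's size; unless the loop condition already guarantees it, a check such as `if (RomOffset - (UINTN)Rom + sizeof (EFI_PCI_EXPANSION_ROM_HEADER) > RomSize) { break; }` belongs before the signature test. A short comment on the new `InitializationSize <= ImageSize && ImageOffset < InitializationSize` line, e.g. `// The EFI image must lie entirely inside this ROM image`, would make the reason for the two comparisons explicit. PciRomLoadEfiDriversFromRomImage starts and ends outside the hunk.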