From 732d199d8f996a483f7718ba28928dae5cc354ea Mon Sep 17 00:00:00 2001
From: czhang46 <czhang46@6f19259b-4bc3-4df7-8a09-765794883524>
Date: Thu, 2 May 2013 01:42:39 +0000
Subject: Fix memory overflow & VariableSize check issue for SetVariable append
 write.

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by  : Fu Siyuan  <siyuan.fu@intel.com>
Reviewed-by  : Dong Guo   <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14323 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../VariableAuthenticated/RuntimeDxe/AuthService.c | 33 ++++++++++++++++------
 1 file changed, 24 insertions(+), 9 deletions(-)

(limited to 'SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c')

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 6f8808a756..440ede9144 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -192,7 +192,7 @@ AutenticatedVariableServiceInitialize (
   //
   // Reserved runtime buffer for "Append" operation in virtual mode.
   //
-  mStorageArea  = AllocateRuntimePool (PcdGet32 (PcdMaxVariableSize));
+  mStorageArea  = AllocateRuntimePool (MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)));
   if (mStorageArea == NULL) {
     return EFI_OUT_OF_RESOURCES;
   }
@@ -1316,20 +1316,24 @@ ProcessVariable (
   will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA
   will be ignored.
 
-  @param[in, out]  Data            Pointer to original EFI_SIGNATURE_LIST.
-  @param[in]       DataSize        Size of Data buffer.
-  @param[in]       NewData         Pointer to new EFI_SIGNATURE_LIST to be appended.
-  @param[in]       NewDataSize     Size of NewData buffer.
+  @param[in, out]  Data              Pointer to original EFI_SIGNATURE_LIST.
+  @param[in]       DataSize          Size of Data buffer.
+  @param[in]       FreeBufSize       Size of free data buffer 
+  @param[in]       NewData           Pointer to new EFI_SIGNATURE_LIST to be appended.
+  @param[in]       NewDataSize       Size of NewData buffer.
+  @param[out]      MergedBufSize     Size of the merged buffer
 
-  @return Size of the merged buffer.
+  @return EFI_BUFFER_TOO_SMALL if input Data buffer overflowed
 
 **/
-UINTN
+EFI_STATUS
 AppendSignatureList (
   IN  OUT VOID            *Data,
   IN  UINTN               DataSize,
+  IN  UINTN               FreeBufSize,
   IN  VOID                *NewData,
-  IN  UINTN               NewDataSize
+  IN  UINTN               NewDataSize,
+  OUT UINTN               *MergedBufSize
   )
 {
   EFI_SIGNATURE_LIST  *CertList;
@@ -1388,15 +1392,25 @@ AppendSignatureList (
         // New EFI_SIGNATURE_DATA, append it.
         //
         if (CopiedCount == 0) {
+          if (FreeBufSize < sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize) {
+            return EFI_BUFFER_TOO_SMALL;
+          }
+
           //
           // Copy EFI_SIGNATURE_LIST header for only once.
           //
+
           CopyMem (Tail, NewCertList, sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize);
           Tail = Tail + sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize;
+          FreeBufSize -= sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize;
         }
 
+        if (FreeBufSize < NewCertList->SignatureSize) {
+          return EFI_BUFFER_TOO_SMALL;
+        }
         CopyMem (Tail, NewCert, NewCertList->SignatureSize);
         Tail += NewCertList->SignatureSize;
+        FreeBufSize -= NewCertList->SignatureSize;
         CopiedCount++;
       }
 
@@ -1416,7 +1430,8 @@ AppendSignatureList (
     NewCertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) NewCertList + NewCertList->SignatureListSize);
   }
 
-  return (Tail - (UINT8 *) Data);
+  *MergedBufSize = (Tail - (UINT8 *) Data);
+  return EFI_SUCCESS;
 }
 
 /**
-- 
cgit v1.2.3