Reviewed-by: Jian J Wang <jian.j.w...@intel.com> Regards, Jian
> -----Original Message----- > From: Bi, Dandan <dandan...@intel.com> > Sent: Thursday, February 13, 2020 12:03 PM > To: devel@edk2.groups.io > Cc: Gao, Liming <liming....@intel.com>; Dong, Eric <eric.d...@intel.com>; > Wang, Jian J <jian.j.w...@intel.com> > Subject: [patch] MdeModulePkg/HiiDB: Remove configuration table when it's > freed (CVE-2019-14586) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1995 > > Fix the corner case issue that the original configuration runtime > memory is freed, but it is still exposed to the OS runtime. > So this patch is to remove the configuration table to avoid being > used in OS runtime when the configuration runtime memory is freed. > > Cc: Liming Gao <liming....@intel.com> > Cc: Eric Dong <eric.d...@intel.com> > Cc: Jian J Wang <jian.j.w...@intel.com> > Signed-off-by: Dandan Bi <dandan...@intel.com> > Reviewed-by: Eric Dong <eric.d...@intel.com> > --- > MdeModulePkg/Universal/HiiDatabaseDxe/Database.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > index d3791ca68b..36265b8ff9 100644 > --- a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > @@ -3374,10 +3374,14 @@ HiiGetConfigRespInfo( > } > gRTConfigRespBuffer = (EFI_STRING) AllocateRuntimeZeroPool > (gConfigRespSize); > if (gRTConfigRespBuffer == NULL){ > FreePool(ConfigAltResp); > DEBUG ((DEBUG_ERROR, "[HiiDatabase]: No enough memory resource to > store the ConfigResp string.\n")); > + // > + // Remove from the System Table when the configuration runtime > buffer is > freed. > + // > + gBS->InstallConfigurationTable (&gEfiHiiConfigRoutingProtocolGuid, > NULL); > return EFI_OUT_OF_RESOURCES; > } > } else { > ZeroMem(gRTConfigRespBuffer,gConfigRespSize); > } > @@ -3429,10 +3433,14 @@ HiiGetDatabaseInfo( > DEBUG ((DEBUG_WARN, "[HiiDatabase]: Memory allocation is required > after ReadyToBoot, which may change memory map and cause S4 resume > issue.\n")); > } > gRTDatabaseInfoBuffer = AllocateRuntimeZeroPool (gDatabaseInfoSize); > if (gRTDatabaseInfoBuffer == NULL){ > DEBUG ((DEBUG_ERROR, "[HiiDatabase]: No enough memory resource to > store the HiiDatabase info.\n")); > + // > + // Remove from the System Table when the configuration runtime buffer > is > freed. > + // > + gBS->InstallConfigurationTable (&gEfiHiiDatabaseProtocolGuid, NULL); > return EFI_OUT_OF_RESOURCES; > } > } else { > ZeroMem(gRTDatabaseInfoBuffer,gDatabaseInfoSize); > } > -- > 2.18.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54335): https://edk2.groups.io/g/devel/message/54335 Mute This Topic: https://groups.io/mt/71232485/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
