Revision: 14298
          http://edk2.svn.sourceforge.net/edk2/?rev=14298&view=rev
Author:   vanjeff
Date:     2013-04-19 06:58:47 +0000 (Fri, 19 Apr 2013)
Log Message:
-----------
Sync patch r13472 from main trunk.
EdkCompatibilityPkg SmmBaseHelper: In SmmHandlerEntry(), add check to ensure 
CommBuff+CommBuffSize is outside of SMRAM.

Revision Links:
--------------
    http://edk2.svn.sourceforge.net/edk2/?rev=13472&view=rev

Modified Paths:
--------------
    
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c
    
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.inf

Modified: 
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c
===================================================================
--- 
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c
        2013-04-19 06:39:43 UTC (rev 14297)
+++ 
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.c
        2013-04-19 06:58:47 UTC (rev 14298)
@@ -4,7 +4,14 @@
   This driver is the counterpart of the SMM Base On SMM Base2 Thunk driver. It
   provides helping services in SMM to the SMM Base On SMM Base2 Thunk driver.
 
-  Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
+  Caution: This module requires additional review when modified.
+  This driver will have external input - communicate buffer in SMM mode.
+  This external input must be validated carefully to avoid security issue like
+  buffer overflow, integer overflow.
+
+  SmmHandlerEntry() will receive untrusted input and do validation.
+
+  Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
   which accompanies this distribution.  The full text of the license may be 
found at
@@ -35,6 +42,7 @@
 #include <Protocol/MpService.h>
 #include <Protocol/LoadPe32Image.h>
 #include <Protocol/SmmReadyToLock.h>
+#include <Protocol/SmmAccess2.h>
 
 ///
 /// Structure for tracking paired information of registered Framework SMI 
handler
@@ -78,6 +86,8 @@
 UINT64                             mPhyMask;
 VOID                               *mOriginalHandler;
 EFI_SMM_CPU_SAVE_STATE             *mShadowSaveState;
+EFI_SMRAM_DESCRIPTOR               *mSmramRanges;
+UINTN                              mSmramRangeCount;
 
 LIST_ENTRY mCallbackInfoListHead = INITIALIZE_LIST_HEAD_VARIABLE 
(mCallbackInfoListHead);
 
@@ -695,7 +705,33 @@
   return Status;
 }
 
+/**
+  This function check if the address is in SMRAM.
 
+  @param Buffer  the buffer address to be checked.
+  @param Length  the buffer length to be checked.
+
+  @retval TRUE  this address is in SMRAM.
+  @retval FALSE this address is NOT in SMRAM.
+**/
+BOOLEAN
+IsAddressInSmram (
+  IN EFI_PHYSICAL_ADDRESS  Buffer,
+  IN UINT64                Length
+  )
+{
+  UINTN  Index;
+
+  for (Index = 0; Index < mSmramRangeCount; Index ++) {
+    if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < 
mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
+        ((mSmramRanges[Index].CpuStart >= Buffer) && 
(mSmramRanges[Index].CpuStart < Buffer + Length))) {
+      return TRUE;
+    }
+  }
+
+  return FALSE;
+}
+
 /** 
   Thunk service of EFI_SMM_BASE_PROTOCOL.Register().
 
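Review bot: The second clause of the condition in IsAddressInSmram computes `Buffer + Length` with no wrap-around check, so a Length large enough to wrap UINT64 makes `CpuStart < Buffer + Length` false and a buffer whose tail lands in SMRAM is reported as outside it. The only caller in this commit passes `sizeof (SMMBASE_FUNCTION_DATA)`, which cannot wrap, but the helper is a general predicate and should fail closed on its own: `if (Buffer + Length < Buffer) { return TRUE; }` before the loop. The doc comment says "check" for "checks" and should state that overlap, not just containment, counts: `@retval TRUE   some byte of [Buffer, Buffer + Length) lies in SMRAM.`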
@@ -998,6 +1034,10 @@
 
   This SMI handler provides services for the SMM Base Thunk driver.
 
+  Caution: This function may receive untrusted input during runtime.
+  The communicate buffer is external input, so this function will do 
operations only if the communicate
+  buffer is outside of SMRAM so that returning the status code in the buffer 
won't overwrite anywhere in SMRAM.
+
   @param[in]     DispatchHandle  The unique handle assigned to this handler by 
SmiHandlerRegister().
   @param[in]     RegisterContext Points to an optional handler context which 
was specified when the
                                  handler was registered.
@@ -1025,32 +1065,35 @@
   SMMBASE_FUNCTION_DATA *FunctionData;
 
   ASSERT (CommBuffer != NULL);
-  ASSERT (*CommBufferSize == sizeof (SMMBASE_FUNCTION_DATA));
+  ASSERT (CommBufferSize != NULL);
 
-  FunctionData = (SMMBASE_FUNCTION_DATA *)CommBuffer;
+  if (*CommBufferSize == sizeof (SMMBASE_FUNCTION_DATA) &&
+      !IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, 
*CommBufferSize)) {
+    FunctionData = (SMMBASE_FUNCTION_DATA *)CommBuffer;
 
-  switch (FunctionData->Function) {
-    case SmmBaseFunctionRegister:
-      Register (FunctionData);
-      break;
-    case SmmBaseFunctionUnregister:
-      UnRegister (FunctionData);
-      break;
-    case SmmBaseFunctionRegisterCallback:
-      RegisterCallback (FunctionData);
-      break;
-    case SmmBaseFunctionAllocatePool:
-      HelperAllocatePool (FunctionData);
-      break;
-    case SmmBaseFunctionFreePool:
-      HelperFreePool (FunctionData);
-      break;
-    case SmmBaseFunctionCommunicate:
-      HelperCommunicate (FunctionData);
-      break;
-    default:
-      ASSERT (FALSE);
-      FunctionData->Status = EFI_UNSUPPORTED;
+    switch (FunctionData->Function) {
+      case SmmBaseFunctionRegister:
+        Register (FunctionData);
+        break;
+      case SmmBaseFunctionUnregister:
+        UnRegister (FunctionData);
+        break;
+      case SmmBaseFunctionRegisterCallback:
+        RegisterCallback (FunctionData);
+        break;
+      case SmmBaseFunctionAllocatePool:
+        HelperAllocatePool (FunctionData);
+        break;
+      case SmmBaseFunctionFreePool:
+        HelperFreePool (FunctionData);
+        break;
+      case SmmBaseFunctionCommunicate:
+        HelperCommunicate (FunctionData);
+        break;
+      default:
+        DEBUG ((EFI_D_WARN, "SmmBaseHelper: invalid SMM Base function.\n"));
+        FunctionData->Status = EFI_UNSUPPORTED;
+    }
   }
   return EFI_SUCCESS;
 }
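Review bot: A request that fails the new size-and-location guard is dropped silently: the handler returns EFI_SUCCESS and logs nothing, so a caller whose buffer overlaps SMRAM or has the wrong size is indistinguishable from one whose request was served. The `default` branch logs an invalid function code, and the rejection path deserves the same: add `else { DEBUG ((EFI_D_ERROR, "SmmBaseHelper: communicate buffer has invalid size or overlaps SMRAM!\n")); }` after the `if` block. Note that `FunctionData->Function` is still read from memory outside SMRAM after the check; the guard establishes that writing Status back cannot clobber SMRAM, not that the buffer contents are stable, which presumably is why each helper must validate what it reads — worth stating in the Caution paragraph. SmmHandlerEntry's signature and parameter declarations begin above the hunk.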
@@ -1099,6 +1142,8 @@
   EFI_HANDLE                 Handle;
   UINTN                      NumberOfEnabledProcessors;
   VOID                       *Registration;
+  EFI_SMM_ACCESS2_PROTOCOL   *SmmAccess;
+  UINTN                      Size;
   
   Handle = NULL;
   ///
@@ -1144,6 +1189,28 @@
   mSmmBaseHelperReady->ServiceEntry = SmmHandlerEntry;
 
   //
+  // Get SMRAM information
+  //
+  Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID 
**)&SmmAccess);
+  ASSERT_EFI_ERROR (Status);
+
+  Size = 0;
+  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
+  ASSERT (Status == EFI_BUFFER_TOO_SMALL);
+
+  Status = gSmst->SmmAllocatePool (
+                    EfiRuntimeServicesData,
+                    Size,
+                    (VOID **)&mSmramRanges
+                    );
+  ASSERT_EFI_ERROR (Status);
+
+  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
+  ASSERT_EFI_ERROR (Status);
+
+  mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
+
+  //
   // Register SMM Ready To Lock Protocol notification
   //
   Status = gSmst->SmmRegisterProtocolNotify (
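Review bot: Every failure in the new SMRAM-discovery sequence is handled only by ASSERT, which is compiled out in RELEASE builds: a failed LocateProtocol then dereferences an unset `SmmAccess`, and a failed SmmAllocatePool passes a NULL `mSmramRanges` to GetCapabilities. If execution survives, `mSmramRangeCount` stays 0 and IsAddressInSmram reports every buffer as outside SMRAM, so the guard added to SmmHandlerEntry fails open. Each step should return the error instead of continuing, as below. The enclosing entry-point function starts and ends outside the hunk, so whether earlier registrations need to be undone on this path cannot be judged from here.
```c
  //
  // Get SMRAM information. Fail closed: without the ranges the handler
  // cannot prove a communicate buffer lies outside SMRAM.
  //
  Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  Size = 0;
  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
  if (Status != EFI_BUFFER_TOO_SMALL) {
    return EFI_DEVICE_ERROR;
  }

  Status = gSmst->SmmAllocatePool (
                    EfiRuntimeServicesData,
                    Size,
                    (VOID **)&mSmramRanges
                    );
  if (EFI_ERROR (Status)) {
    return Status;
  }

  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
  // … unchanged: SMM Ready To Lock Protocol notification registration …
```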

Modified: 
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.inf
===================================================================
--- 
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.inf
      2013-04-19 06:39:43 UTC (rev 14297)
+++ 
branches/UDK2010.SR1/EdkCompatibilityPkg/Compatibility/SmmBaseHelper/SmmBaseHelper.inf
      2013-04-19 06:58:47 UTC (rev 14298)
@@ -1,7 +1,7 @@
 ## @file
 #  Component description file for SMM Base Helper SMM driver.
 #
-#  Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD 
License
@@ -72,9 +72,10 @@
   gEfiSmmCpuIo2ProtocolGuid              # PROTOCOL ALWAYS_CONSUMED
   gEfiLoadPeImageProtocolGuid            # PROTOCOL ALWAYS_CONSUMED
   gEfiSmmReadyToLockProtocolGuid         # PROTOCOL ALWAYS_CONSUMED
+  gEfiSmmAccess2ProtocolGuid             # PROTOCOL ALWAYS_CONSUMED
 
 [Depex]
   gEfiSmmCpuProtocolGuid AND
   gEfiMpServiceProtocolGuid AND
   gEfiSmmCpuIo2ProtocolGuid AND
-  gEfiLoadPeImageProtocolGuid
\ No newline at end of file
+  gEfiLoadPeImageProtocolGuid
