Revision: 14305
          http://edk2.svn.sourceforge.net/edk2/?rev=14305&view=rev
Author:   czhang46
Date:     2013-04-22 08:52:58 +0000 (Mon, 22 Apr 2013)
Log Message:
-----------
Fix potential overflow for SetVariable interface

Signed-off-by: Chao Zhang <[email protected]>
Reviewed-by  : Guo Dong   <[email protected]>
Reviewed-by  : Siyuan Fu  <[email protected]>

Modified Paths:
--------------
    trunk/edk2/MdeModulePkg/Universal/Variable/EmuRuntimeDxe/EmuVariable.c
    trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
    
trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
    trunk/edk2/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c
    trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
    
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c

Modified: trunk/edk2/MdeModulePkg/Universal/Variable/EmuRuntimeDxe/EmuVariable.c
===================================================================
--- trunk/edk2/MdeModulePkg/Universal/Variable/EmuRuntimeDxe/EmuVariable.c      
2013-04-20 04:32:58 UTC (rev 14304)
+++ trunk/edk2/MdeModulePkg/Universal/Variable/EmuRuntimeDxe/EmuVariable.c      
2013-04-22 08:52:58 UTC (rev 14305)
@@ -3,7 +3,7 @@
   Emulation Variable services operate on the runtime volatile memory.
   The nonvolatile variable space doesn't exist.
 
-Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
@@ -1397,14 +1397,22 @@
   if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | 
EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
     return EFI_INVALID_PARAMETER;
   }
+
+  
+  if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
+    //
+    // Prevent whole variable size overflow 
+    // 
+    return EFI_INVALID_PARAMETER;
+  }
+
   //
   //  The size of the VariableName, including the Unicode Null in bytes plus
   //  the DataSize is limited to maximum size of PcdGet32 
(PcdMaxHardwareErrorVariableSize)
   //  bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the 
others.
   //
   if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == 
EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
-    if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||             
                                          
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > 
PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
+    if (StrSize (VariableName) + DataSize > PcdGet32 
(PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }
     //
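Review bot: The rewritten limit check subtracts on the right-hand side, `PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)`, and that unsigned subtraction wraps to a very large value if the PCD is configured smaller than the header. In that case the comparison never fires and the size limit is effectively disabled. The PCD values are not visible here, so this may be unreachable on real platforms, but the check should not depend on it: `if (PcdGet32 (PcdMaxHardwareErrorVariableSize) < sizeof (VARIABLE_HEADER) || StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {`. The same form is used for PcdMaxVariableSize in the next hunk and in the RuntimeDxe, EsalVariableDxeSal and SecurityPkg Variable.c hunks. The enclosing function begins and ends outside this hunk.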
@@ -1418,8 +1426,7 @@
   //  The size of the VariableName, including the Unicode Null in bytes plus
   //  the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) 
bytes.
   //
-    if ((DataSize > PcdGet32 (PcdMaxVariableSize)) ||
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > 
PcdGet32 (PcdMaxVariableSize))) {
+    if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - 
sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }  
   }

Modified: trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
===================================================================
--- trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c    
2013-04-20 04:32:58 UTC (rev 14304)
+++ trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c    
2013-04-22 08:52:58 UTC (rev 14305)
@@ -2218,14 +2218,20 @@
     return EFI_INVALID_PARAMETER;
   }
 
+  if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
+    //
+    // Prevent whole variable size overflow 
+    // 
+    return EFI_INVALID_PARAMETER;
+  }
+
   //
   //  The size of the VariableName, including the Unicode Null in bytes plus
   //  the DataSize is limited to maximum size of PcdGet32 
(PcdMaxHardwareErrorVariableSize)
   //  bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the 
others.
   //
   if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == 
EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
-    if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > 
PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
+    if ( StrSize (VariableName) + DataSize > PcdGet32 
(PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }
     if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
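Review bot: `StrSize (VariableName)` is walked once in the new overflow guard and again in the size comparison a few lines later. Computing it once into a local, `NameSize = StrSize (VariableName);`, would make both checks provably use the same length; the declaration would sit at the top of the function, which is outside this hunk. The guard's spacing, `StrSize(VariableName)){` and `if ( StrSize`, also differs from the `StrSize (VariableName)` form used on the neighbouring lines. The explanatory comment would read better above the `if` than inside its body, e.g. `// Reject sizes whose sum would wrap around UINTN.`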
@@ -2236,8 +2242,7 @@
     //  The size of the VariableName, including the Unicode Null in bytes plus
     //  the DataSize is limited to maximum size of PcdGet32 
(PcdMaxVariableSize) bytes.
     //
-    if ((DataSize > PcdGet32 (PcdMaxVariableSize)) ||
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > 
PcdGet32 (PcdMaxVariableSize))) {
+    if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - 
sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }  
   }

Modified: 
trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
===================================================================
--- 
trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c   
    2013-04-20 04:32:58 UTC (rev 14304)
+++ 
trunk/edk2/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c   
    2013-04-22 08:52:58 UTC (rev 14305)
@@ -424,6 +424,13 @@
     return EFI_INVALID_PARAMETER;
   }
 
+  if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF 
(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
+    //
+    // Prevent PayloadSize overflow
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
   AcquireLockOnlyAtBootTime(&mVariableServicesLock);
  
   //
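Review bot: The new guard can itself overflow, because its right-hand side `OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize` is an unchecked addition. When DataSize is within that offset of the maximum UINTN, the sum wraps to a small number, the comparison passes, and the PayloadSize overflow the comment refers to is not prevented. Keeping every addition off the compared values avoids this: `if (DataSize > (UINTN)(~0) - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) || StrSize (VariableName) > (UINTN)(~0) - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - DataSize) {`. The identical check added to SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c has the same gap. The function body continues outside this hunk.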

Modified: 
trunk/edk2/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c  
2013-04-20 04:32:58 UTC (rev 14304)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c  
2013-04-22 08:52:58 UTC (rev 14305)
@@ -1,7 +1,7 @@
 /** @file
   The implementation of Extended SAL variable services.
 
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials 
 are licensed and made available under the terms and conditions of the BSD 
License 
 which accompanies this distribution.  The full text of the license may be 
found at 
@@ -2591,6 +2591,14 @@
     PayloadSize = DataSize; 
   }
 
+  
+  if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
+    //
+    // Prevent whole variable size overflow 
+    // 
+    return EFI_INVALID_PARAMETER;
+  }
+
   VariableGlobal = &Global->VariableGlobal[VirtualMode];
   Instance = Global->FvbInstance;
 
@@ -2599,8 +2607,7 @@
     // For variable for hardware error record, the size of the VariableName, 
including the Unicode Null
     // in bytes plus the DataSize is limited to maximum size of 
PcdGet32(PcdMaxHardwareErrorVariableSize) bytes.
     //
-    if ((PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize)) ||           
                                            
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > 
PcdGet32(PcdMaxHardwareErrorVariableSize))) {
+    if (StrSize (VariableName) + PayloadSize > 
PcdGet32(PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }
     //
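Review bot: The comment above the rewritten comparison no longer matches the code. It still says the VariableName size plus the DataSize is limited to the PCD value, while the check now tests `StrSize (VariableName) + PayloadSize` against the PCD minus `sizeof (VARIABLE_HEADER)`. I would reword it to something like `// The variable header, the VariableName (including the Unicode Null) and the payload together must not exceed PcdGet32(PcdMaxHardwareErrorVariableSize) bytes.` The matching comments in the PcdMaxVariableSize hunk of this file and in the other Variable.c files are stale in the same way.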
@@ -2616,8 +2623,7 @@
     // For variable not for hardware error record, the size of the 
VariableName, including the
     // Unicode Null in bytes plus the DataSize is limited to maximum size of 
PcdGet32(PcdMaxVariableSize) bytes.
     //
-    if ((PayloadSize > PcdGet32(PcdMaxVariableSize)) ||
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > 
PcdGet32(PcdMaxVariableSize))) {
+    if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxVariableSize) - 
sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }  
   }  

Modified: trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c  
2013-04-20 04:32:58 UTC (rev 14304)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c  
2013-04-22 08:52:58 UTC (rev 14305)
@@ -2664,14 +2664,20 @@
     PayloadSize = DataSize;
   }
 
+  if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
+    //
+    // Prevent whole variable size overflow 
+    // 
+    return EFI_INVALID_PARAMETER;
+  }
+
   //
   //  The size of the VariableName, including the Unicode Null in bytes plus
   //  the DataSize is limited to maximum size of PcdGet32 
(PcdMaxHardwareErrorVariableSize)
   //  bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the 
others.
   //
   if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == 
EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
-    if ((PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > 
PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
+    if (StrSize (VariableName) + PayloadSize > PcdGet32 
(PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }
     if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
@@ -2682,8 +2688,7 @@
     //  The size of the VariableName, including the Unicode Null in bytes plus
     //  the DataSize is limited to maximum size of PcdGet32 
(PcdMaxVariableSize) bytes.
     //
-    if ((PayloadSize > PcdGet32 (PcdMaxVariableSize)) ||
-        (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > 
PcdGet32 (PcdMaxVariableSize))) {
+    if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize) - 
sizeof (VARIABLE_HEADER)) {
       return EFI_INVALID_PARAMETER;
     }
   }

Modified: 
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
===================================================================
--- 
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c 
    2013-04-20 04:32:58 UTC (rev 14304)
+++ 
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c 
    2013-04-22 08:52:58 UTC (rev 14305)
@@ -442,8 +442,15 @@
     return EFI_INVALID_PARAMETER;
   }
 
+  if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF 
(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
+    //
+    // Prevent PayloadSize overflow
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
   AcquireLockOnlyAtBootTime(&mVariableServicesLock);
- 
+
   //
   // Init the communicate buffer. The buffer data size is:
   // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + 
PayloadSize.
