Revision: 14382
http://edk2.svn.sourceforge.net/edk2/?rev=14382&view=rev
Author: vanjeff
Date: 2013-05-22 01:21:58 +0000 (Wed, 22 May 2013)
Log Message:
-----------
Sync patch r14379 from main trunk.
Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.
Revision Links:
--------------
http://edk2.svn.sourceforge.net/edk2/?rev=14379&view=rev
Modified Paths:
--------------
branches/UDK2010.SR1/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
branches/UDK2010.SR1/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
branches/UDK2010.SR1/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
branches/UDK2010.SR1/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
branches/UDK2010.SR1/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
Modified:
branches/UDK2010.SR1/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
===================================================================
---
branches/UDK2010.SR1/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
2013-05-21 06:15:58 UTC (rev 14381)
+++
branches/UDK2010.SR1/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
2013-05-22 01:21:58 UTC (rev 14382)
@@ -543,6 +543,7 @@
GAUGE_DATA_ENTRY_EX *GaugeDataEx;
UINTN NumberOfEntries;
UINTN LogEntryKey;
+ UINTN TempCommBufferSize;
GaugeEntryExArray = NULL;
@@ -553,11 +554,13 @@
return EFI_SUCCESS;
}
- if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
return EFI_SUCCESS;
}
- if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM communcation data
buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -649,7 +652,8 @@
GAUGE_DATA_ENTRY *GaugeData;
UINTN NumberOfEntries;
UINTN LogEntryKey;
-
+ UINTN TempCommBufferSize;
+
GaugeEntryExArray = NULL;
//
@@ -659,11 +663,13 @@
return EFI_SUCCESS;
}
- if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
return EFI_SUCCESS;
}
- if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM communcation data buffer
in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
Modified:
branches/UDK2010.SR1/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
===================================================================
---
branches/UDK2010.SR1/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
2013-05-21 06:15:58 UTC (rev 14381)
+++
branches/UDK2010.SR1/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
2013-05-22 01:21:58 UTC (rev 14382)
@@ -269,6 +269,7 @@
SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
UINTN BootRecordSize;
VOID *BootRecordData;
+ UINTN TempCommBufferSize;
//
// If input is invalid, stop processing this SMI
@@ -277,11 +278,13 @@
return EFI_SUCCESS;
}
- if(*CommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
return EFI_SUCCESS;
}
- if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in
SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
Modified:
branches/UDK2010.SR1/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
===================================================================
---
branches/UDK2010.SR1/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
2013-05-21 06:15:58 UTC (rev 14381)
+++
branches/UDK2010.SR1/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
2013-05-22 01:21:58 UTC (rev 14382)
@@ -372,8 +372,8 @@
UINTN CommBufferPayloadSize;
UINTN PrivateDataSize;
UINTN Length;
+ UINTN TempCommBufferSize;
-
//
// If input is invalid, stop processing this SMI
//
@@ -381,13 +381,15 @@
return EFI_SUCCESS;
}
- if (*CommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if (TempCommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer size
invalid!\n"));
return EFI_SUCCESS;
}
- CommBufferPayloadSize = *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
+ CommBufferPayloadSize = TempCommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
- if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer in SMRAM or
overflow!\n"));
return EFI_SUCCESS;
}
Modified:
branches/UDK2010.SR1/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
===================================================================
--- branches/UDK2010.SR1/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
2013-05-21 06:15:58 UTC (rev 14381)
+++ branches/UDK2010.SR1/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
2013-05-22 01:21:58 UTC (rev 14382)
@@ -321,17 +321,27 @@
)
{
EFI_SMM_LOCK_BOX_PARAMETER_HEADER *LockBoxParameterHeader;
+ UINTN TempCommBufferSize;
DEBUG ((EFI_D_ERROR, "SmmLockBox SmmLockBoxHandler Enter\n"));
//
+ // If input is invalid, stop processing this SMI
+ //
+ if (CommBuffer == NULL || CommBufferSize == NULL) {
+ return EFI_SUCCESS;
+ }
+
+ TempCommBufferSize = *CommBufferSize;
+
+ //
// Sanity check
//
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_HEADER)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_HEADER)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size invalid!\n"));
return EFI_SUCCESS;
}
- if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -346,35 +356,35 @@
switch (LockBoxParameterHeader->Command) {
case EFI_SMM_LOCK_BOX_COMMAND_SAVE:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SAVE)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SAVE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SAVE
invalid!\n"));
break;
}
SmmLockBoxSave ((EFI_SMM_LOCK_BOX_PARAMETER_SAVE
*)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_UPDATE)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_UPDATE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for UPDATE
invalid!\n"));
break;
}
SmmLockBoxUpdate ((EFI_SMM_LOCK_BOX_PARAMETER_UPDATE
*)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_RESTORE:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE)) {
+ if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for RESTORE
invalid!\n"));
break;
}
SmmLockBoxRestore ((EFI_SMM_LOCK_BOX_PARAMETER_RESTORE
*)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_SET_ATTRIBUTES:
- if (*CommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES)) {
+ if (TempCommBufferSize <
sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SET_ATTRIBUTES
invalid!\n"));
break;
}
SmmLockBoxSetAttributes ((EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES
*)(UINTN)LockBoxParameterHeader);
break;
case EFI_SMM_LOCK_BOX_COMMAND_RESTORE_ALL_IN_PLACE:
- if (*CommBufferSize <
sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE)) {
+ if (TempCommBufferSize <
sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for
RESTORE_ALL_IN_PLACE invalid!\n"));
break;
}
Modified:
branches/UDK2010.SR1/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
===================================================================
---
branches/UDK2010.SR1/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
2013-05-21 06:15:58 UTC (rev 14381)
+++
branches/UDK2010.SR1/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
2013-05-22 01:21:58 UTC (rev 14382)
@@ -453,6 +453,7 @@
UINTN InfoSize;
UINTN NameBufferSize;
UINTN CommBufferPayloadSize;
+ UINTN TempCommBufferSize;
//
// If input is invalid, stop processing this SMI
@@ -461,17 +462,19 @@
return EFI_SUCCESS;
}
- if (*CommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size
invalid!\n"));
return EFI_SUCCESS;
}
- CommBufferPayloadSize = *CommBufferSize -
SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
+ CommBufferPayloadSize = TempCommBufferSize -
SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload
size invalid!\n"));
return EFI_SUCCESS;
}
- if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in
SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -650,7 +653,7 @@
case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
- InfoSize = *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
+ InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
//
// Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
Modified:
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
===================================================================
---
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
2013-05-21 06:15:58 UTC (rev 14381)
+++
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
2013-05-22 01:21:58 UTC (rev 14382)
@@ -458,6 +458,7 @@
UINTN InfoSize;
UINTN NameBufferSize;
UINTN CommBufferPayloadSize;
+ UINTN TempCommBufferSize;
//
// If input is invalid, stop processing this SMI
@@ -466,17 +467,19 @@
return EFI_SUCCESS;
}
- if (*CommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size
invalid!\n"));
return EFI_SUCCESS;
}
- CommBufferPayloadSize = *CommBufferSize -
SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
+ CommBufferPayloadSize = TempCommBufferSize -
SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload
size invalid!\n"));
return EFI_SUCCESS;
}
- if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in
SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -656,7 +659,7 @@
case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
- InfoSize = *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
+ InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
//
// Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits
