Revision: 15393
http://sourceforge.net/p/edk2/code/15393
Author: lgao4
Date: 2014-03-26 09:27:01 +0000 (Wed, 26 Mar 2014)
Log Message:
-----------
Add check to make sure the data be valid.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gao, Liming <[email protected]>
Reviewed-by: Zeng, Star <[email protected]>
Modified Paths:
--------------
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
Modified:
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c
===================================================================
---
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c
2014-03-26 07:08:12 UTC (rev 15392)
+++
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideDxe.c
2014-03-26 09:27:01 UTC (rev 15393)
@@ -13,7 +13,7 @@
4. It save all the mapping info in NV variables which will be consumed
by platform override protocol driver to publish the platform override
protocol.
-Copyright (c) 2007 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD
License
which accompanies this distribution. The full text of the license may be
found at
@@ -1240,6 +1240,7 @@
EFI_CALLBACK_INFO *Private;
UINT16 KeyValue;
PLAT_OVER_MNGR_DATA *FakeNvData;
+ EFI_STATUS Status;
if (Configuration == NULL || Progress == NULL) {
return EFI_INVALID_PARAMETER;
@@ -1260,11 +1261,12 @@
return EFI_SUCCESS;
}
+ Status = EFI_SUCCESS;
if (mCurrentPage == FORM_ID_DRIVER) {
KeyValue = KEY_VALUE_DRIVER_GOTO_ORDER;
UpdatePrioritySelectPage (Private, KeyValue, FakeNvData);
KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT;
- CommintChanges (Private, KeyValue, FakeNvData);
+ Status = CommintChanges (Private, KeyValue, FakeNvData);
//
// Since UpdatePrioritySelectPage will change mCurrentPage,
// should ensure the mCurrentPage still indicate the second page here
@@ -1274,10 +1276,10 @@
if (mCurrentPage == FORM_ID_ORDER) {
KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT;
- CommintChanges (Private, KeyValue, FakeNvData);
+ Status = CommintChanges (Private, KeyValue, FakeNvData);
}
- return EFI_SUCCESS;
+ return Status;
}
/**
Modified:
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
===================================================================
---
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
2014-03-26 07:08:12 UTC (rev 15392)
+++
trunk/edk2/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
2014-03-26 09:27:01 UTC (rev 15393)
@@ -1,7 +1,7 @@
/** @file
Implementation of the shared functions to do the platform driver vverride
mapping.
- Copyright (c) 2007 - 2009, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD
License
which accompanies this distribution. The full text of the license may be
found at
@@ -691,13 +691,18 @@
//
VariableNum = 1;
Corrupted = FALSE;
+ NotEnd = 0;
do {
VariableIndex = VariableBuffer;
+ if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer +
BufferSize) {
+ Corrupted = TRUE;
+ } else {
+ //
+ // End flag
+ //
+ NotEnd = *(UINT32*) VariableIndex;
+ }
//
- // End flag
- //
- NotEnd = *(UINT32*) VariableIndex;
- //
// Traverse the entries containing the mapping that Controller Device Path
// to a set of Driver Device Paths within this variable.
//
@@ -706,6 +711,10 @@
//
// Check signature of this entry
//
+ if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer +
BufferSize) {
+ Corrupted = TRUE;
+ break;
+ }
Signature = *(UINT32 *) VariableIndex;
if (Signature != PLATFORM_OVERRIDE_ITEM_SIGNATURE) {
Corrupted = TRUE;
@@ -722,6 +731,10 @@
//
// Get DriverNum
//
+ if (VariableIndex + sizeof (UINT32) >= (UINT8 *) VariableBuffer +
BufferSize) {
+ Corrupted = TRUE;
+ break;
+ }
DriverNumber = *(UINT32*) VariableIndex;
OverrideItem->DriverInfoNum = DriverNumber;
VariableIndex = VariableIndex + sizeof (UINT32);
@@ -735,6 +748,14 @@
// Align the VariableIndex since the controller device path may not be
aligned, refer to the SaveOverridesMapping()
//
VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) &
(sizeof(UINT32) - 1));
+ //
+ // Check buffer overflow.
+ //
+ if ((OverrideItem->ControllerDevicePath == NULL) || (VariableIndex <
(UINT8 *) ControllerDevicePath) ||
+ (VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {
+ Corrupted = TRUE;
+ break;
+ }
//
// Get all DriverImageDevicePath[]
@@ -756,8 +777,20 @@
VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) &
(sizeof(UINT32) - 1));
InsertTailList (&OverrideItem->DriverInfoList, &DriverImageInfo->Link);
+
+ //
+ // Check buffer overflow
+ //
+ if ((DriverImageInfo->DriverImagePath == NULL) || (VariableIndex <
(UINT8 *) DriverDevicePath) ||
+ (VariableIndex < (UINT8 *) VariableBuffer + BufferSize)) {
+ Corrupted = TRUE;
+ break;
+ }
}
InsertTailList (MappingDataBase, &OverrideItem->Link);
+ if (Corrupted) {
+ break;
+ }
}
FreePool (VariableBuffer);
@@ -866,11 +899,11 @@
//
// Check NotEnd to get all PlatDriOverX variable(s)
//
- while ((*(UINT32*)VariableBuffer) != 0) {
+ while ((VariableBuffer != NULL) && ((*(UINT32*)VariableBuffer) != 0)) {
+ FreePool (VariableBuffer);
UnicodeSPrint (OverrideVariableName, sizeof (OverrideVariableName),
L"PlatDriOver%d", VariableNum);
VariableBuffer = GetVariableAndSize (OverrideVariableName,
&gEfiCallerIdGuid, &BufferSize);
VariableNum++;
- ASSERT (VariableBuffer != NULL);
}
//
@@ -1057,10 +1090,19 @@
VariableNeededSize,
VariableBuffer
);
- ASSERT (!EFI_ERROR(Status));
+ FreePool (VariableBuffer);
+ if (EFI_ERROR (Status)) {
+ if (NumIndex > 0) {
+ //
+ // Delete all PlatDriOver variables when full mapping can't be set.
+ //
+ DeleteOverridesVariables ();
+ }
+ return Status;
+ }
+
NumIndex ++;
- FreePool (VariableBuffer);
}
return EFI_SUCCESS;
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits
