This commit adds several checks for the 'Packet' parameter passed to the
EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL.PassThru() API:

The check for the 'TransferLength' field in
EFI_NVM_EXPRESS_PASS_THRU_COMMAND_PACKET to make sure the value will not
exceed the maximum data transfer size allowed by a controller.

The check for the 'TransferBuffer' and 'TransferLength' fields in
EFI_NVM_EXPRESS_PASS_THRU_COMMAND_PACKET when the Opcode of an NVME
command indicates a data transfer between controller and host.

The check for the 'MetadataLength' field in
EFI_NVM_EXPRESS_PASS_THRU_COMMAND_PACKET to make sure the value is not 0
when the corresponding 'MetadataBuffer' field has a non-NULL value.

Cc: Feng Tian <[email protected]>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <[email protected]>
---
 .../Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c      | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c 
b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c
index c7ead21..2209ee6 100644
--- a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c
+++ b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c
@@ -377,6 +377,7 @@ NvmExpressPassThru (
   UINTN                          PrpListNo;
   UINT32                         Attributes;
   UINT32                         IoAlign;
+  UINT32                         MaxTransLen;
   UINT32                         Data;
   NVME_PASS_THRU_ASYNC_REQ       *AsyncRequest;
   EFI_TPL                        OldTpl;
@@ -420,6 +421,19 @@ NvmExpressPassThru (
   }
 
   Private     = NVME_CONTROLLER_PRIVATE_DATA_FROM_PASS_THRU (This);
+
+  //
+  // Check whether TransferLength exceeds the maximum data transfer size.
+  //
+  if (Private->ControllerData->Mdts != 0) {
+    MaxTransLen = (1 << (Private->ControllerData->Mdts)) *
+                  (1 << (Private->Cap.Mpsmin + 12));
+    if (Packet->TransferLength > MaxTransLen) {
+      Packet->TransferLength = MaxTransLen;
+      return EFI_BAD_BUFFER_SIZE;
+    }
+  }
+
   PciIo       = Private->PciIo;
   MapData     = NULL;
   MapMeta     = NULL;
@@ -477,6 +491,10 @@ NvmExpressPassThru (
   // processor and a PCI Bus Master. It's caller's responsbility to ensure 
this.
   //
   if (((Sq->Opc & (BIT0 | BIT1)) != 0) && (Sq->Opc != NVME_ADMIN_CRIOCQ_CMD) 
&& (Sq->Opc != NVME_ADMIN_CRIOSQ_CMD)) {
+    if ((Packet->TransferLength == 0) || (Packet->TransferBuffer == NULL)) {
+      return EFI_INVALID_PARAMETER;
+    }
+
     if ((Sq->Opc & BIT0) != 0) {
       Flag = EfiPciIoOperationBusMasterRead;
     } else {
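Review bot: The new guard at lines 62–64 leaves with a bare `return EFI_INVALID_PARAMETER;` after the submission-queue entry has already been partly populated (Sq->Opc is read on line 60), so anything the function changed between the Packet validations and this point — a consumed command identifier or a raised TPL, if the code above the hunk does either — is not undone. If the function has a common EXIT path the rejection should go through it; otherwise the check belongs next to the other Packet checks that precede any queue-state change, where the same opcode test can be applied to Packet->NvmeCmd->Cdw0.Opcode. I cannot confirm which applies because the function starts outside this hunk. The condition also deserves a one-line comment, e.g. `// Opcode bits 0-1 announce a data transfer: a non-NULL host buffer of non-zero length is mandatory.`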
@@ -499,8 +517,7 @@ NvmExpressPassThru (
     Sq->Prp[0] = PhyAddr;
     Sq->Prp[1] = 0;
 
-    MapLength = Packet->MetadataLength;
-    if(Packet->MetadataBuffer != NULL) {
+    if((Packet->MetadataLength != 0) && (Packet->MetadataBuffer != NULL)) {
       MapLength = Packet->MetadataLength;
       Status = PciIo->Map (
                         PciIo,
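Review bot: The rewritten condition on line 75 silently skips the metadata mapping when MetadataBuffer is non-NULL but MetadataLength is 0, whereas the commit message describes this combination as something to be checked; as written the command is issued without a metadata pointer even though the caller supplied a buffer. If rejection is the intent, add `if ((Packet->MetadataBuffer != NULL) && (Packet->MetadataLength == 0)) { return EFI_INVALID_PARAMETER; }` among the Packet parameter checks at the top of the function rather than here, since returning at this point would bypass the unmap of the data buffer that was presumably mapped to produce PhyAddr (Prp[0] on line 70). Separately, removing the unconditional `MapLength = Packet->MetadataLength;` means MapLength now retains the data-transfer length whenever the branch is skipped; confirm nothing after the branch reads it expecting the metadata length. The enclosing block continues outside the hunk.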
-- 
1.9.5.msysgit.0
