Today's implementation doesn't check whether the length of descriptor is valid before using it.
The patch fixes this issue by syncing the similar fix to UsbBusDxe. 70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79 *MdeModulePkg/UsbBus: Reject descriptor whose length is bad Additionally the patch also rejects the data when length is larger than sizeof (PeiUsbDevice->ConfigurationData). Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu...@intel.com> Cc: Star Zeng <star.z...@intel.com> Cc: Jiewen Yao <jiewen....@intel.com> --- MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c index 86734f2f73..c31247abfe 100644 --- a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c +++ b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c @@ -816,6 +816,20 @@ PeiUsbGetAllConfiguration ( ConfigDesc = (EFI_USB_CONFIG_DESCRIPTOR *) PeiUsbDevice->ConfigurationData; ConfigDescLength = ConfigDesc->TotalLength; + // + // Reject if TotalLength even cannot cover itself. + // + if (ConfigDescLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)) { + return EFI_DEVICE_ERROR; + } + + // + // Reject if TotalLength exceeds the PeiUsbDevice->ConfigurationData. + // + if (ConfigDescLength > sizeof (PeiUsbDevice->ConfigurationData)) { + return EFI_DEVICE_ERROR; + } + + // // Then we get the total descriptors for this configuration // -- 2.16.1.windows.1
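Review bot: the lower bound in the first added `if` only requires TotalLength to reach the end of its own field (`OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)`), so a device-supplied value that covers that field but is still shorter than the full configuration descriptor header passes the check. If anything after this hunk reads header fields that follow TotalLength, compare against `sizeof (EFI_USB_CONFIG_DESCRIPTOR)` instead, or extend the comment to say why the smaller bound is enough here. The upper-bound check is only meaningful if `PeiUsbDevice->ConfigurationData` is an array member rather than a pointer, since `sizeof` on a pointer would yield the pointer size; a short comment stating that would help future readers. Both rejections return `EFI_DEVICE_ERROR` with no diagnostic, so a debug message that includes the reported TotalLength would make a malformed or hostile device easier to identify during triage.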