Today's implementation doesn't check whether the length of
descriptor is valid before using it.
The patch fixes this issue by syncing the similar fix to UsbBusDxe.
70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79
*MdeModulePkg/UsbBus: Reject descriptor whose length is bad
Additionally the patch also rejects the data when length is
larger than sizeof (PeiUsbDevice->ConfigurationData).
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu...@intel.com>
Cc: Star Zeng <star.z...@intel.com>
Cc: Jiewen Yao <jiewen....@intel.com>
---
MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
index 86734f2f73..c31247abfe 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
@@ -816,6 +816,20 @@ PeiUsbGetAllConfiguration (
ConfigDesc = (EFI_USB_CONFIG_DESCRIPTOR *)
PeiUsbDevice->ConfigurationData;
ConfigDescLength = ConfigDesc->TotalLength;
+ //
+ // Reject if TotalLength even cannot cover itself.
+ //
+ if (ConfigDescLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) +
sizeof (ConfigDesc->TotalLength)) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // Reject if TotalLength exceeds the PeiUsbDevice->ConfigurationData.
+ //
+ if (ConfigDescLength > sizeof (PeiUsbDevice->ConfigurationData)) {
+ return EFI_DEVICE_ERROR;
+ }
+
//
// Then we get the total descriptors for this configuration
//
--
2.16.1.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
