public inbox for devel@edk2.groups.io
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org, feng.tian@intel.com
Cc: Hao Wu <hao.a.wu@intel.com>
Subject: [PATCH v2 07/10] MdeModulePkg NvmExpressDxe: Add check for command packet in PassThru
Date: Thu,  1 Sep 2016 10:33:04 +0800
Message-ID: <1472697187-16092-8-git-send-email-hao.a.wu@intel.com>
In-Reply-To: <1472697187-16092-1-git-send-email-hao.a.wu@intel.com>

This commit adds several checks for the 'Packet' parameter passed to the
EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL.PassThru() API:

The check for the 'TransferLength' field in
EFI_NVM_EXPRESS_PASS_THRU_COMMAND_PACKET to make sure the value will not
exceed the maximum data transfer size allowed by a controller.

The check for the 'TransferBuffer' and 'TransferLength' fields in
EFI_NVM_EXPRESS_PASS_THRU_COMMAND_PACKET when the Opcode of an NVME
command indicates a data transfer between controller and host.

The check for the 'MetadataLength' field in
EFI_NVM_EXPRESS_PASS_THRU_COMMAND_PACKET to make sure the value is not 0
when the corresponding 'MetadataBuffer' field has a non-NULL value.

Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 .../Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c      | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c
index c7ead21..2209ee6 100644
--- a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c
+++ b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressPassthru.c
@@ -377,6 +377,7 @@ NvmExpressPassThru (
   UINTN                          PrpListNo;
   UINT32                         Attributes;
   UINT32                         IoAlign;
+  UINT32                         MaxTransLen;
   UINT32                         Data;
   NVME_PASS_THRU_ASYNC_REQ       *AsyncRequest;
   EFI_TPL                        OldTpl;
@@ -420,6 +421,19 @@ NvmExpressPassThru (
   }
 
   Private     = NVME_CONTROLLER_PRIVATE_DATA_FROM_PASS_THRU (This);
+
+  //
+  // Check whether TransferLength exceeds the maximum data transfer size.
+  //
+  if (Private->ControllerData->Mdts != 0) {
+    MaxTransLen = (1 << (Private->ControllerData->Mdts)) *
+                  (1 << (Private->Cap.Mpsmin + 12));
+    if (Packet->TransferLength > MaxTransLen) {
+      Packet->TransferLength = MaxTransLen;
+      return EFI_BAD_BUFFER_SIZE;
+    }
+  }
+
   PciIo       = Private->PciIo;
   MapData     = NULL;
   MapMeta     = NULL;
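Review bot: the MaxTransLen computation in the new Mdts block can overflow. Both shifts start from the int literal 1 and the product is stored in a UINT32, so once Mdts + Mpsmin + 12 reaches 32 the result no longer fits (signed overflow in the multiplication, or an undefined shift once either count reaches 31). Mdts comes from the controller's own data, so a large reported value yields a wrong limit, and the compare against Packet->TransferLength plus the write-back of MaxTransLen into the packet then act on that wrong value. Bound the exponent before shifting, or compute the limit in 64 bits, for example with LShiftU64 (1, Mdts + Mpsmin + 12) after checking the count is below 64, and compare TransferLength against that.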
@@ -477,6 +491,10 @@ NvmExpressPassThru (
   // processor and a PCI Bus Master. It's caller's responsbility to ensure this.
   //
   if (((Sq->Opc & (BIT0 | BIT1)) != 0) && (Sq->Opc != NVME_ADMIN_CRIOCQ_CMD) && (Sq->Opc != NVME_ADMIN_CRIOSQ_CMD)) {
+    if ((Packet->TransferLength == 0) || (Packet->TransferBuffer == NULL)) {
+      return EFI_INVALID_PARAMETER;
+    }
+
     if ((Sq->Opc & BIT0) != 0) {
       Flag = EfiPciIoOperationBusMasterRead;
     } else {
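Review bot: the new early return on (Packet->TransferLength == 0) || (Packet->TransferBuffer == NULL) sits after the submission queue entry is already in use (the enclosing condition reads Sq->Opc), so the packet is rejected only after driver state has been touched. Consider moving this validation up beside the other Packet checks at the top of NvmExpressPassThru(), or confirm that a direct return at this point skips no cleanup. The function header comment should also list this case under EFI_INVALID_PARAMETER so callers know a data-transfer opcode with an empty buffer is rejected.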
@@ -499,8 +517,7 @@ NvmExpressPassThru (
     Sq->Prp[0] = PhyAddr;
     Sq->Prp[1] = 0;
 
-    MapLength = Packet->MetadataLength;
-    if(Packet->MetadataBuffer != NULL) {
+    if((Packet->MetadataLength != 0) && (Packet->MetadataBuffer != NULL)) {
       MapLength = Packet->MetadataLength;
       Status = PciIo->Map (
                         PciIo,
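Review bot: the rewritten condition if((Packet->MetadataLength != 0) && (Packet->MetadataBuffer != NULL)) silently skips the metadata mapping for a non-NULL MetadataBuffer with MetadataLength 0, and equally for a non-zero MetadataLength with a NULL MetadataBuffer, while the data buffer check added earlier in this patch returns EFI_INVALID_PARAMETER for the equivalent mismatch. If a mismatched pair is a caller error, reject it the same way; if it is meant to be tolerated, say so in a comment, since the command is then issued with no metadata pointer set up. Style: the line keeps the original if( without a space; the other conditions in this patch use if (.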
-- 
1.9.5.msysgit.0


