From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=HzWzDNTJ;
 spf=pass (domain: arm.com, ip: 40.107.15.50, mailfrom: krzysztof.koch@arm.com)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (EUR01-DB5-obe.outbound.protection.outlook.com [40.107.15.50])
 by groups.io with SMTP; Thu, 11 Jul 2019 23:54:57 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;
 s=selector2-armh-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=VZKdjEDsgHmNs/O2nR3tfrNqqziSJIfNfoP3RT1wSHk=;
 b=HzWzDNTJNIPC7m+WffH311/LyCxhM2Jz49HRgKNZnKRAzRivPHvv+1EbsLQfoLhPshwbU41zMQ2rKJ6RP/jjlZohlxZx3DO7P024CrYzcmDLY8PNr93jpA57YYyr1mLplXtjaqRSUzjPcQ3FH9Cc7mi07gs0hfYAAvf9K7AZ5lg=
Received: from VI1PR08CA0165.eurprd08.prod.outlook.com (2603:10a6:800:d1::19)
 by VE1PR08MB4957.eurprd08.prod.outlook.com (2603:10a6:803:110::18) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.19; Fri, 12 Jul
 2019 06:54:52 +0000
Received: from DB5EUR03FT010.eop-EUR03.prod.protection.outlook.com
 (2a01:111:f400:7e0a::207) by VI1PR08CA0165.outlook.office365.com
 (2603:10a6:800:d1::19) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2073.10 via Frontend
 Transport; Fri, 12 Jul 2019 06:54:52 +0000
Authentication-Results: spf=temperror (sender IP is 40.67.248.234)
 smtp.mailfrom=arm.com; edk2.groups.io; dkim=none (message not signed)
 header.d=none;edk2.groups.io; dmarc=temperror action=none
 header.from=arm.com;
Received-SPF: TempError (protection.outlook.com: error in processing during
 lookup of arm.com: DNS Timeout)
Received: from nebula.arm.com (40.67.248.234) by
 DB5EUR03FT010.mail.protection.outlook.com (10.152.20.96) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
 15.20.2052.18 via Frontend Transport; Fri, 12 Jul 2019 06:54:50 +0000
Received: from AZ-NEU-EX03.Arm.com (10.251.24.31) by AZ-NEU-EX04.Arm.com
 (10.251.24.32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1415.2; Fri, 12 Jul
 2019 06:53:21 +0000
Received: from E119924.Arm.com (10.37.8.167) by mail.arm.com (10.251.24.31)
 with Microsoft SMTP Server id 15.1.1415.2 via Frontend Transport; Fri, 12 Jul
 2019 06:53:21 +0000
From: "Krzysztof Koch" <krzysztof.koch@arm.com>
To: <devel@edk2.groups.io>
CC: <jaben.carsey@intel.com>, <ray.ni@intel.com>, <zhichao.gao@intel.com>,
	<Sami.Mujawar@arm.com>, <Matteo.Carlini@arm.com>, <nd@arm.com>
Subject: [PATCH v1 08/11] ShellPkg: acpiview: PPTT: Add error-checking in the parsing logic
Date: Fri, 12 Jul 2019 07:52:40 +0100
Message-ID: <20190712065243.3812-9-krzysztof.koch@arm.com>
X-Mailer: git-send-email 2.16.2.windows.1
In-Reply-To: <20190712065243.3812-1-krzysztof.koch@arm.com>
References: <20190712065243.3812-1-krzysztof.koch@arm.com>
Return-Path: Krzysztof.Koch@arm.com
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: 
	CIP:40.67.248.234;IPV:NLI;CTRY:IE;EFV:NLI;SFV:NSPM;SFS:(10009020)(4636009)(376002)(136003)(39860400002)(396003)(346002)(2980300002)(199004)(189003)(6916009)(50226002)(336012)(26005)(4326008)(44832011)(68736007)(478600001)(63370400001)(446003)(486006)(2616005)(476003)(126002)(11346002)(63350400001)(6306002)(186003)(8676002)(53416004)(47776003)(305945005)(70586007)(70206006)(76176011)(2351001)(1076003)(2906002)(53936002)(36756003)(86362001)(6666004)(51416003)(54906003)(8936002)(50466002)(16586007)(48376002)(316002)(81156014)(5660300002)(356004)(7696005)(966005)(426003)(81166006);DIR:OUT;SFP:1101;SCL:1;SRVR:VE1PR08MB4957;H:nebula.arm.com;FPR:;SPF:TempError;LANG:en;PTR:InfoDomainNonexistent;A:1;MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 358243bc-00a3-40bd-6fa8-08d70695d62a
X-Microsoft-Antispam: 
	BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328);SRVR:VE1PR08MB4957;
X-MS-TrafficTypeDiagnostic: VE1PR08MB4957:
X-MS-Exchange-PUrlCount: 1
X-Microsoft-Antispam-PRVS: 
	<VE1PR08MB4957A266D9CF67681D7CAA5284F20@VE1PR08MB4957.eurprd08.prod.outlook.com>
NoDisclaimer: True
X-MS-Oob-TLC-OOBClassifiers: OLM:3276;
X-Forefront-PRVS: 00963989E5
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: 
	MMBTn1ZrIqJyjmajuQgG5yO2S6skmyZW+J6XVLuKRL6xzBVxXY17ULopop57gBTnl3ajkvWOQ47hE8qt9R6L/yWjghjDVnE/wMZn53pl5o+5V3EMqLwrtPpAQE38bSs91n2VfEH3BO4wKs3BIxvJFDe26aXsm/6+j5CWOpHEWofnuiD35A4hEc4iC8hUkybR596XEIMgfahDwbKOAqq7qjNCXs/9zhCIsrMW17n6pQrvzaSJxh4obIXGQa4tE7BO/N1VkiY4ATsAqct6+QRjHOe/IeefahFjs4wRepWC85b/GnXibYcnkpyOBUaievcoabZe+Kw5KxtE88SrPpS5uo2Xu8g9toWbA2NvV7zVqOMzDCejn56jBdDz8lPVZnhxlS6uOqSw43tPe7vVYihkIFjvk8lcJdbvGIxP8jwAayU=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Jul 2019 06:54:50.9093
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 358243bc-00a3-40bd-6fa8-08d70695d62a
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[40.67.248.234];Helo=[nebula.arm.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR08MB4957
Content-Type: text/plain

1. Check if the global pointers (in the scope of this ACPI table parser)
have been successfully updated before they are later used to control
the parsing logic.

2. Give forward progress guarantee when parsing the PPTT table. Report
an error if a PPTT structure is too small to be valid. Without this
check, there is a possibility for the parser to enter an ifninite loop.

3. Test against buffer overruns.

4. Allow silencing ACPI table content validation errors which do not
cause table parsing to fail.

Signed-off-by: Krzysztof Koch <krzysztof.koch@arm.com>
---

Changes can be seen at: https://github.com/KrzysztofKoch1/edk2/commit/e4789351e111fa1ed6a2c55759f190166b08fc8c

Notes:
    v1:
    - improve the logic in the PPTT parser [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 95 ++++++++++++++++----
 1 file changed, 76 insertions(+), 19 deletions(-)

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c
index cec57be55e77096f9448f637ea129af2b42111ad..8d8760940b493eb94c91da3d46f9a844930c1738 100644
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c
@@ -252,7 +252,6 @@ DumpProcessorHierarchyNodeStructure (
   )
 {
   UINT32 Offset;
-  UINT8* PrivateResourcePtr;
   UINT32 Index;
   CHAR16 Buffer[OUTPUT_FIELD_COLUMN_WIDTH];
 
@@ -265,8 +264,34 @@ DumpProcessorHierarchyNodeStructure (
              PARSER_PARAMS (ProcessorHierarchyNodeStructureParser)
              );
 
-  PrivateResourcePtr = Ptr + Offset;
+  // Check if the values used to control the parsing logic have been
+  // successfully read.
+  if (NumberOfPrivateResources == NULL) {
+    IncrementErrorCount ();
+    Print (
+      L"ERROR: Insufficient Processor Hierarchy Node length. Length = %d.\n",
+      Length
+      );
+    return;
+  }
+
+  // Make sure the Private Resource array lies inside this structure
+  if (Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length) {
+    IncrementErrorCount ();
+    Print (
+      L"ERROR: Invalid Number of Private Resources. " \
+        L"PrivateResourceCount = %d. RemainingBufferLength = %d. " \
+        L"Parsing of this structure aborted.\n",
+      *NumberOfPrivateResources,
+      Length - Offset
+      );
+    return;
+  }
+
   Index = 0;
+
+  // Parse the specified number of private resource references or the Processor
+  // Hierarchy Node length. Whichever is minimum.
   while (Index < *NumberOfPrivateResources) {
     UnicodeSPrint (
       Buffer,
@@ -278,10 +303,10 @@ DumpProcessorHierarchyNodeStructure (
     PrintFieldName (4, Buffer);
     Print (
       L"0x%x\n",
-      *((UINT32*) PrivateResourcePtr)
+      *((UINT32*)(Ptr + Offset))
       );
 
-    PrivateResourcePtr += sizeof(UINT32);
+    Offset += sizeof (UINT32);
     Index++;
   }
 }
@@ -373,6 +398,7 @@ ParseAcpiPptt (
              AcpiTableLength,
              PARSER_PARAMS (PpttParser)
              );
+
   ProcessorTopologyStructurePtr = Ptr + Offset;
 
   while (Offset < AcpiTableLength) {
@@ -382,19 +408,47 @@ ParseAcpiPptt (
       0,
       NULL,
       ProcessorTopologyStructurePtr,
-      4,  // Length of the processor topology structure header is 4 bytes
+      AcpiTableLength - Offset,
       PARSER_PARAMS (ProcessorTopologyStructureHeaderParser)
       );
 
-    if ((Offset + (*ProcessorTopologyStructureLength)) > AcpiTableLength) {
+    // Check if the values used to control the parsing logic have been
+    // successfully read.
+    if ((ProcessorTopologyStructureType == NULL) ||
+        (ProcessorTopologyStructureLength == NULL)) {
       IncrementErrorCount ();
       Print (
-        L"ERROR: Invalid processor topology structure length:"
-          L" Type = %d, Length = %d\n",
-        *ProcessorTopologyStructureType,
-        *ProcessorTopologyStructureLength
+        L"ERROR: Insufficient remaining table buffer length to read the " \
+          L"processor topology structure header. Length = %d.\n",
+        AcpiTableLength - Offset
         );
-      break;
+      return;
+    }
+
+    // Make sure forward progress is made.
+    if (*ProcessorTopologyStructureLength < 2) {
+      IncrementErrorCount ();
+      Print (
+        L"ERROR: Structure length is too small: " \
+          L"ProcessorTopologyStructureLength = %d. " \
+          L"ProcessorTopologyStructureType = %d. PPTT parsing aborted.\n",
+        *ProcessorTopologyStructureLength,
+        *ProcessorTopologyStructureType
+        );
+      return;
+    }
+
+    // Make sure the PPTT structure lies inside the table
+    if ((Offset + *ProcessorTopologyStructureLength) > AcpiTableLength) {
+      IncrementErrorCount ();
+      Print (
+        L"ERROR: Invalid PPTT structure length. " \
+          L"ProcessorTopologyStructureLength = %d. " \
+          L"RemainingTableBufferLength = %d. PPTT parsing aborted.\n",
+        *ProcessorTopologyStructureLength,
+        AcpiTableLength - Offset
+        );
+      return;
     }
 
     PrintFieldName (2, L"* Structure Offset *");
@@ -420,14 +474,17 @@ ParseAcpiPptt (
           );
         break;
       default:
-        IncrementErrorCount ();
-        Print (
-          L"ERROR: Unknown processor topology structure:"
-            L" Type = %d, Length = %d\n",
-          *ProcessorTopologyStructureType,
-          *ProcessorTopologyStructureLength
-          );
-    }
+        if (GetConsistencyChecking ()) {
+          IncrementErrorCount ();
+          Print (
+            L"ERROR: Unknown processor topology structure:"
+              L" Type = %d, Length = %d\n",
+            *ProcessorTopologyStructureType,
+            *ProcessorTopologyStructureLength
+            );
+        }
+        break;
+    } // switch
 
     ProcessorTopologyStructurePtr += *ProcessorTopologyStructureLength;
     Offset += *ProcessorTopologyStructureLength;
--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'