From: "Krzysztof Koch"
Subject: [PATCH v1 5/6] ShellPkg: acpiview: MADT: Split structure length validation
Date: Thu, 18 Jul 2019 13:31:41 +0100
Message-ID: <20190718123142.5696-6-krzysztof.koch@arm.com>
In-Reply-To: <20190718123142.5696-1-krzysztof.koch@arm.com>
References: <20190718123142.5696-1-krzysztof.koch@arm.com>

Split the Interrupt Controller Structure length validation in the
acpiview UEFI shell tool into two logical parts:
1. Ensuring MADT table parser forward progress.
2. Preventing MADT table buffer overruns.

Also, make the condition for infinite loop detection applicable to
all types of Interrupt Controller Structures (for all interrupt models
which can be represented in MADT). Check if the controller length
specified is shorter than the byte size of the first two fields
('Type' and 'Length') present in every valid Interrupt Controller
Structure.

Signed-off-by: Krzysztof Koch
---

Notes:
    v1:
    - split MADT structure length validation [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 30 ++++++++++++++------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c index 59c3df0cc8a080497b517baf36fc63f1e4ab866f..52b71f37a40733de2029373306658ca08c78c42d 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c @@ -290,16 +290,30 @@ ParseAcpiMadt ( PARSER_PARAMS (MadtInterruptControllerHeaderParser) ); - if (((Offset + (*MadtInterruptControllerLength)) > AcpiTableLength) || - (*MadtInterruptControllerLength < 4)) { + // Make sure forward progress is made. + if (*MadtInterruptControllerLength < 2) { IncrementErrorCount (); Print ( - L"ERROR: Invalid Interrupt Controller Length," - L" Type = %d, Length = %d\n", - *MadtInterruptControllerType, - *MadtInterruptControllerLength - ); - break; + L"ERROR: Structure length is too small: " \ + L"MadtInterruptControllerLength = %d. " \ + L"MadtInterruptControllerType = %d. MADT parsing aborted.\n", + *MadtInterruptControllerLength, + *MadtInterruptControllerType + ); + return; + } + + // Make sure the MADT structure lies inside the table + if ((Offset + *MadtInterruptControllerLength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid MADT structure length. " \ + L"MadtInterruptControllerLength = %d. " \ + L"RemainingTableBufferLength = %d. MADT parsing aborted.\n", + *MadtInterruptControllerLength, + AcpiTableLength - Offset + ); + return; } switch (*MadtInterruptControllerType) { -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
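
Review bot: The forward-progress check (*MadtInterruptControllerLength < 2) now lets lengths of 2 and 3 reach switch (*MadtInterruptControllerType), which the removed condition (*MadtInterruptControllerLength < 4) rejected. A structure that short holds little or nothing beyond the 'Type' and 'Length' fields, so every case under the switch has to tolerate a Length smaller than the structure it expects; please confirm the per-type parsers bound their reads by Length, or add a per-type minimum length check before dispatch. The literal 2 would read better as a named constant or a sizeof expression over the two header fields, with the comment saying that this is what it represents. In both Print calls the trailing backslash after each L"..." literal is unnecessary, since adjacent string literals concatenate without line continuation. Both error paths also change from break to return, so anything that follows the loop in ParseAcpiMadt is now skipped on these errors; worth stating in the commit message if that is intended.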