From: "Krzysztof Koch"
Subject: [PATCH v1 2/6] ShellPkg: acpiview: GTDT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:03 +0100
Message-ID: <20190801084407.48712-3-krzysztof.koch@arm.com>
X-Mailer: git-send-email 2.16.2.windows.1
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>
MIME-Version: 1.0
Content-Type: text/plain

Modify the GTDT table parsing logic to prevent reading past the ACPI
buffer lengths provided and to make it consistent with other table
parsers. This includes converting the do-while loop in ParseAcpiGtdt()
into a while loop.

Remove a check which ensures that the entire Platform GT Block
Structure buffer has been parsed. The ACPI specification does not
prohibit defining buffers which are larger than the size indicated by
the count and sizes of the substructures which constitute it.

Change the data type of the Length parameter to the DumpGTBlock()
function to reflect the width of the respective ACPI structure's field.

References:
- ACPI 6.3, January 2019, Table 5-124

Signed-off-by: Krzysztof Koch
---

Notes:
    v1:
    - Prevent buffer overruns in GTDT acpiview parser [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c | 147 ++++++++++----------
 1 file changed, 76 insertions(+), 71 deletions(-)
diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c index 1e5b5764f50a2d29aa904c889bc89af5bdc3af5c..57174e14c80072f12b90e1996ebe8f0002d0c404 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c @@ -23,7 +23,6 @@ STATIC CONST UINT8* PlatformTimerType; STATIC CONST UINT16* PlatformTimerLength; STATIC CONST UINT32* GtBlockTimerCount; STATIC CONST UINT32* GtBlockTimerOffset; -STATIC CONST UINT16* GtBlockLength; STATIC ACPI_DESCRIPTION_HEADER_INFO AcpiHdrInfo; /** @@ -127,7 +126,7 @@ STATIC CONST ACPI_PARSER GtPlatformTimerHeaderParser[] = { **/ STATIC CONST ACPI_PARSER GtBlockParser[] = { {L"Type", 1, 0, L"%d", NULL, NULL, NULL, NULL}, - {L"Length", 2, 1, L"%d", NULL, (VOID**)&GtBlockLength, NULL, NULL}, + {L"Length", 2, 1, L"%d", NULL, NULL, NULL, NULL}, {L"Reserved", 1, 3, L"%x", NULL, NULL, NULL, NULL}, {L"Physical address (CntCtlBase)", 8, 4, L"0x%lx", NULL, NULL, NULL, NULL}, {L"Timer Count", 4, 12, L"%d", NULL, (VOID**)&GtBlockTimerCount, 
@@ -168,56 +167,43 @@ STATIC CONST ACPI_PARSER SBSAGenericWatchdogParser[] = { /** This function parses the Platform GT Block. - @param [in] Ptr Pointer to the start of the GT Block data. - @param [in] Length Length of the GT Block structure. + @param [in] Ptr Pointer to the start of the GT Block data. + @param [in] Length Length of the GT Block structure. **/ STATIC VOID DumpGTBlock ( IN UINT8* Ptr, - IN UINT32 Length + IN UINT16 Length ) { UINT32 Index; UINT32 Offset; - UINT32 GTBlockTimerLength; - Offset = ParseAcpi ( - TRUE, - 2, - "GT Block", - Ptr, - Length, - PARSER_PARAMS (GtBlockParser) - ); - GTBlockTimerLength = (*GtBlockLength - Offset) / (*GtBlockTimerCount); - Length -= Offset; + ParseAcpi ( + TRUE, + 2, + "GT Block", + Ptr, + Length, + PARSER_PARAMS (GtBlockParser) + ); - if (*GtBlockTimerCount != 0) { - Ptr += (*GtBlockTimerOffset); - Index = 0; - while ((Index < (*GtBlockTimerCount)) && (Length >= GTBlockTimerLength)) { - Offset = ParseAcpi ( - TRUE, - 2, - "GT Block Timer", - Ptr, - GTBlockTimerLength, - PARSER_PARAMS (GtBlockTimerParser) - ); - // Increment by GT Block Timer structure size - Ptr += Offset; - Length -= Offset; - Index++; - } + Offset = *GtBlockTimerOffset; + Index = 0; - if (Length != 0) { - IncrementErrorCount (); - Print ( - L"ERROR:GT Block Timer length mismatch. Unparsed %d bytes.\n", - Length - ); - } + // Parse the specified number of GT Block Timer Structures or the GT Block + // Structure buffer length. Whichever is minimum. + while ((Index++ < *GtBlockTimerCount) && + (Offset < Length)) { + Offset += ParseAcpi ( + TRUE, + 2, + "GT Block Timer", + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (GtBlockTimerParser) + ); } } @@ -270,6 +256,7 @@ ParseAcpiGtdt ( ) { UINT32 Index; + UINT32 Offset; UINT8* TimerPtr; if (!Trace) { 
@@ -285,36 +272,54 @@ ParseAcpiGtdt ( PARSER_PARAMS (GtdtParser) ); - if (*GtdtPlatformTimerCount != 0) { - TimerPtr = Ptr + (*GtdtPlatformTimerOffset); - Index = 0; - do { - // Parse the Platform Timer Header - ParseAcpi ( - FALSE, - 0, - NULL, - TimerPtr, - 4, // GT Platform Timer structure header length. - PARSER_PARAMS (GtPlatformTimerHeaderParser) + TimerPtr = Ptr + *GtdtPlatformTimerOffset; + Offset = *GtdtPlatformTimerOffset; + Index = 0; + + // Parse the specified number of Platform Timer Structures or the GTDT + // buffer length. Whichever is minimum. + while ((Index++ < *GtdtPlatformTimerCount) && + (Offset < AcpiTableLength)) { + // Parse the Platform Timer Header to obtain Length and Type + ParseAcpi ( + FALSE, + 0, + NULL, + TimerPtr, + AcpiTableLength - Offset, + PARSER_PARAMS (GtPlatformTimerHeaderParser) + ); + + // Make sure the Platform Timer is inside the table. + if ((Offset + *PlatformTimerLength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Platform Timer Structure length. " \ + L"PlatformTimerLength = %d. RemainingTableBufferLength = %d. 
" \ + L"GTDT parsing aborted.\n", + *PlatformTimerLength, + AcpiTableLength - Offset ); - switch (*PlatformTimerType) { - case EFI_ACPI_6_2_GTDT_GT_BLOCK: - DumpGTBlock (TimerPtr, *PlatformTimerLength); - break; - case EFI_ACPI_6_2_GTDT_SBSA_GENERIC_WATCHDOG: - DumpWatchdogTimer (TimerPtr, *PlatformTimerLength); - break; - default: - IncrementErrorCount (); - Print ( - L"ERROR: INVALID Platform Timer Type = %d\n", - *PlatformTimerType - ); - break; - } // switch - TimerPtr += (*PlatformTimerLength); - Index++; - } while (Index < *GtdtPlatformTimerCount); - } + return; + } + + switch (*PlatformTimerType) { + case EFI_ACPI_6_3_GTDT_GT_BLOCK: + DumpGTBlock (TimerPtr, *PlatformTimerLength); + break; + case EFI_ACPI_6_3_GTDT_SBSA_GENERIC_WATCHDOG: + DumpWatchdogTimer (TimerPtr, *PlatformTimerLength); + break; + default: + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Platform Timer Type = %d\n", + *PlatformTimerType + ); + break; + } // switch + + TimerPtr += *PlatformTimerLength; + Offset += *PlatformTimerLength; + } // while } -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
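Review bot: in the DumpGTBlock() hunk, a GtBlockTimerOffset at or beyond Length now silently skips every timer even when Timer Count is non-zero, because the only guard is `(Offset < Length)`; consider reporting that case with IncrementErrorCount() before the loop, e.g. `if ((*GtBlockTimerCount != 0) && (*GtBlockTimerOffset >= Length))`. The loop also terminates only because ParseAcpi() consumes at least one byte whenever `Offset < Length`; a comment, or a break on a zero return from `Offset += ParseAcpi (...)`, would make that assumption explicit. Finally, the post-increment in `while ((Index++ < *GtBlockTimerCount) &&` is easy to misread next to the removed `Index++;` statement; incrementing in the loop body would be clearer.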
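Review bot: the new length check in the ParseAcpiGtdt() hunk rejects a Platform Timer Structure that overruns the table but not one whose Length is smaller than the 4-byte header (the removed `4, // GT Platform Timer structure header length.` line documents that size); with `*PlatformTimerLength == 0` the loop re-parses the same header and re-dispatches to DumpGTBlock()/DumpWatchdogTimer() until Index reaches *GtdtPlatformTimerCount. Suggest `if ((*PlatformTimerLength < 4) || ((Offset + *PlatformTimerLength) > AcpiTableLength))`. Related: the header is parsed with `AcpiTableLength - Offset` bytes, so when fewer than 4 bytes remain, PlatformTimerLength and PlatformTimerType keep their values from the previous iteration and the length check runs on stale data; requiring at least 4 remaining bytes before the header parse (or testing the value ParseAcpi() returns) closes that gap.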
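As an added example that is not part of this patch or of the EDK2 acpiview code, the following stand-alone C walker shows the bounding rule the commit message describes (stop at the Platform Timer Count or at the end of the table, whichever comes first) together with the two extra checks a structure's Length field needs before it is trusted. The walker, its names and the sample table bytes are all constructed here, with the GTDT fixed part abbreviated to four dummy bytes.

```c
#include <stdint.h>

/* GTDT Platform Timer Structure header (ACPI 6.3, Table 5-124):
   Type (1 byte), Length (2 bytes), Reserved (1 byte). */
#define PT_HEADER_LEN 4u

typedef struct {
    uint32_t parsed;   /* structures lying entirely inside the table */
    uint32_t errors;   /* structures rejected before reading past the end */
} walk_result_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hypothetical walker (not EDK2 code): visits at most `count` structures
   from `first_offset` without reading past `table_len`, i.e. the patch's
   "count or buffer length, whichever is minimum" loop, plus the two checks
   a Length field needs before it can be trusted. */
walk_result_t walk_platform_timers(const uint8_t *table, uint32_t table_len,
                                   uint32_t first_offset, uint32_t count)
{
    walk_result_t r = {0, 0};
    uint32_t offset = first_offset;

    if (count != 0 && offset >= table_len) { r.errors++; return r; } /* offset outside table */
    for (uint32_t i = 0; i < count; i++) {
        /* The 4-byte header must fit before its Length field is read. */
        if (table_len - offset < PT_HEADER_LEN) { r.errors++; break; }
        uint16_t len = rd16(table + offset + 1);
        /* Length < header would stall the walk; Length past the end would overrun. */
        if (len < PT_HEADER_LEN || len > table_len - offset) { r.errors++; break; }
        /* Dispatch on Type (GT Block, SBSA watchdog, ...) would go here. */
        r.parsed++;
        offset += len;
        if (offset >= table_len) break;   /* buffer exhausted before count reached */
    }
    return r;
}

/* Constructed sample: 4 dummy bytes standing in for the GTDT fixed part,
   then a 12-byte Type 0 (GT Block) and an 8-byte Type 1 (watchdog). */
static const uint8_t GOOD_TABLE[24] = {
    0xAA, 0xBB, 0xCC, 0xDD,
    0x00, 0x0C, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 7, 8,
    0x01, 0x08, 0x00, 0x00, 9, 10, 11, 12 };
/* Same layout, but the second structure carries a bogus Length of 0. */
static const uint8_t ZERO_LEN_TABLE[24] = {
    0xAA, 0xBB, 0xCC, 0xDD,
    0x00, 0x0C, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 7, 8,
    0x01, 0x00, 0x00, 0x00, 9, 10, 11, 12 };
```

Passing a table_len shorter than the buffer (20 instead of 24) reproduces the truncated-table case, and a count larger than the number of structures present stops cleanly at the end of the table without an error, matching the patch's semantics.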