From: "Krzysztof Koch"
Subject: [PATCH v1 5/6] ShellPkg: acpiview: PPTT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:06 +0100
Message-ID: <20190801084407.48712-6-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the PPTT table parsing logic to prevent reading past the ACPI
buffer lengths provided.

Check if the Number of Private Resources specified in the Processor
Hierarchy Node (Type 0) is possible given the Type 0 Structure's buffer
length.

Make sure that the processor topology structure's buffer fits in the
PPTT table buffer before its contents are dumped.

Prevent buffer overruns when reading the processor topology structure's
header.

References:
- ACPI 6.3, January 2019, Section 5.2.29

Signed-off-by: Krzysztof Koch
---

Notes:
    v1:
    - Prevent buffer overruns in PPTT acpiview parser [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 38 ++++++++++++++------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c index cec57be55e77096f9448f637ea129af2b42111ad..6254b9913fffb429fc54bb1301bf3e4b2e5bf161 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c @@ -252,7 +252,6 @@ DumpProcessorHierarchyNodeStructure ( ) { UINT32 Offset; - UINT8* PrivateResourcePtr; UINT32 Index; CHAR16 Buffer[OUTPUT_FIELD_COLUMN_WIDTH]; @@ -265,8 +264,23 @@ DumpProcessorHierarchyNodeStructure ( PARSER_PARAMS (ProcessorHierarchyNodeStructureParser) ); - PrivateResourcePtr = Ptr + Offset; + // Make sure the Private Resource array lies inside this structure + if (Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Number of Private Resources. " \ + L"PrivateResourceCount = %d. RemainingBufferLength = %d. " \ + L"Parsing of this structure aborted.\n", + *NumberOfPrivateResources, + Length - Offset + ); + return; + } + Index = 0; + + // Parse the specified number of private resource references or the Processor + // Hierarchy Node length. Whichever is minimum. while (Index < *NumberOfPrivateResources) { UnicodeSPrint ( Buffer, @@ -278,10 +292,10 @@ DumpProcessorHierarchyNodeStructure ( PrintFieldName (4, Buffer); Print ( L"0x%x\n", - *((UINT32*) PrivateResourcePtr) + *((UINT32*)(Ptr + Offset)) ); - PrivateResourcePtr += sizeof(UINT32); + Offset += sizeof (UINT32); Index++; } } 
@@ -382,19 +396,21 @@ ParseAcpiPptt ( 0, NULL, ProcessorTopologyStructurePtr, - 4, // Length of the processor topology structure header is 4 bytes + AcpiTableLength - Offset, PARSER_PARAMS (ProcessorTopologyStructureHeaderParser) ); - if ((Offset + (*ProcessorTopologyStructureLength)) > AcpiTableLength) { + // Make sure the PPTT structure lies inside the table + if ((Offset + *ProcessorTopologyStructureLength) > AcpiTableLength) { IncrementErrorCount (); Print ( - L"ERROR: Invalid processor topology structure length:" - L" Type = %d, Length = %d\n", - *ProcessorTopologyStructureType, - *ProcessorTopologyStructureLength + L"ERROR: Invalid PPTT structure length. " \ + L"ProcessorTopologyStructureLength = %d. " \ + L"RemainingTableBufferLength = %d. PPTT parsing aborted.\n", + *ProcessorTopologyStructureLength, + AcpiTableLength - Offset ); - break; + return; } PrintFieldName (2, L"* Structure Offset *"); -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
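
Review bot: In DumpProcessorHierarchyNodeStructure, the new check `Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length` can itself wrap. Offset is a UINT32, and on builds where sizeof yields a 32-bit value a large count taken from the table makes the product and the sum overflow, so the test passes and the loop still reads past the structure. Comparing without the multiplication avoids this, for example rejecting when `Offset > Length` or when `*NumberOfPrivateResources > (Length - Offset) / sizeof (UINT32)`; that ordering also keeps the `Length - Offset` printed in the error message from underflowing. The added comment ending "Whichever is minimum" does not match the code, because after the early return the loop is bounded only by *NumberOfPrivateResources, and since the printed values are unsigned, %u fits better than %d.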
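
Review bot: In ParseAcpiPptt, the length check `(Offset + *ProcessorTopologyStructureLength) > AcpiTableLength` has no lower bound: a structure length of 0, or any value below the 4-byte header that the removed comment mentions, passes it. If the surrounding loop advances Offset by this length, a zero value never makes progress, so consider also rejecting lengths smaller than the header. Separately, the header parse is now given `AcpiTableLength - Offset`, which can be under 4 bytes at the tail of the table, yet *ProcessorTopologyStructureLength is dereferenced right after; an explicit check that a full header remains before that call would make the intent clear. The `\` continuations between the adjacent string literals in the Print call are not needed.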