From: "Krzysztof Koch"
Subject: [PATCH v1 6/6] ShellPkg: acpiview: SRAT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:07 +0100
Message-ID: <20190801084407.48712-7-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the SRAT parsing logic to prevent reading past the table buffer length provided. Check if the Static Resource Allocation Structure's buffer fits in the SRAT table buffer before its contents are dumped. Prevent buffer overruns when reading the Static Resource Allocation Structure's header.

References:
- ACPI 6.3, January 2019, Section 5.2.16

Signed-off-by: Krzysztof Koch
---

Notes:
    v1:
    - Prevent buffer overruns in SRAT acpiview parser [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c index 59c77401eaab32b73a9f83fd4d63785221b3c222..a8aa420487bb6bf29fc38221d0b221573c64b8b3 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c @@ -215,10 +215,22 @@ ParseAcpiSrat ( 0, NULL, ResourcePtr, - 2, // The length is 1 byte at offset 1 + AcpiTableLength - Offset, PARSER_PARAMS (SratResourceAllocationParser) ); + // Make sure the SRAT structure lies inside the table + if ((Offset + *SratRALength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid SRAT structure length. SratRALength = %d. " \ + L"RemainingTableBufferLength = %d. SRAT parsing aborted.\n", + *SratRALength, + AcpiTableLength - Offset + ); + return; + } + switch (*SratRAType) { case EFI_ACPI_6_2_GICC_AFFINITY: AsciiSPrint ( -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
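Review bot: The new check `(Offset + *SratRALength) > AcpiTableLength` only rejects structures that run past the end of the table; it still accepts a `*SratRALength` of 0 or 1, which is smaller than the two-byte type/length header the removed `2, // The length is 1 byte at offset 1` argument used to read. A structure length below the header size is just as malformed, so consider rejecting it in the same branch (for example by also testing `*SratRALength < 2`, or the header size constant if one exists) and reporting it with the same error path. Two smaller points in the same hunk: `*SratRALength` and `*SratRAType` are dereferenced right after the `ParseAcpi` call that now receives `AcpiTableLength - Offset`, so if fewer than two bytes remain and the parser can leave those pointers unset, they need a NULL check before the comparison and the `switch`; and the trailing `\` between the two adjacent `L"..."` literals in the `Print` call is unnecessary, since adjacent string literals concatenate without a line continuation.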