From: Philippe Mathieu-Daudé
To: devel@edk2.groups.io
Cc: Philippe Mathieu-Daude, Jian J Wang, Hao A Wu, Eric Dong, Laszlo Ersek
Subject: [RFC PATCH 1/1] MdeModulePkg/PiDxeS3BootScriptLib: Use SafeIntLib to avoid truncation
Date: Thu, 13 Feb 2020 19:29:35 +0100
Message-Id: <20200213182935.26663-2-philmd@redhat.com>
In-Reply-To: <20200213182935.26663-1-philmd@redhat.com>
References: <20200213182935.26663-1-philmd@redhat.com>

Math expressions written in terms of SafeIntLib function calls
are easily readable, making review trivial.
Convert the truncation checks added by commit 322ac05f8 to
SafeIntLib calls.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Eric Dong
Suggested-by: Laszlo Ersek
Signed-off-by: Philippe Mathieu-Daude
---
 .../DxeS3BootScriptLib.inf                    |   1 +
 .../InternalBootScriptLib.h                   |   1 +
 .../PiDxeS3BootScriptLib/BootScriptSave.c     | 114 +++++++++++-------
 3 files changed, 73 insertions(+), 43 deletions(-)
diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.i= nf b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf index 2b894c99da55..698039fe8e69 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf @@ -40,15 +40,16 @@ [Packages] [LibraryClasses] UefiBootServicesTableLib BaseLib BaseMemoryLib TimerLib DebugLib PcdLib UefiLib SmbusLib PciSegmentLib IoLib LockBoxLib + SafeIntLib =20 [Protocols] gEfiSmmBase2ProtocolGuid ## SOMETIMES_CONSUMES diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLi= b.h b/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h index 9485994087d0..7513220c15ac 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h @@ -1,49 +1,50 @@ /** @file Support for S3 boot script lib. This file defined some internal macro an= d internal data structure =20 Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ #ifndef __INTERNAL_BOOT_SCRIPT_LIB__ #define __INTERNAL_BOOT_SCRIPT_LIB__ =20 #include =20 #include #include #include #include #include #include =20 #include =20 #include #include #include #include #include #include #include #include #include #include #include +#include =20 #include "BootScriptInternalFormat.h" =20 #define MAX_IO_ADDRESS 0xFFFF =20 // // Macro to convert a UEFI PCI address + segment to a PCI Segment Library = PCI address // #define PCI_ADDRESS_ENCODE(S, A) PCI_SEGMENT_LIB_ADDRESS( \ S, \ ((((UINTN)(A)) & 0xff000000) >> 24), \ ((((UINTN)(A)) & 0x00ff0000) >> 16), \ ((((UINTN)(A)) & 0xff00) >> 8), \ ((RShiftU64 ((A), 32) & 0xfff) | ((A) &= 0xff)) \ ) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/M= deModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c index 9315fc9f0188..d229263638fc 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c 
@@ -995,55 +995,60 @@ EFIAPI S3BootScriptSaveIoWrite ( IN S3_BOOT_SCRIPT_LIB_WIDTH Width, IN UINT64 Address, IN UINTN Count, IN VOID *Buffer ) =20 { + EFI_STATUS Status; UINT8 Length; UINT8 *Script; UINT8 WidthInByte; EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; =20 - WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + Status =3D SafeUintnToUint8 (Count, &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } + + Status =3D SafeUint8Mult (Length, 0x01 << (Width & 0x03), &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } =20 - // - // Truncation check - // - if ((Count > MAX_UINT8) || - (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE)= )) { + Status =3D SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_IO_WRITE), &Len= gth); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Co= unt)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); if (Script =3D=3D NULL) { return RETURN_OUT_OF_RESOURCES; } // // save script data // ScriptIoWrite.OpCode =3D EFI_BOOT_SCRIPT_IO_WRITE_OPCODE; ScriptIoWrite.Length =3D Length; ScriptIoWrite.Width =3D Width; ScriptIoWrite.Address =3D Address; ScriptIoWrite.Count =3D (UINT32) Count; CopyMem ((VOID*)Script, (VOID*)&ScriptIoWrite, sizeof(EFI_BOOT_SCRIPT_IO= _WRITE)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_IO_WRITE)), Buffer, Wi= dthInByte * Count); =20 SyncBootScript (Script); =20 return RETURN_SUCCESS; } =20 /** Adds a record for an I/O modify operation into a S3 boot script table =20 @param Width The width of the I/O operations.Enumerated in S3_BOOT_SCR= IPT_LIB_WIDTH. @param Address The base address of the I/O operations. @param Data A pointer to the data to be OR-ed. @param DataMask A pointer to the data mask to be AND-ed with the data r= ead from the register =20 @retval RETURN_OUT_OF_RESOURCES Not enough memory for the table do oper= ation. @retval RETURN_SUCCESS Opcode is added. 
**/ 
@@ -1100,54 +1105,59 @@ EFIAPI S3BootScriptSaveMemWrite ( IN S3_BOOT_SCRIPT_LIB_WIDTH Width, IN UINT64 Address, IN UINTN Count, IN VOID *Buffer ) { + EFI_STATUS Status; UINT8 Length; UINT8 *Script; UINT8 WidthInByte; EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite; =20 - WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + Status =3D SafeUintnToUint8 (Count, &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } + + Status =3D SafeUint8Mult (Length, 0x01 << (Width & 0x03), &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } =20 - // - // Truncation check - // - if ((Count > MAX_UINT8) || - (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE= ))) { + Status =3D SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_MEM_WRITE), &Le= ngth); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * C= ount)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); if (Script =3D=3D NULL) { return RETURN_OUT_OF_RESOURCES; } // // Build script data // ScriptMemWrite.OpCode =3D EFI_BOOT_SCRIPT_MEM_WRITE_OPCODE; ScriptMemWrite.Length =3D Length; ScriptMemWrite.Width =3D Width; ScriptMemWrite.Address =3D Address; ScriptMemWrite.Count =3D (UINT32) Count; =20 CopyMem ((VOID*)Script, (VOID*)&ScriptMemWrite, sizeof(EFI_BOOT_SCRIPT_M= EM_WRITE)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_MEM_WRITE)), Buffer, W= idthInByte * Count); =20 SyncBootScript (Script); =20 return RETURN_SUCCESS; } /** Adds a record for a memory modify operation into a specified boot script= table. =20 @param Width The width of the I/O operations.Enumerated in S3_BOOT_S= CRIPT_LIB_WIDTH. @param Address The base address of the memory operations. Address need= s alignment if required @param Data A pointer to the data to be OR-ed. @param DataMask A pointer to the data mask to be AND-ed with the data r= ead from the register. 
=20 @retval RETURN_OUT_OF_RESOURCES Not enough memory for the table do oper= ation. @retval RETURN_SUCCESS Opcode is added. **/ 
@@ -1206,62 +1216,67 @@ EFIAPI S3BootScriptSavePciCfgWrite ( IN S3_BOOT_SCRIPT_LIB_WIDTH Width, IN UINT64 Address, IN UINTN Count, IN VOID *Buffer ) { + EFI_STATUS Status; UINT8 Length; UINT8 *Script; UINT8 WidthInByte; EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE ScriptPciWrite; =20 if (Width =3D=3D S3BootScriptWidthUint64 || Width =3D=3D S3BootScriptWidthFifoUint64 || Width =3D=3D S3BootScriptWidthFillUint64) { return EFI_INVALID_PARAMETER; } =20 - WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + Status =3D SafeUintnToUint8 (Count, &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } + + Status =3D SafeUint8Mult (Length, 0x01 << (Width & 0x03), &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } =20 - // - // Truncation check - // - if ((Count > MAX_UINT8) || - (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFI= G_WRITE))) { + Status =3D SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRIT= E), &Length); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInB= yte * Count)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); if (Script =3D=3D NULL) { return RETURN_OUT_OF_RESOURCES; } // // Build script data // ScriptPciWrite.OpCode =3D EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE_OPCODE; ScriptPciWrite.Length =3D Length; ScriptPciWrite.Width =3D Width; ScriptPciWrite.Address =3D Address; ScriptPciWrite.Count =3D (UINT32) Count; =20 CopyMem ((VOID*)Script, (VOID*)&ScriptPciWrite, sizeof (EFI_BOOT_SCRIPT= _PCI_CONFIG_WRITE)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE)), Bu= ffer, WidthInByte * Count); =20 SyncBootScript (Script); =20 return RETURN_SUCCESS; } /** Adds a record for a PCI configuration space modify operation into a spec= ified boot script table. =20 @param Width The width of the I/O operations.Enumerated in S3_BOOT_S= CRIPT_LIB_WIDTH. 
@param Address The address within the PCI configuration space. @param Data A pointer to the data to be OR-ed.The size depends on W= idth. @param DataMask A pointer to the data mask to be AND-ed. =20 @retval RETURN_OUT_OF_RESOURCES Not enough memory for the table do oper= ation. @retval RETURN__SUCCESS Opcode is added. @note A known Limitations in the implementation which is 64bits operati= ons are not supported. =20 **/ 
@@ -1331,65 +1346,70 @@ EFIAPI S3BootScriptSavePciCfg2Write ( IN S3_BOOT_SCRIPT_LIB_WIDTH Width, IN UINT16 Segment, IN UINT64 Address, IN UINTN Count, IN VOID *Buffer ) { + EFI_STATUS Status; UINT8 Length; UINT8 *Script; UINT8 WidthInByte; EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE ScriptPciWrite2; =20 if (Width =3D=3D S3BootScriptWidthUint64 || Width =3D=3D S3BootScriptWidthFifoUint64 || Width =3D=3D S3BootScriptWidthFillUint64) { return EFI_INVALID_PARAMETER; } =20 - WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + Status =3D SafeUintnToUint8 (Count, &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } + + Status =3D SafeUint8Mult (Length, 0x01 << (Width & 0x03), &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } =20 - // - // Truncation check - // - if ((Count > MAX_UINT8) || - (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFI= G2_WRITE))) { + Status =3D SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRI= TE), &Length); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthIn= Byte * Count)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); if (Script =3D=3D NULL) { return RETURN_OUT_OF_RESOURCES; } // // Build script data // ScriptPciWrite2.OpCode =3D EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE_OPCODE; ScriptPciWrite2.Length =3D Length; ScriptPciWrite2.Width =3D Width; ScriptPciWrite2.Address =3D Address; ScriptPciWrite2.Segment =3D Segment; ScriptPciWrite2.Count =3D (UINT32)Count; =20 CopyMem ((VOID*)Script, (VOID*)&ScriptPciWrite2, sizeof (EFI_BOOT_SCRIPT= _PCI_CONFIG2_WRITE)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE)), B= uffer, WidthInByte * Count); =20 SyncBootScript (Script); =20 return RETURN_SUCCESS; } /** Adds a record for a PCI configuration 2 space modify operation into a sp= ecified boot script table. 
=20 @param Width The width of the I/O operations.Enumerated in S3_BOOT_S= CRIPT_LIB_WIDTH. @param Segment The PCI segment number for Address. @param Address The address within the PCI configuration space. @param Data A pointer to the data to be OR-ed. The size depends on = Width. @param DataMask A pointer to the data mask to be AND-ed. =20 @retval RETURN_OUT_OF_RESOURCES Not enough memory for the table do oper= ation. @retval RETURN_SUCCESS Opcode is added. @note A known Limitations in the implementation which is 64bits operati= ons are not supported. =20 **/ 
@@ -1560,64 +1580,66 @@ EFIAPI S3BootScriptSaveSmbusExecute ( IN UINTN SmBusAddress, IN EFI_SMBUS_OPERATION Operation, IN UINTN *Length, IN VOID *Buffer ) { EFI_STATUS Status; UINTN BufferLength; UINT8 DataSize; UINT8 *Script; EFI_BOOT_SCRIPT_SMBUS_EXECUTE ScriptSmbusExecute; =20 if (Length =3D=3D NULL) { BufferLength =3D 0; } else { BufferLength =3D *Length; } =20 Status =3D CheckParameters (SmBusAddress, Operation, &BufferLength, Buff= er); if (EFI_ERROR (Status)) { return Status; } =20 - // - // Truncation check - // - if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) { + Status =3D SafeUintnToUint8 (BufferLength, &DataSize); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } + + Status =3D SafeUint8Add (DataSize, sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE= ), &DataSize); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - DataSize =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLeng= th); =20 Script =3D S3BootScriptGetEntryAddAddress (DataSize); if (Script =3D=3D NULL) { return RETURN_OUT_OF_RESOURCES; } // // Build script data // ScriptSmbusExecute.OpCode =3D EFI_BOOT_SCRIPT_SMBUS_EXECUTE_OPCODE= ; ScriptSmbusExecute.Length =3D DataSize; ScriptSmbusExecute.SmBusAddress =3D (UINT64) SmBusAddress; ScriptSmbusExecute.Operation =3D Operation; ScriptSmbusExecute.DataSize =3D (UINT32) BufferLength; =20 CopyMem ((VOID*)Script, (VOID*)&ScriptSmbusExecute, sizeof (EFI_BOOT_SCR= IPT_SMBUS_EXECUTE)); CopyMem ( (VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)), Buffer, BufferLength ); =20 SyncBootScript (Script); =20 return RETURN_SUCCESS; } /** Adds a record for an execution stall on the processor into a specified b= oot script table. =20 @param Duration Duration in microseconds of the stall =20 @retval RETURN_OUT_OF_RESOURCES Not enough memory for the table do oper= ation. @retval RETURN_SUCCESS Opcode is added. **/ 
@@ -1768,48 +1790,51 @@ EFIAPI S3BootScriptSaveInformation ( IN UINT32 InformationLength, IN VOID *Information ) { + EFI_STATUS Status; UINT8 Length; UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; =20 - // - // Truncation check - // - if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)= ) { + Status =3D SafeUint32ToUint8 (InformationLength, &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } + + Status =3D SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_INFORMATION), &= Length); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLen= gth); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); if (Script =3D=3D NULL) { return RETURN_OUT_OF_RESOURCES; } // // Build script data // ScriptInformation.OpCode =3D EFI_BOOT_SCRIPT_INFORMATION_OPCODE; ScriptInformation.Length =3D Length; =20 =20 ScriptInformation.InformationLength =3D InformationLength; =20 CopyMem ((VOID*)Script, (VOID*)&ScriptInformation, sizeof (EFI_BOOT_SCRI= PT_INFORMATION)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_INFORMATION)), (VOID *= ) Information, (UINTN) InformationLength); =20 SyncBootScript (Script); =20 return RETURN_SUCCESS; =20 } /** Store a string in the boot script table. This opcode is a no-op on dispa= tch and is only used for debugging script issues. =20 @param String The string to save to boot script table =20 @retval RETURN_OUT_OF_RESOURCES Not enough memory for the table do oper= ation. @retval RETURN_SUCCESS Opcode is added. =20 **/ 
@@ -2231,62 +2256,65 @@ EFIAPI S3BootScriptLabelInternal ( IN BOOLEAN BeforeOrAfter, IN OUT VOID **Position OPTIONAL, IN UINT32 InformationLength, IN CONST CHAR8 *Information ) { + EFI_STATUS Status; UINT8 Length; UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; =20 - // - // Truncation check - // - if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)= ) { + Status =3D SafeUint32ToUint8 (InformationLength, &Length); + if (EFI_ERROR (Status)) { + return RETURN_OUT_OF_RESOURCES; + } + + Status =3D SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_INFORMATION), &= Length); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLen= gth); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); if (Script =3D=3D NULL) { return RETURN_OUT_OF_RESOURCES; } // // Build script data // ScriptInformation.OpCode =3D S3_BOOT_SCRIPT_LIB_LABEL_OPCODE; ScriptInformation.Length =3D Length; =20 =20 ScriptInformation.InformationLength =3D InformationLength; =20 CopyMem ((VOID*)Script, (VOID*)&ScriptInformation, sizeof (EFI_BOOT_SCRI= PT_INFORMATION)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_INFORMATION)), (VOID *= ) Information, (UINTN) InformationLength); =20 SyncBootScript (Script); =20 return S3BootScriptMoveLastOpcode (BeforeOrAfter, Position); =20 } /** Find a label within the boot script table and, if not present, optionall= y create it. =20 @param BeforeOrAfter Specifies whether the opcode is stored bef= ore (TRUE) or after (FALSE) the position in the boot = script table specified by Position. @param CreateIfNotFound Specifies whether the label will be create= d if the label does not exists (TRUE) or not (FALSE). @param Position On entry, specifies the position in the bo= ot script table where the opcode will be inserted, either = before or after, depending on BeforeOrAfter. On exit, speci= fies the position of the inserted opcode in the boot script = table. 
@param Label Points to the label which will be inserted= in the boot script table. =20 @retval EFI_SUCCESS The operation succeeded. A record was adde= d into the specified script table. @retval EFI_INVALID_PARAMETER The parameter is illegal or the given boot= script is not supported. If the opcode is unknow or not supported b= ecause of the PCD Feature Flags. @retval EFI_OUT_OF_RESOURCES There is insufficient memory to store the = boot script. =20 **/ --=20 2.21.1
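Review bot: The `SafeIntLib` entry added under [LibraryClasses] in DxeS3BootScriptLib.inf is a new dependency for every platform that builds this library, and the commit message does not mention it. State it in the commit message so that platform DSC files that do not yet resolve SafeIntLib can be updated together with this change.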
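Review bot: In S3BootScriptSaveIoWrite, S3BootScriptSaveMemWrite, S3BootScriptSavePciCfgWrite and S3BootScriptSavePciCfg2Write the assignment `WidthInByte = (UINT8) (0x01 << (Width & 0x03));` is removed, but the unchanged second CopyMem in each function still copies `WidthInByte * Count` bytes from Buffer, so the copy length is now computed from an uninitialized variable. Keep the assignment and pass WidthInByte as the multiplier to SafeUint8Mult, or store the checked payload size in its own variable and use that in CopyMem. The size that the safe calls validate and the size that CopyMem copies should come from the same value.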
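Review bot: In S3BootScriptSaveSmbusExecute, S3BootScriptSaveInformation and S3BootScriptLabelInternal, `sizeof (...)` is passed directly as the addend of SafeUint8Add, which takes a UINT8, so the structure size is narrowed by the call itself without any check. Do the addition in the wider type first (SafeUintnAdd on BufferLength, SafeUint32Add on InformationLength) and narrow once at the end with SafeUintnToUint8 or SafeUint32ToUint8. That also avoids using DataSize and Length for two different quantities in turn, first the payload size and then the total record size.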