From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.10509.1592408315260448763 for ; Wed, 17 Jun 2020 08:38:35 -0700
Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ard.biesheuvel@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D18A51045; Wed, 17 Jun 2020 08:38:33 -0700 (PDT)
Received: from dogfood.home (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 975593F73C; Wed, 17 Jun 2020 08:38:32 -0700 (PDT)
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: leif@nuviainc.com, pete@akeo.ie, awarkentin@vmware.com, jeremy.linton@arm.com, Samer.El-Haj-Mahmoud@arm.com, Ard Biesheuvel
Subject: [PATCH] EmbeddedPkg/NonCoherentDmaLib: avoid dereferencing bogus buffer address
Date: Wed, 17 Jun 2020 17:38:24 +0200
Message-Id: <20200617153824.1175136-1-ard.biesheuvel@arm.com>
X-Mailer: git-send-email 2.27.0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

The bounce buffering code in NonCoherentDmaLib copies data into the bounce buffer using CopyMem(), but passes Map->HostAddress as the source of the copy before it has been assigned its correct value.

Signed-off-by: Ard Biesheuvel
---
 EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c b/Em= beddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
index 115345765435..9c8ef5bfb533 100644
--- a/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
+++ b/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
@@ -225,8 +225,7 @@ DmaMap ( }=0D =0D if (Map->Operation =3D=3D MapOperationBusMasterRead) {=0D - CopyMem (Map->BufferAddress, (VOID *)(UINTN)Map->HostAddress,=0D - *NumberOfBytes);=0D + CopyMem (Map->BufferAddress, (VOID *)(UINTN)HostAddress, *NumberOfBy= tes);=0D }=0D mCpu->FlushDataCache (mCpu, (UINTN)Map->BufferAddress, AllocSize,=0D EfiCpuFlushTypeWriteBack);=0D --=20 2.27.0
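
Review bot: The CopyMem call in the MapOperationBusMasterRead branch of DmaMap now reads from the HostAddress parameter, but nothing here stops a later edit from reading Map->HostAddress at this point again, and the place where that field is assigned is outside the visible context. Consider moving the assignment of Map->HostAddress above this branch, or adding a one-line comment at the CopyMem call saying the field is not yet valid there. The `(VOID *)(UINTN)` cast is carried over from the old line, where it was applied to Map->HostAddress; if the HostAddress parameter is already a pointer, the cast can be dropped. The commit message would also be easier to act on with a reference to the commit that introduced the early use, since the wrong source address only shows up on bounce-buffered BusMasterRead mappings and is easy to overlook when backporting.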