From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Eric Dong, Ray Ni, Laszlo Ersek, Rahul Kumar
Subject: [PATCH v1 1/1] UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
Date: Fri, 26 Mar 2021 16:41:42 -0700
Message-Id: <20210326234142.1973-2-kuqin12@gmail.com>
In-Reply-To: <20210326234142.1973-1-kuqin12@gmail.com>
References: <20210326234142.1973-1-kuqin12@gmail.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283

Current SMM Save State routine does not check the number of bytes to be read, when it comes to read IO_INFO, before casting the incoming buffer to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory corruption because extra bytes are written out of the buffer boundary.

This change adds a width check before copying IoInfo into the output buffer.

Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Signed-off-by: Kun Qin
---
 UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
index 661cc51f361a..ec760e4c37ca 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
@@ -418,6 +418,13 @@ ReadSaveStateRegister ( return EFI_NOT_FOUND; } + // + // Make sure the incoming buffer is large enough to hold IoInfo before accessing + // + if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) { + return EFI_INVALID_PARAMETER; + } + // // Zero the IoInfo structure that will be returned in Buffer //
-- 
2.31.0.windows.1
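Review bot: the new `if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO))` branch makes ReadSaveStateRegister return EFI_INVALID_PARAMETER for the first time in the IO_INFO path, but the diffstat shows only these 7 inserted lines, so nothing in the patch updates the function's header comment to document the new status and the condition that triggers it; add an `@retval EFI_INVALID_PARAMETER` entry stating that Width is smaller than sizeof (EFI_SMM_SAVE_STATE_IO_INFO). Also consider the placement: the check sits after the `return EFI_NOT_FOUND;` branch in the same hunk, so a caller passing an undersized Width receives EFI_NOT_FOUND when no I/O instruction is pending and EFI_INVALID_PARAMETER otherwise; if the intent is to reject a bad Width regardless of CPU state, move the size check above that branch so argument validation happens before the state lookup.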