From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Eric Dong, Ray Ni, Laszlo Ersek, Rahul Kumar
Subject: [PATCH v1 1/1] UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
Date: Tue, 6 Apr 2021 12:52:54 -0700
Message-Id: <20210406195254.1018-2-kuqin12@gmail.com>
In-Reply-To: <20210406195254.1018-1-kuqin12@gmail.com>
References: <20210406195254.1018-1-kuqin12@gmail.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283

Current SMM Save State routine does not check the number of bytes to be read, when it comes to read IO_INFO, before casting the incoming buffer to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory corruption due to extra bytes being written out of buffer boundary.

This change adds a width check before copying IoInfo into output buffer.

Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Signed-off-by: Kun Qin
Reviewed-by: Ray Ni
Reviewed-by: Laszlo Ersek
---

Notes:
    v2:
    - Update return code description [Laszlo]

 UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 9 ++++++++-
 UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
index 661cc51f361a..fc418c2500a9 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
@@ -343,7 +343,7 @@ ReadSaveStateRegisterByIndex ( @retval EFI_SUCCESS The register was read from Save State. @retval EFI_NOT_FOUND The register is not defined for the Save State of Processor. - @retval EFI_INVALID_PARAMETER This or Buffer is NULL. + @retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type. **/ EFI_STATUS @@ -418,6 +418,13 @@ ReadSaveStateRegister ( return EFI_NOT_FOUND; } + // + // Make sure the incoming buffer is large enough to hold IoInfo before accessing + // + if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) { + return EFI_INVALID_PARAMETER; + } + // // Zero the IoInfo structure that will be returned in Buffer // diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h index b8aa9e1769d3..2248a8c5ee66 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h @@ -337,7 +337,7 @@ This function supports reading a CPU Save State register in SMBase relocation ha @retval EFI_SUCCESS The register was read from Save State. @retval EFI_NOT_FOUND The register is not defined for the Save State of Processor. -@retval EFI_INVALID_PARAMETER This or Buffer is NULL. +@retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type. **/ EFI_STATUS -- 2.31.0.windows.1
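Review bot: the rewritten @retval EFI_INVALID_PARAMETER line in the ReadSaveStateRegisterByIndex comment block (first hunk of SmramSaveState.c) drops the "This is NULL" case that the old text listed. If the function still rejects a NULL This, keep it in the description, e.g. "This or Buffer is NULL, or Width does not meet requirement per Register type."; if that check was intentionally removed, the commit message should say so, since the documented contract changes.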
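Review bot: the new guard in ReadSaveStateRegister (second hunk) is `if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO))`, so a Width larger than the structure is accepted while the code that follows only zeroes and fills sizeof (EFI_SMM_SAVE_STATE_IO_INFO) bytes of Buffer; either document that only the leading sizeof bytes are written for the IO register, or tighten the check to `Width != sizeof (EFI_SMM_SAVE_STATE_IO_INFO)` if the API intends Width to equal the register size. Returning EFI_INVALID_PARAMETER instead of asserting is the right choice, because Width comes from the protocol caller and the check has to hold in release builds as well; placing it before the "Zero the IoInfo structure" block, as done here, is what keeps the short buffer from being touched at all.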
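Review bot: the header comment in PiSmmCpuDxeSmm.h (third hunk) now mirrors the .c wording, which keeps the two in sync, but "Width does not meet requirement per Register type" leaves callers of the public header guessing what the minimum is. The only requirement this patch enforces is Width >= sizeof (EFI_SMM_SAVE_STATE_IO_INFO) when Register is the IO register, so state that concretely here so callers can size Buffer correctly; the same dropped "This is NULL" case noted for the .c comment applies to this line too.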
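As an added illustration, not part of the patch or of EDK2, the C below places the pre-patch and patched shapes of the IoInfo read side by side and measures what each does to a caller buffer that is only 4 bytes wide. SaveStateIoInfo, the status values, FillIoInfo and the sample port 0xB2 are assumed or constructed stand-ins for the EDK2 definitions, chosen so the block runs on a normal host.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified local mirror of EFI_SMM_SAVE_STATE_IO_INFO (assumed layout, not the
 * EDK2 header); only its size relative to the caller's Width matters here. */
typedef struct {
  uint64_t IoData;
  uint16_t IoPort;
  uint32_t IoWidth;
  uint32_t IoType;
} SaveStateIoInfo;

enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 2 };

/* Constructed sample: a one-byte OUT to port 0xB2 as the save state would report it. */
static void FillIoInfo (SaveStateIoInfo *Info) {
  memset (Info, 0, sizeof (*Info));   /* also zeroes padding, keeps the demo deterministic */
  Info->IoData = 0x5A; Info->IoPort = 0xB2; Info->IoWidth = 1; Info->IoType = 1;
}

/* Pre-patch shape: Width is never consulted, so a full IoInfo is written into
 * whatever Buffer the caller supplied, however small it is. */
int ReadIoInfoUnchecked (unsigned Width, void *Buffer) {
  FillIoInfo ((SaveStateIoInfo *) Buffer);
  return STATUS_SUCCESS;
}

/* Patched shape: refuse before touching Buffer when it cannot hold IoInfo. */
int ReadIoInfoChecked (unsigned Width, void *Buffer) {
  if (Buffer == NULL || Width < sizeof (SaveStateIoInfo)) {
    return STATUS_INVALID_PARAMETER;
  }
  SaveStateIoInfo Info;
  FillIoInfo (&Info);
  memcpy (Buffer, &Info, sizeof (Info));   /* exactly sizeof (Info) <= Width bytes */
  return STATUS_SUCCESS;
}

/* The caller offers a 4-byte slot at the start of a guard-filled, 8-aligned arena
 * and passes Width = 4; returns how many bytes beyond the slot the reader overwrote. */
size_t GuardBytesClobbered (int (*Reader)(unsigned, void *)) {
  uint64_t Storage[8]; uint8_t *Arena = (uint8_t *) Storage;
  memset (Arena, 0xAA, sizeof (Storage));
  Reader (4, Arena);
  size_t Clobbered = 0;
  for (size_t i = 4; i < sizeof (Storage); i++) Clobbered += (Arena[i] != 0xAA);
  return Clobbered;
}

int CheckedReadWorks (void) {   /* a correctly sized buffer still yields the sample port */
  SaveStateIoInfo Info;
  return ReadIoInfoChecked (sizeof (Info), &Info) == STATUS_SUCCESS && Info.IoPort == 0xB2;
}
```

The unchecked reader overwrites every guard byte up to sizeof (SaveStateIoInfo), which is the out-of-bounds write the commit message describes; the checked reader returns an error and leaves the arena intact.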