From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Jian J Wang, Liming Gao, Dandan Bi
Subject: [PATCH v1 3/3] MdeModulePkg/Core/Pei: Fix pointer size mismatch in EvacuateTempRam()
Date: Wed, 8 Sep 2021 23:46:01 -0400
Message-Id: <20210909034601.699-4-mikuback@linux.microsoft.com>
In-Reply-To: <20210909034601.699-1-mikuback@linux.microsoft.com>
References: <20210909034601.699-1-mikuback@linux.microsoft.com>
Content-Transfer-Encoding: quoted-printable

From: Michael Kubacki REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D3512 In 32-bit PEI, the local variable pointers MigratedFvHeader and RawDataFvHeader in EvacuateTempRam() will be 32-bit in size. The pointers are currently passed to PeiServicesAllocatePages() which expects a 64-bit output buffer of type EFI_PHYSICAL_ADDRESS. When PeiServicesAllocatePages() writes to the buffer, the data can overflow. Cc: Jian J Wang Cc: Liming Gao Cc: Dandan Bi Signed-off-by: Michael Kubacki --- MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c b/MdeModulePkg= /Core/Pei/Dispatcher/Dispatcher.c index a050a6ed9646..f6bb906f38f3 100644 --- a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c +++ b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c @@ -1135,6 +1135,7 @@ EvacuateTempRam ( volatile UINTN FvIndex; volatile UINTN FvChildIndex; UINTN ChildFvOffset; + EFI_PHYSICAL_ADDRESS FvHeaderAddress; EFI_FIRMWARE_VOLUME_HEADER *FvHeader; EFI_FIRMWARE_VOLUME_HEADER *ChildFvHeader; EFI_FIRMWARE_VOLUME_HEADER *MigratedFvHeader; @@ -1186,9 +1187,10 @@ EvacuateTempRam ( Status =3D PeiServicesAllocatePages ( EfiBootServicesCode, EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength), - (EFI_PHYSICAL_ADDRESS *) &MigratedFvHeader + &FvHeaderAddress ); ASSERT_EFI_ERROR (Status); + MigratedFvHeader =3D (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeader= Address; =20 // // Allocate pool to save the raw PEIMs, which is used to keep cons= istent context across @@ -1197,9 +1199,10 @@ EvacuateTempRam ( Status =3D PeiServicesAllocatePages ( EfiBootServicesCode, EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength), - (EFI_PHYSICAL_ADDRESS *) &RawDataFvHeader + &FvHeaderAddress ); ASSERT_EFI_ERROR (Status); + RawDataFvHeader =3D (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeaderA= ddress; =20 DEBUG (( DEBUG_VERBOSE, --=20 2.28.0.windows.1
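Review bot: In the hunk at @@ -1186,9 +1187,10 @@, the new assignment to MigratedFvHeader reads FvHeaderAddress right after ASSERT_EFI_ERROR (Status), which is the only check on the PeiServicesAllocatePages() result. In a build where asserts are disabled, a failed allocation leaves FvHeaderAddress (declared without a value in the first hunk) holding whatever was on the stack, and that value is then cast to an EFI_FIRMWARE_VOLUME_HEADER pointer. Consider an explicit `if (EFI_ERROR (Status))` path that stops the migration, or at least assign 0 to FvHeaderAddress before the call so a failure yields a NULL pointer instead of stack contents.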
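Review bot: In the hunk at @@ -1197,9 +1199,10 @@, the `(UINTN)` cast in the RawDataFvHeader assignment silently narrows the 64-bit FvHeaderAddress to pointer width on 32-bit PEI, and the MigratedFvHeader assignment in the previous hunk does the same. An `ASSERT (FvHeaderAddress <= MAX_UINTN)` ahead of each cast, or a one-line comment stating that the allocation is expected to be addressable by a native pointer, would document that the narrowing is intended. Reusing FvHeaderAddress for the second allocation is safe because MigratedFvHeader has already been assigned, but the commit message could also say what the old code overwrote (the four bytes following each 32-bit pointer local), since "the data can overflow" does not tell a reader what was at risk.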