From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
 by mx.groups.io with SMTP id smtpd.web11.4358.1659684048137429363
 for <devel@edk2.groups.io>;
 Fri, 05 Aug 2022 00:20:48 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: huawei.com, ip: 45.249.212.188, mailfrom: xiewenyi2@huawei.com)
Received: from dggemv711-chm.china.huawei.com (unknown [172.30.72.53])
	by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4LzcPf0N8wzlVsP;
	Fri,  5 Aug 2022 15:17:58 +0800 (CST)
Received: from kwepemm600004.china.huawei.com (7.193.23.242) by
 dggemv711-chm.china.huawei.com (10.1.198.66) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Fri, 5 Aug 2022 15:20:43 +0800
Received: from kwephisprg16640.huawei.com (10.247.83.252) by
 kwepemm600004.china.huawei.com (7.193.23.242) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Fri, 5 Aug 2022 15:20:43 +0800
From: "wenyi,xie" <xiewenyi2@huawei.com>
To: <devel@edk2.groups.io>, <jian.j.wang@intel.com>,
	<gaoliming@byosoft.com.cn>, <eric.dong@intel.com>, <ray.ni@intel.com>
CC: <songdongkuang@huawei.com>, <xiewenyi2@huawei.com>
Subject: [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
Date: Fri, 5 Aug 2022 15:20:37 +0800
Message-ID: <20220805072037.1868254-2-xiewenyi2@huawei.com>
X-Mailer: git-send-email 2.18.0.huawei.25
In-Reply-To: <20220805072037.1868254-1-xiewenyi2@huawei.com>
References: <20220805072037.1868254-1-xiewenyi2@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.247.83.252]
X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To
 kwepemm600004.china.huawei.com (7.193.23.242)
X-CFilter-Loop: Reflected
Content-Type: text/plain

As the CommunicationBuffer plus BufferSize may overflow, check the
value first before using.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com>
---
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 22 +++++++++++++-------
 MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c  |  5 +++++
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index 9e5c6cbe33dd..fcf8c61d7f1b 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -613,23 +613,28 @@ SmmEndOfS3ResumeHandler (
   @retval FALSE     Buffer doesn't overlap.
 
 **/
-BOOLEAN
+EFI_STATUS
 InternalIsBufferOverlapped (
   IN UINT8  *Buff1,
   IN UINTN  Size1,
   IN UINT8  *Buff2,
-  IN UINTN  Size2
+  IN UINTN  Size2,
+  IN BOOLEAN *IsOverlapped
   )
 {
+  *IsOverlapped = TRUE;
+  if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Size2)) {
+    return EFI_INVALID_PARAMETER;
+  }
   //
   // If buff1's end is less than the start of buff2, then it's ok.
   // Also, if buff1's start is beyond buff2's end, then it's ok.
   //
   if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
-    return FALSE;
+    *IsOverlapped = FALSE;
   }
 
-  return TRUE;
+  return EFI_SUCCESS;
 }
 
 /**
@@ -693,17 +698,18 @@ SmmEntryPoint (
       //
       // Synchronous SMI for SMM Core or request from Communicate protocol
       //
-      IsOverlapped = InternalIsBufferOverlapped (
+      Status = InternalIsBufferOverlapped (
                        (UINT8 *)CommunicationBuffer,
                        BufferSize,
                        (UINT8 *)gSmmCorePrivate,
-                       sizeof (*gSmmCorePrivate)
+                       sizeof (*gSmmCorePrivate),
+                       &IsOverlapped
                        );
-      if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) {
+      if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || EFI_ERROR(Status) || IsOverlapped) {
         //
         // If CommunicationBuffer is not in valid address scope,
         // or there is overlap between gSmmCorePrivate and CommunicationBuffer,
-        // return EFI_INVALID_PARAMETER
+        // return EFI_ACCESS_DENIED
         //
         gSmmCorePrivate->CommunicationBuffer = NULL;
         gSmmCorePrivate->ReturnStatus        = EFI_ACCESS_DENIED;
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
index 4f00cebaf5ed..bd13cf97ec93 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
@@ -525,6 +525,11 @@ SmmCommunicationCommunicate (
 
   CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer;
 
+  if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) {
+    DEBUG ((DEBUG_ERROR, "MessageLength is invalid!\n"));
+    return EFI_INVALID_PARAMETER;
+  }
+
   if (CommSize == NULL) {
     TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + CommunicateHeader->MessageLength;
   } else {
-- 
2.20.1.windows.1