From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by mx.groups.io with SMTP id smtpd.web09.839.1660563941090243276 for ; Mon, 15 Aug 2022 04:45:41 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: huawei.com, ip: 45.249.212.187, mailfrom: xiewenyi2@huawei.com) Received: from dggemv711-chm.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4M5sp30nr3zkWPV; Mon, 15 Aug 2022 19:42:19 +0800 (CST) Received: from kwepemm600004.china.huawei.com (7.193.23.242) by dggemv711-chm.china.huawei.com (10.1.198.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 15 Aug 2022 19:45:37 +0800 Received: from kwephisprg16640.huawei.com (10.247.83.252) by kwepemm600004.china.huawei.com (7.193.23.242) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 15 Aug 2022 19:45:36 +0800 From: "wenyi,xie" To: , , , , CC: , Subject: [PATCH EDK2 v2 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk Date: Mon, 15 Aug 2022 19:45:29 +0800 Message-ID: <20220815114529.665138-2-xiewenyi2@huawei.com> X-Mailer: git-send-email 2.18.0.huawei.25 In-Reply-To: <20220815114529.665138-1-xiewenyi2@huawei.com> References: <20220815114529.665138-1-xiewenyi2@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.247.83.252] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To kwepemm600004.china.huawei.com (7.193.23.242) X-CFilter-Loop: Reflected Content-Type: text/plain As the CommunicationBuffer plus BufferSize may overflow, check the value first before using. Cc: Jian J Wang Cc: Liming Gao Cc: Eric Dong Cc: Ray Ni Signed-off-by: Wenyi Xie --- MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 5 ++++- MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c index 9e5c6cbe33dd..a2a97a4056ee 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c @@ -621,6 +621,9 @@ InternalIsBufferOverlapped ( IN UINTN Size2 ) { + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Size2)) { + return TRUE; + } // // If buff1's end is less than the start of buff2, then it's ok. // Also, if buff1's start is beyond buff2's end, then it's ok. @@ -703,7 +706,7 @@ SmmEntryPoint ( // // If CommunicationBuffer is not in valid address scope, // or there is overlap between gSmmCorePrivate and CommunicationBuffer, - // return EFI_INVALID_PARAMETER + // return EFI_ACCESS_DENIED // gSmmCorePrivate->CommunicationBuffer = NULL; gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED; diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c index 4f00cebaf5ed..fe3e6ba54281 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c @@ -525,6 +525,10 @@ SmmCommunicationCommunicate ( CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer; + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) { + return EFI_INVALID_PARAMETER; + } + if (CommSize == NULL) { TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + CommunicateHeader->MessageLength; } else { -- 2.20.1.windows.1