From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by mx.groups.io with SMTP id smtpd.web12.39871.1660815281552200545 for ; Thu, 18 Aug 2022 02:34:41 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: huawei.com, ip: 45.249.212.255, mailfrom: xiewenyi2@huawei.com) Received: from dggemv711-chm.china.huawei.com (unknown [172.30.72.55]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4M7flT1zd2z1N7JQ; Thu, 18 Aug 2022 17:31:17 +0800 (CST) Received: from kwepemm600004.china.huawei.com (7.193.23.242) by dggemv711-chm.china.huawei.com (10.1.198.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 17:34:39 +0800 Received: from kwephisprg16640.huawei.com (10.247.83.252) by kwepemm600004.china.huawei.com (7.193.23.242) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 17:34:38 +0800 From: "wenyi,xie" To: , , , , CC: , Subject: [PATCH EDK2 v2 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk Date: Thu, 18 Aug 2022 17:34:33 +0800 Message-ID: <20220818093433.2609170-2-xiewenyi2@huawei.com> X-Mailer: git-send-email 2.18.0.huawei.25 In-Reply-To: <20220818093433.2609170-1-xiewenyi2@huawei.com> References: <20220818093433.2609170-1-xiewenyi2@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.247.83.252] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To kwepemm600004.china.huawei.com (7.193.23.242) X-CFilter-Loop: Reflected Content-Type: text/plain As the CommunicationBuffer plus BufferSize may overflow, check the value first before using. Cc: Jian J Wang Cc: Liming Gao Cc: Eric Dong Cc: Ray Ni Signed-off-by: Wenyi Xie --- MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 10 +++++++++- MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 4 ++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c index 9e5c6cbe33dd..003db3b85802 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c @@ -621,6 +621,14 @@ InternalIsBufferOverlapped ( IN UINTN Size2 ) { + // + // If integer overflow when adding Buff1 to Size1, treat it as Overlap. + // Also, if integer overflow when adding Buff2 to Size2, treat it as Overlap. + // + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Size2)) { + return TRUE; + } + // // If buff1's end is less than the start of buff2, then it's ok. // Also, if buff1's start is beyond buff2's end, then it's ok. @@ -703,7 +711,7 @@ SmmEntryPoint ( // // If CommunicationBuffer is not in valid address scope, // or there is overlap between gSmmCorePrivate and CommunicationBuffer, - // return EFI_INVALID_PARAMETER + // return EFI_ACCESS_DENIED // gSmmCorePrivate->CommunicationBuffer = NULL; gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED; diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c index 4f00cebaf5ed..78df802fe748 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c @@ -526,6 +526,10 @@ SmmCommunicationCommunicate ( CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer; if (CommSize == NULL) { + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) { + return EFI_INVALID_PARAMETER; + } + TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + CommunicateHeader->MessageLength; } else { TempCommSize = *CommSize; -- 2.20.1.windows.1