* [PATCH EDK2 v2 0/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
@ 2022-08-18 9:34 wenyi,xie
2022-08-18 9:34 ` [PATCH EDK2 v2 1/1] " wenyi,xie
0 siblings, 1 reply; 3+ messages in thread
From: wenyi,xie @ 2022-08-18 9:34 UTC (permalink / raw)
To: devel, jian.j.wang, gaoliming, eric.dong, ray.ni; +Cc: songdongkuang, xiewenyi2
Main Changes since v1:
1. add comments for overflow check;
2. move condition check to if-clause.
Wenyi Xie (1):
MdeModulePkg/PiSmmCore:Avoid overflow risk
MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 10 +++++++++-
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 4 ++++
2 files changed, 13 insertions(+), 1 deletion(-)
--
2.20.1.windows.1
* [PATCH EDK2 v2 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
From: wenyi,xie @ 2022-08-18 9:34 UTC (permalink / raw)
To: devel, jian.j.wang, gaoliming, eric.dong, ray.ni; +Cc: songdongkuang, xiewenyi2
As the CommunicationBuffer plus BufferSize may overflow, check the
value first before using.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com>
---
MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 10 +++++++++-
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 4 ++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index 9e5c6cbe33dd..003db3b85802 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -621,6 +621,14 @@ InternalIsBufferOverlapped (
IN UINTN Size2
)
{
+ //
+ // If integer overflow when adding Buff1 to Size1, treat it as Overlap.
+ // Also, if integer overflow when adding Buff2 to Size2, treat it as Overlap.
+ //
+ if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Size2)) {
+ return TRUE;
+ }
+
//
// If buff1's end is less than the start of buff2, then it's ok.
// Also, if buff1's start is beyond buff2's end, then it's ok.
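Review bot: the guard `(UINTN)Buff1 > MAX_UINTN - Size1` is correct and cannot itself underflow (Size1 is a UINTN, so `MAX_UINTN - Size1` is always defined), and returning TRUE fails closed, which the SmmEntryPoint caller turns into EFI_ACCESS_DENIED. Two follow-ups: the function's leading doc comment above this hunk should now say that a range that wraps past MAX_UINTN is reported as overlapping, since callers would otherwise read TRUE as a real intersection; and note in the comment that a buffer whose end is exactly `MAX_UINTN + 1` (Buff1 + Size1 wrapping to zero) is also rejected, which is acceptable here but is a deliberate narrowing.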
@@ -703,7 +711,7 @@ SmmEntryPoint (
//
// If CommunicationBuffer is not in valid address scope,
// or there is overlap between gSmmCorePrivate and CommunicationBuffer,
- // return EFI_INVALID_PARAMETER
+ // return EFI_ACCESS_DENIED
//
gSmmCorePrivate->CommunicationBuffer = NULL;
gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;
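Review bot: this hunk only corrects a stale comment so that it matches the `gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;` assignment directly below it. That is a good fix, but it is unrelated to the overflow check and the commit message does not mention it; either add a sentence about the comment correction to the commit message or split it into its own patch so the history stays searchable.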
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
index 4f00cebaf5ed..78df802fe748 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
@@ -526,6 +526,10 @@ SmmCommunicationCommunicate (
CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer;
if (CommSize == NULL) {
+ if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + CommunicateHeader->MessageLength;
} else {
TempCommSize = *CommSize;
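Review bot: scoping the check to the `CommSize == NULL` branch is the right placement, since that is the only path where TempCommSize is derived from the caller-supplied header rather than taken from `*CommSize`. Unlike the PiSmmCore.c hunk, this check carries no comment; add one or two lines stating that MessageLength comes from the caller's communication buffer and that the addition on the following line would wrap without the guard, so a later reader does not remove it as redundant. EFI_INVALID_PARAMETER is the appropriate status for a malformed header.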
--
2.20.1.windows.1
* [PATCH EDK2 v2 0/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
From: wenyi,xie @ 2022-08-15 11:45 UTC (permalink / raw)
To: devel, jian.j.wang, gaoliming, eric.dong, ray.ni; +Cc: songdongkuang, xiewenyi2
Main Changes since v1:
1. treat overflow as overlap
Wenyi Xie (1):
MdeModulePkg/PiSmmCore:Avoid overflow risk
MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 5 ++++-
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 4 ++++
2 files changed, 8 insertions(+), 1 deletion(-)
--
2.20.1.windows.1
* [PATCH EDK2 v2 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
From: wenyi,xie @ 2022-08-15 11:45 UTC (permalink / raw)
To: devel, jian.j.wang, gaoliming, eric.dong, ray.ni; +Cc: songdongkuang, xiewenyi2
As the CommunicationBuffer plus BufferSize may overflow, check the
value first before using.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com>
---
MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 5 ++++-
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 4 ++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index 9e5c6cbe33dd..a2a97a4056ee 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -621,6 +621,9 @@ InternalIsBufferOverlapped (
IN UINTN Size2
)
{
+ if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Size2)) {
+ return TRUE;
+ }
//
// If buff1's end is less than the start of buff2, then it's ok.
// Also, if buff1's start is beyond buff2's end, then it's ok.
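Review bot: the guard is inserted with no comment and no blank line before the existing `//` block, so it reads as part of the overlap reasoning that follows rather than as a separate overflow check. Add a short comment saying that a wrapped `Buff1 + Size1` or `Buff2 + Size2` is deliberately reported as overlap (fail closed), and a blank line after the closing brace, matching the spacing of the rest of the function.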
@@ -703,7 +706,7 @@ SmmEntryPoint (
//
// If CommunicationBuffer is not in valid address scope,
// or there is overlap between gSmmCorePrivate and CommunicationBuffer,
- // return EFI_INVALID_PARAMETER
+ // return EFI_ACCESS_DENIED
//
gSmmCorePrivate->CommunicationBuffer = NULL;
gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;
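Review bot: comment-only correction that now agrees with the EFI_ACCESS_DENIED assignment below it; it is unrelated to the overflow fix, so mention it in the commit message or split it into a separate patch.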
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
index 4f00cebaf5ed..fe3e6ba54281 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
@@ -525,6 +525,10 @@ SmmCommunicationCommunicate (
CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer;
+ if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
if (CommSize == NULL) {
TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + CommunicateHeader->MessageLength;
} else {
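Review bot: the check runs before `if (CommSize == NULL)`, but the addition it protects, `OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + CommunicateHeader->MessageLength`, is only evaluated inside that branch; in the else path TempCommSize is taken from `*CommSize` and the header field is not added at this point. Move the guard into the `CommSize == NULL` branch so it sits beside the expression it protects and does not reject callers on a field this path does not use here.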
--
2.20.1.windows.1