public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io
Cc: Dandan Bi <dandan.bi@intel.com>,
	Erich McMillan <emcmillan@microsoft.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Liming Gao <gaoliming@byosoft.com.cn>,
	Michael Kubacki <mikuback@linux.microsoft.com>,
	Star Zeng <star.zeng@intel.com>,
	Zhichao Gao <zhichao.gao@intel.com>,
	Zhiguang Liu <zhiguang.liu@intel.com>,
	Michael Kubacki <michael.kubacki@microsoft.com>
Subject: [PATCH v2 01/12] MdeModulePkg/SmbiosDxe: Fix pointer and buffer overflow CodeQL alerts
Date: Tue, 29 Nov 2022 12:32:35 -0500	[thread overview]
Message-ID: <20221129173246.2182-2-mikuback@linux.microsoft.com> (raw)
In-Reply-To: <20221129173246.2182-1-mikuback@linux.microsoft.com>

From: Erich McMillan <emcmillan@microsoft.com>

Details for these CodeQL alerts can be found here:

- Pointer overflow check (cpp/pointer-overflow-check):
  - https://cwe.mitre.org/data/definitions/758.html

- Potential buffer overflow check (cpp/potential-buffer-overflow):
  - https://cwe.mitre.org/data/definitions/676.html

CodeQL alert:

  - Line 1612 in MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c
    - Type: Pointer overflow check
    - Severity: Low
    - Problem: Range check relying on pointer overflow

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Erich McMillan <emcmillan@microsoft.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael Kubacki <mikuback@linux.microsoft.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Erich McMillan <emcmillan@microsoft.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
---
 MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c   | 11 ++++++++---
 MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf |  1 +
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c b/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c
index 1d43adc7662c..c1da2adc296b 100644
--- a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c
+++ b/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
 #include "SmbiosDxe.h"
+#include <Library/SafeIntLib.h>
 
 //
 // Module Global:
@@ -1594,6 +1595,7 @@ ParseAndAddExistingSmbiosTable (
   CHAR8                     *String;
   EFI_SMBIOS_HANDLE         SmbiosHandle;
   SMBIOS_STRUCTURE_POINTER  SmbiosEnd;
+  UINTN                     SafeIntResult;
 
   mPrivateData.Smbios.MajorVersion = MajorVersion;
   mPrivateData.Smbios.MinorVersion = MinorVersion;
@@ -1608,9 +1610,12 @@ ParseAndAddExistingSmbiosTable (
     //
     // Make sure not to access memory beyond SmbiosEnd
     //
-    if ((Smbios.Raw + sizeof (SMBIOS_STRUCTURE) > SmbiosEnd.Raw) ||
-        (Smbios.Raw + sizeof (SMBIOS_STRUCTURE) < Smbios.Raw))
-    {
+    Status = SafeUintnAdd ((UINTN)Smbios.Raw, sizeof (SMBIOS_STRUCTURE), &SafeIntResult);
+    if (EFI_ERROR (Status)) {
+      return EFI_INVALID_PARAMETER;
+    }
+
+    if ((SafeIntResult > (UINTN)SmbiosEnd.Raw) || (SafeIntResult < (UINTN)Smbios.Raw)) {
       return EFI_INVALID_PARAMETER;
     }
 
diff --git a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf b/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf
index c03915a6921f..8b7c74694775 100644
--- a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf
+++ b/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf
@@ -42,6 +42,7 @@ [LibraryClasses]
   DebugLib
   PcdLib
   HobLib
+  SafeIntLib
 
 [Protocols]
   gEfiSmbiosProtocolGuid                            ## PRODUCES
-- 
2.28.0.windows.1


  reply	other threads:[~2022-11-29 17:33 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-29 17:32 [PATCH v2 00/12] Enable New CodeQL Queries Michael Kubacki
2022-11-29 17:32 ` Michael Kubacki [this message]
2022-11-29 17:32 ` [PATCH v2 02/12] BaseTools/PatchCheck.py: Add PCCTS to tab exemption list Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 04/12] CryptoPkg: Fix conditionally uninitialized variable Michael Kubacki
2022-12-01  8:28   ` Yao, Jiewen
2022-11-29 17:32 ` [PATCH v2 05/12] MdeModulePkg: Fix conditionally uninitialized variables Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 06/12] MdePkg: " Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 07/12] NetworkPkg: " Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 08/12] PcAtChipsetPkg: " Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 09/12] ShellPkg: " Michael Kubacki
2022-11-30  6:55   ` Gao, Zhichao
2022-11-29 17:32 ` [PATCH v2 10/12] UefiCpuPkg: " Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 11/12] .github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries Michael Kubacki
2022-11-29 17:32 ` [PATCH v2 12/12] .github/codeql/edk2.qls: Enable CWE 120, 787, and 805 queries Michael Kubacki

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221129173246.2182-2-mikuback@linux.microsoft.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox