From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by mx.groups.io with SMTP id smtpd.web11.157018.1669743194889668786 for ; Tue, 29 Nov 2022 09:33:14 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@linux.microsoft.com header.s=default header.b=UvaxXJL3; spf=pass (domain: linux.microsoft.com, ip: 13.77.154.182, mailfrom: mikuback@linux.microsoft.com) Received: from localhost.localdomain (unknown [47.201.8.94]) by linux.microsoft.com (Postfix) with ESMTPSA id 5601820B6C40; Tue, 29 Nov 2022 09:33:13 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 5601820B6C40 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1669743194; bh=yFB7jszTcJpEtHndWstcW9yuewZZ9yyzQNErn1MTJ5g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UvaxXJL39wmv+R5htyzc892zIJRlI14F/14sNZG8prBT9gL2mz6hff3IKGyDGykRD PD8hf2k1QQDCvaP3NLrM2w4aePc00TLyVoDKaX4yrCnpmY6xDDGqBmvzciHbY2Gfi3 CAlycnOPu29jr9mamxYr5RkLitiHwo3t/+x2P1Sk= From: "Michael Kubacki" To: devel@edk2.groups.io Cc: Dandan Bi , Erich McMillan , Jian J Wang , Liming Gao , Michael Kubacki , Star Zeng , Zhichao Gao , Zhiguang Liu , Michael Kubacki Subject: [PATCH v2 01/12] MdeModulePkg/SmbiosDxe: Fix pointer and buffer overflow CodeQL alerts Date: Tue, 29 Nov 2022 12:32:35 -0500 Message-Id: <20221129173246.2182-2-mikuback@linux.microsoft.com> X-Mailer: git-send-email 2.28.0.windows.1 In-Reply-To: <20221129173246.2182-1-mikuback@linux.microsoft.com> References: <20221129173246.2182-1-mikuback@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Erich McMillan Details for these CodeQL alerts can be found here: - Pointer overflow check (cpp/pointer-overflow-check): - https://cwe.mitre.org/data/definitions/758.html - Potential buffer overflow check (cpp/potential-buffer-overflow): - https://cwe.mitre.org/data/definitions/676.html CodeQL alert: - Line 1612 in MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c - Type: Pointer overflow check - Severity: Low - Problem: Range check relying on pointer overflow Cc: Dandan Bi Cc: Erich McMillan Cc: Jian J Wang Cc: Liming Gao Cc: Michael Kubacki Cc: Star Zeng Cc: Zhichao Gao Cc: Zhiguang Liu Co-authored-by: Michael Kubacki Signed-off-by: Erich McMillan Reviewed-by: Liming Gao --- MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c | 11 ++++++++--- MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c b/MdeModulePkg/= Universal/SmbiosDxe/SmbiosDxe.c index 1d43adc7662c..c1da2adc296b 100644 --- a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c +++ b/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "SmbiosDxe.h" +#include =20 // // Module Global: @@ -1594,6 +1595,7 @@ ParseAndAddExistingSmbiosTable ( CHAR8 *String; EFI_SMBIOS_HANDLE SmbiosHandle; SMBIOS_STRUCTURE_POINTER SmbiosEnd; + UINTN SafeIntResult; =20 mPrivateData.Smbios.MajorVersion =3D MajorVersion; mPrivateData.Smbios.MinorVersion =3D MinorVersion; @@ -1608,9 +1610,12 @@ ParseAndAddExistingSmbiosTable ( // // Make sure not to access memory beyond SmbiosEnd // - if ((Smbios.Raw + sizeof (SMBIOS_STRUCTURE) > SmbiosEnd.Raw) || - (Smbios.Raw + sizeof (SMBIOS_STRUCTURE) < Smbios.Raw)) - { + Status =3D SafeUintnAdd ((UINTN)Smbios.Raw, sizeof (SMBIOS_STRUCTURE= ), &SafeIntResult); + if (EFI_ERROR (Status)) { + return EFI_INVALID_PARAMETER; + } + + if ((SafeIntResult > (UINTN)SmbiosEnd.Raw) || (SafeIntResult < (UINT= N)Smbios.Raw)) { return EFI_INVALID_PARAMETER; } =20 diff --git a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf b/MdeModulePk= g/Universal/SmbiosDxe/SmbiosDxe.inf index c03915a6921f..8b7c74694775 100644 --- a/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf +++ b/MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf @@ -42,6 +42,7 @@ [LibraryClasses] DebugLib PcdLib HobLib + SafeIntLib =20 [Protocols] gEfiSmbiosProtocolGuid ## PRODUCES --=20 2.28.0.windows.1