From: "Chiu, Chasel"
To: "devel@edk2.groups.io", "Desimone, Nathaniel L"
CC: "Kubacki, Michael A", "Chaganty, Rangasai V"
Subject: Re: [edk2-devel] [edk2-platforms] [PATCH v2] KabylakeSiliconPkg: Possible out-of-bounds memory writes
Date: Thu, 18 Jul 2019 13:57:01 +0000
Message-ID: <3C3EFB470A303B4AB093197B6777CCEC504322DD@PGSMSX111.gar.corp.intel.com>
References: <20190718064834.18100-1-nathaniel.l.desimone@intel.com>
In-Reply-To: <20190718064834.18100-1-nathaniel.l.desimone@intel.com>

Reviewed-by: Chasel Chiu

> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Nate DeSimone
> Sent: Thursday, July 18, 2019 2:49 PM
> To: devel@edk2.groups.io
> Cc: Chiu, Chasel; Kubacki, Michael A; Chaganty, Rangasai V
> Subject: [edk2-devel] [edk2-platforms] [PATCH v2] KabylakeSiliconPkg: Possible out-of-bounds memory writes
>
> - Add check for the DSDT not existing.
> - Fixed logic errors in loop boundary check.
>
> Cc: Chasel Chiu
> Cc: Michael A Kubacki
> Cc: Sai Chaganty
>
> Co-authored-by: John Mathews
> Signed-off-by: Nate DeSimone
> --- > .../Library/DxeAslUpdateLib/DxeAslUpdateLib.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) >=20 > diff --git > a/Silicon/Intel/KabylakeSiliconPkg/Library/DxeAslUpdateLib/DxeAslUpdateL= ib. > c > b/Silicon/Intel/KabylakeSiliconPkg/Library/DxeAslUpdateLib/DxeAslUpdateL= ib. > c > index e6ab43db6d..87c6b15ed2 100644 > --- > a/Silicon/Intel/KabylakeSiliconPkg/Library/DxeAslUpdateLib/DxeAslUpdateL= ib. > c > +++ b/Silicon/Intel/KabylakeSiliconPkg/Library/DxeAslUpdateLib/DxeAslUpd > +++ ateLib.c > @@ -6,7 +6,7 @@ >=20 > This library uses the ACPI Support protocol. >=20 > -Copyright (c) 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > **/ > @@ -59,6 +59,7 @@ InitializeAslUpdateLib ( > @param[in] Length - length of data to be overwritten >=20 > @retval EFI_SUCCESS - The function completed successfully. > + @retval EFI_NOT_FOUND - Failed to locate AcpiTable. > **/ > EFI_STATUS > UpdateNameAslCode ( > @@ -72,6 +73,7 @@ UpdateNameAslCode ( > UINT8 *CurrPtr; > UINT32 *Signature; > UINT8 *DsdtPointer; > + UINT8 *EndPointer; > UINTN Handle; > UINT8 DataSize; >=20 > @@ -99,11 +101,15 @@ UpdateNameAslCode ( > /// Point to the beginning of the DSDT table > /// > CurrPtr =3D (UINT8 *) Table; > + if (CurrPtr =3D=3D NULL) { > + return EFI_NOT_FOUND; > + } >=20 > /// > /// Loop through the ASL looking for values that we must fix up. > /// > - for (DsdtPointer =3D CurrPtr; DsdtPointer <=3D (CurrPtr + > ((EFI_ACPI_COMMON_HEADER *) CurrPtr)->Length); DsdtPointer++) { > + EndPointer =3D CurrPtr + ((EFI_ACPI_COMMON_HEADER *) CurrPtr)->Length= ; > + for (DsdtPointer =3D CurrPtr; DsdtPointer < EndPointer; DsdtPointer++)= { > /// > /// Get a pointer to compare for signature > /// > -- > 2.17.1.windows.2 >=20 >=20 >=20
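
Review bot: In the last hunk (@@ -99,11 +101,15 @@), the new bound DsdtPointer < EndPointer still allows a signature comparison to start on the final bytes of the table. Signature is declared UINT32 *, so if the loop body (not visible in this hunk) reads four bytes at DsdtPointer, the last three iterations read past EndPointer. Consider bounding the loop so that DsdtPointer + sizeof (UINT32) <= EndPointer, and checking that the Length-byte overwrite described in the function header also ends at or before EndPointer. The table's own Length field is used to compute EndPointer without any sanity check; a test that it is at least sizeof (EFI_ACPI_COMMON_HEADER) would be a cheap addition next to the new NULL check.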