From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Zeng, Star" <star.zeng@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: [PATCH] MdeModulePkg VariableSmm: Check InfoSize correctly
Date: Sun, 11 Dec 2016 13:28:30 +0000 [thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386F6319@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <1481273266-181628-1-git-send-email-star.zeng@intel.com>
Reviewed-by: jiewen.yao@intel.com
> -----Original Message-----
> From: Zeng, Star
> Sent: Friday, December 9, 2016 4:48 PM
> To: edk2-devel@lists.01.org
> Cc: Zeng, Star <star.zeng@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH] MdeModulePkg VariableSmm: Check InfoSize correctly
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=290
>
> Current SmmVariableGetStatistics() in VariableSmm.c is always
> checking input InfoSize against the first variable info,
> it is incorrect.
>
> For instance, there are three variables.
> BootOrder
> Boot0000
> Boot0001
>
> If the input InfoEntry is holding the second variable info (Boot0000)
> and InfoSize is sizeof (VARIABLE_INFO_ENTRY) + StrSize (L"Boot0000"),
> current code will return EFI_BUFFER_TOO_SMALL, but it should return
> the third variable info (Boot0001).
>
> This patch is to refine the code logic.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Star Zeng <star.zeng@intel.com>
> ---
> .../Universal/Variable/RuntimeDxe/VariableSmm.c | 25
> +++++++++++++++-------
> 1 file changed, 17 insertions(+), 8 deletions(-)
>
> diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
> b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
> index eafb53322e8c..85158d8b46ae 100644
> --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
> +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
> @@ -349,9 +349,10 @@ SmmVariableGetStatistics (
> )
> {
> VARIABLE_INFO_ENTRY *VariableInfo;
> - UINTN NameLength;
> + UINTN NameSize;
> UINTN
> StatisticsInfoSize;
> CHAR16 *InfoName;
> + UINTN
> InfoNameMaxSize;
> EFI_GUID VendorGuid;
>
> if (InfoEntry == NULL) {
> @@ -363,12 +364,13 @@ SmmVariableGetStatistics (
> return EFI_UNSUPPORTED;
> }
>
> - StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize
> (VariableInfo->Name);
> + StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY);
> if (*InfoSize < StatisticsInfoSize) {
> *InfoSize = StatisticsInfoSize;
> return EFI_BUFFER_TOO_SMALL;
> }
> InfoName = (CHAR16 *)(InfoEntry + 1);
> + InfoNameMaxSize = (*InfoSize - sizeof (VARIABLE_INFO_ENTRY));
>
> CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);
>
> @@ -376,8 +378,14 @@ SmmVariableGetStatistics (
> //
> // Return the first variable info
> //
> + NameSize = StrSize (VariableInfo->Name);
> + StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + NameSize;
> + if (*InfoSize < StatisticsInfoSize) {
> + *InfoSize = StatisticsInfoSize;
> + return EFI_BUFFER_TOO_SMALL;
> + }
> CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
> - CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
> + CopyMem (InfoName, VariableInfo->Name, NameSize);
> *InfoSize = StatisticsInfoSize;
> return EFI_SUCCESS;
> }
> @@ -387,9 +395,9 @@ SmmVariableGetStatistics (
> //
> while (VariableInfo != NULL) {
> if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {
> - NameLength = StrSize (VariableInfo->Name);
> - if (NameLength == StrSize (InfoName)) {
> - if (CompareMem (VariableInfo->Name, InfoName, NameLength) == 0)
> {
> + NameSize = StrSize (VariableInfo->Name);
> + if (NameSize <= InfoNameMaxSize) {
> + if (CompareMem (VariableInfo->Name, InfoName, NameSize) == 0) {
> //
> // Find the match one
> //
> @@ -409,14 +417,15 @@ SmmVariableGetStatistics (
> //
> // Output the new variable info
> //
> - StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize
> (VariableInfo->Name);
> + NameSize = StrSize (VariableInfo->Name);
> + StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + NameSize;
> if (*InfoSize < StatisticsInfoSize) {
> *InfoSize = StatisticsInfoSize;
> return EFI_BUFFER_TOO_SMALL;
> }
>
> CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
> - CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
> + CopyMem (InfoName, VariableInfo->Name, NameSize);
> *InfoSize = StatisticsInfoSize;
>
> return EFI_SUCCESS;
> --
> 2.7.0.windows.1
prev parent reply other threads:[~2016-12-11 13:28 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-09 8:47 [PATCH] MdeModulePkg VariableSmm: Check InfoSize correctly Star Zeng
2016-12-11 13:28 ` Yao, Jiewen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74D8A39837DF1E4DA445A8C0B3885C50386F6319@SHSMSX104.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox