From: "Yao, Jiewen"
To: "Zeng, Star", "edk2-devel@lists.01.org"
Date: Sun, 11 Dec 2016 13:28:30 +0000
Subject: Re: [PATCH] MdeModulePkg VariableSmm: Check InfoSize correctly
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386F6319@SHSMSX104.ccr.corp.intel.com>
In-Reply-To: <1481273266-181628-1-git-send-email-star.zeng@intel.com>
References: <1481273266-181628-1-git-send-email-star.zeng@intel.com>

Reviewed-by: jiewen.yao@intel.com

> -----Original Message-----
> From: Zeng, Star
> Sent: Friday, December 9, 2016 4:48 PM
> To: edk2-devel@lists.01.org
> Cc: Zeng, Star; Yao, Jiewen
> Subject: [PATCH] MdeModulePkg VariableSmm: Check InfoSize correctly
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=290
>
> Current SmmVariableGetStatistics() in VariableSmm.c is always
> checking input InfoSize against the first variable info,
> which is incorrect.
>
> For instance, there are three variables.
> BootOrder
> Boot0000
> Boot0001
>
> If the input InfoEntry is holding the second variable info (Boot0000)
> and InfoSize is sizeof (VARIABLE_INFO_ENTRY) + StrSize (L"Boot0000"),
> current code will return EFI_BUFFER_TOO_SMALL, but it should return
> the third variable info (Boot0001).
>
> This patch is to refine the code logic.
>
> Cc: Jiewen Yao
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Star Zeng > --- > .../Universal/Variable/RuntimeDxe/VariableSmm.c | 25 > +++++++++++++++------- > 1 file changed, 17 insertions(+), 8 deletions(-) >=20 > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c > b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c > index eafb53322e8c..85158d8b46ae 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c > @@ -349,9 +349,10 @@ SmmVariableGetStatistics ( > ) > { > VARIABLE_INFO_ENTRY *VariableInfo; > - UINTN NameLength; > + UINTN NameSize; > UINTN > StatisticsInfoSize; > CHAR16 *InfoName; > + UINTN > InfoNameMaxSize; > EFI_GUID VendorGuid; >=20 > if (InfoEntry =3D=3D NULL) { > @@ -363,12 +364,13 @@ SmmVariableGetStatistics ( > return EFI_UNSUPPORTED; > } >=20 > - StatisticsInfoSize =3D sizeof (VARIABLE_INFO_ENTRY) + StrSize > (VariableInfo->Name); > + StatisticsInfoSize =3D sizeof (VARIABLE_INFO_ENTRY); > if (*InfoSize < StatisticsInfoSize) { > *InfoSize =3D StatisticsInfoSize; > return EFI_BUFFER_TOO_SMALL; > } > InfoName =3D (CHAR16 *)(InfoEntry + 1); > + InfoNameMaxSize =3D (*InfoSize - sizeof (VARIABLE_INFO_ENTRY)); >=20 > CopyGuid (&VendorGuid, &InfoEntry->VendorGuid); >=20 > @@ -376,8 +378,14 @@ SmmVariableGetStatistics ( > // > // Return the first variable info > // > + NameSize =3D StrSize (VariableInfo->Name); > + StatisticsInfoSize =3D sizeof (VARIABLE_INFO_ENTRY) + NameSize; > + if (*InfoSize < StatisticsInfoSize) { > + *InfoSize =3D StatisticsInfoSize; > + return EFI_BUFFER_TOO_SMALL; > + } > CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY)); > - CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name))= ; > + CopyMem (InfoName, VariableInfo->Name, NameSize); > *InfoSize =3D StatisticsInfoSize; > return EFI_SUCCESS; > } 
> @@ -387,9 +395,9 @@ SmmVariableGetStatistics ( > // > while (VariableInfo !=3D NULL) { > if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) { > - NameLength =3D StrSize (VariableInfo->Name); > - if (NameLength =3D=3D StrSize (InfoName)) { > - if (CompareMem (VariableInfo->Name, InfoName, NameLength) =3D=3D= 0) > { > + NameSize =3D StrSize (VariableInfo->Name); > + if (NameSize <=3D InfoNameMaxSize) { > + if (CompareMem (VariableInfo->Name, InfoName, NameSize) =3D=3D 0= ) { > // > // Find the match one > // > @@ -409,14 +417,15 @@ SmmVariableGetStatistics ( > // > // Output the new variable info > // > - StatisticsInfoSize =3D sizeof (VARIABLE_INFO_ENTRY) + StrSize > (VariableInfo->Name); > + NameSize =3D StrSize (VariableInfo->Name); > + StatisticsInfoSize =3D sizeof (VARIABLE_INFO_ENTRY) + NameSize; > if (*InfoSize < StatisticsInfoSize) { > *InfoSize =3D StatisticsInfoSize; > return EFI_BUFFER_TOO_SMALL; > } >=20 > CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY)); > - CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name)); > + CopyMem (InfoName, VariableInfo->Name, NameSize); > *InfoSize =3D StatisticsInfoSize; >=20 > return EFI_SUCCESS; > -- > 2.7.0.windows.1
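Review bot: in the hunk at @@ -363,12 +364,13 @@, `InfoNameMaxSize = (*InfoSize - sizeof (VARIABLE_INFO_ENTRY));` is what bounds every later read of the caller-supplied `InfoName`, but the hunk does not show where `*InfoSize` itself is checked against the length of the SMM communication buffer that carries `InfoEntry`. That check must live in the caller that dispatches to SmmVariableGetStatistics, otherwise the new bound is only as trustworthy as the non-SMM side that filled in `*InfoSize`. The subtraction itself cannot underflow, since the `*InfoSize < StatisticsInfoSize` check just above returns EFI_BUFFER_TOO_SMALL first; a one-line comment above the assignment stating that `*InfoSize` has already been validated against the communicate buffer would make the remaining assumption explicit for the next reader.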
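Review bot: in the hunk at @@ -387,9 +395,9 @@, replacing `if (NameLength == StrSize (InfoName))` with `if (NameSize <= InfoNameMaxSize)` removes the unbounded `StrSize (InfoName)` over the caller-provided buffer, so `InfoName` no longer has to be NUL-terminated inside the buffer before the code reads it; that is the right direction. The comparison is still an exact match rather than a prefix match, because `NameSize` comes from `StrSize (VariableInfo->Name)`, which includes the terminating L'\0', and `CompareMem` compares that terminator too. That reasoning is subtle enough to deserve a comment next to the condition, e.g. `// NameSize includes the L'\0', so CompareMem also checks the terminator`.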
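Review bot: the hunk at @@ -409,14 +417,15 @@ now carries an exact copy of the lines added in the first-entry branch at @@ -376,8 +378,14 @@ (compute `NameSize`, check `*InfoSize` against `StatisticsInfoSize`, `CopyMem` of the entry, `CopyMem` of the name, set `*InfoSize`); consider moving that sequence into a small static helper so that any future change to the size check is made in one place rather than two.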