From: "wenyi,xie" <xiewenyi2@huawei.com>
To: gaoliming <gaoliming@byosoft.com.cn>, <devel@edk2.groups.io>,
<jian.j.wang@intel.com>, <eric.dong@intel.com>,
<ray.ni@intel.com>
Cc: <songdongkuang@huawei.com>
Subject: Re: 回复: [edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
Date: Mon, 15 Aug 2022 09:44:56 +0800 [thread overview]
Message-ID: <7bd1bccd-5d3d-ca23-3078-39a02159a4b1@huawei.com> (raw)
In-Reply-To: <00f601d8b044$12c56260$38502720$@byosoft.com.cn>
On 2022/8/15 9:12, gaoliming wrote:
> Wenyi:
> I add my comments below.
Thank you for your comments. I agree with you that overflow can be treated as overlap. I will update the patch and send it later.
Thanks
Wenyi
>
>> -----邮件原件-----
>> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 wenyi,xie via
>> groups.io
>> 发送时间: 2022年8月5日 15:21
>> 收件人: devel@edk2.groups.io; jian.j.wang@intel.com;
>> gaoliming@byosoft.com.cn; eric.dong@intel.com; ray.ni@intel.com
>> 抄送: songdongkuang@huawei.com; xiewenyi2@huawei.com
>> 主题: [edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid
>> overflow risk
>>
>> As the CommunicationBuffer plus BufferSize may overflow, check the
>> value first before using.
>>
>> Cc: Jian J Wang <jian.j.wang@intel.com>
>> Cc: Liming Gao <gaoliming@byosoft.com.cn>
>> Cc: Eric Dong <eric.dong@intel.com>
>> Cc: Ray Ni <ray.ni@intel.com>
>> Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com>
>> ---
>> MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 22 +++++++++++++-------
>> MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 5 +++++
>> 2 files changed, 19 insertions(+), 8 deletions(-)
>>
>> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> index 9e5c6cbe33dd..fcf8c61d7f1b 100644
>> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> @@ -613,23 +613,28 @@ SmmEndOfS3ResumeHandler (
>> @retval FALSE Buffer doesn't overlap.
>>
>> **/
>> -BOOLEAN
>> +EFI_STATUS
>> InternalIsBufferOverlapped (
>> IN UINT8 *Buff1,
>> IN UINTN Size1,
>> IN UINT8 *Buff2,
>> - IN UINTN Size2
>> + IN UINTN Size2,
>> + IN BOOLEAN *IsOverlapped
>> )
>> {
>> + *IsOverlapped = TRUE;
>> + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN -
>> Size2)) {
>> + return EFI_INVALID_PARAMETER;
>> + }
>> //
>> // If buff1's end is less than the start of buff2, then it's ok.
>> // Also, if buff1's start is beyond buff2's end, then it's ok.
>> //
>> if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
>> - return FALSE;
>> + *IsOverlapped = FALSE;
>> }
>>
>> - return TRUE;
>> + return EFI_SUCCESS;
>> }
>>
> If Buff1 + Size1 overflows MAX_UINTN, it can be also regarded as overlap,
> return TRUE.
>
> If you think overflow is not overlap, please also update function
> InternalIsBufferOverlapped name and description to avoid confuse.
>
> Thanks
> Liming
>
>> /**
>> @@ -693,17 +698,18 @@ SmmEntryPoint (
>> //
>> // Synchronous SMI for SMM Core or request from Communicate
>> protocol
>> //
>> - IsOverlapped = InternalIsBufferOverlapped (
>> + Status = InternalIsBufferOverlapped (
>> (UINT8 *)CommunicationBuffer,
>> BufferSize,
>> (UINT8 *)gSmmCorePrivate,
>> - sizeof (*gSmmCorePrivate)
>> + sizeof (*gSmmCorePrivate),
>> + &IsOverlapped
>> );
>> - if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
>> BufferSize) || IsOverlapped) {
>> + if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
>> BufferSize) || EFI_ERROR(Status) || IsOverlapped) {
>> //
>> // If CommunicationBuffer is not in valid address scope,
>> // or there is overlap between gSmmCorePrivate and
>> CommunicationBuffer,
>> - // return EFI_INVALID_PARAMETER
>> + // return EFI_ACCESS_DENIED
>> //
>> gSmmCorePrivate->CommunicationBuffer = NULL;
>> gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;
>> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> index 4f00cebaf5ed..bd13cf97ec93 100644
>> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> @@ -525,6 +525,11 @@ SmmCommunicationCommunicate (
>>
>> CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER
>> *)CommBuffer;
>>
>> + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF
>> (EFI_SMM_COMMUNICATE_HEADER, Data)) {
>> + DEBUG ((DEBUG_ERROR, "MessageLength is invalid!\n"));
>> + return EFI_INVALID_PARAMETER;
>> + }
>> +
>> if (CommSize == NULL) {
>> TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER,
>> Data) + CommunicateHeader->MessageLength;
>> } else {
>> --
>> 2.20.1.windows.1
>>
>>
>>
>>
>>
>
>
>
> .
>
prev parent reply other threads:[~2022-08-15 1:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-05 7:20 [PATCH EDK2 v1 0/1] MdeModulePkg/PiSmmCore:Avoid overflow risk wenyi,xie
2022-08-05 7:20 ` [PATCH EDK2 v1 1/1] " wenyi,xie
2022-08-15 1:12 ` 回复: [edk2-devel] " gaoliming
2022-08-15 1:44 ` wenyi,xie [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7bd1bccd-5d3d-ca23-3078-39a02159a4b1@huawei.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox