From: "Sami Mujawar"
To: Krzysztof Koch, "devel@edk2.groups.io"
CC: "ray.ni@intel.com", "zhichao.gao@intel.com", Matteo Carlini, nd, Laura Moretta
Subject: Re: [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0
Date: Mon, 17 Feb 2020 15:35:28 +0000
References: <20200214135906.34344-1-krzysztof.koch@arm.com>
In-Reply-To: <20200214135906.34344-1-krzysztof.koch@arm.com>

Reviewed-by: Sami Mujawar

Regards,

Sami Mujawar

-----Original Message-----
From: Krzysztof Koch
Sent: 14 February 2020 13:59
To: devel@edk2.groups.io
Cc: ray.ni@intel.com; zhichao.gao@intel.com; Sami Mujawar; Matteo Carlini; nd
Subject: [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Extend validation of ACPI structure lengths which are read from the ACPI table being parsed. Additionally check if the structure 'Length' field value is positive. If not, stop parsing the faulting table.

Some ACPI tables define internal structures of variable size. The 'Length' field inside the substructure is used to update a pointer used for table traversal. If the byte-length of the structure is equal to 0, acpiview can enter an infinite loop. This condition can occur if, for example, the zero-allocated ACPI table buffer is not fully populated. This is typically a bug on the ACPI table writer side.

In short, this method helps acpiview recover gracefully from a zero-valued ACPI structure length.

Signed-off-by: Krzysztof Koch --- Changes can be seen at: https://github.com/KrzysztofKoch1/edk2/tree/612_acp= iview_prevent_inf_loops_v1 Notes: v1: - prevent infinite loops in acpiview parsers [Krzysztof] ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c | 1= 5 ++++++----- ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/Gt= dtParser.c | 13 ++++----- ShellPkg/Library/UefiShellAcpiViewCommandLib/Par= sers/Iort/IortParser.c | 14 +++++----- ShellPkg/Library/UefiShellAcpiViewC= ommandLib/Parsers/Madt/MadtParser.c | 28 ++++++-------------- ShellPkg/Lib= rary/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 15 ++++++-----= ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | = 14 +++++----- 6 files changed, 47 insertions(+), 52 deletions(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pa= rser.c index 0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c243= ed78b9f12ee97 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.= c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pars +++ er.c @@ -1,7 +1,7 @@ /** @file DBG2 table parser =20 - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Reference(s): 
@@ -282,15 +282,16 @@ ParseAcpiDbg2 ( return; } =20 - // Make sure the Debug Device Information structure lies inside the ta= ble. - if ((Offset + *DbgDevInfoLen) > AcpiTableLength) { + // Validate Debug Device Information Structure length + if ((*DbgDevInfoLen =3D=3D 0) || + ((Offset + (*DbgDevInfoLen)) > AcpiTableLength)) { IncrementErrorCount (); Print ( - L"ERROR: Invalid Debug Device Information structure length. " \ - L"DbgDevInfoLen =3D %d. RemainingTableBufferLength =3D %d. " \ - L"DBG2 parsing aborted.\n", + L"ERROR: Invalid Debug Device Information Structure length. " \ + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", *DbgDevInfoLen, - AcpiTableLength - Offset + Offset, + AcpiTableLength ); return; } diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/Gtdt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtPa= rser.c index 699a55b549ec3fa61bbd156898821055dc019199..bdd30ff45c61142c071ead63a27= babab8998721b 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.= c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtPars +++ er.c @@ -1,7 +1,7 @@ /** @file GTDT table parser =20 - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Reference(s): 
@@ -327,15 +327,16 @@ ParseAcpiGtdt ( return; } =20 - // Make sure the Platform Timer is inside the table. - if ((Offset + *PlatformTimerLength) > AcpiTableLength) { + // Validate Platform Timer Structure length + if ((*PlatformTimerLength =3D=3D 0) || + ((Offset + (*PlatformTimerLength)) > AcpiTableLength)) { IncrementErrorCount (); Print ( L"ERROR: Invalid Platform Timer Structure length. " \ - L"PlatformTimerLength =3D %d. RemainingTableBufferLength =3D %d.= " \ - L"GTDT parsing aborted.\n", + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", *PlatformTimerLength, - AcpiTableLength - Offset + Offset, + AcpiTableLength ); return; } diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/Iort= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortPa= rser.c index 9d5d937c7b2c19945ca2ad3eba644bdfc09cc3f6..9a006a01448b897865cd7cd8565= 1c816933acf05 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.= c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortPars +++ er.c @@ -1,7 +1,7 @@ /** @file IORT table parser =20 - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Reference(s): @@ -687,14 +687,16 @@ ParseAcpiIort ( return; } =20 - // Make sure the IORT Node is inside the table - if ((Offset + (*IortNodeLength)) > AcpiTableLength) { + // Validate IORT Node length + if ((*IortNodeLength =3D=3D 0) || + ((Offset + (*IortNodeLength)) > AcpiTableLength)) { IncrementErrorCount (); Print ( - L"ERROR: Invalid IORT node length. IortNodeLength =3D %d. " \ - L"RemainingTableBufferLength =3D %d. IORT parsing aborted.\n", + L"ERROR: Invalid IORT Node length. " \ + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", *IortNodeLength, - AcpiTableLength - Offset + Offset, + AcpiTableLength ); return; } 
diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/Madt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtPa= rser.c index 438905cb24f58b8b82e8fe61280e72f765d578d8..f85d2b36532cfc5db36fe7bef98= 30cccc64969cc 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.= c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtPars +++ er.c @@ -1,7 +1,7 @@ /** @file MADT table parser =20 - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Reference(s): @@ -273,28 +273,16 @@ ParseAcpiMadt ( return; } =20 - // Make sure forward progress is made. - if (*MadtInterruptControllerLength < 2) { + // Validate Interrupt Controller Structure length + if ((*MadtInterruptControllerLength =3D=3D 0) || + ((Offset + (*MadtInterruptControllerLength)) >=20 + AcpiTableLength)) { IncrementErrorCount (); Print ( - L"ERROR: Structure length is too small: " \ - L"MadtInterruptControllerLength =3D %d. " \ - L"MadtInterruptControllerType =3D %d. MADT parsing aborted.\n", + L"ERROR: Invalid Interrupt Controller Structure length. " \ + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", *MadtInterruptControllerLength, - *MadtInterruptControllerType - ); - return; - } - - // Make sure the MADT structure lies inside the table - if ((Offset + *MadtInterruptControllerLength) > AcpiTableLength) { - IncrementErrorCount (); - Print ( - L"ERROR: Invalid MADT structure length. " \ - L"MadtInterruptControllerLength =3D %d. " \ - L"RemainingTableBufferLength =3D %d. MADT parsing aborted.\n", - *MadtInterruptControllerLength, - AcpiTableLength - Offset + Offset, + AcpiTableLength ); return; } 
diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/Pptt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttPa= rser.c index 675ba75f02b367cd5ad9f2ac23c30ed0ab58f286..0db272c16af0ad8824c8da4c88d= d409c8550112a 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.= c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttPars +++ er.c @@ -1,7 +1,7 @@ /** @file PPTT table parser =20 - Copyright (c) 2019, ARM Limited. All rights reserved. + Copyright (c) 2019 - 2020, ARM Limited. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Reference(s): @@ -425,15 +425,16 @@ ParseAcpiPptt ( return; } =20 - // Make sure the PPTT structure lies inside the table - if ((Offset + *ProcessorTopologyStructureLength) > AcpiTableLength) { + // Validate Processor Topology Structure length + if ((*ProcessorTopologyStructureLength =3D=3D 0) || + ((Offset + (*ProcessorTopologyStructureLength)) >=20 + AcpiTableLength)) { IncrementErrorCount (); Print ( - L"ERROR: Invalid PPTT structure length. " \ - L"ProcessorTopologyStructureLength =3D %d. " \ - L"RemainingTableBufferLength =3D %d. PPTT parsing aborted.\n", + L"ERROR: Invalid Processor Topology Structure length. " \ + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", *ProcessorTopologyStructureLength, - AcpiTableLength - Offset + Offset, + AcpiTableLength ); return; } diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/Srat= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratPa= rser.c index 3613900ae322483fdd3d3383de4e22ba75b2128b..6f66be68cc0bed14811a0432c61= a79fd47c54890 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.= c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratPars +++ er.c 
@@ -1,7 +1,7 @@ /** @file SRAT table parser =20 - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Reference(s): @@ -412,14 +412,16 @@ ParseAcpiSrat ( return; } =20 - // Make sure the SRAT structure lies inside the table - if ((Offset + *SratRALength) > AcpiTableLength) { + // Validate Static Resource Allocation Structure length + if ((*SratRALength =3D=3D 0) || + ((Offset + (*SratRALength)) > AcpiTableLength)) { IncrementErrorCount (); Print ( - L"ERROR: Invalid SRAT structure length. SratRALength =3D %d. " \ - L"RemainingTableBufferLength =3D %d. SRAT parsing aborted.\n", + L"ERROR: Invalid Static Resource Allocation Structure length. " \ + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", *SratRALength, - AcpiTableLength - Offset + Offset, + AcpiTableLength ); return; } -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
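
Review bot: In the MadtParser.c hunk (@@ -273,28 +273,16 @@) the removed "forward progress" check rejected any `*MadtInterruptControllerLength < 2`, while the new condition only rejects 0, so a Length of 1 now passes validation whenever it fits inside the table. If the lower bound of 2 was there because a structure must at least cover its own Type and Length fields, keep it by testing `(*MadtInterruptControllerLength < 2) ||` instead of `== 0`. The new message also no longer prints `*MadtInterruptControllerType`, which the removed "too small" message did; keeping it would help locate the faulty entry.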
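
Review bot: In the Dbg2Parser.c hunk (@@ -282,15 +282,16 @@) the new error string drops "DBG2 parsing aborted." even though the branch still ends in `return;`, and the same wording is removed from the GTDT, IORT, MADT, PPTT and SRAT messages. The commit message says parsing of the faulting table stops, so the output should keep telling the user that; suggest appending the per-table "parsing aborted" sentence to the new "Length = %d. Offset = %d. AcpiTableLength = %d." format string.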
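
Review bot: In the GtdtParser.c hunk (@@ -327,15 +327,16 @@) the bounds test is still the sum `(Offset + (*PlatformTimerLength)) > AcpiTableLength`, and the same form is used in the other five parsers. The operand types are not visible in these hunks, so please confirm the addition cannot wrap; if that is not guaranteed, compare `*PlatformTimerLength > (AcpiTableLength - Offset)` instead, which reuses the subtraction the removed Print arguments already performed and needs only Offset <= AcpiTableLength at this point.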
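
The traversal the commit message describes, as an added example (not edk2 code and not part of the patch): a walker over a buffer of variable-size structures that stops on a Length too small to cover the structure header or too large for the bytes that remain. The names `walk_structs`, `WALK_*` and `HDR_SIZE`, the one-byte Type plus one-byte Length header, and the sample tables are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: every structure starts with Type (1 byte), Length (1 byte). */
#define HDR_SIZE 2u

enum walk_status { WALK_OK = 0, WALK_TRUNCATED_HEADER, WALK_BAD_LENGTH };

/* Walk buf[0..buf_len); *count = structures accepted, *bad_offset = first rejected one. */
static enum walk_status
walk_structs(const uint8_t *buf, size_t buf_len, size_t *count, size_t *bad_offset)
{
    size_t offset = 0;

    *count = 0;
    *bad_offset = 0;
    while (offset < buf_len) {
        size_t remaining = buf_len - offset;  /* cannot wrap: offset < buf_len */

        if (remaining < HDR_SIZE) {           /* the Length byte itself is out of bounds */
            *bad_offset = offset;
            return WALK_TRUNCATED_HEADER;
        }
        size_t length = buf[offset + 1];
        /* length == 0 would never advance offset (the infinite loop); length == 1
         * advances but does not cover the header. Comparing against 'remaining'
         * avoids computing offset + length, so nothing can overflow. */
        if (length < HDR_SIZE || length > remaining) {
            *bad_offset = offset;
            return WALK_BAD_LENGTH;
        }
        offset += length;
        (*count)++;
    }
    return WALK_OK;
}

/* Constructed sample tables (not real ACPI data). */
static const uint8_t good_table[]    = { 0x0B, 4, 0xAA, 0xBB, 0x0C, 2, 0x0D, 3, 0xCC };
/* Second structure left zero-filled, as in a partly populated zeroed buffer. */
static const uint8_t zero_table[]    = { 0x0B, 4, 0xAA, 0xBB, 0x00, 0, 0x00, 0x00 };
static const uint8_t overrun_table[] = { 0x0B, 4, 0xAA, 0xBB, 0x0C, 9, 0x00 };

int main(void)
{
    const struct { const char *name; const uint8_t *p; size_t len; } t[] = {
        { "good",    good_table,    sizeof good_table },
        { "zero",    zero_table,    sizeof zero_table },
        { "overrun", overrun_table, sizeof overrun_table },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        size_t n, bad;
        enum walk_status s = walk_structs(t[i].p, t[i].len, &n, &bad);
        printf("%-8s status=%d accepted=%zu bad_offset=%zu\n", t[i].name, (int)s, n, bad);
    }
    return 0;
}
```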