From: "Krzysztof Koch"
To: "devel@edk2.groups.io", Krzysztof Koch, "liming.gao@intel.com"
CC: "Ni, Ray", "Gao, Zhichao", Sami Mujawar, Matteo Carlini, nd
Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0
Date: Mon, 17 Feb 2020 15:39:18 +0000
References: <20200214135906.34344-1-krzysztof.koch@arm.com> <15F439D65D9DE013.5373@groups.io>
In-Reply-To: <15F439D65D9DE013.5373@groups.io>

Hi Liming,

The BZ is: https://bugzilla.tianocore.org/show_bug.cgi?id=2534

Please let me know if I should change something.

Kind regards,
Krzysztof

-----Original Message-----
From: devel@edk2.groups.io On Behalf Of Krzysztof Koch via Groups.Io
Sent: Monday, February 17, 2020 15:23
To: devel@edk2.groups.io; liming.gao@intel.com
Cc: Ni, Ray; Gao, Zhichao; Sami Mujawar; Matteo Carlini; nd
Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Hi Liming,

I haven't created a BZ yet, shall I create one? It would be great if the patch makes it to the stable tag.

Over the last few months I added some security features to acpiview. They make this debug tool less sensitive to exploits from ACPI tables. This patch completes my efforts in making the tool more reliable.

Kind regards,
Krzysztof

-----Original Message-----
From: devel@edk2.groups.io On Behalf Of Liming Gao via Groups.Io
Sent: Monday, February 17, 2020 15:11
To: devel@edk2.groups.io; Krzysztof Koch
Cc: Ni, Ray; Gao, Zhichao; Sami Mujawar; Matteo Carlini; nd
Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Krzysztof:
  Is there one BZ for this issue? Does this patch catch to this edk2 stable tag 202002?

Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Krzysztof Koch
> Sent: Friday, February 14, 2020 9:59 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray; Gao, Zhichao; Sami.Mujawar@arm.com; Matteo.Carlini@arm.com; nd@arm.com
> Subject: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0
>
> Extend validation of ACPI structure lengths which are read from the
> ACPI table being parsed. Additionally check if the structure 'Length'
> field value is positive. If not, stop parsing the faulting table.
>
> Some ACPI tables define internal structures of variable size. The
> 'Length' field inside the substructure is used to update a pointer
> used for table traversal. If the byte-length of the structure is equal
> to 0, acpiview can enter an infinite loop. This condition can occur
> if, for example, the zero-allocated ACPI table buffer is not fully populated.
> This is typically a bug on the ACPI table writer side.
>
> In short, this method helps acpiview recover gracefully from a
> zero-valued ACPI structure length.
>
> Signed-off-by: Krzysztof Koch
> ---
>
> Changes can be seen at:
> https://github.com/KrzysztofKoch1/edk2/tree/612_acpiview_prevent_inf_loops_v1
>
> Notes:
>     v1:
>     - prevent infinite loops in acpiview parsers [Krzysztof]
>
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c | 15 ++++++-----
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c | 13 ++++-----
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c | 14 +++++-----
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 28 ++++++--------------
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 15 ++++++-----
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 14 +++++-----
>  6 files changed, 47 insertions(+), 52 deletions(-)
>
> diff --git > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser > .c > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser > .c index > 0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c243e > d78b9f12ee97 100644 > --- > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser > .c > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pa > +++ rser.c > @@ -1,7 +1,7 @@ > /** @file > DBG2 table parser >=20 > - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. > + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @par Reference(s): > @@ -282,15 +282,16 @@ ParseAcpiDbg2 ( > return; > } >=20 > - // Make sure the Debug Device Information structure lies inside the= table. > - if ((Offset + *DbgDevInfoLen) > AcpiTableLength) { > + // Validate Debug Device Information Structure length > + if ((*DbgDevInfoLen =3D=3D 0) || > + ((Offset + (*DbgDevInfoLen)) > AcpiTableLength)) { > IncrementErrorCount (); > Print ( > - L"ERROR: Invalid Debug Device Information structure length. " \ > - L"DbgDevInfoLen =3D %d. RemainingTableBufferLength =3D %d. " = \ > - L"DBG2 parsing aborted.\n", > + L"ERROR: Invalid Debug Device Information Structure length. " \ > + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", > *DbgDevInfoLen, > - AcpiTableLength - Offset > + Offset, > + AcpiTableLength > ); > return; > } > diff --git > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser > .c > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser > .c index > 699a55b549ec3fa61bbd156898821055dc019199..bdd30ff45c61142c071ead63a27b > abab8998721b 100644 > --- > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser > .c > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtPa > +++ rser.c 
> @@ -1,7 +1,7 @@ > /** @file > GTDT table parser >=20 > - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. > + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @par Reference(s): > @@ -327,15 +327,16 @@ ParseAcpiGtdt ( > return; > } >=20 > - // Make sure the Platform Timer is inside the table. > - if ((Offset + *PlatformTimerLength) > AcpiTableLength) { > + // Validate Platform Timer Structure length > + if ((*PlatformTimerLength =3D=3D 0) || > + ((Offset + (*PlatformTimerLength)) > AcpiTableLength)) { > IncrementErrorCount (); > Print ( > L"ERROR: Invalid Platform Timer Structure length. " \ > - L"PlatformTimerLength =3D %d. RemainingTableBufferLength =3D = %d. " \ > - L"GTDT parsing aborted.\n", > + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", > *PlatformTimerLength, > - AcpiTableLength - Offset > + Offset, > + AcpiTableLength > ); > return; > } > diff --git > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser > .c > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser > .c index > 9d5d937c7b2c19945ca2ad3eba644bdfc09cc3f6..9a006a01448b897865cd7cd85651 > c816933acf05 100644 > --- > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser > .c > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortPa > +++ rser.c > @@ -1,7 +1,7 @@ > /** @file > IORT table parser >=20 > - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. > + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @par Reference(s): 
> @@ -687,14 +687,16 @@ ParseAcpiIort ( > return; > } >=20 > - // Make sure the IORT Node is inside the table > - if ((Offset + (*IortNodeLength)) > AcpiTableLength) { > + // Validate IORT Node length > + if ((*IortNodeLength =3D=3D 0) || > + ((Offset + (*IortNodeLength)) > AcpiTableLength)) { > IncrementErrorCount (); > Print ( > - L"ERROR: Invalid IORT node length. IortNodeLength =3D %d. " \ > - L"RemainingTableBufferLength =3D %d. IORT parsing aborted.\n"= , > + L"ERROR: Invalid IORT Node length. " \ > + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", > *IortNodeLength, > - AcpiTableLength - Offset > + Offset, > + AcpiTableLength > ); > return; > } > diff --git > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser > .c > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser > .c index > 438905cb24f58b8b82e8fe61280e72f765d578d8..f85d2b36532cfc5db36fe7bef983 > 0cccc64969cc 100644 > --- > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser > .c > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtPa > +++ rser.c > @@ -1,7 +1,7 @@ > /** @file > MADT table parser >=20 > - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. > + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @par Reference(s): 
> @@ -273,28 +273,16 @@ ParseAcpiMadt ( > return; > } >=20 > - // Make sure forward progress is made. > - if (*MadtInterruptControllerLength < 2) { > + // Validate Interrupt Controller Structure length > + if ((*MadtInterruptControllerLength =3D=3D 0) || > + ((Offset + (*MadtInterruptControllerLength)) > > + AcpiTableLength)) { > IncrementErrorCount (); > Print ( > - L"ERROR: Structure length is too small: " \ > - L"MadtInterruptControllerLength =3D %d. " \ > - L"MadtInterruptControllerType =3D %d. MADT parsing aborted.\n= ", > + L"ERROR: Invalid Interrupt Controller Structure length. " \ > + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", > *MadtInterruptControllerLength, > - *MadtInterruptControllerType > - ); > - return; > - } > - > - // Make sure the MADT structure lies inside the table > - if ((Offset + *MadtInterruptControllerLength) > AcpiTableLength) { > - IncrementErrorCount (); > - Print ( > - L"ERROR: Invalid MADT structure length. " \ > - L"MadtInterruptControllerLength =3D %d. " \ > - L"RemainingTableBufferLength =3D %d. MADT parsing aborted.\n"= , > - *MadtInterruptControllerLength, > - AcpiTableLength - Offset > + Offset, > + AcpiTableLength > ); > return; > } > diff --git > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser > .c > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser > .c index > 675ba75f02b367cd5ad9f2ac23c30ed0ab58f286..0db272c16af0ad8824c8da4c88dd > 409c8550112a 100644 > --- > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser > .c > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttPa > +++ rser.c > @@ -1,7 +1,7 @@ > /** @file > PPTT table parser >=20 > - Copyright (c) 2019, ARM Limited. All rights reserved. > + Copyright (c) 2019 - 2020, ARM Limited. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @par Reference(s): 
> @@ -425,15 +425,16 @@ ParseAcpiPptt ( > return; > } >=20 > - // Make sure the PPTT structure lies inside the table > - if ((Offset + *ProcessorTopologyStructureLength) > AcpiTableLength)= { > + // Validate Processor Topology Structure length > + if ((*ProcessorTopologyStructureLength =3D=3D 0) || > + ((Offset + (*ProcessorTopologyStructureLength)) > > + AcpiTableLength)) { > IncrementErrorCount (); > Print ( > - L"ERROR: Invalid PPTT structure length. " \ > - L"ProcessorTopologyStructureLength =3D %d. " \ > - L"RemainingTableBufferLength =3D %d. PPTT parsing aborted.\n"= , > + L"ERROR: Invalid Processor Topology Structure length. " \ > + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", > *ProcessorTopologyStructureLength, > - AcpiTableLength - Offset > + Offset, > + AcpiTableLength > ); > return; > } > diff --git > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser > .c > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser > .c index > 3613900ae322483fdd3d3383de4e22ba75b2128b..6f66be68cc0bed14811a0432c61a > 79fd47c54890 100644 > --- > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser > .c > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratPa > +++ rser.c > @@ -1,7 +1,7 @@ > /** @file > SRAT table parser >=20 > - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. > + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @par Reference(s): 
> @@ -412,14 +412,16 @@ ParseAcpiSrat ( > return; > } >=20 > - // Make sure the SRAT structure lies inside the table > - if ((Offset + *SratRALength) > AcpiTableLength) { > + // Validate Static Resource Allocation Structure length > + if ((*SratRALength =3D=3D 0) || > + ((Offset + (*SratRALength)) > AcpiTableLength)) { > IncrementErrorCount (); > Print ( > - L"ERROR: Invalid SRAT structure length. SratRALength =3D %d. " = \ > - L"RemainingTableBufferLength =3D %d. SRAT parsing aborted.\n"= , > + L"ERROR: Invalid Static Resource Allocation Structure length. "= \ > + L"Length =3D %d. Offset =3D %d. AcpiTableLength =3D %d.\n", > *SratRALength, > - AcpiTableLength - Offset > + Offset, > + AcpiTableLength > ); > return; > } > -- > 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)' >=20 >=20 >=20
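
Review bot: The reworded error in the Dbg2Parser.c hunk (@@ -282,15 +282,16 @@) no longer says that parsing stops, although the branch still ends in "return;". The removed text "DBG2 parsing aborted." told the reader that the rest of the dump is missing because of this error; consider keeping that sentence after the new "Length = %d. Offset = %d. AcpiTableLength = %d." part.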
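
Review bot: In the GtdtParser.c hunk (@@ -327,15 +327,16 @@) the bound is still tested as "(Offset + (*PlatformTimerLength)) > AcpiTableLength", and the declarations of Offset and PlatformTimerLength are outside the visible lines. If that sum can wrap in the type it is evaluated in, a large Length passes the test. The removed Print call already computed "AcpiTableLength - Offset"; comparing the length against that difference gives the same check without an addition that can overflow.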
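
Review bot: The MadtParser.c hunk (@@ -273,28 +273,16 @@) weakens an existing check: the removed forward-progress test rejected "*MadtInterruptControllerLength < 2", while the new condition only rejects "== 0", so a Length of 1 that used to abort parsing is now accepted and the walk advances by a single byte. Suggest keeping the lower bound at 2 inside the merged condition. The new message also stops printing MadtInterruptControllerType, which was the only hint about which structure carried the bad length.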
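
Review bot: The SratParser.c hunk (@@ -412,14 +412,16 @@) is the sixth copy in this patch of the same "Length == 0 || Offset + Length > AcpiTableLength" test and the same three-value Print, differing only in the length variable and the structure name. A shared helper or macro taking the length, Offset, AcpiTableLength and a name string would keep the parsers from drifting apart again, as the MADT parser had with its separate "< 2" check.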
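
The traversal problem described in the commit message, as an added stand-alone example (not code from the patch or from edk2). It goes one step beyond the patch by also requiring the length to cover the substructure header and by comparing against the remaining bytes. The 1-byte Type / 1-byte Length layout, the function names and the sample tables are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (constructed for this example): every substructure starts
 * with a 1-byte Type and a 1-byte Length that includes this header. */
#define SUB_HEADER_SIZE 2u

typedef enum { WALK_OK, WALK_BAD_LENGTH, WALK_TRUNCATED } walk_status;
typedef struct { walk_status status; unsigned count; } walk_result;

/* Constructed sample tables, not taken from real firmware. */
const uint8_t GOOD_TABLE[12] = { 0x00, 0x08, 1, 2, 3, 4, 5, 6,   /* Length 8 */
                                 0x01, 0x04, 7, 8 };             /* Length 4 */
/* One valid structure; the rest of the zero-allocated buffer was never filled. */
const uint8_t ZERO_TAIL_TABLE[16] = { 0x00, 0x08, 1, 2, 3, 4, 5, 6 };
/* Length 1: non-zero, but smaller than the header it is read from. */
const uint8_t SHORT_LEN_TABLE[4] = { 0x00, 0x01, 0x00, 0x01 };

/* Bounds test only, as the parsers did before the patch. max_steps exists
 * solely so the demonstration terminates; returns the iterations performed. */
unsigned walk_bounds_only(const uint8_t *t, size_t len, unsigned max_steps)
{
    size_t offset = 0;
    unsigned steps = 0;
    while (len - offset >= SUB_HEADER_SIZE && steps < max_steps) {
        size_t sub_len = t[offset + 1];
        if (offset + sub_len > len) break;
        offset += sub_len;              /* sub_len == 0: offset never moves */
        steps++;
    }
    return steps;
}

/* Hardened walk: Length must cover the header and fit in what is left.
 * Comparing with (len - offset) avoids any wrap in offset + sub_len. */
walk_result walk_checked(const uint8_t *t, size_t len)
{
    walk_result r = { WALK_OK, 0 };
    size_t offset = 0;
    while (offset < len) {
        size_t remaining = len - offset;
        if (remaining < SUB_HEADER_SIZE) { r.status = WALK_TRUNCATED; break; }
        size_t sub_len = t[offset + 1];
        if (sub_len < SUB_HEADER_SIZE || sub_len > remaining) {
            r.status = WALK_BAD_LENGTH;  /* stop parsing the faulting table */
            break;
        }
        r.count++;
        offset += sub_len;
    }
    return r;
}

int main(void)
{
    walk_result z = walk_checked(ZERO_TAIL_TABLE, sizeof ZERO_TAIL_TABLE);
    walk_result s = walk_checked(SHORT_LEN_TABLE, sizeof SHORT_LEN_TABLE);
    printf("bounds-only iterations on zero tail (cap 1000): %u\n",
           walk_bounds_only(ZERO_TAIL_TABLE, sizeof ZERO_TAIL_TABLE, 1000));
    printf("checked: zero tail status=%d count=%u, short length status=%d\n",
           (int)z.status, z.count, (int)s.status);
    return 0;
}
```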