From: "Ni, Ray" <ray.ni@intel.com>
To: devel@edk2.groups.io, kuqin12@gmail.com
CC: "Dong, Eric", Laszlo Ersek, "Kumar, Rahul1"
Subject: Re: [edk2-devel] [PATCH v1 1/1] UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
Date: Fri, 2 Apr 2021 06:21:42 +0000
References: <20210326234142.1973-1-kuqin12@gmail.com> <20210326234142.1973-2-kuqin12@gmail.com>
In-Reply-To: <20210326234142.1973-2-kuqin12@gmail.com>

Reviewed-by: Ray Ni

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Kun Qin
> Sent: Saturday, March 27, 2021 7:42 AM
> To: devel@edk2.groups.io
> Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1
> Subject: [edk2-devel] [PATCH v1 1/1] UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283
>
> Current SMM Save State routine does not check the number of bytes to be
> read, when it comes to read IO_INFO, before casting the incoming buffer
> to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory
> corruption due to extra bytes being written out of the buffer boundary.
>
> This change adds a width check before copying IoInfo into the output buffer.
>
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Laszlo Ersek
> Cc: Rahul Kumar
>
> Signed-off-by: Kun Qin
> ---
> UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
> index 661cc51f361a..ec760e4c37ca 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
> @@ -418,6 +418,13 @@ ReadSaveStateRegister ( > return EFI_NOT_FOUND; > } >=20 > + // > + // Make sure the incoming buffer is large enough to hold IoInfo bef= ore accessing > + // > + if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) { > + return EFI_INVALID_PARAMETER; > + } > + > // > // Zero the IoInfo structure that will be returned in Buffer > // > -- > 2.31.0.windows.1 >=20 >=20 >=20 >=20 >=20
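Review bot: the guard at the top of the hunk returns EFI_INVALID_PARAMETER when Width is smaller than EFI_SMM_SAVE_STATE_IO_INFO, but the diffstat lists these 7 insertions as the only change, so the function's doc comment is untouched and callers of the save-state read path get no documented hint that an undersized buffer is now rejected with that status; please add a matching @retval entry. It is also worth stating in the inline comment whether a Width larger than sizeof (EFI_SMM_SAVE_STATE_IO_INFO) is accepted on purpose (only the structure's bytes are then filled), since the check is `<` rather than `!=`.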
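Added example, not part of the patch and not EDK II code: a reduced C model of the failure the commit message describes and of the width check the hunk adds. The EFI_STATUS values, the SAVE_STATE_IO_INFO layout, and the functions ReadIoInfoUnchecked, ReadIoInfoChecked, RunScenario and ScenarioStatus are all constructed stand-ins; the only thing taken from the patch is the shape of the `Width < sizeof (...)` check. A caller hands the reader a 4-byte buffer that sits inside a canary-filled frame: the unchecked reader copies the whole structure and the canary is clobbered, while the checked reader returns EFI_INVALID_PARAMETER and leaves the frame untouched.

```c
/*
 * Added example (not EDK II code): reduced model of the IO_INFO path in
 * ReadSaveStateRegister. EFI_STATUS values and the structure layout are
 * constructed stand-ins; only the shape of the width check mirrors the patch.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long EFI_STATUS;
#define EFI_SUCCESS            0UL
#define EFI_INVALID_PARAMETER  2UL   /* constructed; real EDK II also sets the high bit */
#define FRAME_SIZE             32    /* size of the caller-side test frame */

/* Constructed stand-in for EFI_SMM_SAVE_STATE_IO_INFO; the real layout differs. */
typedef struct {
  uint64_t IoData;
  uint16_t IoPort;
  uint8_t  IoWidth;
  uint8_t  IoType;
} SAVE_STATE_IO_INFO;

typedef EFI_STATUS (*IO_INFO_READER)(uintptr_t Width, void *Buffer);

/* "Before": Width is never consulted, so a full structure is written into
 * Buffer even when the caller only owns a few bytes there. */
EFI_STATUS
ReadIoInfoUnchecked (uintptr_t Width, void *Buffer)
{
  SAVE_STATE_IO_INFO IoInfo;

  (void)Width;
  memset (&IoInfo, 0, sizeof (IoInfo));
  IoInfo.IoPort  = 0x80;      /* constructed sample register contents */
  IoInfo.IoWidth = 1;
  IoInfo.IoType  = 0;
  IoInfo.IoData  = 0x11;
  memcpy (Buffer, &IoInfo, sizeof (IoInfo));   /* sizeof (IoInfo) bytes, whatever Width was */
  return EFI_SUCCESS;
}

/* "After", mirroring the patch: refuse a Width that cannot hold the structure
 * before anything is written, so the copy can never cross the buffer end. */
EFI_STATUS
ReadIoInfoChecked (uintptr_t Width, void *Buffer)
{
  if (Width < sizeof (SAVE_STATE_IO_INFO)) {
    return EFI_INVALID_PARAMETER;
  }
  return ReadIoInfoUnchecked (Width, Buffer);
}

/* Caller side: the first Width bytes of a FRAME_SIZE frame are the buffer
 * handed to Reader; the rest is a 0xC5 canary. Returns 1 if the canary is
 * intact afterwards, 0 if Reader wrote past Width (or Width is misused). */
int
RunScenario (IO_INFO_READER Reader, uintptr_t Width, EFI_STATUS *StatusOut)
{
  uint8_t    Frame[FRAME_SIZE];
  EFI_STATUS Status;
  size_t     i;

  if (Width > FRAME_SIZE) {
    return 0;
  }
  memset (Frame, 0xC5, sizeof (Frame));
  memset (Frame, 0x00, Width);
  Status = Reader (Width, Frame);
  if (StatusOut != NULL) {
    *StatusOut = Status;
  }
  for (i = Width; i < sizeof (Frame); i++) {
    if (Frame[i] != 0xC5) {
      return 0;
    }
  }
  return 1;
}

/* Convenience: the status Reader returned for a given Width. */
EFI_STATUS
ScenarioStatus (IO_INFO_READER Reader, uintptr_t Width)
{
  EFI_STATUS Status = EFI_SUCCESS;
  (void)RunScenario (Reader, Width, &Status);
  return Status;
}

int
main (void)
{
  uintptr_t Widths[] = { 4, sizeof (SAVE_STATE_IO_INFO), FRAME_SIZE };
  size_t    i;

  for (i = 0; i < sizeof (Widths) / sizeof (Widths[0]); i++) {
    printf ("Width=%2lu unchecked: canary %s (status %lu) | checked: canary %s (status %lu)\n",
            (unsigned long)Widths[i],
            RunScenario (ReadIoInfoUnchecked, Widths[i], NULL) ? "intact" : "CLOBBERED",
            (unsigned long)ScenarioStatus (ReadIoInfoUnchecked, Widths[i]),
            RunScenario (ReadIoInfoChecked, Widths[i], NULL) ? "intact" : "CLOBBERED",
            (unsigned long)ScenarioStatus (ReadIoInfoChecked, Widths[i]));
  }
  return 0;
}
```

Build with any C compiler and run; main exercises an undersized, an exactly-sized and an oversized Width. The last case shows that a `<` guard (as in the patch) accepts a larger buffer and fills only the structure's bytes, which is the behaviour a caller should expect once it is documented.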