From: "Wang, Jian J"
To: "Bi, Dandan", "devel@edk2.groups.io"
CC: "Gao, Liming", "Dong, Eric"
Subject: Re: [patch] MdeModulePkg/HiiDB: Remove configuration table when it's freed (CVE-2019-14586)
Date: Thu, 13 Feb 2020 04:05:24 +0000
References: <20200213040303.53336-1-dandan.bi@intel.com>
In-Reply-To: <20200213040303.53336-1-dandan.bi@intel.com>

Reviewed-by: Jian J Wang

Regards,
Jian

> -----Original Message-----
> From: Bi, Dandan
> Sent: Thursday, February 13, 2020 12:03 PM
> To: devel@edk2.groups.io
> Cc: Gao, Liming; Dong, Eric;
> Wang, Jian J
> Subject: [patch] MdeModulePkg/HiiDB: Remove configuration table when it's
> freed (CVE-2019-14586)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1995
>
> Fix the corner case issue that the original configuration runtime
> memory is freed, but it is still exposed to the OS runtime.
> So this patch is to remove the configuration table to avoid being
> used in OS runtime when the configuration runtime memory is freed.
>
> Cc: Liming Gao
> Cc: Eric Dong
> Cc: Jian J Wang
> Signed-off-by: Dandan Bi
> Reviewed-by: Eric Dong
> ---
> MdeModulePkg/Universal/HiiDatabaseDxe/Database.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > index d3791ca68b..36265b8ff9 100644 > --- a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c > @@ -3374,10 +3374,14 @@ HiiGetConfigRespInfo( > } > gRTConfigRespBuffer =3D (EFI_STRING) AllocateRuntimeZeroPool > (gConfigRespSize); > if (gRTConfigRespBuffer =3D=3D NULL){ > FreePool(ConfigAltResp); > DEBUG ((DEBUG_ERROR, "[HiiDatabase]: No enough memory resource t= o > store the ConfigResp string.\n")); > + // > + // Remove from the System Table when the configuration runtime b= uffer is > freed. > + // > + gBS->InstallConfigurationTable (&gEfiHiiConfigRoutingProtocolGui= d, > NULL); > return EFI_OUT_OF_RESOURCES; > } > } else { > ZeroMem(gRTConfigRespBuffer,gConfigRespSize); > } 
> @@ -3429,10 +3433,14 @@ HiiGetDatabaseInfo( > DEBUG ((DEBUG_WARN, "[HiiDatabase]: Memory allocation is required > after ReadyToBoot, which may change memory map and cause S4 resume > issue.\n")); > } > gRTDatabaseInfoBuffer =3D AllocateRuntimeZeroPool (gDatabaseInfoSize= ); > if (gRTDatabaseInfoBuffer =3D=3D NULL){ > DEBUG ((DEBUG_ERROR, "[HiiDatabase]: No enough memory resource to > store the HiiDatabase info.\n")); > + // > + // Remove from the System Table when the configuration runtime buf= fer is > freed. > + // > + gBS->InstallConfigurationTable (&gEfiHiiDatabaseProtocolGuid, NULL= ); > return EFI_OUT_OF_RESOURCES; > } > } else { > ZeroMem(gRTDatabaseInfoBuffer,gDatabaseInfoSize); > } > -- > 2.18.0.windows.1
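
Review bot: The return status of the added gBS->InstallConfigurationTable (&gEfiHiiConfigRoutingProtocolGuid, NULL) call in the HiiGetConfigRespInfo allocation-failure branch is discarded. Per the UEFI specification, deleting an entry that was never installed returns EFI_NOT_FOUND, which is expected when the very first allocation fails, but any other error would leave the entry published while the function returns EFI_OUT_OF_RESOURCES, which is the exposure this patch is meant to close. Suggest capturing the status, treating EFI_NOT_FOUND as benign, and reporting anything else with DEBUG_ERROR. The new comment says the buffer "is freed", yet no free of gRTConfigRespBuffer is visible in this hunk; it would help to state that the previous buffer was released before this allocation attempt.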
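
Review bot: The comment added in the HiiGetDatabaseInfo failure branch is copied from the ConfigResp hunk and still says "configuration runtime buffer", but the buffer handled here is gRTDatabaseInfoBuffer; please reword it to name the HII database info buffer. In the same branch, the early return leaves gRTDatabaseInfoBuffer NULL while gDatabaseInfoSize keeps the value that was passed to AllocateRuntimeZeroPool. The condition that selects between this branch and the else branch is outside the hunk, so please confirm that a later call cannot reach ZeroMem(gRTDatabaseInfoBuffer,gDatabaseInfoSize) with a NULL buffer, or reset the size on this path.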