From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (NAM11-DM6-obe.outbound.protection.outlook.com [40.92.19.37])
 by mx.groups.io with SMTP id smtpd.web10.2276.1586401369338527311
 for <devel@edk2.groups.io>;
 Wed, 08 Apr 2020 20:02:49 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@outlook.com header.s=selector1 header.b=vJRxL+xz;
 spf=pass (domain: outlook.com, ip: 40.92.19.37, mailfrom: michael.kubacki@outlook.com)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=g49Y8p3HZGQ6UjUFMEmDHNZEhRaP2XNYAdvlb6WMz9+p/1PqPBhdPsmxLvvlI4CK2apSqnTJfF+GP8tsEzyMEy8z5w6K6avr/5N7T52gQnW0c8Z5wE5vv+AYFxLdpuZjK1hjmBfRNXGUDQQp6U/+PgejMVa7D9ltblSMHZ2vPKCgz7eKEa5VvJB4Rqghm2SdSWlL9SHhh4WAVP1Y8fGswhxoj6s5oyBVH5NWFJaFCKzlY0fdAEKIH9rqVozm7PhpJAsWvgvYwN8pDkIfOSGN9+LMBmHgIFyeNsUGxkxsQrGWlfiHR5o2xYK4nqkj+U2LDlXNMRyy6ECmD9wV6IEfgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=/L9d4TmeiprrOqu7rJyl0eKdADKYJU+UvA1eDesdi6c=;
 b=a64Yv1vFHMkJ4YvnoShXJB7iHfI42JZFukxoqk/tNAurSPJlKK70947MmxscAqEIr6Uu//SyZ5OhXkwkxnujTH5yDawCVJwlPoiO1Q8SGqaBgSEpEO8lvw07hpJ6z0/dY2Uw8TvRIfRQcqtacAAAR8FANLEj9Da5UbkQGM3V7zkGuB//rQuDMsWYHk3OVUs1A0zhat9duXpMBXBxuT6q8ZF8EydkTQcF2nUVfQGEthV1dBR1hOc5067rdxbnFVqr3OF82khfxf0QOIqmZfE4JE0vshkf0UdMS0bZklhBR0d9sY9R+beQ6coQ05REKF6emgRVck1LPnwMQCx/eGuUiQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=outlook.com; dmarc=pass action=none header.from=outlook.com;
 dkim=pass header.d=outlook.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=/L9d4TmeiprrOqu7rJyl0eKdADKYJU+UvA1eDesdi6c=;
 b=vJRxL+xzTNd6tGUTbxKvsFGKipco3Dm6XSjC9WGRzf1EupWTr0cfv2e6HPIs5Xhrdl6nSVO3GbfDXM4E4Hf43X23x2OSIepcKVLlyzdXr6Fw3mVknEu3v2eKWyYU8Vq8v9FVN3mkiguHACci0OqrDXZ5RIVHgk2Cu02RjkZJSehgG+ZQ1RvRwIITlGXo3/FyfNEQ5QNaKftdlkhLdfzfBLQc45D9TCL6m9Of4rW6/pkpJ/HVntPlpgkHczSxQkAwFWoU7/+pX7+I9KH4hHSB5YDrJ/pvT/5OPTuEmX022yBF082IGhf6F6eF3NKHog3eIov1Z78NT2wbnKbqaGdUcw==
Received: from CO1NAM11FT058.eop-nam11.prod.protection.outlook.com
 (2a01:111:e400:3861::52) by
 CO1NAM11HT164.eop-nam11.prod.protection.outlook.com (2a01:111:e400:3861::301)
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.15; Thu, 9 Apr
 2020 03:02:48 +0000
Received: from MWHPR07MB3440.namprd07.prod.outlook.com
 (2a01:111:e400:3861::40) by CO1NAM11FT058.mail.protection.outlook.com
 (2a01:111:e400:3861::164) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.15 via Frontend
 Transport; Thu, 9 Apr 2020 03:02:48 +0000
X-IncomingTopHeaderMarker: 
 OriginalChecksum:D24AF5C5E4B4252C5D8ECDCC66C7D69445B4A71E9BC3DC4A258E65AEBF96CE3D;UpperCasedChecksum:0CC25A0DA3668788FD5E0807E06855B4F0CAAA511887862E7738E0AA3BB5F539;SizeAsReceived:7639;Count:47
Received: from MWHPR07MB3440.namprd07.prod.outlook.com
 ([fe80::f5a7:e51b:e22a:959f]) by MWHPR07MB3440.namprd07.prod.outlook.com
 ([fe80::f5a7:e51b:e22a:959f%7]) with mapi id 15.20.2878.022; Thu, 9 Apr 2020
 03:02:47 +0000
From: "Michael Kubacki" <michael.kubacki@outlook.com>
To: devel@edk2.groups.io
Cc: Siyuan Fu <siyuan.fu@intel.com>,
	Maciej Rabeda <maciej.rabeda@linux.intel.com>,
	Jiaxin Wu <jiaxin.wu@intel.com>
Subject: [PATCH v1 1/1] NetworkPkg/SnpDxe: Prevent invalid PCI BAR access
Date: Wed,  8 Apr 2020 20:02:05 -0700
Message-ID: 
 <MWHPR07MB34402BD8F4D421DF24B53947E9C10@MWHPR07MB3440.namprd07.prod.outlook.com>
X-Mailer: git-send-email 2.16.3.windows.1
X-ClientProxiedBy: MWHPR18CA0031.namprd18.prod.outlook.com
 (2603:10b6:320:31::17) To MWHPR07MB3440.namprd07.prod.outlook.com
 (2603:10b6:301:69::28)
Return-Path: michael.kubacki@outlook.com
X-Microsoft-Original-Message-ID: 
 <20200409030205.55604-1-michael.kubacki@outlook.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost.localdomain (2001:4898:80e8:2:39dc:c1e2:e5d5:ace1) by MWHPR18CA0031.namprd18.prod.outlook.com (2603:10b6:320:31::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.17 via Frontend Transport; Thu, 9 Apr 2020 03:02:47 +0000
X-Mailer: git-send-email 2.16.3.windows.1
X-Microsoft-Original-Message-ID: 
 <20200409030205.55604-1-michael.kubacki@outlook.com>
X-TMN: [HJQPYCtiIkPrMnNLiTOtbelvrSSxPdXV4EPF+aDMp5FCHfv7pj229sjirO89AQDu]
X-MS-PublicTrafficType: Email
X-IncomingHeaderCount: 47
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-Correlation-Id: b155d556-108f-40e6-bd0e-08d7dc327b5d
X-MS-TrafficTypeDiagnostic: CO1NAM11HT164:
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	AG1VKZEUuVDgyGQEcNoPUzfYTqi10iLVhcUFVCp09KFQOIf0c+oFlEt2AmqmfiLFg25R064/I5YDpwRgFYAd9KpBBav9sZxCob6iCJsbQkRfSyZ5M5O0HDTuWRUk6GMM5m5XWYg/lJUI0L2R1UkvZKr0lMIuzpoSKETkdVv1YpgTa4tR8NSnXNUjdEZthVuxZlwWqfkkd6r482cPWOxgMBtiE6y4gmaGGlVBQYA3MFk=
X-Forefront-Antispam-Report: 
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:0;SRV:;IPV:NLI;SFV:NSPM;H:MWHPR07MB3440.namprd07.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:;DIR:OUT;SFP:1901;
X-MS-Exchange-AntiSpam-MessageData: 
	59iIQlaI0Y9KWTvDF+8xTY2AVbPCcKAijUfvmpI8EgqeZtC1L3DpfEVRVYvmtRBeJINL6H3h2oZBSghIWMJwu735HLG/Ha6FGsed5Hqu30XxbSCJfGOsJ803RCQkkWKB4KCYGBAaiUrsSleTdnxDZu8WSi/ldWDnvFGB7yYFWLnrYmYzuTrwTyOXS6EC0hISr3Qm15VI+dNG1Fr8FEObDQ==
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b155d556-108f-40e6-bd0e-08d7dc327b5d
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Apr 2020 03:02:47.6817
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 
	00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1NAM11HT164
Content-Type: text/plain

From: Michael Kubacki <michael.kubacki@microsoft.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1563

SnpDxe initializes values for MemoryBarIndex and IoBarIndex to 0 and 1
respectively even if calls to PciIo->GetBarAttributes never return
success.

Later, if the BAR is used to perform IO/Mem reads/writes, a potentially
non-existent BAR index may be accessed. This change initializes the values
to an invalid BAR index (PCI_MAX_BAR) so the condition can be explicitly
checked to avoid an invalid BAR access.

Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
 NetworkPkg/SnpDxe/Callback.c | 77 ++++++++++++--------
 NetworkPkg/SnpDxe/Snp.c      |  5 +-
 2 files changed, 48 insertions(+), 34 deletions(-)

diff --git a/NetworkPkg/SnpDxe/Callback.c b/NetworkPkg/SnpDxe/Callback.c
index 0c0b81fdca8e..99b7fd3ef835 100644
--- a/NetworkPkg/SnpDxe/Callback.c
+++ b/NetworkPkg/SnpDxe/Callback.c
@@ -4,6 +4,7 @@
   stores the interface context for the NIC that snp is trying to talk.
 
 Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -115,47 +116,59 @@ SnpUndi32CallbackMemio (
 
   switch (ReadOrWrite) {
   case PXE_IO_READ:
-    Snp->PciIo->Io.Read (
-                     Snp->PciIo,
-                     Width,
-                     Snp->IoBarIndex,      // BAR 1 (for 32bit regs), IO base address
-                     MemOrPortAddr,
-                     1,                    // count
-                     (VOID *) (UINTN) BufferPtr
-                     );
+    ASSERT (Snp->IoBarIndex < PCI_MAX_BAR);
+    if (Snp->IoBarIndex < PCI_MAX_BAR) {
+      Snp->PciIo->Io.Read (
+                       Snp->PciIo,
+                       Width,
+                       Snp->IoBarIndex,      // BAR 1 (for 32bit regs), IO base address
+                       MemOrPortAddr,
+                       1,                    // count
+                       (VOID *) (UINTN) BufferPtr
+                       );
+    }
     break;
 
   case PXE_IO_WRITE:
-    Snp->PciIo->Io.Write (
-                     Snp->PciIo,
-                     Width,
-                     Snp->IoBarIndex,      // BAR 1 (for 32bit regs), IO base address
-                     MemOrPortAddr,
-                     1,                    // count
-                     (VOID *) (UINTN) BufferPtr
-                     );
+    ASSERT (Snp->IoBarIndex < PCI_MAX_BAR);
+    if (Snp->IoBarIndex < PCI_MAX_BAR) {
+      Snp->PciIo->Io.Write (
+                       Snp->PciIo,
+                       Width,
+                       Snp->IoBarIndex,      // BAR 1 (for 32bit regs), IO base address
+                       MemOrPortAddr,
+                       1,                    // count
+                       (VOID *) (UINTN) BufferPtr
+                       );
+    }
     break;
 
   case PXE_MEM_READ:
-    Snp->PciIo->Mem.Read (
-                      Snp->PciIo,
-                      Width,
-                      Snp->MemoryBarIndex,  // BAR 0, Memory base address
-                      MemOrPortAddr,
-                      1,                    // count
-                      (VOID *) (UINTN) BufferPtr
-                      );
+    ASSERT (Snp->MemoryBarIndex < PCI_MAX_BAR);
+    if (Snp->MemoryBarIndex < PCI_MAX_BAR) {
+      Snp->PciIo->Mem.Read (
+                        Snp->PciIo,
+                        Width,
+                        Snp->MemoryBarIndex,  // BAR 0, Memory base address
+                        MemOrPortAddr,
+                        1,                    // count
+                        (VOID *) (UINTN) BufferPtr
+                        );
+    }
     break;
 
   case PXE_MEM_WRITE:
-    Snp->PciIo->Mem.Write (
-                      Snp->PciIo,
-                      Width,
-                      Snp->MemoryBarIndex,  // BAR 0, Memory base address
-                      MemOrPortAddr,
-                      1,                    // count
-                      (VOID *) (UINTN) BufferPtr
-                      );
+    ASSERT (Snp->MemoryBarIndex < PCI_MAX_BAR);
+    if (Snp->MemoryBarIndex < PCI_MAX_BAR) {
+      Snp->PciIo->Mem.Write (
+                        Snp->PciIo,
+                        Width,
+                        Snp->MemoryBarIndex,  // BAR 0, Memory base address
+                        MemOrPortAddr,
+                        1,                    // count
+                        (VOID *) (UINTN) BufferPtr
+                        );
+    }
     break;
   }
 
diff --git a/NetworkPkg/SnpDxe/Snp.c b/NetworkPkg/SnpDxe/Snp.c
index 078b27cf5edd..da9fba51eff5 100644
--- a/NetworkPkg/SnpDxe/Snp.c
+++ b/NetworkPkg/SnpDxe/Snp.c
@@ -2,6 +2,7 @@
   Implementation of driver entry point and driver binding protocol.
 
 Copyright (c) 2004 - 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -465,8 +466,8 @@ SimpleNetworkDriverStart (
   // the IO BAR.  Save the index of the BAR into the adapter info structure.
   // for regular 32bit BARs, 0 is memory mapped, 1 is io mapped
   //
-  Snp->MemoryBarIndex = 0;
-  Snp->IoBarIndex     = 1;
+  Snp->MemoryBarIndex = PCI_MAX_BAR;
+  Snp->IoBarIndex     = PCI_MAX_BAR;
   FoundMemoryBar      = FALSE;
   FoundIoBar          = FALSE;
   for (BarIndex = 0; BarIndex < PCI_MAX_BAR; BarIndex++) {
-- 
2.16.3.windows.1