From: "Kirkendall, Garrett"
To: Ruiyu Ni, "edk2-devel@lists.01.org"
CC: Star Zeng
Date: Mon, 24 Sep 2018 13:18:17 +0000
Subject: Re: [PATCH 1/3] MdeModulePkg/PciHostBridge: Enhance boundary check in Io/Mem.Read/Write
References: <20180921072539.268068-1-ruiyu.ni@intel.com> <20180921072539.268068-2-ruiyu.ni@intel.com>
In-Reply-To: <20180921072539.268068-2-ruiyu.ni@intel.com>
List-Id: EDK II
Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Sep 2018 13:18:23 -0000 Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable GARRETT KIRKENDALL SMTS Firmware Engineer | CTE 7171 Southwest Parkway, Austin, TX 78735 USA=20 AMD=A0=A0 facebook=A0 |=A0 amd.com -----Original Message----- From: edk2-devel On Behalf Of Ruiyu Ni Sent: Friday, September 21, 2018 2:26 AM To: edk2-devel@lists.01.org Cc: Star Zeng Subject: [edk2] [PATCH 1/3] MdeModulePkg/PciHostBridge: Enhance boundary ch= eck in Io/Mem.Read/Write Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni Cc: Star Zeng --- .../Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c | 26 +++++++++++++++++-= ---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c b/MdeM= odulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c index f8a1239ceb..0b6b56f846 100644 --- a/MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c +++ b/MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c @@ -321,6 +321,7 @@ RootBridgeIoCheckParameter ( UINT64 Base; UINT64 Limit; UINT32 Size; + UINT64 Length; =20 // // Check to see if Buffer is NULL @@ -337,7 +338,7 @@ RootBridgeIoCheckParameter ( } =20 // - // For FIFO type, the target address won't increase during the access, + // For FIFO type, the device address won't increase during the=20 + access, // so treat Count as 1 // if (Width >=3D EfiPciWidthFifoUint8 && Width <=3D EfiPciWidthFifoUint64)= { @@ -347,6 +348,13 @@ RootBridgeIoCheckParameter ( Width =3D (EFI_PCI_ROOT_BRIDGE_IO_PROTOCOL_WIDTH) (Width & 0x03); Size =3D 1 << Width; =20 + // + // Make sure (Count * Size) doesn't exceed MAX_UINT64 // if (Count=20 + > DivU64x32 (MAX_UINT64, Size)) { + return EFI_INVALID_PARAMETER; + } + // // Check to see if Address is aligned // 
@@ -354,6 +362,14 @@ RootBridgeIoCheckParameter ( return EFI_UNSUPPORTED; } =20 + // + // Make sure (Address + Count * Size) doesn't exceed MAX_UINT64 // =20 + Length =3D MultU64x32 (Count, Size); if (Address > MAX_UINT64 - Length)= =20 + { + return EFI_INVALID_PARAMETER; + } + RootBridge =3D ROOT_BRIDGE_FROM_THIS (This); =20 // @@ -372,7 +388,7 @@ RootBridgeIoCheckParameter ( // // Allow Legacy IO access // - if (Address + MultU64x32 (Count, Size) <=3D 0x1000) { + if (Address + Length <=3D 0x1000) { if ((RootBridge->Attributes & ( EFI_PCI_ATTRIBUTE_ISA_IO | EFI_PCI_ATTRIBUTE_VGA_PALETTE_IO | E= FI_PCI_ATTRIBUTE_VGA_IO | EFI_PCI_ATTRIBUTE_IDE_PRIMARY_IO | EFI_PCI_ATTRIBUTE_IDE_SECOND= ARY_IO | @@ -386,7 +402,7 @@ RootBridgeIoCheckParameter ( // // Allow Legacy MMIO access // - if ((Address >=3D 0xA0000) && (Address + MultU64x32 (Count, Size)) <= =3D 0xC0000) { + if ((Address >=3D 0xA0000) && (Address + Length) <=3D 0xC0000) { if ((RootBridge->Attributes & EFI_PCI_ATTRIBUTE_VGA_MEMORY) !=3D 0) = { return EFI_SUCCESS; } @@ -395,7 +411,7 @@ RootBridgeIoCheckParameter ( // By comparing the Address against Limit we know which range to be us= ed // for checking // - if (Address + MultU64x32 (Count, Size) <=3D RootBridge->Mem.Limit + 1)= { + if (Address + Length <=3D RootBridge->Mem.Limit + 1) { Base =3D RootBridge->Mem.Base; Limit =3D RootBridge->Mem.Limit; } else { @@ -427,7 +443,7 @@ RootBridgeIoCheckParameter ( return EFI_INVALID_PARAMETER; } =20 - if (Address + MultU64x32 (Count, Size) > Limit + 1) { + if (Address + Length > Limit + 1) { return EFI_INVALID_PARAMETER; } =20 -- 2.16.1.windows.1 Reviewed-by: Garrett Kirkendall _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
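Review bot: In the hunk at @@ -347,6 +348,13 @@, the new test Count > DivU64x32 (MAX_UINT64, Size) divides by a value that the line just above it computes as 1 << Width, with Width masked by 0x03, so Size is always a power of two. RShiftU64 (MAX_UINT64, Width) gives the same bound without a 64-bit divide. The check is correct as written; this is only a simplification.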
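Review bot: The comment added at @@ -354,6 +362,14 @@ says what is checked but not why it matters. Every later range test in this function compares Address + Length against a bound (0x1000, 0xC0000, Limit + 1), and a sum that wrapped past MAX_UINT64 would satisfy those tests with an address far outside the aperture. Please say that in the comment. The commit message also has no body beyond the tags, so a sentence naming the overflow being closed would help anyone tracing this fix later.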
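Review bot: At @@ -395,7 +411,7 @@ and @@ -427,7 +443,7 @@ the left side Address + Length can no longer wrap after this patch, but the right sides RootBridge->Mem.Limit + 1 and Limit + 1 still can. If a Limit is MAX_UINT64 the bound becomes 0, so the first test selects the other range and the second rejects any access with a nonzero Address + Length. That fails closed, but it is an unstated assumption. Either note in a comment that a Limit of MAX_UINT64 is not supported, or rewrite these comparisons so they do not add 1 to Limit.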