From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id AD980211518DB
 for <edk2-devel@lists.01.org>; Fri, 21 Sep 2018 03:53:59 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com
 [10.5.11.26])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 39BB1307D874;
 Fri, 21 Sep 2018 10:53:59 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-8.rdu2.redhat.com
 [10.10.120.8])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 332283091386;
 Fri, 21 Sep 2018 10:53:57 +0000 (UTC)
To: Ruiyu Ni <ruiyu.ni@intel.com>, edk2-devel@lists.01.org
Cc: Star Zeng <star.zeng@intel.com>
References: <20180921072539.268068-1-ruiyu.ni@intel.com>
 <20180921072539.268068-2-ruiyu.ni@intel.com>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <a9646d7d-0d27-ff9f-2058-b3aded9fbb32@redhat.com>
Date: Fri, 21 Sep 2018 12:53:57 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20180921072539.268068-2-ruiyu.ni@intel.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.48]); Fri, 21 Sep 2018 10:53:59 +0000 (UTC)
Subject: Re: [PATCH 1/3] MdeModulePkg/PciHostBridge: Enhance boundary check in Io/Mem.Read/Write
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Sep 2018 10:53:59 -0000
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 09/21/18 09:25, Ruiyu Ni wrote:
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> ---
>  .../Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c     | 26 +++++++++++++++++-----
>  1 file changed, 21 insertions(+), 5 deletions(-)
> 
> diff --git a/MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c b/MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c
> index f8a1239ceb..0b6b56f846 100644
> --- a/MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c
> +++ b/MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciRootBridgeIo.c
> @@ -321,6 +321,7 @@ RootBridgeIoCheckParameter (
>    UINT64                                       Base;
>    UINT64                                       Limit;
>    UINT32                                       Size;
> +  UINT64                                       Length;
>  
>    //
>    // Check to see if Buffer is NULL
> @@ -337,7 +338,7 @@ RootBridgeIoCheckParameter (
>    }
>  
>    //
> -  // For FIFO type, the target address won't increase during the access,
> +  // For FIFO type, the device address won't increase during the access,
>    // so treat Count as 1
>    //
>    if (Width >= EfiPciWidthFifoUint8 && Width <= EfiPciWidthFifoUint64) {
> @@ -347,6 +348,13 @@ RootBridgeIoCheckParameter (
>    Width = (EFI_PCI_ROOT_BRIDGE_IO_PROTOCOL_WIDTH) (Width & 0x03);
>    Size  = 1 << Width;
>  
> +  //
> +  // Make sure (Count * Size) doesn't exceed MAX_UINT64
> +  //
> +  if (Count > DivU64x32 (MAX_UINT64, Size)) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
>    //
>    // Check to see if Address is aligned
>    //
> @@ -354,6 +362,14 @@ RootBridgeIoCheckParameter (
>      return EFI_UNSUPPORTED;
>    }
>  
> +  //
> +  // Make sure (Address + Count * Size) doesn't exceed MAX_UINT64
> +  //
> +  Length = MultU64x32 (Count, Size);
> +  if (Address > MAX_UINT64 - Length) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
>    RootBridge = ROOT_BRIDGE_FROM_THIS (This);
>  
>    //
> @@ -372,7 +388,7 @@ RootBridgeIoCheckParameter (
>      //
>      // Allow Legacy IO access
>      //
> -    if (Address + MultU64x32 (Count, Size) <= 0x1000) {
> +    if (Address + Length <= 0x1000) {
>        if ((RootBridge->Attributes & (
>             EFI_PCI_ATTRIBUTE_ISA_IO | EFI_PCI_ATTRIBUTE_VGA_PALETTE_IO | EFI_PCI_ATTRIBUTE_VGA_IO |
>             EFI_PCI_ATTRIBUTE_IDE_PRIMARY_IO | EFI_PCI_ATTRIBUTE_IDE_SECONDARY_IO |
> @@ -386,7 +402,7 @@ RootBridgeIoCheckParameter (
>      //
>      // Allow Legacy MMIO access
>      //
> -    if ((Address >= 0xA0000) && (Address + MultU64x32 (Count, Size)) <= 0xC0000) {
> +    if ((Address >= 0xA0000) && (Address + Length) <= 0xC0000) {
>        if ((RootBridge->Attributes & EFI_PCI_ATTRIBUTE_VGA_MEMORY) != 0) {
>          return EFI_SUCCESS;
>        }
> @@ -395,7 +411,7 @@ RootBridgeIoCheckParameter (
>      // By comparing the Address against Limit we know which range to be used
>      // for checking
>      //
> -    if (Address + MultU64x32 (Count, Size) <= RootBridge->Mem.Limit + 1) {
> +    if (Address + Length <= RootBridge->Mem.Limit + 1) {
>        Base = RootBridge->Mem.Base;
>        Limit = RootBridge->Mem.Limit;
>      } else {
> @@ -427,7 +443,7 @@ RootBridgeIoCheckParameter (
>        return EFI_INVALID_PARAMETER;
>    }
>  
> -  if (Address + MultU64x32 (Count, Size) > Limit + 1) {
> +  if (Address + Length > Limit + 1) {
>      return EFI_INVALID_PARAMETER;
>    }
>  
> 

Reviewed-by: Laszlo Ersek <lersek@redhat.com>