From: "Gao, Zhichao"
To: "devel@edk2.groups.io", "krzysztof.koch@arm.com"
CC: "Ni, Ray", "Matteo.Carlini@arm.com", "sami.mujawar@arm.com", "nd@arm.com"
Subject: Re: [edk2-devel] [PATCH v2 1/1] ShellPkg: acpiview: Validate ACPI table 'Length' field
Date: Tue, 18 Feb 2020 01:12:55 +0000
In-Reply-To: <20200211100117.45860-1-krzysztof.koch@arm.com>

Reviewed-by: Zhichao Gao

Thanks,
Zhichao

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Krzysztof Koch
> Sent: Tuesday, February 11, 2020 6:01 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray; Gao, Zhichao; Matteo.Carlini@arm.com; sami.mujawar@arm.com; nd@arm.com
> Subject: [edk2-devel] [PATCH v2 1/1] ShellPkg: acpiview: Validate ACPI table 'Length' field
>
> Check if the ACPI table length, as reported in the ACPI table header, is big
> enough to fit at least the header itself.
>
> If not, report an error to the user and stop parsing the table in order to prevent
> buffer overruns.
>
> Signed-off-by: Krzysztof Koch
> ---
>
> Changes can be seen at:
> https://github.com/KrzysztofKoch1/edk2/pull/new/650_add_checks_process_acpi_table_v2
>
> Notes:
> v2:
> - Change code comment style [Zhichao]
>
> v1:
> - Validate ACPI table length [Krzysztof]
>
> ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c | 20 > +++++++++++++++++++- > 1 file changed, 19 insertions(+), 1 deletion(-) >=20 > diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParse= r.c > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c > index > d5500bcb2b4a55c7a69f45444aa49d36d2c1694f..501967c4dde680809c56e5d79 > ed744a1013a69e1 100644 > --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c > @@ -1,7 +1,7 @@ > /** @file > ACPI table parser >=20 > - Copyright (c) 2016 - 2019, ARM Limited. All rights reserved. > + Copyright (c) 2016 - 2020, ARM Limited. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent **/ >=20 > @@ -176,6 +176,7 @@ ProcessAcpiTable ( > CONST UINT32* AcpiTableSignature; > CONST UINT32* AcpiTableLength; > CONST UINT8* AcpiTableRevision; > + CONST UINT8* SignaturePtr; > PARSE_ACPI_TABLE_PROC ParserProc; >=20 > ParseAcpiHeader (
> @@ -193,6 +194,23 @@ ProcessAcpiTable ( >=20 > if (Trace) { > DumpRaw (Ptr, *AcpiTableLength); > + > + // Do not process the ACPI table any further if the table length re= ad > + // is invalid. The ACPI table should at least contain the table hea= der. > + if (*AcpiTableLength < sizeof (EFI_ACPI_DESCRIPTION_HEADER)) { > + SignaturePtr =3D (CONST UINT8*)AcpiTableSignature; > + IncrementErrorCount (); > + Print ( > + L"ERROR: Invalid %c%c%c%c table length. Length =3D %d\n", > + SignaturePtr[0], > + SignaturePtr[1], > + SignaturePtr[2], > + SignaturePtr[3], > + *AcpiTableLength > + ); > + return; > + } > + > if (GetConsistencyChecking ()) { > VerifyChecksum (TRUE, Ptr, *AcpiTableLength); > } > -- > 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)' >=20 >=20 >=20
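
Review bot: In the @@ -193 hunk the new length check sits inside the `if (Trace) {` block and after `DumpRaw (Ptr, *AcpiTableLength);`, so a table whose Length is below `sizeof (EFI_ACPI_DESCRIPTION_HEADER)` is only rejected when Trace is set, and the early `return` is never reached on the non-trace path. Consider moving the check out of the Trace block, directly after the `ParseAcpiHeader (` call, so it runs before the length is used anywhere, including by whatever processing follows the Trace block. The check is also a lower bound only: nothing in these lines compares `*AcpiTableLength` against the size of the buffer behind `Ptr`, so an over-large Length still reaches `DumpRaw` and `VerifyChecksum` unchanged. A smaller point in the same hunk: `Length = %d` prints a UINT32 as a signed value; `%u` would avoid negative output for lengths above 0x7FFFFFFF.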