From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65])
 by mx.groups.io with SMTP id smtpd.web09.13700.1628451641596301572
 for <devel@edk2.groups.io>;
 Sun, 08 Aug 2021 12:40:41 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@posteo.de header.s=2017 header.b=M6vPF0Tm;
 spf=pass (domain: posteo.de, ip: 185.67.36.65, mailfrom: mhaeuser@posteo.de)
Received: from submission (posteo.de [89.146.220.130]) 
	by mout01.posteo.de (Postfix) with ESMTPS id 0CA06240027
	for <devel@edk2.groups.io>; Sun,  8 Aug 2021 21:40:40 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017;
	t=1628451640; bh=40g7Mb90mwA5r4lyaGhYRLX09kL4enXJNfYeWeC8hHk=;
	h=From:To:Cc:Subject:Date:From;
	b=M6vPF0TmNA5G6B8p4BmCiu/qf/dgUCg43WEEftoz/pG0lI6bu69zCwO/uWC7qLGUw
	 LyAXunPe0caipnB/TNMqT6Xyx9zjN0SgNn4bKKx2ohmn0skWasFZOx16IyfL9hsJDl
	 plV6O0dxmqK8QQKdlPTNTXGCDmkm81kepqTeTu3vEMBTPE5aV1X3x3MQxqybZbNiju
	 +qkDIrg1nbVYCrgHWEmU4IIIULCNBo+GsQNy475HdFSI9u1R9Q/O4JTnS7V8IL/l7X
	 O+Mnq6fsBm2Jun3mPgJ4lNurbmdHj5z8F3o5nMGlpJhsnK6jc/2zT97i0XsZ47BJ0u
	 7d5ubBXIgLLqg==
Received: from customer (localhost [127.0.0.1])
	by submission (posteo.de) with ESMTPSA id 4GjV1g3THwz6tmD;
	Sun,  8 Aug 2021 21:40:39 +0200 (CEST)
From: =?UTF-8?B?TWFydmluIEjDpHVzZXI=?= <mhaeuser@posteo.de>
To: devel@edk2.groups.io
Cc: Guo Dong <guo.dong@intel.com>,
	Ray Ni <ray.ni@intel.com>,
	Maurice Ma <maurice.ma@intel.com>,
	Benjamin You <benjamin.you@intel.com>,
	Vitaly Cheptsov <vit9696@protonmail.com>
Subject: [PATCH] UefiPayloadPkg/UefiPayloadEntry: Fix memory corruption
Date: Sun,  8 Aug 2021 19:39:53 +0000
Message-Id: <efa510e3eb820b31f16ac6b79db183d7ad235080.1628365054.git.mhaeuser@posteo.de>
In-Reply-To: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
References: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

UefiPayloadEntry's AllocatePool() applies the "sizeof" operator to
HOB index rather than the HOB header structure. This yields 4 Bytes
compared to the 8 Bytes the structure header requires. Fix the call
to allocate the required space instead.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Maurice Ma <maurice.ma@intel.com>
Cc: Benjamin You <benjamin.you@intel.com>
Cc: Vitaly Cheptsov <vit9696@protonmail.com>
Signed-off-by: Marvin H=C3=A4user <mhaeuser@posteo.de>
---
 UefiPayloadPkg/UefiPayloadEntry/MemoryAllocation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/UefiPayloadPkg/UefiPayloadEntry/MemoryAllocation.c b/UefiPaylo=
adPkg/UefiPayloadEntry/MemoryAllocation.c
index 1204573b3e09..f3494969e5ac 100644
--- a/UefiPayloadPkg/UefiPayloadEntry/MemoryAllocation.c
+++ b/UefiPayloadPkg/UefiPayloadEntry/MemoryAllocation.c
@@ -163,7 +163,7 @@ AllocatePool (
     return NULL;=0D
   }=0D
 =0D
-  Hob =3D (EFI_HOB_MEMORY_POOL *)CreateHob (EFI_HOB_TYPE_MEMORY_POOL, (UIN=
T16)(sizeof (EFI_HOB_TYPE_MEMORY_POOL) + AllocationSize));=0D
+  Hob =3D (EFI_HOB_MEMORY_POOL *)CreateHob (EFI_HOB_TYPE_MEMORY_POOL, (UIN=
T16)(sizeof (EFI_HOB_MEMORY_POOL) + AllocationSize));=0D
   return (VOID *)(Hob + 1);=0D
 }=0D
 =0D
--=20
2.31.1