From: "gaoliming via groups.io"
To: "'Demeter, Miki'"
Cc: "'Kinney, Michael D'", "'Wang, Jian J'"
Subject: [edk2-devel] Re: [Patch v4] MdeModulePkg/PiSmmCoreSmmEntryPoint underflow(CVE-2021-38578)
Date: Tue, 1 Nov 2022 09:08:01 +0800
Message-ID: <000b01d8ed8e$63832e30$2a898a90$@byosoft.com.cn>
Reply-To: devel@edk2.groups.io,gaoliming@byosoft.com.cn

Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

From: Demeter, Miki <miki.demeter@intel.com>
Sent: November 1, 2022 6:32
To: devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>; Wang, Jian J <jian.j.wang@intel.com>
Subject: [Patch v4] MdeModulePkg/PiSmmCoreSmmEntryPoint underflow(CVE-2021-38578)

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3387

Added use of SafeIntLib to validate values are not causing overflows or
underflows in user controlled values when
calculating buffer sizes. =20 Signed-off-by: Miki Demeter > Reviewed-by: Michael D Kinney > Cc: Jian J Wang > Cc: Liming Gao > --- MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 41 ++++++++++++++++++----- MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1 + MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 1 + MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 31 +++++++++++++---- MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf | 1 + 5 files changed, 60 insertions(+), 15 deletions(-) =20 diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c index 9e5c6cbe33..875c7c0258 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c @@ -610,6 +610,7 @@ SmmEndOfS3ResumeHandler ( @param[in] Size2 Size of Buff2 =20 @retval TRUE Buffers overlap in memory. + @retval TRUE Math error. Prevents potential math over and underflows. @retval FALSE Buffer doesn't overlap. =20 **/ @@ -621,11 +622,24 @@ InternalIsBufferOverlapped ( IN UINTN Size2 ) { + UINTN End1; + UINTN End2; + BOOLEAN IsOverUnderflow1; + BOOLEAN IsOverUnderflow2; + + // Check for over or underflow + IsOverUnderflow1 =3D EFI_ERROR (SafeUintnAdd ((UINTN)Buff1, Size1, &End1= )); + IsOverUnderflow2 =3D EFI_ERROR (SafeUintnAdd ((UINTN)Buff2, Size2, &End2= )); + + if (IsOverUnderflow1 || IsOverUnderflow2) { + return TRUE; + } + // // If buff1's end is less than the start of buff2, then it's ok. // Also, if buff1's start is beyond buff2's end, then it's ok. // - if (((Buff1 + Size1) <=3D Buff2) || (Buff1 >=3D (Buff2 + Size2))) { + if ((End1 <=3D (UINTN)Buff2) || ((UINTN)Buff1 >=3D End2)) { return FALSE; } =20 @@ -651,6 +665,7 @@ SmmEntryPoint ( EFI_SMM_COMMUNICATE_HEADER *CommunicateHeader; BOOLEAN InLegacyBoot; BOOLEAN IsOverlapped; + BOOLEAN IsOverUnderflow; VOID *CommunicationBuffer; UINTN BufferSize; =20 
@@ -699,23 +714,31 @@ SmmEntryPoint ( (UINT8 *)gSmmCorePrivate, sizeof (*gSmmCorePrivate) ); - if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) { + // + // Check for over or underflows + // + IsOverUnderflow =3D EFI_ERROR (SafeUintnSub (BufferSize, OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data), &BufferSize)); + + if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || + IsOverlapped || IsOverUnderflow) + { // // If CommunicationBuffer is not in valid address scope, // or there is overlap between gSmmCorePrivate and CommunicationBuffer, + // or there is over or underflow, // return EFI_INVALID_PARAMETER // gSmmCorePrivate->CommunicationBuffer =3D NULL; gSmmCorePrivate->ReturnStatus =3D EFI_ACCESS_DENIED; } else { CommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *)CommunicationBuffer; - BufferSize -=3D OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data); - Status =3D SmiManage ( - &CommunicateHeader->HeaderGuid, - NULL, - CommunicateHeader->Data, - &BufferSize - ); + // BufferSize was updated by the SafeUintnSub() call above. + Status =3D SmiManage ( + &CommunicateHeader->HeaderGuid, + NULL, + CommunicateHeader->Data, + &BufferSize + ); // // Update CommunicationBuffer, BufferSize and ReturnStatus // Communicate service finished, reset the pointer to CommBuffer to NULL diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h index 71422b9dfc..b8a490a8c3 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h @@ -54,6 +54,7 @@ #include #include #include +#include =20 #include "PiSmmCorePrivateData.h" #include "HeapGuard.h" diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf index c8bfae3860..3df44b38f1 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf 
@@ -60,6 +60,7 @@ PerformanceLib HobLib SmmMemLib + SafeIntLib =20 [Protocols] gEfiDxeSmmReadyToLockProtocolGuid ## UNDEFINED # SmiHandlerRegister diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c index 4f00cebaf5..fbba868fd0 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c @@ -34,8 +34,8 @@ #include #include #include - #include "PiSmmCorePrivateData.h" +#include =20 #define SMRAM_CAPABILITIES (EFI_MEMORY_WB | EFI_MEMORY_UC) =20 @@ -1354,6 +1354,7 @@ SmmSplitSmramEntry ( @param[in] ReservedRangeToCompare Pointer to EFI_SMM_RESERVED_SMRAM_REGION to compare. =20 @retval TRUE There is overlap. + @retval TRUE Math error. @retval FALSE There is no overlap. =20 **/ @@ -1363,11 +1364,29 @@ SmmIsSmramOverlap ( IN EFI_SMM_RESERVED_SMRAM_REGION *ReservedRangeToCompare ) { - UINT64 RangeToCompareEnd; - UINT64 ReservedRangeToCompareEnd; - - RangeToCompareEnd =3D RangeToCompare->CpuStart + RangeToCompare->PhysicalSize; - ReservedRangeToCompareEnd =3D ReservedRangeToCompare->SmramReservedStart= + ReservedRangeToCompare->SmramReservedSize; + UINT64 RangeToCompareEnd; + UINT64 ReservedRangeToCompareEnd; + BOOLEAN IsOverUnderflow1; + BOOLEAN IsOverUnderflow2; + + // Check for over or underflow. + IsOverUnderflow1 =3D EFI_ERROR ( + SafeUint64Add ( + (UINT64)RangeToCompare->CpuStart, + RangeToCompare->PhysicalSize, + &RangeToCompareEnd + ) + ); + IsOverUnderflow2 =3D EFI_ERROR ( + SafeUint64Add ( + (UINT64)ReservedRangeToCompare->SmramReservedStart, + ReservedRangeToCompare->SmramReservedSize, + &ReservedRangeToCompareEnd + ) + ); + if (IsOverUnderflow1 || IsOverUnderflow2) { + return TRUE; + } =20 if ((RangeToCompare->CpuStart >=3D ReservedRangeToCompare->SmramReservedStart) && (RangeToCompare->CpuStart < ReservedRangeToCompareEnd)) diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf index 6109d6b544..ddeb39cee2 100644 
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf @@ -46,6 +46,7 @@ DxeServicesLib PcdLib ReportStatusCodeLib + SafeIntLib =20 [Protocols] gEfiSmmBase2ProtocolGuid ## PRODUCES --=20 2.21.0
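
Review bot: The function header of InternalIsBufferOverlapped in PiSmmCore.c now carries two separate "@retval TRUE" entries, and the flag names and comment say "over or underflow" although SafeUintnAdd() on unsigned values can only report an overflow. Fold the two entries into one, for example "Buffers overlap in memory, or Buff + Size wrapped", and rename the flags to IsOverflow1/IsOverflow2 so the documented behaviour matches the check. Returning TRUE on a wrapped range is the fail-closed choice and is worth stating in that single entry.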
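
Review bot: In the SmmEntryPoint hunk of PiSmmCore.c, SafeUintnSub() writes its result back into BufferSize before SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) runs, so the range check now covers OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) fewer bytes than it did before the change, while CommunicateHeader->Data passed to SmiManage() still ends at CommunicationBuffer plus the original size. Suggest storing the difference in a separate local, or validating the full size first and subtracting afterwards, so the whole communication buffer is still checked as lying outside SMRAM. The comment in the rejection branch also still reads "return EFI_INVALID_PARAMETER" while the code sets EFI_ACCESS_DENIED; since the patch already edits that comment, it could be corrected in the same change.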
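
Review bot: The @@ -34,8 +34,8 @@ hunk in PiSmmIpl.c deletes the blank line that separated the library includes from "PiSmmCorePrivateData.h" and places the new #include after the local header, whereas the PiSmmCore.h hunk adds its new include at the end of the library include group, before the blank line. Keep the blank line and move the new include up with the other library headers so both files follow the same ordering.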
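
Review bot: In the SmmIsSmramOverlap hunk of PiSmmIpl.c, the early "return TRUE" taken when either SafeUint64Add() fails is indistinguishable to the caller from a genuine overlap, and nothing is logged. A DEBUG ((DEBUG_ERROR, ...)) message before the return would make a wrapped SMRAM range visible during bring-up instead of silently treating it as an overlap. As with InternalIsBufferOverlapped, the flags could be named for overflow only, since both operations are unsigned additions.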
