From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 08/11] ShellPkg: acpiview: PPTT: Add error-checking in the parsing logic
Date: Fri, 12 Jul 2019 07:52:40 +0100
Message-ID: <20190712065243.3812-9-krzysztof.koch@arm.com>
In-Reply-To: <20190712065243.3812-1-krzysztof.koch@arm.com>
References: <20190712065243.3812-1-krzysztof.koch@arm.com>
Reply-To: devel@edk2.groups.io,krzysztof.koch@arm.com

1. Check if the global pointers (in the scope of this ACPI table parser) have been successfully updated before they are later used to control the parsing logic.
2. Give forward progress guarantee when parsing the PPTT table. Report an error if a PPTT structure is too small to be valid. Without this check, there is a possibility for the parser to enter an infinite loop.
3. Test against buffer overruns.
4. Allow silencing ACPI table content validation errors which do not cause table parsing to fail.

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
---

Changes can be seen at:
https://github.com/KrzysztofKoch1/edk2/commit/e4789351e111fa1ed6a2c55759f190166b08fc8c

Notes:
    v1:
    - improve the logic in the PPTT parser [Krzysztof]

ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 9= 5 ++++++++++++++++---- 1 file changed, 76 insertions(+), 19 deletions(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/Pptt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttPa= rser.c index cec57be55e77096f9448f637ea129af2b42111ad..8d8760940b493eb94c91da3d46f= 9a844930c1738 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c @@ -252,7 +252,6 @@ DumpProcessorHierarchyNodeStructure ( ) { UINT32 Offset; - UINT8* PrivateResourcePtr; UINT32 Index; CHAR16 Buffer[OUTPUT_FIELD_COLUMN_WIDTH]; =20
@@ -265,8 +264,34 @@ DumpProcessorHierarchyNodeStructure ( PARSER_PARAMS (ProcessorHierarchyNodeStructureParser) ); =20 - PrivateResourcePtr =3D Ptr + Offset; + // Check if the values used to control the parsing logic have been + // successfully read. + if (NumberOfPrivateResources =3D=3D NULL) { + IncrementErrorCount (); + Print ( + L"ERROR: Insufficient Processor Hierarchy Node length. Length =3D %d= .\n", + Length + ); + return; + } + + // Make sure the Private Resource array lies inside this structure + if (Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Number of Private Resources. " \ + L"PrivateResourceCount =3D %d. RemainingBufferLength =3D %d. " \ + L"Parsing of this structure aborted.\n", + *NumberOfPrivateResources, + Length - Offset + ); + return; + } + Index =3D 0; + + // Parse the specified number of private resource references or the Proc= essor + // Hierarchy Node length. Whichever is minimum. while (Index < *NumberOfPrivateResources) { UnicodeSPrint ( Buffer, @@ -278,10 +303,10 @@ DumpProcessorHierarchyNodeStructure ( PrintFieldName (4, Buffer); Print ( L"0x%x\n", - *((UINT32*) PrivateResourcePtr) + *((UINT32*)(Ptr + Offset)) ); =20 - PrivateResourcePtr +=3D sizeof(UINT32); + Offset +=3D sizeof (UINT32); Index++; } } @@ -373,6 +398,7 @@ ParseAcpiPptt ( AcpiTableLength, PARSER_PARAMS (PpttParser) ); + ProcessorTopologyStructurePtr =3D Ptr + Offset; =20 while (Offset < AcpiTableLength) { 
@@ -382,19 +408,47 @@ ParseAcpiPptt ( 0, NULL, ProcessorTopologyStructurePtr, - 4, // Length of the processor topology structure header is 4 bytes + AcpiTableLength - Offset, PARSER_PARAMS (ProcessorTopologyStructureHeaderParser) ); =20 - if ((Offset + (*ProcessorTopologyStructureLength)) > AcpiTableLength) { + // Check if the values used to control the parsing logic have been + // successfully read. + if ((ProcessorTopologyStructureType =3D=3D NULL) || + (ProcessorTopologyStructureLength =3D=3D NULL)) { IncrementErrorCount (); Print ( - L"ERROR: Invalid processor topology structure length:" - L" Type =3D %d, Length =3D %d\n", - *ProcessorTopologyStructureType, - *ProcessorTopologyStructureLength + L"ERROR: Insufficient remaining table buffer length to read the " \ + L"processor topology structure header. Length =3D %d.\n", + AcpiTableLength - Offset ); - break; + return; + } + + // Make sure forward progress is made. + if (*ProcessorTopologyStructureLength < 2) { + IncrementErrorCount (); + Print ( + L"ERROR: Structure length is too small: " \ + L"ProcessorTopologyStructureLength =3D %d. " \ + L"ProcessorTopologyStructureType =3D %d. PPTT parsing aborted.\n= ", + *ProcessorTopologyStructureLength, + *ProcessorTopologyStructureType + ); + return; + } + + // Make sure the PPTT structure lies inside the table + if ((Offset + *ProcessorTopologyStructureLength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid PPTT structure length. " \ + L"ProcessorTopologyStructureLength =3D %d. " \ + L"RemainingTableBufferLength =3D %d. PPTT parsing aborted.\n", + *ProcessorTopologyStructureLength, + AcpiTableLength - Offset + ); + return; } =20 PrintFieldName (2, L"* Structure Offset *"); 
@@ -420,14 +474,17 @@ ParseAcpiPptt ( ); break; default: - IncrementErrorCount (); - Print ( - L"ERROR: Unknown processor topology structure:" - L" Type =3D %d, Length =3D %d\n", - *ProcessorTopologyStructureType, - *ProcessorTopologyStructureLength - ); - } + if (GetConsistencyChecking ()) { + IncrementErrorCount (); + Print ( + L"ERROR: Unknown processor topology structure:" + L" Type =3D %d, Length =3D %d\n", + *ProcessorTopologyStructureType, + *ProcessorTopologyStructureLength + ); + } + break; + } // switch =20 ProcessorTopologyStructurePtr +=3D *ProcessorTopologyStructureLength; Offset +=3D *ProcessorTopologyStructureLength; -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
View/Reply Online (#43648): https://edk2.groups.io/g/devel/message/43648
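
Review bot: In the `@@ -265,8 +264,34 @@` hunk of DumpProcessorHierarchyNodeStructure, the new bounds check `Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length` multiplies a count read from the table before comparing, so on a build where UINTN is 32 bits a large enough count wraps the product and the check passes while the `while (Index < *NumberOfPrivateResources)` loop still reads past the structure. Comparing the count against the remaining space instead, for example `*NumberOfPrivateResources > (Length - Offset) / sizeof (UINT32)` after confirming `Offset <= Length`, avoids the multiplication, and the same `Offset <= Length` guard keeps the `Length - Offset` value printed in the error message from underflowing. The added comment ending "Whichever is minimum" also no longer matches the code, since the function now returns on an oversized count rather than clamping the loop.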
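
Review bot: The forward-progress check `*ProcessorTopologyStructureLength < 2` in the `@@ -382,19 +408,47 @@` hunk of ParseAcpiPptt uses an unexplained literal, and the line this hunk removes stated that the processor topology structure header is 4 bytes, so a structure reporting a length of 2 or 3 passes the check although it is shorter than its own header. Consider comparing against the header size through a named constant, with a comment saying why that value is the minimum, so the check guarantees both forward progress and a complete header.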
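
Review bot: In the `default:` branch of the `@@ -420,14 +474,17 @@` hunk, `IncrementErrorCount ()` now sits inside `if (GetConsistencyChecking ())` together with the `Print`, so with consistency checking off an unknown structure type is skipped with no output and no change to the error count. If that is intended, a short comment in the branch saying that unknown types are non-fatal and are stepped over using the already validated `*ProcessorTopologyStructureLength` would document it; otherwise keep the count outside the condition and gate only the message.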