From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v2 5/6] ShellPkg: acpiview: MADT: Split structure length validation
Date: Mon, 22 Jul 2019 08:50:25 +0100
Message-ID: <20190722075026.20244-6-krzysztof.koch@arm.com>
In-Reply-To: <20190722075026.20244-1-krzysztof.koch@arm.com>
References: <20190722075026.20244-1-krzysztof.koch@arm.com>

Split the Interrupt Controller Structure length validation in the
acpiview UEFI shell tool into two logical parts:
1. Ensuring MADT table parser forward progress.
2. Preventing MADT table buffer overruns.

Also, make the condition for infinite loop detection applicable to
all types of Interrupt Controller Structures (for all interrupt models
which can be represented in MADT). Check if the controller length
specified is shorter than the byte size of the first two fields
('Type' and 'Length') present in every valid Interrupt Controller
Structure.

Signed-off-by: Krzysztof Koch
---

Notes:
    v1:
    - split MADT structure length validation [Krzysztof]

ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 3= 0 ++++++++++++++------ 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/Madt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtPa= rser.c index 338295d30e35c366a60505225cf57145a8e73d93..d80ebd1a2bae7a4acffe687ca5e= e7b4090f0e223 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c 
@@ -260,16 +260,30 @@ ParseAcpiMadt ( PARSER_PARAMS (MadtInterruptControllerHeaderParser) ); =20 - if (((Offset + (*MadtInterruptControllerLength)) > AcpiTableLength) || - (*MadtInterruptControllerLength < 4)) { + // Make sure forward progress is made. + if (*MadtInterruptControllerLength < 2) { IncrementErrorCount (); Print ( - L"ERROR: Invalid Interrupt Controller Length," - L" Type =3D %d, Length =3D %d\n", - *MadtInterruptControllerType, - *MadtInterruptControllerLength - ); - break; + L"ERROR: Structure length is too small: " \ + L"MadtInterruptControllerLength =3D %d. " \ + L"MadtInterruptControllerType =3D %d. MADT parsing aborted.\n", + *MadtInterruptControllerLength, + *MadtInterruptControllerType + ); + return; + } + + // Make sure the MADT structure lies inside the table + if ((Offset + *MadtInterruptControllerLength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid MADT structure length. " \ + L"MadtInterruptControllerLength =3D %d. " \ + L"RemainingTableBufferLength =3D %d. MADT parsing aborted.\n", + *MadtInterruptControllerLength, + AcpiTableLength - Offset + ); + return; } =20 switch (*MadtInterruptControllerType) { -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
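Review bot: The forward-progress check lowers the minimum accepted length from 4 (the removed "*MadtInterruptControllerLength < 4") to 2, so structures reporting a length of 2 or 3 now pass both checks and reach "switch (*MadtInterruptControllerType)". The per-type parsers behind that switch are not visible in this hunk; please confirm that each one bounds its reads by the reported length rather than by its own structure size, or say in the commit message why that is already guaranteed. The bare literal 2 would also read better as a named constant or a sizeof expression over the 'Type' and 'Length' fields, since only the commit message explains where the value comes from. Both error paths change "break" to "return", which the commit message does not mention: anything that follows the loop in ParseAcpiMadt is now skipped on a malformed structure, so it is worth stating that this is intended. As a style point, the trailing "\" after each string literal in the two Print calls is unnecessary outside a macro, because adjacent literals are concatenated, and the second comment lacks the closing period the first one has.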