From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 1/6] ShellPkg: acpiview: DBG2: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:02 +0100
Message-ID: <20190801084407.48712-2-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the DBG2 table parsing logic to prevent reading past the ACPI buffer lengths provided.

Modify the signature of the DumpDbgDeviceInfo() function to make it consistent with the ACPI structure processing functions in other acpiview parsers. Now, the length of the Debug Device Information Structure is read before the entire structure is dumped.

This refactoring change makes it easier to stop reading beyond the DBG2 table buffer if the Debug Device Information Structure Buffer does not fit in the DBG2 buffer.

For processing the first two fields of the Debug Device Information Structure (to get the length) a new ACPI_PARSER array is defined.

References:
- Microsoft Debug Port Table 2 (DBG2), December 10, 2015

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
Reviewed-by: Sami Mujawar
---

Notes:
    v1:
    - Prevent buffer overruns in DBG2 acpiview parser [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c | 141 +++++++++++++-------
 1 file changed, 92 insertions(+), 49 deletions(-)

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pa= rser.c index c6929695a1032c57761ef85002d6c51b7800ce23..869e700b9beda4886bf7bc5ae4c= ed3ab9a59efa3 100644 
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c @@ -64,10 +64,17 @@ STATIC CONST ACPI_PARSER Dbg2Parser[] =3D { (VOID**)&NumberDbgDeviceInfo, NULL, NULL} }; =20 +/// An ACPI_PARSER array describing the debug device information structure +/// header. +STATIC CONST ACPI_PARSER DbgDevInfoHeaderParser[] =3D { + {L"Revision", 1, 0, L"0x%x", NULL, NULL, NULL, NULL}, + {L"Length", 2, 1, L"%d", NULL, (VOID**)&DbgDevInfoLen, NULL, NULL} +}; + /// An ACPI_PARSER array describing the debug device information. STATIC CONST ACPI_PARSER DbgDevInfoParser[] =3D { {L"Revision", 1, 0, L"0x%x", NULL, NULL, NULL, NULL}, - {L"Length", 2, 1, L"%d", NULL, (VOID**)&DbgDevInfoLen, NULL, NULL}, + {L"Length", 2, 1, L"%d", NULL, NULL, NULL, NULL}, =20 {L"Generic Address Registers Count", 1, 3, L"0x%x", NULL, (VOID**)&GasCount, NULL, NULL}, 
@@ -93,76 +100,91 @@ STATIC CONST ACPI_PARSER DbgDevInfoParser[] =3D { /** This function parses the debug device information structure. =20 - @param [in] Ptr Pointer to the start of the buffer. - @param [out] Length Pointer in which the length of the debug - device information is returned. + @param [in] Ptr Pointer to the start of the buffer. + @param [in] Length Length of the debug device information structure. **/ STATIC VOID EFIAPI DumpDbgDeviceInfo ( - IN UINT8* Ptr, - OUT UINT32* Length + IN UINT8* Ptr, + IN UINT16 Length ) { UINT16 Index; - UINT8* DataPtr; - UINT32* AddrSize; - - // Parse the debug device info to get the Length - ParseAcpi ( - FALSE, - 0, - "Debug Device Info", - Ptr, - 3, // Length is 2 bytes starting at offset 1 - PARSER_PARAMS (DbgDevInfoParser) - ); + UINT16 Offset; =20 ParseAcpi ( TRUE, 2, "Debug Device Info", Ptr, - *DbgDevInfoLen, + Length, PARSER_PARAMS (DbgDevInfoParser) ); =20 - // GAS and Address Size + // GAS Index =3D 0; - DataPtr =3D Ptr + (*BaseAddrRegOffset); - AddrSize =3D (UINT32*)(Ptr + (*AddrSizeOffset)); - while (Index < (*GasCount)) { + Offset =3D *BaseAddrRegOffset; + while ((Index++ < *GasCount) && + (Offset < Length)) { PrintFieldName (4, L"BaseAddressRegister"); - DumpGasStruct (DataPtr, 4, GAS_LENGTH); + Offset +=3D (UINT16)DumpGasStruct ( + Ptr + Offset, + 4, + Length - Offset + ); + } + + // Make sure the array of address sizes corresponding to each GAS fit in= the + // Debug Device Information structure + if ((*AddrSizeOffset + (*GasCount * sizeof (UINT32))) > Length) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid GAS count. GasCount =3D %d. RemainingBufferLength = =3D %d. 
" \ + L"Parsing of the Debug Device Information structure aborted.\n", + *GasCount, + Length - *AddrSizeOffset + ); + return; + } + + // Address Size + Index =3D 0; + Offset =3D *AddrSizeOffset; + while ((Index++ < *GasCount) && + (Offset < Length)) { PrintFieldName (4, L"Address Size"); - Print (L"0x%x\n", AddrSize[Index]); - DataPtr +=3D GAS_LENGTH; - Index++; + Print (L"0x%x\n", *((UINT32*)(Ptr + Offset))); + Offset +=3D sizeof (UINT32); } =20 // NameSpace String Index =3D 0; - DataPtr =3D Ptr + (*NameSpaceStringOffset); + Offset =3D *NameSpaceStringOffset; PrintFieldName (4, L"NameSpace String"); - while (Index < (*NameSpaceStringLength)) { - Print (L"%c", DataPtr[Index++]); + while ((Index++ < *NameSpaceStringLength) && + (Offset < Length)) { + Print (L"%c", *(Ptr + Offset)); + Offset++; } Print (L"\n"); =20 // OEM Data - Index =3D 0; - DataPtr =3D Ptr + (*OEMDataOffset); - PrintFieldName (4, L"OEM Data"); - while (Index < (*OEMDataLength)) { - Print (L"%x ", DataPtr[Index++]); - if ((Index & 7) =3D=3D 0) { - Print (L"\n%-*s ", OUTPUT_FIELD_COLUMN_WIDTH, L""); + if (*OEMDataOffset !=3D 0) { + Index =3D 0; + Offset =3D *OEMDataOffset; + PrintFieldName (4, L"OEM Data"); + while ((Index++ < *OEMDataLength) && + (Offset < Length)) { + Print (L"%x ", *(Ptr + Offset)); + if ((Index & 7) =3D=3D 0) { + Print (L"\n%-*s ", OUTPUT_FIELD_COLUMN_WIDTH, L""); + } + Offset++; } + Print (L"\n"); } - Print (L"\n"); - - *Length =3D *DbgDevInfoLen; } =20 /** @@ -187,8 +209,7 @@ ParseAcpiDbg2 ( ) { UINT32 Offset; - UINT32 DbgDeviceInfoLength; - UINT8* DevInfoPtr; + UINT32 Index; =20 if (!Trace) { return; 
@@ -202,14 +223,36 @@ ParseAcpiDbg2 ( AcpiTableLength, PARSER_PARAMS (Dbg2Parser) ); - DevInfoPtr =3D Ptr + Offset; =20 - while (Offset < AcpiTableLength) { - DumpDbgDeviceInfo ( - DevInfoPtr, - &DbgDeviceInfoLength + Offset =3D *OffsetDbgDeviceInfo; + Index =3D 0; + + while (Index++ < *NumberDbgDeviceInfo) { + + // Parse the Debug Device Information Structure header to obtain Length + ParseAcpi ( + FALSE, + 0, + NULL, + Ptr + Offset, + AcpiTableLength - Offset, + PARSER_PARAMS (DbgDevInfoHeaderParser) ); - Offset +=3D DbgDeviceInfoLength; - DevInfoPtr +=3D DbgDeviceInfoLength; + + // Make sure the Debug Device Information structure lies inside the ta= ble. + if ((Offset + *DbgDevInfoLen) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Debug Device Information structure length. " \ + L"DbgDevInfoLen =3D %d. RemainingTableBufferLength =3D %d. " \ + L"DBG2 parsing aborted.\n", + *DbgDevInfoLen, + AcpiTableLength - Offset + ); + return; + } + + DumpDbgDeviceInfo (Ptr + Offset, (*DbgDevInfoLen)); + Offset +=3D (*DbgDevInfoLen); } } -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)' -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
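
Review bot: In DumpDbgDeviceInfo(), the error path of the address-size check prints Length - *AddrSizeOffset as RemainingBufferLength, but the check also fires when *AddrSizeOffset is already larger than Length, and then the subtraction no longer yields a remaining length and the message is misleading. Test *AddrSizeOffset > Length on its own, or print Length and *AddrSizeOffset unmodified. The same function dereferences *GasCount, *BaseAddrRegOffset, *NameSpaceStringOffset and *OEMDataOffset straight after ParseAcpi() is given the caller's Length, with no check that Length covers those fixed fields. Only the address-size array gets an up-front fit check; the GAS array, the NameSpace String and the OEM Data are clipped by (Offset < Length) without IncrementErrorCount(), so a truncated structure is printed as if it were valid. Suggest checking each offset plus size against Length before its loop and reporting an error when it does not fit.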
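
Review bot: The new loop in ParseAcpiDbg2() is bounded only by Index++ < *NumberDbgDeviceInfo, so nothing checks Offset against AcpiTableLength before ParseAcpi() is handed Ptr + Offset and AcpiTableLength - Offset. If *OffsetDbgDeviceInfo is at or beyond the end of the table, the unsigned subtraction is zero or wraps to a very large length, and the header can be read from outside the table before the "lies inside the table" check runs. Add (Offset < AcpiTableLength) to the loop condition, as the GTDT patch in this series does. Also consider rejecting a *DbgDevInfoLen smaller than the 3-byte header described by DbgDevInfoHeaderParser, since a zero length makes every remaining iteration parse the same structure again.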
From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 2/6] ShellPkg: acpiview: GTDT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:03 +0100
Message-ID: <20190801084407.48712-3-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the GTDT table parsing logic to prevent reading past the ACPI buffer lengths provided and to make it consistent with other table parsers. This includes converting the do-while loop in ParseAcpiGtdt() into a while loop.

Remove a check which ensures that the entire Platform GT Block Structure buffer has been parsed. The ACPI specification does not ban from defining buffers which are larger than the size indicated by the count and sizes of substructures which constitute it.

Change the data type of the Length parameter to the DumpGTBlock() function to reflect the width of the respective ACPI structure's field.

References:
- ACPI 6.3, January 2019, Table 5-124

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
Reviewed-by: Sami Mujawar
Reviewed-by: Zhichao Gao
---

Notes:
    v1:
    - Prevent buffer overruns in GTDT acpiview parser [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c | 147 ++++++++++----------
 1 file changed, 76 insertions(+), 71 deletions(-)

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/Gtdt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtPa= rser.c index 1e5b5764f50a2d29aa904c889bc89af5bdc3af5c..57174e14c80072f12b90e1996eb= e8f0002d0c404 100644 
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c @@ -23,7 +23,6 @@ STATIC CONST UINT8* PlatformTimerType; STATIC CONST UINT16* PlatformTimerLength; STATIC CONST UINT32* GtBlockTimerCount; STATIC CONST UINT32* GtBlockTimerOffset; -STATIC CONST UINT16* GtBlockLength; STATIC ACPI_DESCRIPTION_HEADER_INFO AcpiHdrInfo; =20 /** @@ -127,7 +126,7 @@ STATIC CONST ACPI_PARSER GtPlatformTimerHeaderParser[] = =3D { **/ STATIC CONST ACPI_PARSER GtBlockParser[] =3D { {L"Type", 1, 0, L"%d", NULL, NULL, NULL, NULL}, - {L"Length", 2, 1, L"%d", NULL, (VOID**)&GtBlockLength, NULL, NULL}, + {L"Length", 2, 1, L"%d", NULL, NULL, NULL, NULL}, {L"Reserved", 1, 3, L"%x", NULL, NULL, NULL, NULL}, {L"Physical address (CntCtlBase)", 8, 4, L"0x%lx", NULL, NULL, NULL, NUL= L}, {L"Timer Count", 4, 12, L"%d", NULL, (VOID**)&GtBlockTimerCount, 
@@ -168,56 +167,43 @@ STATIC CONST ACPI_PARSER SBSAGenericWatchdogParser[] = =3D { /** This function parses the Platform GT Block. =20 - @param [in] Ptr Pointer to the start of the GT Block data. - @param [in] Length Length of the GT Block structure. + @param [in] Ptr Pointer to the start of the GT Block data. + @param [in] Length Length of the GT Block structure. **/ STATIC VOID DumpGTBlock ( IN UINT8* Ptr, - IN UINT32 Length + IN UINT16 Length ) { UINT32 Index; UINT32 Offset; - UINT32 GTBlockTimerLength; =20 - Offset =3D ParseAcpi ( - TRUE, - 2, - "GT Block", - Ptr, - Length, - PARSER_PARAMS (GtBlockParser) - ); - GTBlockTimerLength =3D (*GtBlockLength - Offset) / (*GtBlockTimerCount); - Length -=3D Offset; + ParseAcpi ( + TRUE, + 2, + "GT Block", + Ptr, + Length, + PARSER_PARAMS (GtBlockParser) + ); =20 - if (*GtBlockTimerCount !=3D 0) { - Ptr +=3D (*GtBlockTimerOffset); - Index =3D 0; - while ((Index < (*GtBlockTimerCount)) && (Length >=3D GTBlockTimerLeng= th)) { - Offset =3D ParseAcpi ( - TRUE, - 2, - "GT Block Timer", - Ptr, - GTBlockTimerLength, - PARSER_PARAMS (GtBlockTimerParser) - ); - // Increment by GT Block Timer structure size - Ptr +=3D Offset; - Length -=3D Offset; - Index++; - } + Offset =3D *GtBlockTimerOffset; + Index =3D 0; =20 - if (Length !=3D 0) { - IncrementErrorCount (); - Print ( - L"ERROR:GT Block Timer length mismatch. Unparsed %d bytes.\n", - Length - ); - } + // Parse the specified number of GT Block Timer Structures or the GT Blo= ck + // Structure buffer length. Whichever is minimum. + while ((Index++ < *GtBlockTimerCount) && + (Offset < Length)) { + Offset +=3D ParseAcpi ( + TRUE, + 2, + "GT Block Timer", + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (GtBlockTimerParser) + ); } } =20 @@ -270,6 +256,7 @@ ParseAcpiGtdt ( ) { UINT32 Index; + UINT32 Offset; UINT8* TimerPtr; =20 if (!Trace) { 
@@ -285,36 +272,54 @@ ParseAcpiGtdt ( PARSER_PARAMS (GtdtParser) ); =20 - if (*GtdtPlatformTimerCount !=3D 0) { - TimerPtr =3D Ptr + (*GtdtPlatformTimerOffset); - Index =3D 0; - do { - // Parse the Platform Timer Header - ParseAcpi ( - FALSE, - 0, - NULL, - TimerPtr, - 4, // GT Platform Timer structure header length. - PARSER_PARAMS (GtPlatformTimerHeaderParser) + TimerPtr =3D Ptr + *GtdtPlatformTimerOffset; + Offset =3D *GtdtPlatformTimerOffset; + Index =3D 0; + + // Parse the specified number of Platform Timer Structures or the GTDT + // buffer length. Whichever is minimum. + while ((Index++ < *GtdtPlatformTimerCount) && + (Offset < AcpiTableLength)) { + // Parse the Platform Timer Header to obtain Length and Type + ParseAcpi ( + FALSE, + 0, + NULL, + TimerPtr, + AcpiTableLength - Offset, + PARSER_PARAMS (GtPlatformTimerHeaderParser) + ); + + // Make sure the Platform Timer is inside the table. + if ((Offset + *PlatformTimerLength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Platform Timer Structure length. " \ + L"PlatformTimerLength =3D %d. 
RemainingTableBufferLength =3D %d.= " \ + L"GTDT parsing aborted.\n", + *PlatformTimerLength, + AcpiTableLength - Offset ); - switch (*PlatformTimerType) { - case EFI_ACPI_6_2_GTDT_GT_BLOCK: - DumpGTBlock (TimerPtr, *PlatformTimerLength); - break; - case EFI_ACPI_6_2_GTDT_SBSA_GENERIC_WATCHDOG: - DumpWatchdogTimer (TimerPtr, *PlatformTimerLength); - break; - default: - IncrementErrorCount (); - Print ( - L"ERROR: INVALID Platform Timer Type =3D %d\n", - *PlatformTimerType - ); - break; - } // switch - TimerPtr +=3D (*PlatformTimerLength); - Index++; - } while (Index < *GtdtPlatformTimerCount); - } + return; + } + + switch (*PlatformTimerType) { + case EFI_ACPI_6_3_GTDT_GT_BLOCK: + DumpGTBlock (TimerPtr, *PlatformTimerLength); + break; + case EFI_ACPI_6_3_GTDT_SBSA_GENERIC_WATCHDOG: + DumpWatchdogTimer (TimerPtr, *PlatformTimerLength); + break; + default: + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Platform Timer Type =3D %d\n", + *PlatformTimerType + ); + break; + } // switch + + TimerPtr +=3D *PlatformTimerLength; + Offset +=3D *PlatformTimerLength; + } // while } -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)' -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
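
Review bot: In DumpGTBlock(), the timer loop now stops quietly when Offset reaches Length before *GtBlockTimerCount timers have been parsed, and the last timer may be handed a Length - Offset shorter than a full GT Block Timer structure. With the old mismatch check removed, a Timer Count that does not fit in the block no longer produces any error. The commit message justifies dropping the check for buffers that are larger than their contents, not for ones that are too small, so suggest keeping IncrementErrorCount() and an ERROR print for the case where the loop exits with timers still outstanding. *GtBlockTimerOffset is also taken as the starting Offset without a check that it points past the fixed GT Block fields.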
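
Review bot: In the ParseAcpiGtdt() loop, *PlatformTimerLength is only compared against the end of the table, so a value of zero passes the check and neither TimerPtr nor Offset advances; the same structure is then parsed again on every iteration until Index reaches *GtdtPlatformTimerCount. Reject a length smaller than the platform timer header (the removed code used 4 bytes for it) before the switch. Two smaller points: TimerPtr always equals Ptr + Offset, so one of the two variables can go, and the switch moves from the EFI_ACPI_6_2_GTDT_* to the EFI_ACPI_6_3_GTDT_* constants without the commit message mentioning it.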
View/Reply Online (#44753): https://edk2.groups.io/g/devel/message/44753
Mute This Topic: https://groups.io/mt/32676830/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 3/6] ShellPkg: acpiview: IORT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:04 +0100
Message-ID: <20190801084407.48712-4-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the IORT table parsing logic to prevent reading past the buffer lengths provided.

Change DumpIortNodeIdMappings() function's signature and implementation to simplify buffer overrun prevention. Update all calls to this function accordingly.

Modify the parser for each type of IORT node such that the offset from the start of the node's buffer is tracked as the parsing function is executed. Again, this change helps prevent buffer overruns.

Test that the IORT node buffer fits in the table buffer before the node's buffer contents are dumped.

References:
- IO Remapping Table (Issue D), Platform Design Document, March 2018

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
Reviewed-by: Sami Mujawar
---

Notes:
    v1:
    - Prevent buffer overruns in IORT acpiview parser [Krzysztof]

ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c | 1= 91 +++++++++++--------- 1 file changed, 105 insertions(+), 86 deletions(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/Iort= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortPa= rser.c index 7c850b3813d5204775e2cc247cabf42358b25769..8912d415a755c7f892b5cd2edc5= 32aae8964a42c 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c @@ -247,42 +247,41 @@ STATIC CONST ACPI_PARSER IortNodePmcgParser[] =3D { /** This function parses the IORT Node Id Mapping array. =20 - @param [in] Ptr Pointer to the start of the IORT Table. + @param [in] Ptr Pointer to the start of the ID mapping array. + @param [in] Length Length of the buffer. @param [in] MappingCount The ID Mapping count. - @param [in] MappingOffset The offset of the ID Mapping array - from the start of the IORT table. **/ STATIC VOID DumpIortNodeIdMappings ( IN UINT8* Ptr, - IN UINT32 MappingCount, - IN UINT32 MappingOffset + IN UINT32 Length, + IN UINT32 MappingCount ) { - UINT8* IdMappingPtr; UINT32 Index; UINT32 Offset; CHAR8 Buffer[40]; // Used for AsciiName param of ParseAcpi =20 - IdMappingPtr =3D Ptr + MappingOffset; Index =3D 0; - while (Index < MappingCount) { + Offset =3D 0; + + while ((Index < MappingCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "ID Mapping [%d]", Index ); - Offset =3D ParseAcpi ( - TRUE, - 4, - Buffer, - IdMappingPtr, - 20, - PARSER_PARAMS (IortNodeIdMappingParser) - ); - IdMappingPtr +=3D Offset; + Offset +=3D ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (IortNodeIdMappingParser) + ); Index++; } } @@ -309,8 +308,6 @@ DumpIortNodeSmmuV1V2 ( UINT32 Offset; CHAR8 Buffer[50]; // Used for AsciiName param of ParseAcpi =20 - UINT8* ArrayPtr; - ParseAcpi ( TRUE, 2, 
@@ -320,51 +317,55 @@ DumpIortNodeSmmuV1V2 ( PARSER_PARAMS (IortNodeSmmuV1V2Parser) ); =20 - ArrayPtr =3D Ptr + *InterruptContextOffset; + Offset =3D *InterruptContextOffset; Index =3D 0; - while (Index < *InterruptContextCount) { + + while ((Index < *InterruptContextCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "Context Interrupts Array [%d]", Index ); - Offset =3D ParseAcpi ( - TRUE, - 4, - Buffer, - ArrayPtr, - 8, - PARSER_PARAMS (InterruptArrayParser) - ); - ArrayPtr +=3D Offset; + Offset +=3D ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (InterruptArrayParser) + ); Index++; } =20 - ArrayPtr =3D Ptr + *PmuInterruptOffset; + Offset =3D *PmuInterruptOffset; Index =3D 0; - while (Index < *PmuInterruptCount) { + + while ((Index < *PmuInterruptCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "PMU Interrupts Array [%d]", Index ); - Offset =3D ParseAcpi ( - TRUE, - 4, - Buffer, - ArrayPtr, - 8, - PARSER_PARAMS (InterruptArrayParser) - ); - ArrayPtr +=3D Offset; + Offset +=3D ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (InterruptArrayParser) + ); Index++; } =20 - if (*IortIdMappingCount !=3D 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } =20 /** @@ -394,9 +395,11 @@ DumpIortNodeSmmuV3 ( PARSER_PARAMS (IortNodeSmmuV3Parser) ); =20 - if (*IortIdMappingCount !=3D 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } =20 /** 
@@ -414,40 +417,40 @@ DumpIortNodeIts ( { UINT32 Offset; UINT32 Index; - UINT8* ItsIdPtr; CHAR8 Buffer[80]; // Used for AsciiName param of ParseAcpi =20 Offset =3D ParseAcpi ( - TRUE, - 2, - "ITS Node", - Ptr, - Length, - PARSER_PARAMS (IortNodeItsParser) - ); + TRUE, + 2, + "ITS Node", + Ptr, + Length, + PARSER_PARAMS (IortNodeItsParser) + ); =20 - ItsIdPtr =3D Ptr + Offset; Index =3D 0; - while (Index < *ItsCount) { + + while ((Index < *ItsCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "GIC ITS Identifier Array [%d]", Index ); - Offset =3D ParseAcpi ( - TRUE, - 4, - Buffer, - ItsIdPtr, - 4, - PARSER_PARAMS (ItsIdParser) - ); - ItsIdPtr +=3D Offset; + Offset +=3D ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (ItsIdParser) + ); Index++; } =20 // Note: ITS does not have the ID Mappings Array + } =20 /** @@ -470,8 +473,6 @@ DumpIortNodeNamedComponent ( { UINT32 Offset; UINT32 Index; - UINT8* DeviceNamePtr; - UINT32 DeviceNameLength; =20 Offset =3D ParseAcpi ( TRUE, @@ -482,19 +483,22 @@ DumpIortNodeNamedComponent ( PARSER_PARAMS (IortNodeNamedComponentParser) ); =20 - DeviceNamePtr =3D Ptr + Offset; // Estimate the Device Name length - DeviceNameLength =3D Length - Offset - (MappingCount * 20); PrintFieldName (2, L"Device Object Name"); Index =3D 0; - while ((Index < DeviceNameLength) && (DeviceNamePtr[Index] !=3D 0)) { - Print (L"%c", DeviceNamePtr[Index++]); + + while ((*(Ptr + Offset) !=3D 0) && + (Offset < Length)) { + Print (L"%c", *(Ptr + Offset)); + Offset++; } Print (L"\n"); =20 - if (*IortIdMappingCount !=3D 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } =20 /** 
@@ -524,9 +528,11 @@ DumpIortNodeRootComplex ( PARSER_PARAMS (IortNodeRootComplexParser) ); =20 - if (*IortIdMappingCount !=3D 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } =20 /** @@ -554,11 +560,13 @@ DumpIortNodePmcg ( Ptr, Length, PARSER_PARAMS (IortNodePmcgParser) - ); + ); =20 - if (*IortIdMappingCount !=3D 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } =20 /** 
@@ -605,23 +613,34 @@ ParseAcpiIort ( AcpiTableLength, PARSER_PARAMS (IortParser) ); + Offset =3D *IortNodeOffset; NodePtr =3D Ptr + Offset; Index =3D 0; =20 - while ((Index < *IortNodeCount) && (Offset < AcpiTableLength)) { + // Parse the specified number of IORT nodes or the IORT table buffer len= gth. + // Whichever is minimum. + while ((Index++ < *IortNodeCount) && + (Offset < AcpiTableLength)) { // Parse the IORT Node Header ParseAcpi ( FALSE, 0, "IORT Node Header", NodePtr, - 16, + AcpiTableLength - Offset, PARSER_PARAMS (IortNodeHeaderParser) ); - if (*IortNodeLength =3D=3D 0) { + + // Make sure the IORT Node is inside the table + if ((Offset + (*IortNodeLength)) > AcpiTableLength) { IncrementErrorCount (); - Print (L"ERROR: Parser error. Invalid table data.\n"); + Print ( + L"ERROR: Invalid IORT node length. IortNodeLength =3D %d. " \ + L"RemainingTableBufferLength =3D %d. IORT parsing aborted.\n", + *IortNodeLength, + AcpiTableLength - Offset + ); return; } =20 -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)' -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
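Review bot: In the DumpIortNodeIdMappings hunk, the loop `while ((Index < MappingCount) && (Offset < Length))` ends silently when Offset reaches Length before MappingCount entries have been parsed, so a node whose mapping count overstates its array is dumped without any error. Suggest calling IncrementErrorCount and printing a message when the loop exits with `Index < MappingCount`, in line with what ParseAcpiIort does for an oversized node. The new `@param [in] Length` comment would also be clearer if it said the length is the number of bytes from Ptr to the end of the node.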
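Review bot: The new call `DumpIortNodeIdMappings (Ptr + MappingOffset, Length - MappingOffset, MappingCount)` in the DumpIortNodeSmmuV1V2 hunk computes `Length - MappingOffset` without first checking that MappingOffset lies inside the node. Length is UINT32 in the new signature, so a MappingOffset larger than Length wraps to a very large value and the `Offset < Length` guard inside the callee no longer bounds the reads. Suggest validating `MappingOffset < Length` before the call and reporting an error otherwise. The same call is added in the SMMUv3, Named Component, Root Complex and PMCG hunks, so one check inside a small wrapper would cover all of them.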
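Review bot: In the DumpIortNodeNamedComponent hunk, the condition `(*(Ptr + Offset) != 0) && (Offset < Length)` reads the byte before testing the bound, so a device name with no terminating NUL inside the node causes one read at Ptr + Length. Swap the operands so `Offset < Length` is evaluated first. After this change `Index` is still declared and set to 0 in this function but is no longer used in the visible lines, so it can be removed.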
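Review bot: The ParseAcpiIort hunk removes the `*IortNodeLength == 0` rejection and replaces it with `(Offset + (*IortNodeLength)) > AcpiTableLength`, which a zero length passes. If the rest of the loop still advances by *IortNodeLength, a zero-length node is then parsed repeatedly until Index reaches *IortNodeCount. Suggest keeping the zero check (or rejecting any length below the node header size) alongside the new test. Since the condition now increments Index itself (`Index++ < *IortNodeCount`), please also confirm that no increment remains at the end of the loop body, which this hunk does not show.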
View/Reply Online (#44758): https://edk2.groups.io/g/devel/message/44758

From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 4/6] ShellPkg: acpiview: MADT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:05 +0100
Message-ID: <20190801084407.48712-5-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the parsing logic to prevent reading past the MADT table buffer length provided when parsing the Interrupt Controller Structure header.

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
Reviewed-by: Sami Mujawar
---

Notes:
    v1:
    - Prevent buffer overruns in MADT acpiview parser [Krzysztof]

ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 2= +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/Madt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtPa= rser.c index d80ebd1a2bae7a4acffe687ca5ee7b4090f0e223..90bdafea1970db522e8ed96de7c= 6e986cdaca5ba 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
@@ -256,7 +256,7 @@ ParseAcpiMadt ( 0, NULL, InterruptContollerPtr, - 2, // Length is 1 byte at offset 1 + AcpiTableLength - Offset, PARSER_PARAMS (MadtInterruptControllerHeaderParser) ); =20 -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#44755): https://edk2.groups.io/g/devel/message/44755
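Review bot: Passing `AcpiTableLength - Offset` in ParseAcpiMadt bounds only the Interrupt Controller Structure header parse; nothing in this hunk checks the structure's own Length field against the remaining table before the structure is dumped. The GTDT and IORT patches in this series add exactly that check with an error message and an early return, so suggest doing the same here, including rejection of a zero length. The removed comment `// Length is 1 byte at offset 1` documented why two bytes were enough, so a short replacement comment saying that the remaining table length is passed to bound the header parse would help.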
1 Aug 2019 08:44:17 +0000 X-Received: from E119924.Arm.com (10.1.199.124) by mail.arm.com (10.251.24.32) with Microsoft SMTP Server id 15.1.1415.2 via Frontend Transport; Thu, 1 Aug 2019 08:44:17 +0000 
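Review bot: in the ParseAcpiMadt hunk above, replacing "2, // Length is 1 byte at offset 1" with "AcpiTableLength - Offset" drops the only note that the interrupt controller header is 2 bytes, and nothing visible explains why the remaining table length is passed instead. Add a comment saying so, and confirm the enclosing loop guarantees Offset is below AcpiTableLength at this call, so the unsigned subtraction cannot wrap into a very large length.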
From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 5/6] ShellPkg: acpiview: PPTT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:06 +0100
Message-ID: <20190801084407.48712-6-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the PPTT table parsing logic to prevent reading past the ACPI buffer lengths provided.

Check if the Number of Private Resources specified in the Processor Hierarchy Node (Type 0) is possible given the Type 0 Structure's buffer length.

Make sure that the processor topology structure's buffer fits in the PPTT table buffer before its contents are dumped.

Prevent buffer overruns when reading the processor topology structure's header.

References:
- ACPI 6.3, January 2019, Section 5.2.29

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
Reviewed-by: Sami Mujawar
---

Notes:
    v1:
    - Prevent buffer overruns in PPTT acpiview parser [Krzysztof]

ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 3= 8 ++++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/Pptt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttPa= rser.c index cec57be55e77096f9448f637ea129af2b42111ad..6254b9913fffb429fc54bb1301b= f3e4b2e5bf161 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c
@@ -252,7 +252,6 @@ DumpProcessorHierarchyNodeStructure ( ) { UINT32 Offset; - UINT8* PrivateResourcePtr; UINT32 Index; CHAR16 Buffer[OUTPUT_FIELD_COLUMN_WIDTH]; =20 @@ -265,8 +264,23 @@ DumpProcessorHierarchyNodeStructure ( PARSER_PARAMS (ProcessorHierarchyNodeStructureParser) ); =20 - PrivateResourcePtr =3D Ptr + Offset; + // Make sure the Private Resource array lies inside this structure + if (Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Number of Private Resources. " \ + L"PrivateResourceCount =3D %d. RemainingBufferLength =3D %d. " \ + L"Parsing of this structure aborted.\n", + *NumberOfPrivateResources, + Length - Offset + ); + return; + } + Index =3D 0; + + // Parse the specified number of private resource references or the Proc= essor + // Hierarchy Node length. Whichever is minimum. while (Index < *NumberOfPrivateResources) { UnicodeSPrint ( Buffer, @@ -278,10 +292,10 @@ DumpProcessorHierarchyNodeStructure ( PrintFieldName (4, Buffer); Print ( L"0x%x\n", - *((UINT32*) PrivateResourcePtr) + *((UINT32*)(Ptr + Offset)) ); =20 - PrivateResourcePtr +=3D sizeof(UINT32); + Offset +=3D sizeof (UINT32); Index++; } } 
@@ -382,19 +396,21 @@ ParseAcpiPptt ( 0, NULL, ProcessorTopologyStructurePtr, - 4, // Length of the processor topology structure header is 4 bytes + AcpiTableLength - Offset, PARSER_PARAMS (ProcessorTopologyStructureHeaderParser) ); =20 - if ((Offset + (*ProcessorTopologyStructureLength)) > AcpiTableLength) { + // Make sure the PPTT structure lies inside the table + if ((Offset + *ProcessorTopologyStructureLength) > AcpiTableLength) { IncrementErrorCount (); Print ( - L"ERROR: Invalid processor topology structure length:" - L" Type =3D %d, Length =3D %d\n", - *ProcessorTopologyStructureType, - *ProcessorTopologyStructureLength + L"ERROR: Invalid PPTT structure length. " \ + L"ProcessorTopologyStructureLength =3D %d. " \ + L"RemainingTableBufferLength =3D %d. PPTT parsing aborted.\n", + *ProcessorTopologyStructureLength, + AcpiTableLength - Offset ); - break; + return; } =20 PrintFieldName (2, L"* Structure Offset *"); -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
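Review bot: in the DumpProcessorHierarchyNodeStructure hunk at -265 of the PPTT patch, the bound check "Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length" can wrap. If the count is a 32-bit value (the loop compares it against the UINT32 Index), then on a build where sizeof yields a 32-bit type a large count makes the product, or its sum with Offset, wrap around and pass the check, after which the while loop reads past the structure. Compare the count against (Length - Offset) / sizeof (UINT32) after checking Offset <= Length, which also keeps the "Length - Offset" printed in the error from underflowing. The added comment ending "Whichever is minimum" does not match the code, which aborts rather than clamps, so it should be reworded.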
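Review bot: in the ParseAcpiPptt hunk at -382 of the PPTT patch, the new check bounds ProcessorTopologyStructureLength only from above. A length of zero, or anything below the 4-byte header that the removed comment mentions, still passes, so the code after the check runs on a structure that cannot hold its own header. Reject lengths smaller than the header size in the same if statement. The new message also drops the Type value the old one printed, which helped locate a bad structure in a dump; consider keeping it.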
From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 6/6] ShellPkg: acpiview: SRAT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:07 +0100
Message-ID: <20190801084407.48712-7-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the SRAT parsing logic to prevent reading past the table buffer length provided.

Check if the Static Resource Allocation Structure's buffer fits in the SRAT table buffer before its contents are dumped.

Prevent buffer overruns when reading the Static Resource Allocation Structure's header.

References:
- ACPI 6.3, January 2019, Section 5.2.16

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
Reviewed-by: Sami Mujawar
---

Notes:
    v1:
    - Prevent buffer overruns in SRAT acpiview parser [Krzysztof]

ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 1= 4 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/Srat= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratPa= rser.c index 59c77401eaab32b73a9f83fd4d63785221b3c222..a8aa420487bb6bf29fc38221d0b= 221573c64b8b3 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
@@ -215,10 +215,22 @@ ParseAcpiSrat ( 0, NULL, ResourcePtr, - 2, // The length is 1 byte at offset 1 + AcpiTableLength - Offset, PARSER_PARAMS (SratResourceAllocationParser) ); =20 + // Make sure the SRAT structure lies inside the table + if ((Offset + *SratRALength) > AcpiTableLength) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid SRAT structure length. SratRALength =3D %d. " \ + L"RemainingTableBufferLength =3D %d. SRAT parsing aborted.\n", + *SratRALength, + AcpiTableLength - Offset + ); + return; + } + switch (*SratRAType) { case EFI_ACPI_6_2_GICC_AFFINITY: AsciiSPrint ( -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
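Review bot: in the ParseAcpiSrat hunk above, *SratRALength and *SratRAType are dereferenced right after ParseAcpi is handed "AcpiTableLength - Offset", with no check that the 2 header bytes (the removed comment: the length is 1 byte at offset 1) are still inside the table. When only one byte remains, the Length field lies outside the buffer, and the visible lines do not show what the two pointers hold in that case. Verify that the remaining length covers the header, or that both pointers were populated by the parser, before the new comparison and the switch.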