From: "Krzysztof Koch"
Subject: [edk2-devel] [PATCH v1 5/6] ShellPkg: acpiview: PPTT: Prevent buffer overruns
Date: Thu, 1 Aug 2019 09:44:06 +0100
Message-ID: <20190801084407.48712-6-krzysztof.koch@arm.com>
In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com>
References: <20190801084407.48712-1-krzysztof.koch@arm.com>

Modify the PPTT table parsing logic to prevent reading past the ACPI buffer lengths provided.

Check if the Number of Private Resources specified in the Processor Hierarchy Node (Type 0) is possible given the Type 0 Structure's buffer length.

Make sure that the processor topology structure's buffer fits in the PPTT table buffer before its contents are dumped.

Prevent buffer overruns when reading the processor topology structure's header.

References:
- ACPI 6.3, January 2019, Section 5.2.29

Signed-off-by: Krzysztof Koch
Reviewed-by: Alexei Fedorov
---

Notes:
    v1:
    - Prevent buffer overruns in PPTT acpiview parser [Krzysztof]

ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 3= 8 ++++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/Pptt= Parser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttPa= rser.c index cec57be55e77096f9448f637ea129af2b42111ad..6254b9913fffb429fc54bb1301b= f3e4b2e5bf161 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c 
@@ -252,7 +252,6 @@ DumpProcessorHierarchyNodeStructure ( ) { UINT32 Offset; - UINT8* PrivateResourcePtr; UINT32 Index; CHAR16 Buffer[OUTPUT_FIELD_COLUMN_WIDTH]; =20 @@ -265,8 +264,23 @@ DumpProcessorHierarchyNodeStructure ( PARSER_PARAMS (ProcessorHierarchyNodeStructureParser) ); =20 - PrivateResourcePtr =3D Ptr + Offset; + // Make sure the Private Resource array lies inside this structure + if (Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length) { + IncrementErrorCount (); + Print ( + L"ERROR: Invalid Number of Private Resources. " \ + L"PrivateResourceCount =3D %d. RemainingBufferLength =3D %d. " \ + L"Parsing of this structure aborted.\n", + *NumberOfPrivateResources, + Length - Offset + ); + return; + } + Index =3D 0; + + // Parse the specified number of private resource references or the Proc= essor + // Hierarchy Node length. Whichever is minimum. while (Index < *NumberOfPrivateResources) { UnicodeSPrint ( Buffer, @@ -278,10 +292,10 @@ DumpProcessorHierarchyNodeStructure ( PrintFieldName (4, Buffer); Print ( L"0x%x\n", - *((UINT32*) PrivateResourcePtr) + *((UINT32*)(Ptr + Offset)) ); =20 - PrivateResourcePtr +=3D sizeof(UINT32); + Offset +=3D sizeof (UINT32); Index++; } } 
@@ -382,19 +396,21 @@ ParseAcpiPptt ( 0, NULL, ProcessorTopologyStructurePtr, - 4, // Length of the processor topology structure header is 4 bytes + AcpiTableLength - Offset, PARSER_PARAMS (ProcessorTopologyStructureHeaderParser) ); =20 - if ((Offset + (*ProcessorTopologyStructureLength)) > AcpiTableLength) { + // Make sure the PPTT structure lies inside the table + if ((Offset + *ProcessorTopologyStructureLength) > AcpiTableLength) { IncrementErrorCount (); Print ( - L"ERROR: Invalid processor topology structure length:" - L" Type =3D %d, Length =3D %d\n", - *ProcessorTopologyStructureType, - *ProcessorTopologyStructureLength + L"ERROR: Invalid PPTT structure length. " \ + L"ProcessorTopologyStructureLength =3D %d. " \ + L"RemainingTableBufferLength =3D %d. PPTT parsing aborted.\n", + *ProcessorTopologyStructureLength, + AcpiTableLength - Offset ); - break; + return; } =20 PrintFieldName (2, L"* Structure Offset *"); -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
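
Review bot: In the @@ -265,8 +264,23 @@ hunk of DumpProcessorHierarchyNodeStructure, the new check `Offset + (*NumberOfPrivateResources * sizeof (UINT32)) > Length` multiplies the table-supplied count before comparing, so on a build where that arithmetic is carried out in 32 bits a large count can wrap the product, pass the check, and let the loop that follows read past the structure. Compare the count against the remaining space instead: reject when `Offset > Length` or when `*NumberOfPrivateResources > (Length - Offset) / sizeof (UINT32)`. Checking `Offset > Length` first also keeps the `Length - Offset` value printed in the error message from underflowing. Separately, the added comment ending "Whichever is minimum." does not match the code: after the early return the loop always walks exactly `*NumberOfPrivateResources` entries, so the comment should say that.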
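
Review bot: In the @@ -382,19 +396,21 @@ hunk of ParseAcpiPptt, the length check sets only an upper bound: a `*ProcessorTopologyStructureLength` of zero, or any value below the 4-byte header size named in the removed comment, still passes `(Offset + *ProcessorTopologyStructureLength) > AcpiTableLength`. Add a lower bound next to it (length at least the header size) so that a malformed table cannot produce a structure shorter than its own header, or a zero-length step if the enclosing loop advances by this value. Also, now that the header parse receives `AcpiTableLength - Offset` instead of 4, confirm that a full header actually remains in the table before `*ProcessorTopologyStructureLength` is dereferenced; the visible lines dereference it unconditionally. The new message also drops the structure Type that the old one printed, which was useful when triaging a bad table.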