From: "Liming Gao" To: devel@edk2.groups.io Cc: Bob Feng , Isaac Oram Subject: [edk2-devel] [edk2-platform][patch v2] FitGen: Fix the issue to run in X64 linux machine Date: Tue, 4 Feb 2020 17:06:37 +0800 Message-Id: <20200204090637.332-1-liming.gao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,liming.gao@intel.com X-Gm-Message-State: lj0dtTmRd10eVjyGVIJNIZqLx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1580807220; bh=J5W6YvLconqv+qXuqnzi/5QzjyVvqeIKL+uVXeErYZY=; h=Cc:Date:From:Reply-To:Subject:To; b=D49GRtWfNXIio9Y7u1HLxjjYiHn49edhloG5KkFlgEpJDoloEizI0aB+Au7v4OXziLN bh9A1IfzFo3jsqIjgvWy8htz1AH5PMM0AWsiHqBuT4xNBoaCNSCefwJnVwIU4aRQR53do z+2B128TJ1KWjXKWl1ZcSNlbIMrCmX14/5o= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2466 Memory allocation (malloc) may return the buffer address be above 4G. Current logic always converts the memory address to UINT32. It will cause memory read and free corrupt. This patch uses pointer to store the allocated memory address. Cc: Bob Feng Cc: Isaac Oram Signed-off-by: Liming Gao --- In V2, add the detail commit message. Silicon/Intel/Tools/FitGen/FitGen.c | 31 ++++++++++++++++++++----------- Silicon/Intel/Tools/FitGen/FitGen.h | 2 +- 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/Silicon/Intel/Tools/FitGen/FitGen.c b/Silicon/Intel/Tools/FitG= en/FitGen.c index 833610f2a0..c9dfa23a2c 100644 --- a/Silicon/Intel/Tools/FitGen/FitGen.c +++ b/Silicon/Intel/Tools/FitGen/FitGen.c @@ -2,7 +2,7 @@ This utility is part of build process for IA32/X64 FD. It generates FIT table. =20 -Copyright (c) 2010-2019, Intel Corporation. All rights reserved.
+Copyright (c) 2010-2020, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -226,9 +226,17 @@ typedef struct { #define FIT_TABLE_TYPE_BIOS_DATA_AREA 13 #define FIT_TABLE_TYPE_CSE_SECURE_BOOT 16 =20 +// +// With OptionalModule Address isn't known until free space has been +// identified and the optional module has been copied into the FLASH +// image buffer (or initialized to be populated later by another program). +// This is very dangerous code as it can truncate 64b pointers to +// allocated memory buffers. The full pointer is in Buffer for that case. +// typedef struct { UINT32 Type; UINT32 Address; + UINT8 *Buffer; // Used by OptionalModule only UINT32 Size; UINT32 Version; // Used by OptionalModule and PortModule only } FIT_TABLE_CONTEXT_ENTRY; @@ -575,9 +583,9 @@ Returns: UINT64 FvLength; EFI_GUID *TempGuid; UINT8 *FixPoint; - UINT32 Offset; - UINT32 FileLength; - UINT32 FileOccupiedSize; + UINTN Offset; + UINTN FileLength; + UINTN FileOccupiedSize; =20 // // Find the FFS file @@ -595,7 +603,7 @@ Returns: InitializeFvLib (FvHeader, (UINT32)FvLength); =20 FileHeader =3D (EFI_FFS_FILE_HEADER *)((UINTN)FvHeader + FvHeade= r->HeaderLength); - Offset =3D (UINT32) (UINTN) FileHeader - (UINT32) (UINTN) Fv= Header; + Offset =3D (UINTN) FileHeader - (UINTN) FvHeader; =20 while (Offset < FvLength) { TempGuid =3D (EFI_GUID *)&(FileHeader->Name); @@ -625,7 +633,7 @@ Returns: return FixPoint; } FileHeader =3D (EFI_FFS_FILE_HEADER *)((UINTN)FileHeader + FileOccup= iedSize); - Offset =3D (UINT32) (UINTN) FileHeader - (UINT32) (UINTN) FvHeader; + Offset =3D (UINTN) FileHeader - (UINTN) FvHeader; } =20 // 
@@ -1082,7 +1090,7 @@ Returns: return 0; } gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber]= .Type =3D FIT_TABLE_TYPE_MICROCODE; - gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber]= .Address =3D MicrocodeBase + ((UINT32) (UINTN) MicrocodeBuffer - (UINT32) (= UINTN) MicrocodeFileBuffer); + gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber]= .Address =3D MicrocodeBase + (UINT32)((UINTN) MicrocodeBuffer - (UINTN) Mic= rocodeFileBuffer); gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber]= .Size =3D MicrocodeSize; gFitTableContext.MicrocodeNumber++; gFitTableContext.FitEntryNumber++; @@ -1110,7 +1118,7 @@ Returns: /// while (MicrocodeBuffer + SlotSize <=3D MicrocodeFileBuffer += MicrocodeFileSize) { gFitTableContext.Microcode[gFitTableContext.MicrocodeNumbe= r].Type =3D FIT_TABLE_TYPE_MICROCODE; - gFitTableContext.Microcode[gFitTableContext.MicrocodeNumbe= r].Address =3D MicrocodeBase + ((UINT32) (UINTN) MicrocodeBuffer - (UINT32)= (UINTN) MicrocodeFileBuffer); + gFitTableContext.Microcode[gFitTableContext.MicrocodeNumbe= r].Address =3D MicrocodeBase + (UINT32)((UINTN) MicrocodeBuffer - (UINTN) M= icrocodeFileBuffer); gFitTableContext.MicrocodeNumber++; gFitTableContext.FitEntryNumber++; =20 @@ -1428,7 +1436,7 @@ Returns: return 0; } gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber].Type = =3D FIT_TABLE_TYPE_MICROCODE; - gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber].Address= =3D MicrocodeBase + ((UINT32) (UINTN) MicrocodeBuffer - (UINT32) (UINTN) M= icrocodeFileBuffer); + gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber].Address= =3D MicrocodeBase + (UINT32)((UINTN) MicrocodeBuffer - (UINTN) MicrocodeFi= leBuffer); gFitTableContext.Microcode[gFitTableContext.MicrocodeNumber].Size = =3D MicrocodeSize; gFitTableContext.MicrocodeNumber++; gFitTableContext.FitEntryNumber++; 
@@ -1557,6 +1565,7 @@ Returns: } gFitTableContext.OptionalModule[gFitTableContext.OptionalModuleNumber]= .Type =3D Type; gFitTableContext.OptionalModule[gFitTableContext.OptionalModuleNumber]= .Address =3D (UINT32) (UINTN) FileBuffer; + gFitTableContext.OptionalModule[gFitTableContext.OptionalModuleNumber]= .Buffer =3D FileBuffer; gFitTableContext.OptionalModule[gFitTableContext.OptionalModuleNumber]= .Size =3D FileSize; =20 // @@ -1846,8 +1855,8 @@ Returns: } } } - memcpy (OptionalModuleAddress, (VOID *) (UINTN) gFitTableContext.Opt= ionalModule[Index].Address, gFitTableContext.OptionalModule[Index].Size); - free ((VOID *) (UINTN) gFitTableContext.OptionalModule[Index].Addres= s); + memcpy (OptionalModuleAddress, gFitTableContext.OptionalModule[gFitT= ableContext.OptionalModuleNumber].Buffer, gFitTableContext.OptionalModule[I= ndex].Size); + free (gFitTableContext.OptionalModule[gFitTableContext.OptionalModul= eNumber].Buffer); gFitTableContext.OptionalModule[Index].Address =3D MEMORY_TO_FLASH (= OptionalModuleAddress, FvBuffer, FvSize); } // diff --git a/Silicon/Intel/Tools/FitGen/FitGen.h b/Silicon/Intel/Tools/FitG= en/FitGen.h index 9bd3f6824b..ecb5822d32 100644 --- a/Silicon/Intel/Tools/FitGen/FitGen.h +++ b/Silicon/Intel/Tools/FitGen/FitGen.h @@ -31,7 +31,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent // Utility version information // #define UTILITY_MAJOR_VERSION 0 -#define UTILITY_MINOR_VERSION 56 +#define UTILITY_MINOR_VERSION 57 #define UTILITY_DATE __DATE__ =20 // --=20 2.13.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#53716): https://edk2.groups.io/g/devel/message/53716 Mute This Topic: https://groups.io/mt/70968976/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
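Review bot: In the last FitGen.c hunk (@@ -1846), the new `memcpy` and `free` read `OptionalModule[gFitTableContext.OptionalModuleNumber].Buffer`, while the copy length and the `Address` assignment around them still use `OptionalModule[Index]`. The hunk at @@ -1557 fills the entry at `OptionalModuleNumber`, so by this point that value is presumably the entry count rather than the current entry; the copy would then take its source from a slot that was never filled, with a length belonging to a different entry, and `free` would release the wrong pointer while the real buffers leak. Both lines should index with `Index`: `memcpy (OptionalModuleAddress, gFitTableContext.OptionalModule[Index].Buffer, gFitTableContext.OptionalModule[Index].Size);` and `free (gFitTableContext.OptionalModule[Index].Buffer);`. Setting `Buffer` to `NULL` after the free would also keep a stale host pointer from sitting next to the flash `Address`. The enclosing loop starts and ends outside the hunk, so the bounds of `Index` are not visible here.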