From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Eric Dong, Ray Ni, Laszlo Ersek, Rahul Kumar
Subject: [edk2-devel] [PATCH v1 1/1] UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
Date: Fri, 26 Mar 2021 16:41:42 -0700
Message-Id: <20210326234142.1973-2-kuqin12@gmail.com>
In-Reply-To: <20210326234142.1973-1-kuqin12@gmail.com>
References: <20210326234142.1973-1-kuqin12@gmail.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283

Current SMM Save State routine does not check the number of bytes to be read, when it comes to read IO_INFO, before casting the incoming buffer to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory corruption due to extra bytes being written out of the buffer boundary.

This change adds a width check before copying IoInfo into output buffer.

Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Signed-off-by: Kun Qin
Reviewed-by: Laszlo Ersek
Reviewed-by: Ray Ni
---
 UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
index 661cc51f361a..ec760e4c37ca 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
@@ -418,6 +418,13 @@ ReadSaveStateRegister ( return EFI_NOT_FOUND; } =20 + // + // Make sure the incoming buffer is large enough to hold IoInfo before= accessing + // + if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) { + return EFI_INVALID_PARAMETER; + } + // // Zero the IoInfo structure that will be returned in Buffer // --=20 2.31.0.windows.1
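Review bot: the new early return introduces an EFI_INVALID_PARAMETER outcome for ReadSaveStateRegister when Width is smaller than sizeof (EFI_SMM_SAVE_STATE_IO_INFO); the function's @retval documentation (not visible in this hunk) should list that condition if it does not already, since callers that dispatch on the status need to know an undersized buffer is now rejected rather than partially filled. The placement itself is right: the check follows the EFI_NOT_FOUND path and precedes the "Zero the IoInfo structure that will be returned in Buffer" step, so nothing is written through Buffer until Width is known to cover the structure. Using `<` rather than `!=` is consistent with the comment's wording ("large enough to hold IoInfo"), so a caller passing a larger buffer keeps working.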