From nobody Fri Apr 26 07:23:50 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+73742+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+73742+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=gmail.com
ARC-Seal: i=1; a=rsa-sha256; t=1617738787; cv=none;
	d=zohomail.com; s=zohoarc;
	b=ZbHAjEixwTXJzsex+gLWIuEZF3wkIexLB//iSbvQF7MdiVHpxl24zk2p1yeNPsv1TZLYfuVjS1rM7gFXsfhXM1hKPv7tiZzeXH3/sgIn1YEBYtcNCslBbYN2GeyGeZIesUCpWnKflXhI3GNteftUiSS8cnFoJpej6mHqlqjgN3M=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1617738787;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=tVea4ZKvwtTNo5dgZ0JGwZGVfpOueFnhQ+sz/OYPvUM=;
	b=FQQgS+rYmttMbyrPAf6za2HKWGEqw+jKpnsXPH09sGPKLMbwpRSFN8adQjZT9mD7Z50cdyDQ98+YugSSOust9GazKn8sH7POEzc82bXsyU0pFkVdBXabfa++I48dMMztqluwNmo8fPa/I2w+yezSnu1b2GT8r0ulgEfuQPbHuSs=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+73742+1787277+3901457@groups.io;
	dmarc=fail header.from=<kuqin12@gmail.com> (p=none dis=none)
 header.from=<kuqin12@gmail.com>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1617738787177456.7788234069743;
 Tue, 6 Apr 2021 12:53:07 -0700 (PDT)
Return-Path: <bounce+27952+73742+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id OazXYY1788612xRPZqWf0W1i;
 Tue, 06 Apr 2021 12:53:06 -0700
X-Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com
 [209.85.215.180])
 by mx.groups.io with SMTP id smtpd.web09.2332.1617738786188364078
 for <devel@edk2.groups.io>;
 Tue, 06 Apr 2021 12:53:06 -0700
X-Received: by mail-pg1-f180.google.com with SMTP id h25so11172493pgm.3
        for <devel@edk2.groups.io>; Tue, 06 Apr 2021 12:53:06 -0700 (PDT)
X-Gm-Message-State: WshWAIuxNMxauiW0Pfm9Km7Mx1787277AA=
X-Google-Smtp-Source: 
 ABdhPJzLumZCWGxhqa5zsfTEmkqIcTIdg5fykES5R3cEFXcbH00UCls5GPd9pbHsl9yomzlLMnaSdw==
X-Received: by 2002:aa7:9533:0:b029:241:9d92:92e1 with SMTP id
 c19-20020aa795330000b02902419d9292e1mr283998pfp.14.1617738785496;
        Tue, 06 Apr 2021 12:53:05 -0700 (PDT)
X-Received: from localhost.localdomain ([50.35.88.161])
        by smtp.gmail.com with ESMTPSA id
 67sm20229577pfb.148.2021.04.06.12.53.04
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 06 Apr 2021 12:53:04 -0700 (PDT)
From: "Kun Qin" <kuqin12@gmail.com>
To: devel@edk2.groups.io
Cc: Eric Dong <eric.dong@intel.com>,
	Ray Ni <ray.ni@intel.com>,
	Laszlo Ersek <lersek@redhat.com>,
	Rahul Kumar <rahul1.kumar@intel.com>
Subject: [edk2-devel] [PATCH v1 1/1] UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer
 size before accessing
Date: Tue,  6 Apr 2021 12:52:54 -0700
Message-Id: <20210406195254.1018-2-kuqin12@gmail.com>
In-Reply-To: <20210406195254.1018-1-kuqin12@gmail.com>
References: <20210406195254.1018-1-kuqin12@gmail.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,kuqin12@gmail.com
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1617738786;
 bh=JGceVGl9GpBZUVaTHS7gkq1bzGEzgU978ID2dN0VbPQ=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=wh9DhHKsIsH37xMSYMUlmpNPKXzv9LssDpaVelYkf1KxeYkckg0imwMiMF1tsbGskvD
 Y0KsPwnjfOQz9CtLYdH0UD4Pf7KogBJNJMmFWKVdEBMrDbk8XTq6og56aCgB/0TynjYC2
 stCq0aWMtuM5PUHqofaYtCR3jc16bSTl1uw=
X-ZohoMail-DKIM: pass (identity @groups.io)
Content-Type: text/plain; charset="utf-8"

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3283

Current SMM Save State routine does not check the number of bytes to be
read, when it comse to read IO_INFO, before casting the incoming buffer
to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory
corruption due to extra bytes are written out of buffer boundary.

This change adds a width check before copying IoInfo into output buffer.

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>

Signed-off-by: Kun Qin <kuqin12@gmail.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---

Notes:
    v2:
    - Update return code description [Laszlo]

 UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 9 ++++++++-
 UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmC=
puDxeSmm/SmramSaveState.c
index 661cc51f361a..fc418c2500a9 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
@@ -343,7 +343,7 @@ ReadSaveStateRegisterByIndex (
=20
   @retval EFI_SUCCESS           The register was read from Save State.
   @retval EFI_NOT_FOUND         The register is not defined for the Save S=
tate of Processor.
-  @retval EFI_INVALID_PARAMETER  This or Buffer is NULL.
+  @retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet req=
uirement per Register type.
=20
 **/
 EFI_STATUS
@@ -418,6 +418,13 @@ ReadSaveStateRegister (
       return EFI_NOT_FOUND;
     }
=20
+    //
+    // Make sure the incoming buffer is large enough to hold IoInfo before=
 accessing
+    //
+    if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) {
+      return EFI_INVALID_PARAMETER;
+    }
+
     //
     // Zero the IoInfo structure that will be returned in Buffer
     //
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmC=
puDxeSmm/PiSmmCpuDxeSmm.h
index b8aa9e1769d3..2248a8c5ee66 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
@@ -337,7 +337,7 @@ This function supports reading a CPU Save State registe=
r in SMBase relocation ha
=20
 @retval EFI_SUCCESS           The register was read from Save State.
 @retval EFI_NOT_FOUND         The register is not defined for the Save Sta=
te of Processor.
-@retval EFI_INVALID_PARAMETER  This or Buffer is NULL.
+@retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requi=
rement per Register type.
=20
 **/
 EFI_STATUS
--=20
2.31.0.windows.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#73742): https://edk2.groups.io/g/devel/message/73742
Mute This Topic: https://groups.io/mt/81899611/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-