From: "wenyi,xie via groups.io"
Subject: [edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
Date: Fri, 5 Aug 2022 15:20:37 +0800
Message-ID: <20220805072037.1868254-2-xiewenyi2@huawei.com>
In-Reply-To: <20220805072037.1868254-1-xiewenyi2@huawei.com>
References: <20220805072037.1868254-1-xiewenyi2@huawei.com>

As the CommunicationBuffer plus BufferSize may overflow, check the value first before using it.

Cc: Jian J Wang
Cc: Liming Gao
Cc: Eric Dong
Cc: Ray Ni
Signed-off-by: Wenyi Xie
---
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 22 +++++++++++++-------
 MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c  |  5 +++++
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/Pi= SmmCore/PiSmmCore.c index 9e5c6cbe33dd..fcf8c61d7f1b 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -613,23 +613,28 @@ SmmEndOfS3ResumeHandler ( @retval FALSE Buffer doesn't overlap. =20 **/ -BOOLEAN +EFI_STATUS InternalIsBufferOverlapped ( IN UINT8 *Buff1, IN UINTN Size1, IN UINT8 *Buff2, - IN UINTN Size2 + IN UINTN Size2, + IN BOOLEAN *IsOverlapped ) { + *IsOverlapped =3D TRUE; + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Si= ze2)) { + return EFI_INVALID_PARAMETER; + } // // If buff1's end is less than the start of buff2, then it's ok. // Also, if buff1's start is beyond buff2's end, then it's ok. // if (((Buff1 + Size1) <=3D Buff2) || (Buff1 >=3D (Buff2 + Size2))) { - return FALSE; + *IsOverlapped =3D FALSE; } =20 - return TRUE; + return EFI_SUCCESS; } =20 /** @@ -693,17 +698,18 @@ SmmEntryPoint ( // // Synchronous SMI for SMM Core or request from Communicate protocol // - IsOverlapped =3D InternalIsBufferOverlapped ( + Status =3D InternalIsBufferOverlapped ( (UINT8 *)CommunicationBuffer, BufferSize, (UINT8 *)gSmmCorePrivate, - sizeof (*gSmmCorePrivate) + sizeof (*gSmmCorePrivate), + &IsOverlapped ); - if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferS= ize) || IsOverlapped) { + if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferS= ize) || EFI_ERROR(Status) || IsOverlapped) { // // If CommunicationBuffer is not in valid address scope, // or there is overlap between gSmmCorePrivate and CommunicationBu= ffer, - // return EFI_INVALID_PARAMETER + // return EFI_ACCESS_DENIED // gSmmCorePrivate->CommunicationBuffer =3D NULL; gSmmCorePrivate->ReturnStatus =3D EFI_ACCESS_DENIED; diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiS= mmCore/PiSmmIpl.c index 4f00cebaf5ed..bd13cf97ec93 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c 
@@ -525,6 +525,11 @@ SmmCommunicationCommunicate ( =20 CommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer; =20 + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_CO= MMUNICATE_HEADER, Data)) { + DEBUG ((DEBUG_ERROR, "MessageLength is invalid!\n")); + return EFI_INVALID_PARAMETER; + } + if (CommSize =3D=3D NULL) { TempCommSize =3D OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + Commun= icateHeader->MessageLength; } else { --=20 2.20.1.windows.1
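Review bot: In the first PiSmmCore.c hunk, the doc comment above InternalIsBufferOverlapped still describes the old BOOLEAN contract (the context line `@retval FALSE Buffer doesn't overlap.`) while the function now returns EFI_STATUS and reports the result through the new pointer; update the comment to document `@param[out] IsOverlapped` and the `EFI_SUCCESS` / `EFI_INVALID_PARAMETER` return values, and declare the new parameter `OUT BOOLEAN *IsOverlapped` rather than `IN`, since the function writes through it. The wrap guard itself is right: `(UINTN)Buff1 > MAX_UINTN - Size1` rejects exactly the ranges whose `Buff1 + Size1` would wrap past the top of the address space, and setting `*IsOverlapped = TRUE` before the guard means a caller that ignores the status still fails closed. Minor style: EDK2 expects a blank line between the new early return and the `//` comment block that follows it.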
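Review bot: In the SmmEntryPoint hunk, `EFI_ERROR(Status)` needs a space before the parenthesis (`EFI_ERROR (Status)`) to match the EDK2 call style already used on the same line for `SmmIsBufferOutsideSmmValid (...)`. The logic is sound: because the callee sets `IsOverlapped` to TRUE before returning an error, both the `EFI_ERROR (Status)` term and the `IsOverlapped` term trip on a wrapped range; that is fine as a belt-and-braces check, but a one-line comment would stop a later reader from deleting one of them as redundant. The comment change from `return EFI_INVALID_PARAMETER` to `return EFI_ACCESS_DENIED` correctly matches the `gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED` assignment that follows.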
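Review bot: In the PiSmmIpl.c hunk, the DEBUG message would help triage more if it included the rejected `CommunicateHeader->MessageLength` value and the function name, since "MessageLength is invalid!" alone gives no clue which caller or what size tripped the check. Note also what the guard does and does not cover: it keeps `OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + MessageLength` from wrapping in the `CommSize == NULL` branch shown, but it does not by itself confirm that MessageLength fits inside the buffer the caller handed in, so the size validation in the branch where the caller supplies CommSize (outside this hunk) still carries that responsibility; a short comment above the new check saying it is a wrap guard, not a bounds check, would make that explicit.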