From: "wenyi,xie via groups.io"
Subject: [edk2-devel] [PATCH EDK2 v2 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
Date: Mon, 15 Aug 2022 19:45:29 +0800
Message-ID: <20220815114529.665138-2-xiewenyi2@huawei.com>
In-Reply-To: <20220815114529.665138-1-xiewenyi2@huawei.com>
References: <20220815114529.665138-1-xiewenyi2@huawei.com>
List-Id: devel@edk2.groups.io
Reply-To: devel@edk2.groups.io,xiewenyi2@huawei.com

As the CommunicationBuffer plus BufferSize may overflow, check the value first before using it.

Cc: Jian J Wang
Cc: Liming Gao
Cc: Eric Dong
Cc: Ray Ni
Signed-off-by: Wenyi Xie
---
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 5 ++++-
 MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c  | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index 9e5c6cbe33dd..a2a97a4056ee 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -621,6 +621,9 @@ InternalIsBufferOverlapped ( IN UINTN Size2 ) { + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Si= ze2)) { + return TRUE; + } // // If buff1's end is less than the start of buff2, then it's ok. // Also, if buff1's start is beyond buff2's end, then it's ok. @@ -703,7 +706,7 @@ SmmEntryPoint ( // // If CommunicationBuffer is not in valid address scope, // or there is overlap between gSmmCorePrivate and CommunicationBu= ffer, - // return EFI_INVALID_PARAMETER + // return EFI_ACCESS_DENIED // gSmmCorePrivate->CommunicationBuffer =3D NULL; gSmmCorePrivate->ReturnStatus =3D EFI_ACCESS_DENIED; diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiS= mmCore/PiSmmIpl.c index 4f00cebaf5ed..fe3e6ba54281 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c @@ -525,6 +525,10 @@ SmmCommunicationCommunicate ( =20 CommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer; =20 + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_CO= MMUNICATE_HEADER, Data)) { + return EFI_INVALID_PARAMETER; + } + if (CommSize =3D=3D NULL) { TempCommSize =3D OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + Commun= icateHeader->MessageLength; } else { --=20 2.20.1.windows.1
View/Reply Online (#92424): https://edk2.groups.io/g/devel/message/92424
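Review bot: the guard added at the top of InternalIsBufferOverlapped (`if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Size2)) { return TRUE; }`) reports a range whose end would wrap past MAX_UINTN as an overlap, so a caller can no longer tell "the two ranges intersect" from "Size1 is too large for Buff1". Failing closed is the right outcome for SmmEntryPoint, but the function's doc comment should state that a wrapping range is treated as overlapping, and the comment block that follows ("If buff1's end is less than the start of buff2, then it's ok. Also, if buff1's start is beyond buff2's end, then it's ok.") should add that those end computations are only valid because the wrap case has already been rejected above. The comparison itself is exact: Buff1 + Size1 overflows UINTN if and only if Buff1 > MAX_UINTN - Size1, and Size1 == 0 can never trip it.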
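Review bot: the SmmEntryPoint hunk only corrects a stale comment (`- // return EFI_INVALID_PARAMETER` to `+ // return EFI_ACCESS_DENIED`, matching the `gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;` already in the context), but the commit message says nothing about it; either mention the comment fix in the message or carry it in a separate patch so the overflow fix stays minimal. Since the preceding hunk now makes InternalIsBufferOverlapped return TRUE for a CommunicationBuffer whose address plus BufferSize wraps past MAX_UINTN, this comment is also the place to say that such a buffer is rejected with EFI_ACCESS_DENIED, the same as one outside the valid address scope.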
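Review bot: the new check in SmmCommunicationCommunicate reads `CommunicateHeader->MessageLength` immediately after the cast `CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer;` and before the `if (CommSize == NULL)` branch, and nothing in the hunk establishes that CommBuffer is at least OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) bytes long; when CommSize is non-NULL, `*CommSize >= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)` should be verified before the header is dereferenced, otherwise the overflow check itself can read past a short buffer. The test is exact (OFFSET_OF + MessageLength wraps if and only if MessageLength > MAX_UINTN - OFFSET_OF), but the edk2 idiom for this is SafeIntLib's `SafeUintnAdd (OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data), CommunicateHeader->MessageLength, &TempCommSize)`, which returns an error status on overflow and would replace both the new `if` and the addition in the `CommSize == NULL` branch with one call.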
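To show what the two checks in this patch prevent, here is an added example in host-side C. It is not edk2 code and not part of the patch: it models UINTN as uintptr_t and MAX_UINTN as UINTPTR_MAX (an assumption of the example), reconstructs the unguarded comparisons of InternalIsBufferOverlapped from the comments visible in the hunk (also an assumption, since the comparisons themselves are not in the patch), and runs the unguarded and guarded versions of both checks on constructed values chosen to wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side stand-ins for the edk2 types used by the patch (assumption of
 * this example: UINTN is modelled as uintptr_t, MAX_UINTN as its maximum). */
typedef uintptr_t UINTN;
#define MAX_UINTN UINTPTR_MAX

/* Layout mirroring EFI_SMM_COMMUNICATE_HEADER: a 16-byte GUID, the
 * caller-controlled MessageLength, then the Data payload. DATA_OFFSET plays
 * the role of OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data). */
typedef struct {
  uint8_t HeaderGuid[16];
  UINTN   MessageLength;
  uint8_t Data[1];
} COMM_HEADER;
#define DATA_OFFSET ((UINTN)offsetof(COMM_HEADER, Data))

/* Overlap test without an overflow guard. The two comparisons are an assumed
 * reconstruction of the logic described by the hunk's comments ("buff1's end
 * is less than the start of buff2" / "buff1's start is beyond buff2's end");
 * the real comparisons are not visible in the patch. */
static bool IsOverlappedUnguarded(UINTN Buff1, UINTN Size1, UINTN Buff2, UINTN Size2) {
  if (Buff1 + Size1 <= Buff2) {   /* Buff1 + Size1 silently wraps to a small value */
    return false;
  }
  if (Buff1 >= Buff2 + Size2) {   /* Buff2 + Size2 can wrap the same way */
    return false;
  }
  return true;
}

/* Same test with the guard the patch adds to InternalIsBufferOverlapped: a
 * range whose end would pass MAX_UINTN is reported as overlapping, so the
 * caller fails closed instead of trusting the wrapped arithmetic. */
static bool IsOverlappedGuarded(UINTN Buff1, UINTN Size1, UINTN Buff2, UINTN Size2) {
  if ((Buff1 > MAX_UINTN - Size1) || (Buff2 > MAX_UINTN - Size2)) {
    return true;
  }
  return IsOverlappedUnguarded(Buff1, Size1, Buff2, Size2);
}

/* OFFSET_OF (..., Data) + MessageLength as the CommSize == NULL path computes
 * it with no check: a MessageLength near MAX_UINTN wraps the total to a
 * small, harmless-looking size. */
static UINTN CommSizeUnguarded(UINTN MessageLength) {
  return DATA_OFFSET + MessageLength;
}

/* The patch's check in SmmCommunicationCommunicate: true only when the sum
 * cannot wrap, i.e. MessageLength <= MAX_UINTN - DATA_OFFSET. */
static bool MessageLengthFits(UINTN MessageLength) {
  return MessageLength <= MAX_UINTN - DATA_OFFSET;
}

int main(void) {
  /* Constructed inputs: a private core structure at 0x1000 (0x100 bytes) and
   * a caller buffer 0x10 bytes below the top of the address space whose size
   * wraps its end address around to 0x1FEF. */
  UINTN CoreBase = 0x1000, CoreSize = 0x100;
  UINTN EvilBase = MAX_UINTN - 0x10, EvilSize = 0x2000;

  printf("unguarded overlap: %d\n", IsOverlappedUnguarded(EvilBase, EvilSize, CoreBase, CoreSize)); /* 0: check bypassed */
  printf("guarded overlap:   %d\n", IsOverlappedGuarded(EvilBase, EvilSize, CoreBase, CoreSize));   /* 1: rejected */

  UINTN EvilLen = MAX_UINTN - 7;
  printf("unguarded comm size: 0x%llx\n", (unsigned long long)CommSizeUnguarded(EvilLen)); /* wraps to DATA_OFFSET - 8 */
  printf("length fits:         %d\n", MessageLengthFits(EvilLen));                          /* 0: EFI_INVALID_PARAMETER */
  return 0;
}
```

Build with `cc -std=c11 -Wall` and run: the unguarded overlap test lets the wrapped buffer through (its wrapped end lands below the core structure and its start is above it), while the guarded version returns TRUE, which SmmEntryPoint turns into EFI_ACCESS_DENIED; likewise the unguarded size computation turns a near-MAX_UINTN MessageLength into a tiny total, and the guarded check rejects it before the addition is ever performed.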