[edk2-devel] [PATCH] MdeModulePkg/PiSmmIpl: Correct fixed load address bounds check

Marvin Häuser posted 1 patch 2 years, 8 months ago
Failed in applying to current master (apply log)
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Posted by Marvin Häuser 2 years, 8 months ago
The current code only checks whether PiSmmCore's fixed loading
address, but not its entire memory range, is in bounds of the
reserved area. Furthermore, it does not consider that the module's fixed
loading address, which is relative to the reserved area, could
wrap around when added to the base address.

Fix both issues by performing sufficient bounds checks in a way that
is free from wraparounds.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Vitaly Cheptsov <vit9696@protonmail.com>
Signed-off-by: Marvin Häuser <mhaeuser@posteo.de>
---
 MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
index 599a0cd01d80..259cd0bb8924 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
@@ -979,7 +979,8 @@ GetPeCoffImageFixLoadingAssignedAddress(
          //

          FixLoadingAddress = (EFI_PHYSICAL_ADDRESS)(SmramBase + (INT64)ValueInSectionHeader);

 

-         if (SmramBase + SmmCodeSize > FixLoadingAddress && SmramBase <=  FixLoadingAddress) {

+         if (ValueInSectionHeader < SmmCodeSize

+          && (UINTN)(ImageContext->ImageSize + ImageContext->SectionAlignment) <= SmmCodeSize - ValueInSectionHeader) {

            //

            // The assigned address is valid. Return the specified loading address

            //
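Review bot: On the second added line, `(UINTN)(ImageContext->ImageSize + ImageContext->SectionAlignment)` is itself an unchecked addition followed by a cast, so the new condition is free from wraparound only if that sum cannot overflow and fits in UINTN; a sum that wraps or is truncated by the cast would compare as small and pass the check. Consider comparing in steps against the remaining space, first `ImageContext->ImageSize <= SmmCodeSize - ValueInSectionHeader` and then `ImageContext->SectionAlignment` against what is left, and add a comment saying why `SectionAlignment` is counted as part of the image's footprint. The unchanged context line above still computes `FixLoadingAddress` with an `(INT64)` cast of `ValueInSectionHeader` before the check runs, while the new condition compares the same value directly against `SmmCodeSize`; moving that assignment inside the validated branch would keep the addition from being evaluated on an offset that has not yet been bounds-checked.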

-- 
2.31.1


