From: Marvin Häuser
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Eric Dong, Ray Ni, Vitaly Cheptsov
Subject: [edk2-devel] [PATCH] MdeModulePkg/PiSmmIpl: Correct fixed load address bounds check
Date: Sun, 8 Aug 2021 19:39:44 +0000
Message-Id: <6af4f19ca2149040ff5a722be5749ff01ede7e9c.1628358615.git.mhaeuser@posteo.de>
In-Reply-To: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
References: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
Reply-To: devel@edk2.groups.io,mhaeuser@posteo.de

The current code only checks whether PiSmmCore's fixed loading address,
but not its entire memory range, is in bounds of the reserved area.
Furthermore, it does not consider that the module's fixed loading address,
which is relative to the reserved area, could wrap around when added to
the base address. Fix both issues by performing sufficient bounds checks
in a way that is free from wraparounds.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Eric Dong
Cc: Ray Ni
Cc: Vitaly Cheptsov
Signed-off-by: Marvin Häuser
---
 MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiS= mmCore/PiSmmIpl.c index 599a0cd01d80..259cd0bb8924 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c @@ -979,7 +979,8 @@ GetPeCoffImageFixLoadingAssignedAddress( // FixLoadingAddress =3D (EFI_PHYSICAL_ADDRESS)(SmramBase + (INT64)V= alueInSectionHeader); =20 - if (SmramBase + SmmCodeSize > FixLoadingAddress && SmramBase <=3D= FixLoadingAddress) { + if (ValueInSectionHeader < SmmCodeSize + && (UINTN)(ImageContext->ImageSize + ImageContext->SectionAlignm= ent) <=3D SmmCodeSize - ValueInSectionHeader) { // // The assigned address is valid. Return the specified loading = address // --=20 2.31.1
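Review bot: The new condition still contains an unguarded addition, `ImageContext->ImageSize + ImageContext->SectionAlignment`, and the `(UINTN)` cast narrows that sum before it is compared, so on IA32, where UINTN is 32 bits, a sum that does not fit in 32 bits would be truncated and an oversized image would pass; that sits uneasily with the commit message's claim that the check is free from wraparounds. Consider comparing in the width of `SmmCodeSize` without the cast, and rejecting when the sum is smaller than `ImageSize`. Separately, `FixLoadingAddress` is still computed from `SmramBase + (INT64)ValueInSectionHeader` in the context line above the check; moving that computation inside the `if` body would avoid forming an out-of-range address at all.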
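To show concretely what the old and the patched bounds checks accept and reject, here is a stand-alone C model added by the editor; it is not code from the patch or from edk2. The UINT64 stand-in types, the SMRAM base, the sizes and the offsets are constructed values, and the patched condition is written in 64-bit arithmetic without the (UINTN) cast.

```c
#include <stdbool.h>
#include <stdint.h>
/* Stand-ins for the edk2 types used in PiSmmIpl.c (assumed for this example). */
typedef uint64_t UINT64;
typedef uint64_t EFI_PHYSICAL_ADDRESS;

/* Check as it read before the patch: it validates only the start address. */
static bool OldCheck (UINT64 SmramBase, UINT64 SmmCodeSize, UINT64 ValueInSectionHeader)
{
  EFI_PHYSICAL_ADDRESS FixLoadingAddress = (EFI_PHYSICAL_ADDRESS)(SmramBase + (int64_t)ValueInSectionHeader);
  return SmramBase + SmmCodeSize > FixLoadingAddress && SmramBase <= FixLoadingAddress;
}

/* A tempting rewrite without the range guard: "SmmCodeSize - ValueInSectionHeader"
 * underflows once the offset exceeds the reserved size, so the image is accepted. */
static bool UnguardedCheck (UINT64 SmmCodeSize, UINT64 ValueInSectionHeader, UINT64 ImageSize, UINT64 SectionAlignment)
{
  return ImageSize + SectionAlignment <= SmmCodeSize - ValueInSectionHeader;
}

/* The patched check in plain 64-bit arithmetic: the first comparison guarantees the
 * subtraction cannot underflow, and the whole footprint (image plus one alignment of
 * slack) must fit in the space remaining after the offset. */
static bool PatchedCheck (UINT64 SmmCodeSize, UINT64 ValueInSectionHeader, UINT64 ImageSize, UINT64 SectionAlignment)
{
  return ValueInSectionHeader < SmmCodeSize
      && ImageSize + SectionAlignment <= SmmCodeSize - ValueInSectionHeader;
}

/* Constructed scenario: 1 MiB reserved for SMM code, a 128 KiB image, 4 KiB alignment. */
#define SMRAM_BASE     0x7F000000ULL
#define SMM_CODE_SIZE  0x100000ULL
#define IMAGE_SIZE     0x20000ULL
#define SECTION_ALIGN  0x1000ULL

/* Offset 4 KiB before the end of the area: the old check passes, yet the image overruns. */
static bool OldAcceptsOverrun (void)
{
  UINT64 Offset = SMM_CODE_SIZE - 0x1000;
  return OldCheck (SMRAM_BASE, SMM_CODE_SIZE, Offset)
      && !PatchedCheck (SMM_CODE_SIZE, Offset, IMAGE_SIZE, SECTION_ALIGN);
}

/* Offset beyond the reserved area: the unguarded subtraction wraps and accepts it. */
static bool UnguardedAcceptsUnderflow (void)
{
  UINT64 Offset = SMM_CODE_SIZE + 0x1000;
  return UnguardedCheck (SMM_CODE_SIZE, Offset, IMAGE_SIZE, SECTION_ALIGN)
      && !PatchedCheck (SMM_CODE_SIZE, Offset, IMAGE_SIZE, SECTION_ALIGN);
}
```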