OvmfPkg: SataControllerDxe: SataControllerStop: fix use after free

It would be possible to remove the UAF without local variables, by calling
SataPrivateData->PciIo->Attributes() before releasing SataPrivateData.

However, by keeping the location of the call (for which temporary
variables are necessary), we continue to match the error path logic in
SataControllerStart(), which is always recommended.

Reported-by: wang xiaofeng <winggundum82@163.com>
Fixes: bcab714134
Cc: wang xiaofeng <winggundum82@163.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Laszlo Ersek 2016-04-26 13:57:32 +02:00
parent 81310a62be
commit 0b448dd8b2
1 changed files with 11 additions and 6 deletions


@ -570,6 +570,8 @@ SataControllerStop (
EFI_STATUS Status; EFI_STATUS Status;
EFI_IDE_CONTROLLER_INIT_PROTOCOL *IdeInit; EFI_IDE_CONTROLLER_INIT_PROTOCOL *IdeInit;
EFI_SATA_CONTROLLER_PRIVATE_DATA *SataPrivateData; EFI_SATA_CONTROLLER_PRIVATE_DATA *SataPrivateData;
EFI_PCI_IO_PROTOCOL *PciIo;
UINT64 OriginalPciAttributes;
// //
// Open the produced protocol // Open the produced protocol
@ -589,6 +591,9 @@ SataControllerStop (
SataPrivateData = SATA_CONTROLLER_PRIVATE_DATA_FROM_THIS (IdeInit); SataPrivateData = SATA_CONTROLLER_PRIVATE_DATA_FROM_THIS (IdeInit);
ASSERT (SataPrivateData != NULL); ASSERT (SataPrivateData != NULL);
PciIo = SataPrivateData->PciIo;
OriginalPciAttributes = SataPrivateData->OriginalPciAttributes;
// //
// Uninstall the IDE Controller Init Protocol from this instance // Uninstall the IDE Controller Init Protocol from this instance
// //
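Review bot: the two assignments added after the ASSERT have no comment explaining why the fields are copied out of SataPrivateData, so a later cleanup could fold them back into direct dereferences and reintroduce the use after free. Add a short comment above `PciIo = SataPrivateData->PciIo;` saying that both values are still needed after SataPrivateData has been released, which is the reason the commit message gives for the temporaries.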
@ -616,10 +621,10 @@ SataControllerStop (
// //
// Restore original PCI attributes // Restore original PCI attributes
// //
SataPrivateData->PciIo->Attributes ( PciIo->Attributes (
SataPrivateData->PciIo, PciIo,
EfiPciIoAttributeOperationSet, EfiPciIoAttributeOperationSet,
SataPrivateData->OriginalPciAttributes, OriginalPciAttributes,
NULL NULL
); );
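Review bot: the return value of the `PciIo->Attributes (...)` restore call is discarded, so a failure to put back OriginalPciAttributes goes unnoticed. If ignoring it is deliberate, to match the error path in SataControllerStart(), say so in the "Restore original PCI attributes" comment, or emit a DEBUG message when the call returns an error. Separately, the commit message says SataPrivateData is released before this call, which leaves it in scope as a dangling pointer; setting it to NULL right after the release would make any later reuse of it easier to spot in review and in debugging.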