mirror of https://github.com/acidanthera/audk.git
If DataSize or VariableNameSize is near MAX_ADDRESS, this can cause the computed PayLoadSize to overflow to a small value and pass the check in InitCommunicateBuffer(). To protect against this vulnerability, check DataSize and VariableNameSize to make sure PayloadSize doesn't overflow.
Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14252 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
parent
7a4d52add1
commit
3588bb3529
|
@ -2755,6 +2755,11 @@ VariableCommonInitialize (
|
||||||
}
|
}
|
||||||
ASSERT(VariableStoreHeader->Size == VariableStoreLength);
|
ASSERT(VariableStoreHeader->Size == VariableStoreLength);
|
||||||
|
|
||||||
|
//
|
||||||
|
// The max variable or hardware error variable size should be < variable store size.
|
||||||
|
//
|
||||||
|
ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);
|
||||||
|
|
||||||
//
|
//
|
||||||
// Parse non-volatile variable data and get last variable offset.
|
// Parse non-volatile variable data and get last variable offset.
|
||||||
//
|
//
|
||||||
|
|
|
@ -198,6 +198,16 @@ RuntimeServiceGetVariable (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (*DataSize >= mVariableBufferSize) {
|
||||||
|
//
|
||||||
|
// DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
|
||||||
|
// overflow to a small value and pass the check in InitCommunicateBuffer().
|
||||||
|
// To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
|
||||||
|
// And there will be further check to ensure the total size is also not > mVariableBufferSize.
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -275,6 +285,16 @@ RuntimeServiceGetNextVariableName (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (*VariableNameSize >= mVariableBufferSize) {
|
||||||
|
//
|
||||||
|
// VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
|
||||||
|
// overflow to a small value and pass the check in InitCommunicateBuffer().
|
||||||
|
// To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.
|
||||||
|
// And there will be further check to ensure the total size is also not > mVariableBufferSize.
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -355,6 +375,16 @@ RuntimeServiceSetVariable (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (DataSize >= mVariableBufferSize) {
|
||||||
|
//
|
||||||
|
// DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
|
||||||
|
// overflow to a small value and pass the check in InitCommunicateBuffer().
|
||||||
|
// To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
|
||||||
|
// And there will be further check to ensure the total size is also not > mVariableBufferSize.
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
|
@ -3223,6 +3223,11 @@ VariableCommonInitialize (
|
||||||
}
|
}
|
||||||
ASSERT(VariableStoreHeader->Size == VariableStoreLength);
|
ASSERT(VariableStoreHeader->Size == VariableStoreLength);
|
||||||
|
|
||||||
|
//
|
||||||
|
// The max variable or hardware error variable size should be < variable store size.
|
||||||
|
//
|
||||||
|
ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);
|
||||||
|
|
||||||
//
|
//
|
||||||
// Parse non-volatile variable data and get last variable offset.
|
// Parse non-volatile variable data and get last variable offset.
|
||||||
//
|
//
|
||||||
|
|
|
@ -214,6 +214,16 @@ RuntimeServiceGetVariable (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (*DataSize >= mVariableBufferSize) {
|
||||||
|
//
|
||||||
|
// DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
|
||||||
|
// overflow to a small value and pass the check in InitCommunicateBuffer().
|
||||||
|
// To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
|
||||||
|
// And there will be further check to ensure the total size is also not > mVariableBufferSize.
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -291,6 +301,16 @@ RuntimeServiceGetNextVariableName (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (*VariableNameSize >= mVariableBufferSize) {
|
||||||
|
//
|
||||||
|
// VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
|
||||||
|
// overflow to a small value and pass the check in InitCommunicateBuffer().
|
||||||
|
// To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.
|
||||||
|
// And there will be further check to ensure the total size is also not > mVariableBufferSize.
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -374,6 +394,16 @@ RuntimeServiceSetVariable (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (DataSize >= mVariableBufferSize) {
|
||||||
|
//
|
||||||
|
// DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
|
||||||
|
// overflow to a small value and pass the check in InitCommunicateBuffer().
|
||||||
|
// To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
|
||||||
|
// And there will be further check to ensure the total size is also not > mVariableBufferSize.
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
Loading…
Reference in New Issue