If DataSize or VariableNameSize is near MAX_ADDRESS, this can cause the computed PayLoadSize to overflow to a small value and pass the check in InitCommunicateBuffer(). To protect against this vulnerability, check DataSize and VariableNameSize to make sure PayloadSize doesn't overflow.

Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14252 6f19259b-4bc3-4df7-8a09-765794883524
2013-04-08 06:56:08 +00:00 · 2013-04-08 06:56:08 +00:00 · 3588bb3529
parent 7a4d52add1
commit 3588bb3529
4 changed files with 70 additions and 0 deletions
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
@ -2755,6 +2755,11 @@ VariableCommonInitialize (
  }  
  ASSERT(VariableStoreHeader->Size == VariableStoreLength);
    
+  //
+  // The max variable or hardware error variable size should be < variable store size.
+  //
+  ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);
+
  //
  // Parse non-volatile variable data and get last variable offset.
  //
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@ -198,6 +198,16 @@ RuntimeServiceGetVariable (
    return EFI_INVALID_PARAMETER;
  }

+  if (*DataSize >= mVariableBufferSize) {
+    //
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+    // overflow to a small value and pass the check in InitCommunicateBuffer().
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
  AcquireLockOnlyAtBootTime(&mVariableServicesLock);

  //
@ -275,6 +285,16 @@ RuntimeServiceGetNextVariableName (
    return EFI_INVALID_PARAMETER;
  }

+  if (*VariableNameSize >= mVariableBufferSize) {
+    //
+    // VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+    // overflow to a small value and pass the check in InitCommunicateBuffer().
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
  AcquireLockOnlyAtBootTime(&mVariableServicesLock);

  //
@ -355,6 +375,16 @@ RuntimeServiceSetVariable (
    return EFI_INVALID_PARAMETER;
  }

+  if (DataSize >= mVariableBufferSize) {
+    //
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+    // overflow to a small value and pass the check in InitCommunicateBuffer().
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
  AcquireLockOnlyAtBootTime(&mVariableServicesLock);
 
  //
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@ -3223,6 +3223,11 @@ VariableCommonInitialize (
  }
  ASSERT(VariableStoreHeader->Size == VariableStoreLength);

+  //
+  // The max variable or hardware error variable size should be < variable store size.
+  //
+  ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);
+
  //
  // Parse non-volatile variable data and get last variable offset.
  //
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
@ -214,6 +214,16 @@ RuntimeServiceGetVariable (
    return EFI_INVALID_PARAMETER;
  }

+  if (*DataSize >= mVariableBufferSize) {
+    //
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+    // overflow to a small value and pass the check in InitCommunicateBuffer().
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
  AcquireLockOnlyAtBootTime(&mVariableServicesLock);

  //
@ -291,6 +301,16 @@ RuntimeServiceGetNextVariableName (
    return EFI_INVALID_PARAMETER;
  }

+  if (*VariableNameSize >= mVariableBufferSize) {
+    //
+    // VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+    // overflow to a small value and pass the check in InitCommunicateBuffer().
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
  AcquireLockOnlyAtBootTime(&mVariableServicesLock);

  //
@ -374,6 +394,16 @@ RuntimeServiceSetVariable (
    return EFI_INVALID_PARAMETER;
  }

+  if (DataSize >= mVariableBufferSize) {
+    //
+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+    // overflow to a small value and pass the check in InitCommunicateBuffer().
+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+    //
+    return EFI_INVALID_PARAMETER;
+  }
+
  AcquireLockOnlyAtBootTime(&mVariableServicesLock);
 
  //