MdeModulePkg PiSmmCore: Prevent overlap for gSmmCorePrivate and CommBuffer

InternalIsBufferOverlapped() is created to check overlap between buffers. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18312 6f19259b-4bc3-4df7-8a09-765794883524
2015-08-26 01:10:39 +00:00 · 2015-08-26 01:10:39 +00:00 · 3b657538dc
parent 173a1e688c
commit 3b657538dc
1 changed files with 42 additions and 2 deletions
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@ -378,6 +378,37 @@ SmmEndOfDxeHandler (
  return Status;
 }

+/**
+  Determine if two buffers overlap in memory.
+
+  @param[in] Buff1  Pointer to first buffer
+  @param[in] Size1  Size of Buff1
+  @param[in] Buff2  Pointer to second buffer
+  @param[in] Size2  Size of Buff2
+
+  @retval TRUE      Buffers overlap in memory.
+  @retval FALSE     Buffer doesn't overlap.
+
+**/
+BOOLEAN
+InternalIsBufferOverlapped (
+  IN UINT8      *Buff1,
+  IN UINTN      Size1,
+  IN UINT8      *Buff2,
+  IN UINTN      Size2
+  )
+{
+  //
+  // If buff1's end is less than the start of buff2, then it's ok.
+  // Also, if buff1's start is beyond buff2's end, then it's ok.
+  //
+  if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
 /**
  The main entry point to SMM Foundation.

@ -396,6 +427,7 @@ SmmEntryPoint (
  EFI_STATUS                  Status;
  EFI_SMM_COMMUNICATE_HEADER  *CommunicateHeader;
  BOOLEAN                     InLegacyBoot;
+  BOOLEAN                     IsOverlapped;

  PERF_START (NULL, "SMM", NULL, 0) ;

@ -427,9 +459,17 @@ SmmEntryPoint (
      //
      // Synchronous SMI for SMM Core or request from Communicate protocol
      //
-      if (!SmmIsBufferOutsideSmmValid ((UINTN)gSmmCorePrivate->CommunicationBuffer, gSmmCorePrivate->BufferSize)) {
+      IsOverlapped = InternalIsBufferOverlapped (
+                       (UINT8 *) gSmmCorePrivate->CommunicationBuffer,
+                       gSmmCorePrivate->BufferSize,
+                       (UINT8 *) gSmmCorePrivate,
+                       sizeof (*gSmmCorePrivate)
+                       );
+      if (!SmmIsBufferOutsideSmmValid ((UINTN)gSmmCorePrivate->CommunicationBuffer, gSmmCorePrivate->BufferSize) || IsOverlapped) {
        //
-        // If CommunicationBuffer is not in valid address scope, return EFI_INVALID_PARAMETER
+        // If CommunicationBuffer is not in valid address scope,
+        // or there is overlap between gSmmCorePrivate and CommunicationBuffer,
+        // return EFI_INVALID_PARAMETER
        //
        gSmmCorePrivate->CommunicationBuffer = NULL;
        gSmmCorePrivate->ReturnStatus = EFI_INVALID_PARAMETER;