SecurityPkg/VariableAuthenticated: Check if there is a NV Variable Storage header prior to use its attributes

The Variable PEI and RuntimeDxe drivers were using the attribute 'HeaderLength' of
EFI_FIRMWARE_VOLUME_HEADER without checking if a Firmware Volume Header was existing at
the base address.
In case the Firmware Volume Header does not exist or is corrupted, the attribute 'HeaderLength'
is a non valid value that can lead to a non valid physical address when accessing produces an
access error.

Signed-off-by: oliviermartin
Reviewed-by: rsun3
Reviewed-by: niruiyu



git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12845 6f19259b-4bc3-4df7-8a09-765794883524

SecurityPkg/VariableAuthenticated/Pei/Variable.c

@@ -359,6 +359,15 @@ GetVariableStore (
                                                            PcdGet64 (PcdFlashNvStorageVariableBase64) : 
                                                            PcdGet32 (PcdFlashNvStorageVariableBase)
                                                           );
+
+        //
+        // Check if the Firmware Volume is not corrupted
+        //
+        if ((FvHeader->Signature != EFI_FVH_SIGNATURE) || (!CompareGuid (&gEfiSystemNvDataFvGuid, &FvHeader->FileSystemGuid))) {
+          DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));
+          break;
+        }
+        
         VariableStoreHeader = (VARIABLE_STORE_HEADER *) ((UINT8 *) FvHeader + FvHeader->HeaderLength);
 
         if (IndexTable != NULL) {

SecurityPkg/VariableAuthenticated/Pei/Variable.h

@@ -29,6 +29,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 #include <Guid/AuthenticatedVariableFormat.h>
 #include <Guid/VariableIndexTable.h>
+#include <Guid/SystemNvDataGuid.h>
 
 typedef enum {
   VariableStoreTypeHob,

SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf

@@ -46,6 +46,7 @@
 [Guids]
   gEfiAuthenticatedVariableGuid
   gEfiVariableIndexTableGuid
+  gEfiSystemNvDataFvGuid
 
 [Ppis]
   gEfiPeiReadOnlyVariable2PpiGuid                ## SOMETIMES_PRODUCES (Not for boot mode RECOVERY)

SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c

@@ -1157,7 +1157,7 @@ VariableGetBestLanguage (
 
 **/
 VOID
-AutoUpdateLangVariable(
+AutoUpdateLangVariable (
   IN  CHAR16             *VariableName,
   IN  VOID               *Data,
   IN  UINTN              DataSize
@@ -2616,6 +2616,17 @@ VariableCommonInitialize (
   if (TempVariableStoreHeader == 0) {
     TempVariableStoreHeader = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);
   }
+  
+  //
+  // Check if the Firmware Volume is not corrupted
+  //
+  if ((((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->Signature != EFI_FVH_SIGNATURE) ||
+      (!CompareGuid (&gEfiSystemNvDataFvGuid, &((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->FileSystemGuid))) {
+    Status = EFI_VOLUME_CORRUPTED;
+    DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));
+    goto Done;
+  }
+
   VariableStoreBase       = TempVariableStoreHeader + \
                               (((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader)) -> HeaderLength);
   VariableStoreLength     = (UINT64) PcdGet32 (PcdFlashNvStorageVariableSize) - \

SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h

@@ -39,6 +39,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Guid/EventGroup.h>
 #include <Guid/AuthenticatedVariableFormat.h>
 #include <Guid/ImageAuthentication.h>
+#include <Guid/SystemNvDataGuid.h>
 
 #define VARIABLE_RECLAIM_THRESHOLD (1024)
 

SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf

@@ -73,6 +73,7 @@
   gEfiCertPkcs7Guid
   gEfiCertRsa2048Guid
   gEfiSecureBootEnableDisableGuid
+  gEfiSystemNvDataFvGuid                        ## CONSUMES
 
 [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize

SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf

@@ -78,6 +78,7 @@
   gEfiCertPkcs7Guid
   gEfiCertRsa2048Guid
   gEfiSecureBootEnableDisableGuid
+  gEfiSystemNvDataFvGuid                        ## CONSUMES
 
 [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize