Remove the complex buffer, since _LOCK_VARIABLE won't be allowed after leaving the DXE phase.

Add the variable name size check in the RequestToLock wrapper.

Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14377 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
niruiyu 2013-05-20 07:04:56 +00:00
parent 0ba17ade47
commit 51547bb879
3 changed files with 20 additions and 43 deletions


@ -22,7 +22,6 @@ EFI_HANDLE mHandle = NULL;
EFI_EVENT mVirtualAddressChangeEvent = NULL; EFI_EVENT mVirtualAddressChangeEvent = NULL;
EFI_EVENT mFtwRegistration = NULL; EFI_EVENT mFtwRegistration = NULL;
extern BOOLEAN mEndOfDxe; extern BOOLEAN mEndOfDxe;
extern BOOLEAN mEnableLocking;
EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock = { VariableLockRequestToLock }; EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock = { VariableLockRequestToLock };
/** /**


@ -717,48 +717,16 @@ SmmVariableHandler (
break; break;
case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE: case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) { if (mEndOfDxe) {
DEBUG ((EFI_D_ERROR, "RequestToLock: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
//
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
//
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) mVariableBufferPayload;
if (VariableToLock->NameSize > MAX_ADDRESS - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {
//
// Prevent InfoSize overflow happen
//
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
goto EXIT; } else {
} VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
if (VariableToLock->NameSize < sizeof (CHAR16) || VariableToLock->Name[VariableToLock->NameSize/sizeof (CHAR16) - 1] != L'\0') {
//
// Make sure VariableName is A Null-terminated string.
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + VariableToLock->NameSize;
//
// SMRAM range check already covered before
//
if (InfoSize > CommBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
Status = VariableLockRequestToLock ( Status = VariableLockRequestToLock (
NULL, NULL,
VariableToLock->Name, VariableToLock->Name,
&VariableToLock->Guid &VariableToLock->Guid
); );
}
break; break;
default: default:
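Review bot: The new else branch passes `VariableToLock->Name` straight from `SmmVariableFunctionHeader->Data` to VariableLockRequestToLock without the `CommBufferPayloadSize`, `NameSize` and Null-termination checks the hunk removes, so a request whose Name is not terminated inside the payload would let the SMM-side string handling read past the communication buffer (assuming the SMM implementation takes the length from the string, as the old code's StrSize-based InfoSize suggests). The `mEndOfDxe` gate narrows the window to boot time, and the commit message moves the size check into the DXE wrapper, but that wrapper is not a trust boundary for the SMI handler; the payload is cheap to validate in place. The old code also copied the payload into `mVariableBufferPayload` before inspecting it, so dropping the copy means the checks below inspect memory the non-SMM side can still write — acceptable only if no other agent can touch the buffer during the handler. SmmVariableHandler's body and the `EXIT` label are outside the hunk.
```c
    case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
      if (mEndOfDxe) {
        Status = EFI_ACCESS_DENIED;
      } else {
        if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {
          DEBUG ((EFI_D_ERROR, "RequestToLock: SMM communication buffer size invalid!\n"));
          Status = EFI_ACCESS_DENIED;
          goto EXIT;
        }
        VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
        //
        // NameSize must fit inside the payload and Name must be Null-terminated within it.
        //
        if (VariableToLock->NameSize < sizeof (CHAR16) ||
            VariableToLock->NameSize > CommBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) ||
            VariableToLock->Name[VariableToLock->NameSize / sizeof (CHAR16) - 1] != L'\0') {
          Status = EFI_ACCESS_DENIED;
          goto EXIT;
        }
        // … unchanged: VariableLockRequestToLock call …
      }
      break;
```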


@ -186,6 +186,7 @@ VariableLockRequestToLock (
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
UINTN VariableNameSize;
UINTN PayloadSize; UINTN PayloadSize;
SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock; SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock;
@ -193,13 +194,22 @@ VariableLockRequestToLock (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
VariableNameSize = StrSize (VariableName);
//
// If VariableName exceeds SMM payload limit. Return failure
//
if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {
return EFI_INVALID_PARAMETER;
}
AcquireLockOnlyAtBootTime(&mVariableServicesLock); AcquireLockOnlyAtBootTime(&mVariableServicesLock);
// //
// Init the communicate buffer. The buffer data size is: // Init the communicate buffer. The buffer data size is:
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize. // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.
// //
PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + StrSize (VariableName); PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + VariableNameSize;
Status = InitCommunicateBuffer ((VOID **) &VariableToLock, PayloadSize, SMM_VARIABLE_FUNCTION_LOCK_VARIABLE); Status = InitCommunicateBuffer ((VOID **) &VariableToLock, PayloadSize, SMM_VARIABLE_FUNCTION_LOCK_VARIABLE);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto Done; goto Done;
@ -207,7 +217,7 @@ VariableLockRequestToLock (
ASSERT (VariableToLock != NULL); ASSERT (VariableToLock != NULL);
CopyGuid (&VariableToLock->Guid, VendorGuid); CopyGuid (&VariableToLock->Guid, VendorGuid);
VariableToLock->NameSize = StrSize (VariableName); VariableToLock->NameSize = VariableNameSize;
CopyMem (VariableToLock->Name, VariableName, VariableToLock->NameSize); CopyMem (VariableToLock->Name, VariableName, VariableToLock->NameSize);
// //