mirror of https://github.com/acidanthera/audk.git
Fix potential overflow for SetVariable interface
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by : Guo Dong <dong.guo@intel.com> Reviewed-by : Siyuan Fu <siyuan.fu@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14305 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
parent
b6d1508f17
commit
56251c669f
|
@ -3,7 +3,7 @@
|
||||||
Emulation Variable services operate on the runtime volatile memory.
|
Emulation Variable services operate on the runtime volatile memory.
|
||||||
The nonvolatile variable space doesn't exist.
|
The nonvolatile variable space doesn't exist.
|
||||||
|
|
||||||
Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
|
Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
|
||||||
This program and the accompanying materials
|
This program and the accompanying materials
|
||||||
are licensed and made available under the terms and conditions of the BSD License
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
which accompanies this distribution. The full text of the license may be found at
|
which accompanies this distribution. The full text of the license may be found at
|
||||||
|
@ -1397,14 +1397,22 @@ EmuSetVariable (
|
||||||
if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
|
if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
|
||||||
|
//
|
||||||
|
// Prevent whole variable size overflow
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
|
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
|
||||||
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
|
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
|
||||||
//
|
//
|
||||||
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
|
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
|
||||||
if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
|
if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
//
|
//
|
||||||
|
@ -1418,8 +1426,7 @@ EmuSetVariable (
|
||||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
|
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
|
||||||
//
|
//
|
||||||
if ((DataSize > PcdGet32 (PcdMaxVariableSize)) ||
|
if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -2218,14 +2218,20 @@ VariableServiceSetVariable (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
|
||||||
|
//
|
||||||
|
// Prevent whole variable size overflow
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
|
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
|
||||||
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
|
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
|
||||||
//
|
//
|
||||||
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
|
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
|
||||||
if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
|
if ( StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
|
if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
|
||||||
|
@ -2236,8 +2242,7 @@ VariableServiceSetVariable (
|
||||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
|
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
|
||||||
//
|
//
|
||||||
if ((DataSize > PcdGet32 (PcdMaxVariableSize)) ||
|
if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -424,6 +424,13 @@ RuntimeServiceSetVariable (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
|
||||||
|
//
|
||||||
|
// Prevent PayloadSize overflow
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
/** @file
|
/** @file
|
||||||
The implementation of Extended SAL variable services.
|
The implementation of Extended SAL variable services.
|
||||||
|
|
||||||
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
|
Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
|
||||||
This program and the accompanying materials
|
This program and the accompanying materials
|
||||||
are licensed and made available under the terms and conditions of the BSD License
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
which accompanies this distribution. The full text of the license may be found at
|
which accompanies this distribution. The full text of the license may be found at
|
||||||
|
@ -2591,6 +2591,14 @@ EsalSetVariable (
|
||||||
PayloadSize = DataSize;
|
PayloadSize = DataSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
|
||||||
|
//
|
||||||
|
// Prevent whole variable size overflow
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
VariableGlobal = &Global->VariableGlobal[VirtualMode];
|
VariableGlobal = &Global->VariableGlobal[VirtualMode];
|
||||||
Instance = Global->FvbInstance;
|
Instance = Global->FvbInstance;
|
||||||
|
|
||||||
|
@ -2599,8 +2607,7 @@ EsalSetVariable (
|
||||||
// For variable for hardware error record, the size of the VariableName, including the Unicode Null
|
// For variable for hardware error record, the size of the VariableName, including the Unicode Null
|
||||||
// in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxHardwareErrorVariableSize) bytes.
|
// in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxHardwareErrorVariableSize) bytes.
|
||||||
//
|
//
|
||||||
if ((PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize)) ||
|
if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
//
|
//
|
||||||
|
@ -2616,8 +2623,7 @@ EsalSetVariable (
|
||||||
// For variable not for hardware error record, the size of the VariableName, including the
|
// For variable not for hardware error record, the size of the VariableName, including the
|
||||||
// Unicode Null in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxVariableSize) bytes.
|
// Unicode Null in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxVariableSize) bytes.
|
||||||
//
|
//
|
||||||
if ((PayloadSize > PcdGet32(PcdMaxVariableSize)) ||
|
if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -2664,14 +2664,20 @@ VariableServiceSetVariable (
|
||||||
PayloadSize = DataSize;
|
PayloadSize = DataSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
|
||||||
|
//
|
||||||
|
// Prevent whole variable size overflow
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
|
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
|
||||||
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
|
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
|
||||||
//
|
//
|
||||||
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
|
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
|
||||||
if ((PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
|
if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
|
if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
|
||||||
|
@ -2682,8 +2688,7 @@ VariableServiceSetVariable (
|
||||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
|
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
|
||||||
//
|
//
|
||||||
if ((PayloadSize > PcdGet32 (PcdMaxVariableSize)) ||
|
if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize))) {
|
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -442,6 +442,13 @@ RuntimeServiceSetVariable (
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
|
||||||
|
//
|
||||||
|
// Prevent PayloadSize overflow
|
||||||
|
//
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
Loading…
Reference in New Issue