Fix potential overflow for SetVariable interface

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by  : Guo Dong   <dong.guo@intel.com>
Reviewed-by  : Siyuan Fu  <siyuan.fu@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14305 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
czhang46 2013-04-22 08:52:58 +00:00
parent b6d1508f17
commit 56251c669f
6 changed files with 56 additions and 19 deletions

View File

@ -3,7 +3,7 @@
Emulation Variable services operate on the runtime volatile memory. Emulation Variable services operate on the runtime volatile memory.
The nonvolatile variable space doesn't exist. The nonvolatile variable space doesn't exist.
Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR> Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -1397,14 +1397,22 @@ EmuSetVariable (
if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) { if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
//
// Prevent whole variable size overflow
//
return EFI_INVALID_PARAMETER;
}
// //
// The size of the VariableName, including the Unicode Null in bytes plus // The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize) // the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others. // bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
// //
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) { if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) || if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
// //
@ -1418,8 +1426,7 @@ EmuSetVariable (
// The size of the VariableName, including the Unicode Null in bytes plus // The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes. // the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
// //
if ((DataSize > PcdGet32 (PcdMaxVariableSize)) || if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
} }

View File

@ -2218,14 +2218,20 @@ VariableServiceSetVariable (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
//
// Prevent whole variable size overflow
//
return EFI_INVALID_PARAMETER;
}
// //
// The size of the VariableName, including the Unicode Null in bytes plus // The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize) // the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others. // bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
// //
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) { if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) || if ( StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
if (!IsHwErrRecVariable(VariableName, VendorGuid)) { if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
@ -2236,8 +2242,7 @@ VariableServiceSetVariable (
// The size of the VariableName, including the Unicode Null in bytes plus // The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes. // the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
// //
if ((DataSize > PcdGet32 (PcdMaxVariableSize)) || if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
} }

View File

@ -424,6 +424,13 @@ RuntimeServiceSetVariable (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
//
// Prevent PayloadSize overflow
//
return EFI_INVALID_PARAMETER;
}
AcquireLockOnlyAtBootTime(&mVariableServicesLock); AcquireLockOnlyAtBootTime(&mVariableServicesLock);
// //

View File

@ -1,7 +1,7 @@
/** @file /** @file
The implementation of Extended SAL variable services. The implementation of Extended SAL variable services.
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -2591,6 +2591,14 @@ EsalSetVariable (
PayloadSize = DataSize; PayloadSize = DataSize;
} }
if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
//
// Prevent whole variable size overflow
//
return EFI_INVALID_PARAMETER;
}
VariableGlobal = &Global->VariableGlobal[VirtualMode]; VariableGlobal = &Global->VariableGlobal[VirtualMode];
Instance = Global->FvbInstance; Instance = Global->FvbInstance;
@ -2599,8 +2607,7 @@ EsalSetVariable (
// For variable for hardware error record, the size of the VariableName, including the Unicode Null // For variable for hardware error record, the size of the VariableName, including the Unicode Null
// in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxHardwareErrorVariableSize) bytes. // in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxHardwareErrorVariableSize) bytes.
// //
if ((PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize)) || if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
// //
@ -2616,8 +2623,7 @@ EsalSetVariable (
// For variable not for hardware error record, the size of the VariableName, including the // For variable not for hardware error record, the size of the VariableName, including the
// Unicode Null in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxVariableSize) bytes. // Unicode Null in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxVariableSize) bytes.
// //
if ((PayloadSize > PcdGet32(PcdMaxVariableSize)) || if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
} }

View File

@ -2664,14 +2664,20 @@ VariableServiceSetVariable (
PayloadSize = DataSize; PayloadSize = DataSize;
} }
if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
//
// Prevent whole variable size overflow
//
return EFI_INVALID_PARAMETER;
}
// //
// The size of the VariableName, including the Unicode Null in bytes plus // The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize) // the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others. // bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
// //
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) { if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
if ((PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) || if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
if (!IsHwErrRecVariable(VariableName, VendorGuid)) { if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
@ -2682,8 +2688,7 @@ VariableServiceSetVariable (
// The size of the VariableName, including the Unicode Null in bytes plus // The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes. // the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
// //
if ((PayloadSize > PcdGet32 (PcdMaxVariableSize)) || if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize))) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
} }

View File

@ -442,6 +442,13 @@ RuntimeServiceSetVariable (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
//
// Prevent PayloadSize overflow
//
return EFI_INVALID_PARAMETER;
}
AcquireLockOnlyAtBootTime(&mVariableServicesLock); AcquireLockOnlyAtBootTime(&mVariableServicesLock);
// //