tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-29 16:44:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

ShellPkg: acpiview: IORT: Prevent buffer overruns

Browse Source 
Modify the IORT table parsing logic to prevent reading past the buffer
lengths provided.

Change DumpIortNodeIdMappings() function's signature and implementation
to simplify buffer overrun prevention. Update all calls to this
function accordingly.

Modify the parser for each type of IORT node such that the offset from
the start of the node's buffer is tracked as the parsing function is
executed. Again, this change helps prevent buffer overruns.

Test that the IORT node buffer fits in the table buffer before the
node's buffer contents are dumped.

References:
- IO Remapping Table (Issue D), Platform Design Document, March 2018

Signed-off-by: Krzysztof Koch <krzysztof.koch@arm.com>
Reviewed-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Reviewed-by: Zhichao Gao <zhichao.gao@inte.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
This commit is contained in:
Krzysztof Koch 2019-08-01 16:44:04 -07:00 committed by Jaben Carsey
parent 1d12f0e671
commit 62cefaf44e
1 changed files with 105 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c
View File

@ -247,42 +247,41 @@ STATIC CONST ACPI_PARSER IortNodePmcgParser[] = {
/** /**
This function parses the IORT Node Id Mapping array. This function parses the IORT Node Id Mapping array.
@param [in] Ptr Pointer to the start of the IORT Table. @param [in] Ptr Pointer to the start of the ID mapping array.
@param [in] Length Length of the buffer.
@param [in] MappingCount The ID Mapping count. @param [in] MappingCount The ID Mapping count.
@param [in] MappingOffset The offset of the ID Mapping array
from the start of the IORT table.
**/ **/
STATIC STATIC
VOID VOID
DumpIortNodeIdMappings ( DumpIortNodeIdMappings (
IN UINT8* Ptr, IN UINT8* Ptr,
IN UINT32 MappingCount, IN UINT32 Length,
IN UINT32 MappingOffset IN UINT32 MappingCount
) )
{ {
UINT8* IdMappingPtr;
UINT32 Index; UINT32 Index;
UINT32 Offset; UINT32 Offset;
CHAR8 Buffer[40]; // Used for AsciiName param of ParseAcpi CHAR8 Buffer[40]; // Used for AsciiName param of ParseAcpi
IdMappingPtr = Ptr + MappingOffset;
Index = 0; Index = 0;
while (Index < MappingCount) { Offset = 0;
while ((Index < MappingCount) &&
(Offset < Length)) {
AsciiSPrint ( AsciiSPrint (
Buffer, Buffer,
sizeof (Buffer), sizeof (Buffer),
"ID Mapping [%d]", "ID Mapping [%d]",
Index Index
); );
Offset = ParseAcpi ( Offset += ParseAcpi (
TRUE, TRUE,
4, 4,
Buffer, Buffer,
IdMappingPtr, Ptr + Offset,
20, Length - Offset,
PARSER_PARAMS (IortNodeIdMappingParser) PARSER_PARAMS (IortNodeIdMappingParser)
); );
IdMappingPtr += Offset;
Index++; Index++;
} }
} }
@ -309,8 +308,6 @@ DumpIortNodeSmmuV1V2 (
UINT32 Offset; UINT32 Offset;
CHAR8 Buffer[50]; // Used for AsciiName param of ParseAcpi CHAR8 Buffer[50]; // Used for AsciiName param of ParseAcpi
UINT8* ArrayPtr;
ParseAcpi ( ParseAcpi (
TRUE, TRUE,
2, 2,
@ -320,51 +317,55 @@ DumpIortNodeSmmuV1V2 (
PARSER_PARAMS (IortNodeSmmuV1V2Parser) PARSER_PARAMS (IortNodeSmmuV1V2Parser)
); );
ArrayPtr = Ptr + *InterruptContextOffset; Offset = *InterruptContextOffset;
Index = 0; Index = 0;
while (Index < *InterruptContextCount) {
while ((Index < *InterruptContextCount) &&
(Offset < Length)) {
AsciiSPrint ( AsciiSPrint (
Buffer, Buffer,
sizeof (Buffer), sizeof (Buffer),
"Context Interrupts Array [%d]", "Context Interrupts Array [%d]",
Index Index
); );
Offset = ParseAcpi ( Offset += ParseAcpi (
TRUE, TRUE,
4, 4,
Buffer, Buffer,
ArrayPtr, Ptr + Offset,
8, Length - Offset,
PARSER_PARAMS (InterruptArrayParser) PARSER_PARAMS (InterruptArrayParser)
); );
ArrayPtr += Offset;
Index++; Index++;
} }
ArrayPtr = Ptr + *PmuInterruptOffset; Offset = *PmuInterruptOffset;
Index = 0; Index = 0;
while (Index < *PmuInterruptCount) {
while ((Index < *PmuInterruptCount) &&
(Offset < Length)) {
AsciiSPrint ( AsciiSPrint (
Buffer, Buffer,
sizeof (Buffer), sizeof (Buffer),
"PMU Interrupts Array [%d]", "PMU Interrupts Array [%d]",
Index Index
); );
Offset = ParseAcpi ( Offset += ParseAcpi (
TRUE, TRUE,
4, 4,
Buffer, Buffer,
ArrayPtr, Ptr + Offset,
8, Length - Offset,
PARSER_PARAMS (InterruptArrayParser) PARSER_PARAMS (InterruptArrayParser)
); );
ArrayPtr += Offset;
Index++; Index++;
} }
if (*IortIdMappingCount != 0) { DumpIortNodeIdMappings (
DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); Ptr + MappingOffset,
} Length - MappingOffset,
MappingCount
);
} }
/** /**
@ -394,9 +395,11 @@ DumpIortNodeSmmuV3 (
PARSER_PARAMS (IortNodeSmmuV3Parser) PARSER_PARAMS (IortNodeSmmuV3Parser)
); );
if (*IortIdMappingCount != 0) { DumpIortNodeIdMappings (
DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); Ptr + MappingOffset,
} Length - MappingOffset,
MappingCount
);
} }
/** /**
@ -414,40 +417,40 @@ DumpIortNodeIts (
{ {
UINT32 Offset; UINT32 Offset;
UINT32 Index; UINT32 Index;
UINT8* ItsIdPtr;
CHAR8 Buffer[80]; // Used for AsciiName param of ParseAcpi CHAR8 Buffer[80]; // Used for AsciiName param of ParseAcpi
Offset = ParseAcpi ( Offset = ParseAcpi (
TRUE, TRUE,
2, 2,
"ITS Node", "ITS Node",
Ptr, Ptr,
Length, Length,
PARSER_PARAMS (IortNodeItsParser) PARSER_PARAMS (IortNodeItsParser)
); );
ItsIdPtr = Ptr + Offset;
Index = 0; Index = 0;
while (Index < *ItsCount) {
while ((Index < *ItsCount) &&
(Offset < Length)) {
AsciiSPrint ( AsciiSPrint (
Buffer, Buffer,
sizeof (Buffer), sizeof (Buffer),
"GIC ITS Identifier Array [%d]", "GIC ITS Identifier Array [%d]",
Index Index
); );
Offset = ParseAcpi ( Offset += ParseAcpi (
TRUE, TRUE,
4, 4,
Buffer, Buffer,
ItsIdPtr, Ptr + Offset,
4, Length - Offset,
PARSER_PARAMS (ItsIdParser) PARSER_PARAMS (ItsIdParser)
); );
ItsIdPtr += Offset;
Index++; Index++;
} }
// Note: ITS does not have the ID Mappings Array // Note: ITS does not have the ID Mappings Array
} }
/** /**
@ -470,8 +473,6 @@ DumpIortNodeNamedComponent (
{ {
UINT32 Offset; UINT32 Offset;
UINT32 Index; UINT32 Index;
UINT8* DeviceNamePtr;
UINT32 DeviceNameLength;
Offset = ParseAcpi ( Offset = ParseAcpi (
TRUE, TRUE,
@ -482,19 +483,22 @@ DumpIortNodeNamedComponent (
PARSER_PARAMS (IortNodeNamedComponentParser) PARSER_PARAMS (IortNodeNamedComponentParser)
); );
DeviceNamePtr = Ptr + Offset;
// Estimate the Device Name length // Estimate the Device Name length
DeviceNameLength = Length - Offset - (MappingCount * 20);
PrintFieldName (2, L"Device Object Name"); PrintFieldName (2, L"Device Object Name");
Index = 0; Index = 0;
while ((Index < DeviceNameLength) && (DeviceNamePtr[Index] != 0)) {
Print (L"%c", DeviceNamePtr[Index++]); while ((*(Ptr + Offset) != 0) &&
(Offset < Length)) {
Print (L"%c", *(Ptr + Offset));
Offset++;
} }
Print (L"\n"); Print (L"\n");
if (*IortIdMappingCount != 0) { DumpIortNodeIdMappings (
DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); Ptr + MappingOffset,
} Length - MappingOffset,
MappingCount
);
} }
/** /**
@ -524,9 +528,11 @@ DumpIortNodeRootComplex (
PARSER_PARAMS (IortNodeRootComplexParser) PARSER_PARAMS (IortNodeRootComplexParser)
); );
if (*IortIdMappingCount != 0) { DumpIortNodeIdMappings (
DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); Ptr + MappingOffset,
} Length - MappingOffset,
MappingCount
);
} }
/** /**
@ -554,11 +560,13 @@ DumpIortNodePmcg (
Ptr, Ptr,
Length, Length,
PARSER_PARAMS (IortNodePmcgParser) PARSER_PARAMS (IortNodePmcgParser)
); );
if (*IortIdMappingCount != 0) { DumpIortNodeIdMappings (
DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); Ptr + MappingOffset,
} Length - MappingOffset,
MappingCount
);
} }
/** /**
@ -605,23 +613,34 @@ ParseAcpiIort (
AcpiTableLength, AcpiTableLength,
PARSER_PARAMS (IortParser) PARSER_PARAMS (IortParser)
); );
Offset = *IortNodeOffset; Offset = *IortNodeOffset;
NodePtr = Ptr + Offset; NodePtr = Ptr + Offset;
Index = 0; Index = 0;
while ((Index < *IortNodeCount) && (Offset < AcpiTableLength)) { // Parse the specified number of IORT nodes or the IORT table buffer length.
// Whichever is minimum.
while ((Index++ < *IortNodeCount) &&
(Offset < AcpiTableLength)) {
// Parse the IORT Node Header // Parse the IORT Node Header
ParseAcpi ( ParseAcpi (
FALSE, FALSE,
0, 0,
"IORT Node Header", "IORT Node Header",
NodePtr, NodePtr,
16, AcpiTableLength - Offset,
PARSER_PARAMS (IortNodeHeaderParser) PARSER_PARAMS (IortNodeHeaderParser)
); );
if (*IortNodeLength == 0) {
// Make sure the IORT Node is inside the table
if ((Offset + (*IortNodeLength)) > AcpiTableLength) {
IncrementErrorCount (); IncrementErrorCount ();
Print (L"ERROR: Parser error. Invalid table data.\n"); Print (
L"ERROR: Invalid IORT node length. IortNodeLength = %d. " \
L"RemainingTableBufferLength = %d. IORT parsing aborted.\n",
*IortNodeLength,
AcpiTableLength - Offset
);
return; return;
} }