ShellPkg: acpiview: Validate ACPI table 'Length' field

Check if the ACPI table length, as reported in the ACPI table header, is big enough to fit at least the header itself. If not, report an error to the user and stop parsing the table in order to prevent buffer overruns. Signed-off-by: Krzysztof Koch <krzysztof.koch@arm.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Reviewed-by: Zhichao Gao <zhichao.gao@intel.com>
2020-02-11 18:01:17 +08:00 · 2020-02-11 18:01:17 +08:00 · 6d8f4bafad
parent 0b9026a823
commit 6d8f4bafad
1 changed files with 19 additions and 1 deletions
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c
@ -1,7 +1,7 @@
 /** @file
  ACPI table parser

-  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
+  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
  SPDX-License-Identifier: BSD-2-Clause-Patent
 **/

@ -176,6 +176,7 @@ ProcessAcpiTable (
  CONST UINT32* AcpiTableSignature;
  CONST UINT32* AcpiTableLength;
  CONST UINT8*  AcpiTableRevision;
+  CONST UINT8*  SignaturePtr;
  PARSE_ACPI_TABLE_PROC ParserProc;

  ParseAcpiHeader (
@ -193,6 +194,23 @@ ProcessAcpiTable (

  if (Trace) {
    DumpRaw (Ptr, *AcpiTableLength);
+
+    // Do not process the ACPI table any further if the table length read
+    // is invalid. The ACPI table should at least contain the table header.
+    if (*AcpiTableLength < sizeof (EFI_ACPI_DESCRIPTION_HEADER)) {
+      SignaturePtr = (CONST UINT8*)AcpiTableSignature;
+      IncrementErrorCount ();
+      Print (
+        L"ERROR: Invalid %c%c%c%c table length. Length = %d\n",
+        SignaturePtr[0],
+        SignaturePtr[1],
+        SignaturePtr[2],
+        SignaturePtr[3],
+        *AcpiTableLength
+        );
+      return;
+    }
+
    if (GetConsistencyChecking ()) {
      VerifyChecksum (TRUE, Ptr, *AcpiTableLength);
    }