tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-24 22:24:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

MdeModulePkg/BDS: Fix a buffer overflow bug

Browse Source 
KeyOption points to a buffer holding the content of Key####.
So its size is smaller than EFI_BOOT_MANAGER_KEY_OPTION.
Old code to assign value to KeyOption->OptionNumber modifies
the memory outside of the KeyOption buffer.

The patch fixes this bug.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>
This commit is contained in:
Ruiyu Ni 2017-05-17 19:38:35 +08:00
parent a9fb7b7803
commit 7320b8ed18
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
MdeModulePkg/Library/UefiBootManagerLib/BmHotkey.c
View File

@ -42,7 +42,7 @@ VOID *mBmTxtInExRegistration = NULL;
**/ **/
UINTN UINTN
BmSizeOfKeyOption ( BmSizeOfKeyOption (
EFI_BOOT_MANAGER_KEY_OPTION *KeyOption IN CONST EFI_BOOT_MANAGER_KEY_OPTION *KeyOption
) )
{ {
return OFFSET_OF (EFI_BOOT_MANAGER_KEY_OPTION, Keys) return OFFSET_OF (EFI_BOOT_MANAGER_KEY_OPTION, Keys)
@ -61,8 +61,8 @@ BmSizeOfKeyOption (
**/ **/
BOOLEAN BOOLEAN
BmIsKeyOptionValid ( BmIsKeyOptionValid (
IN EFI_BOOT_MANAGER_KEY_OPTION *KeyOption, IN CONST EFI_BOOT_MANAGER_KEY_OPTION *KeyOption,
IN UINTN KeyOptionSize IN UINTN KeyOptionSize
) )
{ {
UINT16 OptionName[BM_OPTION_NAME_LEN]; UINT16 OptionName[BM_OPTION_NAME_LEN];
@ -158,16 +158,15 @@ BmCollectKeyOptions (
{ {
UINTN Index; UINTN Index;
BM_COLLECT_KEY_OPTIONS_PARAM *Param; BM_COLLECT_KEY_OPTIONS_PARAM *Param;
EFI_BOOT_MANAGER_KEY_OPTION *KeyOption; VOID *KeyOption;
UINT16 OptionNumber; UINT16 OptionNumber;
UINTN KeyOptionSize; UINTN KeyOptionSize;
Param = (BM_COLLECT_KEY_OPTIONS_PARAM *) Context; Param = (BM_COLLECT_KEY_OPTIONS_PARAM *) Context;
if (BmIsKeyOptionVariable (Name, Guid, &OptionNumber)) { if (BmIsKeyOptionVariable (Name, Guid, &OptionNumber)) {
GetEfiGlobalVariable2 (Name, (VOID**) &KeyOption, &KeyOptionSize); GetEfiGlobalVariable2 (Name, &KeyOption, &KeyOptionSize);
ASSERT (KeyOption != NULL); ASSERT (KeyOption != NULL);
KeyOption->OptionNumber = OptionNumber;
if (BmIsKeyOptionValid (KeyOption, KeyOptionSize)) { if (BmIsKeyOptionValid (KeyOption, KeyOptionSize)) {
Param->KeyOptions = ReallocatePool ( Param->KeyOptions = ReallocatePool (
Param->KeyOptionCount * sizeof (EFI_BOOT_MANAGER_KEY_OPTION), Param->KeyOptionCount * sizeof (EFI_BOOT_MANAGER_KEY_OPTION),
@ -179,12 +178,13 @@ BmCollectKeyOptions (
// Insert the key option in order // Insert the key option in order
// //
for (Index = 0; Index < Param->KeyOptionCount; Index++) { for (Index = 0; Index < Param->KeyOptionCount; Index++) {
if (KeyOption->OptionNumber < Param->KeyOptions[Index].OptionNumber) { if (OptionNumber < Param->KeyOptions[Index].OptionNumber) {
break; break;
} }
} }
CopyMem (&Param->KeyOptions[Index + 1], &Param->KeyOptions[Index], (Param->KeyOptionCount - Index) * sizeof (EFI_BOOT_MANAGER_KEY_OPTION)); CopyMem (&Param->KeyOptions[Index + 1], &Param->KeyOptions[Index], (Param->KeyOptionCount - Index) * sizeof (EFI_BOOT_MANAGER_KEY_OPTION));
CopyMem (&Param->KeyOptions[Index], KeyOption, BmSizeOfKeyOption (KeyOption)); CopyMem (&Param->KeyOptions[Index], KeyOption, KeyOptionSize);
Param->KeyOptions[Index].OptionNumber = OptionNumber;
Param->KeyOptionCount++; Param->KeyOptionCount++;
} }
FreePool (KeyOption); FreePool (KeyOption);