tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add more exact SMM check in SmmFaultTolerantWriteHandler. 

Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Elvin Li <elvin.li@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13763 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
lzeng14 2012-09-28 02:30:25 +00:00
parent 0758c830f7
commit 7ea4cf3f59
1 changed files with 44 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
View File

@ -337,9 +337,19 @@ SmmFaultTolerantWriteHandler (
SMM_FTW_GET_LAST_WRITE_HEADER *SmmFtwGetLastWriteHeader; SMM_FTW_GET_LAST_WRITE_HEADER *SmmFtwGetLastWriteHeader;
VOID *PrivateData; VOID *PrivateData;
EFI_HANDLE SmmFvbHandle; EFI_HANDLE SmmFvbHandle;
UINTN InfoSize;
ASSERT (CommBuffer != NULL);
ASSERT (CommBufferSize != NULL); //
// If input is invalid, stop processing this SMI
//
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
if (*CommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
return EFI_SUCCESS;
}
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) { if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SMM communication buffer size is in SMRAM!\n")); DEBUG ((EFI_D_ERROR, "SMM communication buffer size is in SMRAM!\n"));
@ -350,6 +360,17 @@ SmmFaultTolerantWriteHandler (
switch (SmmFtwFunctionHeader->Function) { switch (SmmFtwFunctionHeader->Function) {
case FTW_FUNCTION_GET_MAX_BLOCK_SIZE: case FTW_FUNCTION_GET_MAX_BLOCK_SIZE:
SmmGetMaxBlockSizeHeader = (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER *) SmmFtwFunctionHeader->Data; SmmGetMaxBlockSizeHeader = (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER *) SmmFtwFunctionHeader->Data;
InfoSize = sizeof (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER);
//
// SMRAM range check already covered before
//
if (InfoSize > *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE) {
DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
break;
}
Status = FtwGetMaxBlockSize ( Status = FtwGetMaxBlockSize (
&mFtwDevice->FtwInstance, &mFtwDevice->FtwInstance,
&SmmGetMaxBlockSizeHeader->BlockSize &SmmGetMaxBlockSizeHeader->BlockSize
@ -409,21 +430,27 @@ SmmFaultTolerantWriteHandler (
case FTW_FUNCTION_GET_LAST_WRITE: case FTW_FUNCTION_GET_LAST_WRITE:
SmmFtwGetLastWriteHeader = (SMM_FTW_GET_LAST_WRITE_HEADER *) SmmFtwFunctionHeader->Data; SmmFtwGetLastWriteHeader = (SMM_FTW_GET_LAST_WRITE_HEADER *) SmmFtwFunctionHeader->Data;
if (((UINT8*)SmmFtwGetLastWriteHeader->Data > (UINT8*)CommBuffer) && InfoSize = OFFSET_OF (SMM_FTW_GET_LAST_WRITE_HEADER, Data) + SmmFtwGetLastWriteHeader->PrivateDataSize;
((UINT8*)SmmFtwGetLastWriteHeader->Data + SmmFtwGetLastWriteHeader->PrivateDataSize <= (UINT8*)CommBuffer + (*CommBufferSize))) {
Status = FtwGetLastWrite ( //
&mFtwDevice->FtwInstance, // SMRAM range check already covered before
&SmmFtwGetLastWriteHeader->CallerId, //
&SmmFtwGetLastWriteHeader->Lba, if (InfoSize > *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE) {
&SmmFtwGetLastWriteHeader->Offset, DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));
&SmmFtwGetLastWriteHeader->Length, Status = EFI_ACCESS_DENIED;
&SmmFtwGetLastWriteHeader->PrivateDataSize, break;
(VOID *)SmmFtwGetLastWriteHeader->Data,
&SmmFtwGetLastWriteHeader->Complete
);
} else {
Status = EFI_INVALID_PARAMETER;
} }
Status = FtwGetLastWrite (
&mFtwDevice->FtwInstance,
&SmmFtwGetLastWriteHeader->CallerId,
&SmmFtwGetLastWriteHeader->Lba,
&SmmFtwGetLastWriteHeader->Offset,
&SmmFtwGetLastWriteHeader->Length,
&SmmFtwGetLastWriteHeader->PrivateDataSize,
(VOID *)SmmFtwGetLastWriteHeader->Data,
&SmmFtwGetLastWriteHeader->Complete
);
break; break;
default: default: