Use SmmMemLib to check communication buffer.

Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com> Reviewed-by: "Gao, Liming" <liming.gao@intel.com> Reviewed-by: "Fan, Jeff" <jeff.fan@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16695 6f19259b-4bc3-4df7-8a09-765794883524
2015-02-02 14:43:28 +00:00 · 2015-02-02 14:43:28 +00:00 · 9054e55a22
parent 842b1242d1
commit 9054e55a22
3 changed files with 5 additions and 83 deletions
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@ -112,6 +112,7 @@
  SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf
  MemoryAllocationLib|MdePkg/Library/SmmMemoryAllocationLib/SmmMemoryAllocationLib.inf
  ReportStatusCodeLib|MdeModulePkg/Library/SmmReportStatusCodeLib/SmmReportStatusCodeLib.inf
  SmmMemLib|MdePkg/Library/SmmMemLib/SmmMemLib.inf
  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
@ -33,14 +33,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Protocol/SmmVarCheck.h>
 #include <Library/SmmServicesTableLib.h>
 #include <Library/SmmMemLib.h>
 #include <Guid/AuthenticatedVariableFormat.h>
 #include <Guid/SmmVariableCommon.h>
 #include "Variable.h"
 EFI_SMRAM_DESCRIPTOR                                 *mSmramRanges;
 UINTN                                                mSmramRangeCount;
 extern VARIABLE_INFO_ENTRY                           *gVariableInfo;
 EFI_HANDLE                                           mSmmVariableHandle      = NULL;
 EFI_HANDLE                                           mVariableHandle         = NULL;
@ -137,60 +135,6 @@ AtRuntime (
  return mAtRuntime;
 }
 /**
  This function check if the address is in SMRAM.
  @param Buffer  the buffer address to be checked.
  @param Length  the buffer length to be checked.
  @retval TRUE  this address is in SMRAM.
  @retval FALSE this address is NOT in SMRAM.
 **/
 BOOLEAN
 InternalIsAddressInSmram (
  IN EFI_PHYSICAL_ADDRESS  Buffer,
  IN UINT64                Length
  )
 {
  UINTN  Index;
  for (Index = 0; Index < mSmramRangeCount; Index ++) {
    if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
        ((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {
      return TRUE;
    }
  }
  return FALSE;
 }
 /**
  This function check if the address refered by Buffer and Length is valid.
  @param Buffer  the buffer address to be checked.
  @param Length  the buffer length to be checked.
  @retval TRUE  this address is valid.
  @retval FALSE this address is NOT valid.
 **/
 BOOLEAN
 InternalIsAddressValid (
  IN UINTN                 Buffer,
  IN UINTN                 Length
  )
 {
  if (Buffer > (MAX_ADDRESS - Length)) {
    //
    // Overflow happen
    //
    return FALSE;
  }
  if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {
    return FALSE;
  }
  return TRUE;
 }
 /**
  Initializes a basic mutual exclusion lock.
@ -550,7 +494,7 @@ SmmVariableHandler (
    return EFI_SUCCESS;
  }
-  if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
+  if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
    return EFI_SUCCESS;
  }
@ -742,7 +686,7 @@ SmmVariableHandler (
      // It is covered by previous CommBuffer check 
      //
-      if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {
+      if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {
        DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
@ -961,8 +905,6 @@ VariableServiceInitialize (
  EFI_STATUS                              Status;
  EFI_HANDLE                              VariableHandle;
  VOID                                    *SmmFtwRegistration;
  EFI_SMM_ACCESS2_PROTOCOL                *SmmAccess;
  UINTN                                   Size;
  VOID                                    *SmmEndOfDxeRegistration;
  //
@ -991,28 +933,6 @@ VariableServiceInitialize (
                    );
  ASSERT_EFI_ERROR (Status);
  //
  // Get SMRAM information
  //
  Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
  ASSERT_EFI_ERROR (Status);
  Size = 0;
  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
  ASSERT (Status == EFI_BUFFER_TOO_SMALL);
  Status = gSmst->SmmAllocatePool (
                    EfiRuntimeServicesData,
                    Size,
                    (VOID **)&mSmramRanges
                    );
  ASSERT_EFI_ERROR (Status);
  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
  ASSERT_EFI_ERROR (Status);
  mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
  mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +
                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - sizeof (VARIABLE_HEADER);
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
@ -75,6 +75,7 @@
  HobLib
  PcdLib
  DevicePathLib
  SmmMemLib
 [Protocols]
  gEfiSmmFirmwareVolumeBlockProtocolGuid        ## CONSUMES