Add checks to make sure the data is valid.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Zeng, Star <star.zeng@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15393 6f19259b-4bc3-4df7-8a09-765794883524
Gao, Liming 2014-03-26 09:27:01 +00:00 committed by lgao4
parent f85acc224c
commit 9f25f7ddd0
2 changed files with 57 additions and 13 deletions


@ -13,7 +13,7 @@
4. It save all the mapping info in NV variables which will be consumed 4. It save all the mapping info in NV variables which will be consumed
by platform override protocol driver to publish the platform override protocol. by platform override protocol driver to publish the platform override protocol.
Copyright (c) 2007 - 2013, Intel Corporation. All rights reserved.<BR> Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -1240,6 +1240,7 @@ PlatOverMngrRouteConfig (
EFI_CALLBACK_INFO *Private; EFI_CALLBACK_INFO *Private;
UINT16 KeyValue; UINT16 KeyValue;
PLAT_OVER_MNGR_DATA *FakeNvData; PLAT_OVER_MNGR_DATA *FakeNvData;
EFI_STATUS Status;
if (Configuration == NULL || Progress == NULL) { if (Configuration == NULL || Progress == NULL) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
@ -1260,11 +1261,12 @@ PlatOverMngrRouteConfig (
return EFI_SUCCESS; return EFI_SUCCESS;
} }
Status = EFI_SUCCESS;
if (mCurrentPage == FORM_ID_DRIVER) { if (mCurrentPage == FORM_ID_DRIVER) {
KeyValue = KEY_VALUE_DRIVER_GOTO_ORDER; KeyValue = KEY_VALUE_DRIVER_GOTO_ORDER;
UpdatePrioritySelectPage (Private, KeyValue, FakeNvData); UpdatePrioritySelectPage (Private, KeyValue, FakeNvData);
KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT; KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT;
CommintChanges (Private, KeyValue, FakeNvData); Status = CommintChanges (Private, KeyValue, FakeNvData);
// //
// Since UpdatePrioritySelectPage will change mCurrentPage, // Since UpdatePrioritySelectPage will change mCurrentPage,
// should ensure the mCurrentPage still indicate the second page here // should ensure the mCurrentPage still indicate the second page here
@ -1274,10 +1276,10 @@ PlatOverMngrRouteConfig (
if (mCurrentPage == FORM_ID_ORDER) { if (mCurrentPage == FORM_ID_ORDER) {
KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT; KeyValue = KEY_VALUE_ORDER_SAVE_AND_EXIT;
CommintChanges (Private, KeyValue, FakeNvData); Status = CommintChanges (Private, KeyValue, FakeNvData);
} }
return EFI_SUCCESS; return Status;
} }
/** /**
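Review bot: The return value of `UpdatePrioritySelectPage (Private, KeyValue, FakeNvData)` in the `FORM_ID_DRIVER` branch of PlatOverMngrRouteConfig is still discarded, so `CommintChanges` runs and its status is returned even when the page update did not succeed. If that helper returns EFI_STATUS (its declaration is not visible in these hunks), assign it with `Status = UpdatePrioritySelectPage (Private, KeyValue, FakeNvData);` and only call `CommintChanges` when `!EFI_ERROR (Status)`. A short comment at `return Status;`, for example `// Propagate variable-write failures instead of always reporting success`, would record why the return value changed. The function body starts outside the hunks shown.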


@ -1,7 +1,7 @@
/** @file /** @file
Implementation of the shared functions to do the platform driver vverride mapping. Implementation of the shared functions to do the platform driver vverride mapping.
Copyright (c) 2007 - 2009, Intel Corporation. All rights reserved.<BR> Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -691,12 +691,17 @@ InitOverridesMapping (
// //
VariableNum = 1; VariableNum = 1;
Corrupted = FALSE; Corrupted = FALSE;
NotEnd = 0;
do { do {
VariableIndex = VariableBuffer; VariableIndex = VariableBuffer;
// if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {
// End flag Corrupted = TRUE;
// } else {
NotEnd = *(UINT32*) VariableIndex; //
// End flag
//
NotEnd = *(UINT32*) VariableIndex;
}
// //
// Traverse the entries containing the mapping that Controller Device Path // Traverse the entries containing the mapping that Controller Device Path
// to a set of Driver Device Paths within this variable. // to a set of Driver Device Paths within this variable.
@ -706,6 +711,10 @@ InitOverridesMapping (
// //
// Check signature of this entry // Check signature of this entry
// //
if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {
Corrupted = TRUE;
break;
}
Signature = *(UINT32 *) VariableIndex; Signature = *(UINT32 *) VariableIndex;
if (Signature != PLATFORM_OVERRIDE_ITEM_SIGNATURE) { if (Signature != PLATFORM_OVERRIDE_ITEM_SIGNATURE) {
Corrupted = TRUE; Corrupted = TRUE;
@ -722,6 +731,10 @@ InitOverridesMapping (
// //
// Get DriverNum // Get DriverNum
// //
if (VariableIndex + sizeof (UINT32) >= (UINT8 *) VariableBuffer + BufferSize) {
Corrupted = TRUE;
break;
}
DriverNumber = *(UINT32*) VariableIndex; DriverNumber = *(UINT32*) VariableIndex;
OverrideItem->DriverInfoNum = DriverNumber; OverrideItem->DriverInfoNum = DriverNumber;
VariableIndex = VariableIndex + sizeof (UINT32); VariableIndex = VariableIndex + sizeof (UINT32);
@ -735,6 +748,14 @@ InitOverridesMapping (
// Align the VariableIndex since the controller device path may not be aligned, refer to the SaveOverridesMapping() // Align the VariableIndex since the controller device path may not be aligned, refer to the SaveOverridesMapping()
// //
VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1)); VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));
//
// Check buffer overflow.
//
if ((OverrideItem->ControllerDevicePath == NULL) || (VariableIndex < (UINT8 *) ControllerDevicePath) ||
(VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {
Corrupted = TRUE;
break;
}
// //
// Get all DriverImageDevicePath[] // Get all DriverImageDevicePath[]
@ -756,8 +777,20 @@ InitOverridesMapping (
VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1)); VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));
InsertTailList (&OverrideItem->DriverInfoList, &DriverImageInfo->Link); InsertTailList (&OverrideItem->DriverInfoList, &DriverImageInfo->Link);
//
// Check buffer overflow
//
if ((DriverImageInfo->DriverImagePath == NULL) || (VariableIndex < (UINT8 *) DriverDevicePath) ||
(VariableIndex < (UINT8 *) VariableBuffer + BufferSize)) {
Corrupted = TRUE;
break;
}
} }
InsertTailList (MappingDataBase, &OverrideItem->Link); InsertTailList (MappingDataBase, &OverrideItem->Link);
if (Corrupted) {
break;
}
} }
FreePool (VariableBuffer); FreePool (VariableBuffer);
@ -866,11 +899,11 @@ DeleteOverridesVariables (
// //
// Check NotEnd to get all PlatDriOverX variable(s) // Check NotEnd to get all PlatDriOverX variable(s)
// //
while ((*(UINT32*)VariableBuffer) != 0) { while ((VariableBuffer != NULL) && ((*(UINT32*)VariableBuffer) != 0)) {
FreePool (VariableBuffer);
UnicodeSPrint (OverrideVariableName, sizeof (OverrideVariableName), L"PlatDriOver%d", VariableNum); UnicodeSPrint (OverrideVariableName, sizeof (OverrideVariableName), L"PlatDriOver%d", VariableNum);
VariableBuffer = GetVariableAndSize (OverrideVariableName, &gEfiCallerIdGuid, &BufferSize); VariableBuffer = GetVariableAndSize (OverrideVariableName, &gEfiCallerIdGuid, &BufferSize);
VariableNum++; VariableNum++;
ASSERT (VariableBuffer != NULL);
} }
// //
@ -1057,10 +1090,19 @@ SaveOverridesMapping (
VariableNeededSize, VariableNeededSize,
VariableBuffer VariableBuffer
); );
ASSERT (!EFI_ERROR(Status)); FreePool (VariableBuffer);
if (EFI_ERROR (Status)) {
if (NumIndex > 0) {
//
// Delete all PlatDriOver variables when full mapping can't be set.
//
DeleteOverridesVariables ();
}
return Status;
}
NumIndex ++; NumIndex ++;
FreePool (VariableBuffer);
} }
return EFI_SUCCESS; return EFI_SUCCESS;
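Review bot: In InitOverridesMapping, the overflow check added after `InsertTailList (&OverrideItem->DriverInfoList, &DriverImageInfo->Link)` has its last comparison inverted: `VariableIndex < (UINT8 *) VariableBuffer + BufferSize` holds whenever the cursor is still inside the variable, so a well-formed entry followed by more data is marked Corrupted while a cursor past the end is not rejected by that operand. The matching check after the controller device path uses `>`, and this one should too: `(VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {`. The DriverNum guard also uses `>=` where the signature guard uses `>`; one bound should be chosen and applied to both. Both device-path checks run only after the path has been consumed from the NV variable (the `== NULL` tests suggest a duplicate call outside the hunk), so a malformed path may already have been read past the buffer end before the check fires; validating the path size against the remaining bytes first would close that gap. The function bodies start and end outside these hunks.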