From aba3b264df1a4c0fe5f3863affe6ba9cffcf15ac Mon Sep 17 00:00:00 2001
From: Mikhail Krichanov
Date: Mon, 26 Feb 2024 11:56:44 +0300
Subject: [PATCH] Ring3: Added sanity checks.

---
 MdeModulePkg/Core/Dxe/DxeRing3/DxeRing3.c      |   1 +
 .../Core/Dxe/SysCall/SupportedProtocols.c      | 147 ++++++++++++------
 2 files changed, 97 insertions(+), 51 deletions(-)

diff --git a/MdeModulePkg/Core/Dxe/DxeRing3/DxeRing3.c b/MdeModulePkg/Core/Dxe/DxeRing3/DxeRing3.c
index db933998ee..ec2405c08e 100644
--- a/MdeModulePkg/Core/Dxe/DxeRing3/DxeRing3.c
+++ b/MdeModulePkg/Core/Dxe/DxeRing3/DxeRing3.c
@@ -156,6 +156,7 @@ Ring3Call (
       Status = Function5 (Data->Arguments[0], Data->Arguments[1], Data->Arguments[2], Data->Arguments[3], Data->Arguments[4]);
       break;
     default:
+      Status = EFI_UNSUPPORTED;
       break;
   }
diff --git a/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c b/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c
index 9d6837e729..edca2fd49f 100644
--- a/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c
+++ b/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c
@@ -237,24 +237,32 @@ CoreFileRead (
   UINTN                    *Ring3BufferSize;
   VOID                     *Ring3Buffer;
-  File = (RING3_EFI_FILE_PROTOCOL *)This;
-  DEBUG ((DEBUG_INFO, "Ring3 Read: check 1\n"));
+  File            = (RING3_EFI_FILE_PROTOCOL *)This;
+  Ring3Buffer     = NULL;
+  Ring3BufferSize = NULL;
   DisableSMAP ();
-  Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (UINTN *), (VOID **)&Ring3BufferSize);
-  if (EFI_ERROR (Status)) {
-    EnableSMAP ();
-    return Status;
+  if (BufferSize != NULL) {
+    Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (UINTN *), (VOID **)&Ring3BufferSize);
+    if (EFI_ERROR (Status)) {
+      EnableSMAP ();
+      return Status;
+    }
+
+    *Ring3BufferSize = *BufferSize;
   }
-  Status = CoreAllocatePool (EfiRing3MemoryType, *BufferSize, (VOID **)&Ring3Buffer);
-  if (EFI_ERROR (Status)) {
-    FreePool (Ring3BufferSize);
-    EnableSMAP ();
-    return Status;
+  if (Buffer != NULL) {
+    Status = CoreAllocatePool (EfiRing3MemoryType, *BufferSize, (VOID **)&Ring3Buffer);
+    if (EFI_ERROR (Status)) {
+      if (Ring3BufferSize != NULL) {
+        FreePool (Ring3BufferSize);
+      }
+      EnableSMAP ();
+      return Status;
+    }
   }
   EnableSMAP ();
-  DEBUG ((DEBUG_INFO, "Ring3 Read: check 2\n"));
   Status = GoToRing3 (
              3,
@@ -263,20 +271,22 @@ CoreFileRead (
              Ring3BufferSize,
              Ring3Buffer
              );
-  DEBUG ((DEBUG_INFO, "Ring3 Read: check 3\n"));
   DisableSMAP ();
-  if ((!EFI_ERROR (Status)) && (Ring3Buffer != NULL) && (Buffer != NULL)) {
+  if ((Ring3Buffer != NULL) && (Buffer != NULL) && (*BufferSize >= *Ring3BufferSize)) {
     CopyMem (Buffer, Ring3Buffer, *Ring3BufferSize);
+  }
+
+  if (Ring3Buffer != NULL) {
     FreePool (Ring3Buffer);
   }
-  *BufferSize = *Ring3BufferSize;
+  if (Ring3BufferSize != NULL) {
+    *BufferSize = *Ring3BufferSize;
-  DEBUG ((DEBUG_INFO, "Ring3 Read: check 3.5\n"));
-  FreePool (Ring3BufferSize);
+    FreePool (Ring3BufferSize);
+  }
   EnableSMAP ();
-  DEBUG ((DEBUG_INFO, "Ring3 Read: check 4\n"));
   return Status;
 }
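Review bot: The new `Buffer != NULL` branch still dereferences `BufferSize` unconditionally in `CoreAllocatePool (EfiRing3MemoryType, *BufferSize, (VOID **)&Ring3Buffer)`, so a caller passing a non-NULL Buffer together with a NULL BufferSize — exactly the kind of input the added NULL checks are guarding against — now faults inside the SMAP-disabled window instead of being rejected. A guard placed before `DisableSMAP ()`, `if ((Buffer != NULL) && (BufferSize == NULL)) { return EFI_INVALID_PARAMETER; }`, closes this, and the same gap exists in the CoreFileGetInfo hunk (`@@ -366,31 +384,48 @@`). Separately, `sizeof (UINTN *)` for an allocation that backs a `UINTN *Ring3BufferSize` reads as a slip for `sizeof (UINTN)` (or `sizeof (*Ring3BufferSize)`); the two coincide on the supported targets, but the intent should be spelled out, here and in the GetInfo hunk. CoreFileRead's signature lies above the hunk.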
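Review bot: The rewritten copy condition in the second hunk drops the previous `!EFI_ERROR (Status)` test, so whatever Ring3 left in Ring3Buffer is copied into the caller's Buffer even when GoToRing3 reported a failure, and when the new size check fails the copy is silently skipped while Status is returned unchanged, so a success Status can reach the caller with Buffer untouched. Restoring the status test and treating the inconsistent case as an error covers both, e.g. `if (!EFI_ERROR (Status) && (Ring3Buffer != NULL) && (Buffer != NULL)) {` for the copy and an `} else if (!EFI_ERROR (Status) && (Ring3Buffer != NULL) && (Buffer != NULL)) { Status = EFI_DEVICE_ERROR; }` branch for a Ring3 reply that claims more bytes than the buffer holds. Since `*Ring3BufferSize` lives in Ring3-writable memory, reading it once into a local and using that for both the comparison and the CopyMem length ensures the size checked is the size copied. The CoreFileGetInfo tail hunk (`@@ -403,13 +438,23 @@`) has the same unguarded copy and unconditional `*BufferSize = *Ring3BufferSize;` write-back, though there the old code lacked a status check as well.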
@@ -325,13 +335,19 @@ CoreFileGetPosition (
   RING3_EFI_FILE_PROTOCOL  *File;
   UINT64                   *Ring3Position;
-  File = (RING3_EFI_FILE_PROTOCOL *)This;
+  File          = (RING3_EFI_FILE_PROTOCOL *)This;
+  Ring3Position = NULL;
-  DisableSMAP ();
-  Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (UINT64), (VOID **)&Ring3Position);
-  EnableSMAP ();
-  if (EFI_ERROR (Status)) {
-    return Status;
+  if (Position != NULL) {
+    DisableSMAP ();
+    Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (UINT64), (VOID **)&Ring3Position);
+    if (EFI_ERROR (Status)) {
+      EnableSMAP ();
+      return Status;
+    }
+
+    *Ring3Position = *Position;
+    EnableSMAP ();
   }
   Status = GoToRing3 (
@@ -341,11 +357,13 @@ CoreFileGetPosition (
              Ring3Position
              );
-  DisableSMAP ();
-  *Position = *Ring3Position;
+  if (Ring3Position != NULL) {
+    DisableSMAP ();
+    *Position = *Ring3Position;
-  FreePool (Ring3Position);
-  EnableSMAP ();
+    FreePool (Ring3Position);
+    EnableSMAP ();
+  }
   return Status;
 }
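Review bot: With the new guard, a NULL `Position` no longer faults here, but the syscall is still issued with `Ring3Position == NULL` as its out-pointer, leaving it to the less-privileged side to cope with a request that cannot return anything; rejecting it up-front with `if (Position == NULL) { return EFI_INVALID_PARAMETER; }` keeps the sanity check where it belongs. In the second hunk the write-back `*Position = *Ring3Position;` still happens regardless of what GoToRing3 returned, so an error path publishes whatever Ring3 left in the buffer; wrapping that one assignment in `if (!EFI_ERROR (Status))` while keeping the FreePool unconditional would match the intent of these checks. The copy-in `*Ring3Position = *Position;` also appears unnecessary for an output-only call — if the Ring3 handler does not read the incoming value, it can be dropped. Both hunks sit in the middle of CoreFileGetPosition; the GoToRing3 argument list falls between them.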
@@ -366,31 +384,48 @@ CoreFileGetInfo (
   UINTN                    *Ring3BufferSize;
   VOID                     *Ring3Buffer;
-  File = (RING3_EFI_FILE_PROTOCOL *)This;
+  File                 = (RING3_EFI_FILE_PROTOCOL *)This;
+  Ring3Buffer          = NULL;
+  Ring3BufferSize      = NULL;
+  Ring3InformationType = NULL;
   DisableSMAP ();
-  Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (UINTN *), (VOID **)&Ring3BufferSize);
-  if (EFI_ERROR (Status)) {
-    EnableSMAP ();
-    return Status;
+  if (BufferSize != NULL) {
+    Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (UINTN *), (VOID **)&Ring3BufferSize);
+    if (EFI_ERROR (Status)) {
+      EnableSMAP ();
+      return Status;
+    }
+
+    *Ring3BufferSize = *BufferSize;
   }
-  Status = CoreAllocatePool (EfiRing3MemoryType, *BufferSize, (VOID **)&Ring3Buffer);
-  if (EFI_ERROR (Status)) {
-    FreePool (Ring3BufferSize);
-    EnableSMAP ();
-    return Status;
+  if (Buffer != NULL) {
+    Status = CoreAllocatePool (EfiRing3MemoryType, *BufferSize, (VOID **)&Ring3Buffer);
+    if (EFI_ERROR (Status)) {
+      if (Ring3BufferSize != NULL) {
+        FreePool (Ring3BufferSize);
+      }
+      EnableSMAP ();
+      return Status;
+    }
   }
-  Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (EFI_GUID), (VOID **)&Ring3InformationType);
-  if (EFI_ERROR (Status)) {
-    FreePool (Ring3BufferSize);
-    FreePool (Ring3Buffer);
-    EnableSMAP ();
-    return Status;
-  }
+  if (InformationType != NULL) {
+    Status = CoreAllocatePool (EfiRing3MemoryType, sizeof (EFI_GUID), (VOID **)&Ring3InformationType);
+    if (EFI_ERROR (Status)) {
+      if (Ring3BufferSize != NULL) {
+        FreePool (Ring3BufferSize);
+      }
+      if (Ring3Buffer != NULL) {
+        FreePool (Ring3Buffer);
+      }
+      EnableSMAP ();
+      return Status;
+    }
-  CopyGuid (Ring3InformationType, InformationType);
+    CopyGuid (Ring3InformationType, InformationType);
+  }
   EnableSMAP ();
   Status = GoToRing3 (
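Review bot: Each of the three error exits in this hunk now repeats a conditional FreePool ladder followed by `EnableSMAP ();` and `return Status;`, and the ladder grows by one `if (... != NULL)` branch per allocation, so the next field routed through Ring3 here will need four copies kept in sync. Since all three Ring3 pointers are NULL-initialised at the top of the function, a small static helper that frees whichever of Ring3BufferSize, Ring3Buffer and Ring3InformationType is non-NULL would let each exit collapse to that one call plus `EnableSMAP (); return Status;`, and the tail of the function, which performs the same three conditional frees, could use it as well. This is a readability point only; the frees themselves are correct on every visible path. CoreFileGetInfo's GoToRing3 call continues past the end of this hunk.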
@@ -403,13 +438,23 @@ CoreFileGetInfo (
              );
   DisableSMAP ();
-  *BufferSize = *Ring3BufferSize;
+  if ((Ring3Buffer != NULL) && (Buffer != NULL) && (*BufferSize >= *Ring3BufferSize)) {
+    CopyMem (Buffer, Ring3Buffer, *Ring3BufferSize);
+  }
-  CopyMem (Buffer, Ring3Buffer, *Ring3BufferSize);
+  if (Ring3BufferSize != NULL) {
+    *BufferSize = *Ring3BufferSize;
-  FreePool (Ring3BufferSize);
-  FreePool (Ring3Buffer);
-  FreePool (Ring3InformationType);
+    FreePool (Ring3BufferSize);
+  }
+
+  if (Ring3Buffer != NULL) {
+    FreePool (Ring3Buffer);
+  }
+
+  if (Ring3InformationType != NULL) {
+    FreePool (Ring3InformationType);
+  }
   EnableSMAP ();
   return Status;