MdeModulePkg/Core/Pei: Fix pointer size mismatch in EvacuateTempRam()

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3512

In 32-bit PEI, the local variable pointers MigratedFvHeader and
RawDataFvHeader in EvacuateTempRam() will be 32-bit in size. The
pointers are currently passed to PeiServicesAllocatePages() which
expects a 64-bit output buffer of type EFI_PHYSICAL_ADDRESS.

When PeiServicesAllocatePages() writes to the buffer, the data
can overflow.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Michael Kubacki 2021-09-09 11:46:01 +08:00 committed by mergify[bot]
parent 6f501a7c9b
commit c19d18136e
1 changed files with 5 additions and 2 deletions


@ -1135,6 +1135,7 @@ EvacuateTempRam (
volatile UINTN FvIndex;
volatile UINTN FvChildIndex;
UINTN ChildFvOffset;
EFI_PHYSICAL_ADDRESS FvHeaderAddress;
EFI_FIRMWARE_VOLUME_HEADER *FvHeader;
EFI_FIRMWARE_VOLUME_HEADER *ChildFvHeader;
EFI_FIRMWARE_VOLUME_HEADER *MigratedFvHeader;
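Review bot: The new FvHeaderAddress local is undocumented and is shared by two unrelated allocations later in the function (the migrated FV copy and the raw data copy). A short comment at the declaration saying it is scratch output for PeiServicesAllocatePages() and is narrowed through (UINTN) before use as a pointer would make the 64-bit to native-width conversion explicit for the next reader. It would also make clear why the pointers themselves must not be passed as the output buffer.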
@ -1186,9 +1187,10 @@ EvacuateTempRam (
Status = PeiServicesAllocatePages (
EfiBootServicesCode,
EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength),
(EFI_PHYSICAL_ADDRESS *) &MigratedFvHeader
&FvHeaderAddress
);
ASSERT_EFI_ERROR (Status);
MigratedFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeaderAddress;
//
// Allocate pool to save the raw PEIMs, which is used to keep consistent context across
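Review bot: The only check between the allocation and the new MigratedFvHeader assignment is ASSERT_EFI_ERROR (Status), so in a build where asserts are disabled a failed PeiServicesAllocatePages() leads to FvHeaderAddress being read without ever having been written (its declaration has no initial value) and then cast to a pointer. Consider an explicit EFI_ERROR (Status) check that returns before the cast, or at least set FvHeaderAddress to 0 before the call so the failure case yields a NULL pointer rather than stack contents.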
@ -1197,9 +1199,10 @@ EvacuateTempRam (
Status = PeiServicesAllocatePages (
EfiBootServicesCode,
EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength),
(EFI_PHYSICAL_ADDRESS *) &RawDataFvHeader
&FvHeaderAddress
);
ASSERT_EFI_ERROR (Status);
RawDataFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeaderAddress;
DEBUG ((
DEBUG_VERBOSE,
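Review bot: Because FvHeaderAddress is reused here without being reset, a failed second allocation in a build where ASSERT_EFI_ERROR is disabled may leave it holding the address returned for MigratedFvHeader, so RawDataFvHeader would end up aliasing the migrated copy instead of a separate buffer. Clearing FvHeaderAddress before this call, or checking Status explicitly before the RawDataFvHeader assignment, removes that possibility.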