tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add more SMRAM range check to 3 SMI handler. 

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Eric Jin <eric.jin@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13477 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
czhang46 2012-06-27 05:08:49 +00:00
parent 86a7f72026
commit ccd2f6b0c6
2 changed files with 90 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
View File

@ -9,6 +9,13 @@
This library is mainly used by SMM Core to start performance logging to ensure that This library is mainly used by SMM Core to start performance logging to ensure that
SMM Performance and PerformanceEx Protocol are installed at the very beginning of SMM phase. SMM Performance and PerformanceEx Protocol are installed at the very beginning of SMM phase.
Caution: This module requires additional review when modified.
This driver will have external input - performance data and communicate buffer in SMM mode.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted input and do basic validation.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -475,6 +482,9 @@ IsAddressInSmram (
This SMI handler provides services for the performance wrapper driver. This SMI handler provides services for the performance wrapper driver.
Caution: This function may receive untrusted input.
Communicate buffer and buffer size are external input, so this function will do basic validation.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the @param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered. handler was registered.
@ -506,7 +516,21 @@ SmmPerformanceHandlerEx (
GaugeEntryExArray = NULL; GaugeEntryExArray = NULL;
ASSERT (CommBuffer != NULL); //
// If input is invalid, stop processing this SMI
//
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
return EFI_SUCCESS;
}
if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SMM communcation data buffer is in SMRAM!\n"));
return EFI_SUCCESS;
}
SmmPerfCommData = (SMM_PERF_COMMUNICATE_EX *)CommBuffer; SmmPerfCommData = (SMM_PERF_COMMUNICATE_EX *)CommBuffer;
@ -528,9 +552,9 @@ SmmPerformanceHandlerEx (
// //
DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX); DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX);
if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)SmmPerfCommData->GaugeDataEx, DataSize)) { if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)SmmPerfCommData->GaugeDataEx, DataSize)) {
DEBUG ((EFI_D_ERROR, "Smm Performance Data buffer is in SMRAM!\n")); DEBUG ((EFI_D_ERROR, "SMM Performance Data buffer is in SMRAM!\n"));
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
break ; break;
} }
GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
@ -543,11 +567,12 @@ SmmPerformanceHandlerEx (
break; break;
default: default:
ASSERT (FALSE);
Status = EFI_UNSUPPORTED; Status = EFI_UNSUPPORTED;
} }
SmmPerfCommData->ReturnStatus = Status; SmmPerfCommData->ReturnStatus = Status;
return EFI_SUCCESS; return EFI_SUCCESS;
} }
@ -556,6 +581,9 @@ SmmPerformanceHandlerEx (
This SMI handler provides services for the performance wrapper driver. This SMI handler provides services for the performance wrapper driver.
Caution: This function may receive untrusted input.
Communicate buffer and buffer size are external input, so this function will do basic validation.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the @param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered. handler was registered.
@ -589,7 +617,21 @@ SmmPerformanceHandler (
GaugeEntryExArray = NULL; GaugeEntryExArray = NULL;
ASSERT (CommBuffer != NULL); //
// If input is invalid, stop processing this SMI
//
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
return EFI_SUCCESS;
}
if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SMM communcation data buffer is in SMRAM!\n"));
return EFI_SUCCESS;
}
SmmPerfCommData = (SMM_PERF_COMMUNICATE *)CommBuffer; SmmPerfCommData = (SMM_PERF_COMMUNICATE *)CommBuffer;
@ -611,9 +653,9 @@ SmmPerformanceHandler (
// //
DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY); DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY);
if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)SmmPerfCommData->GaugeData, DataSize)) { if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)SmmPerfCommData->GaugeData, DataSize)) {
DEBUG ((EFI_D_ERROR, "Smm Performance Data buffer is in SMRAM!\n")); DEBUG ((EFI_D_ERROR, "SMM Performance Data buffer is in SMRAM!\n"));
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
break ; break;
} }
GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
@ -630,11 +672,12 @@ SmmPerformanceHandler (
break; break;
default: default:
ASSERT (FALSE);
Status = EFI_UNSUPPORTED; Status = EFI_UNSUPPORTED;
} }
SmmPerfCommData->ReturnStatus = Status; SmmPerfCommData->ReturnStatus = Status;
return EFI_SUCCESS; return EFI_SUCCESS;
} }

46
MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
View File

@ -4,6 +4,13 @@
This module registers report status code listener to collect performance data This module registers report status code listener to collect performance data
for SMM driver boot records and S3 Suspend Performance Record. for SMM driver boot records and S3 Suspend Performance Record.
Caution: This module requires additional review when modified.
This driver will have external input - communicate buffer in SMM mode.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
FpdtSmiHandler() will receive untrusted input and do basic validation.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -204,6 +211,9 @@ InternalIsAddressInSmram (
This SMI handler provides services for report SMM boot records. This SMI handler provides services for report SMM boot records.
Caution: This function may receive untrusted input.
Communicate buffer and buffer size are external input, so this function will do basic validation.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the @param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered. handler was registered.
@ -211,10 +221,14 @@ InternalIsAddressInSmram (
be conveyed from a non-SMM environment into an SMM environment. be conveyed from a non-SMM environment into an SMM environment.
@param[in, out] CommBufferSize The size of the CommBuffer. @param[in, out] CommBufferSize The size of the CommBuffer.
@retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers should still be called. @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
@retval EFI_INVALID_PARAMETER The interrupt parameter is not valid. should still be called.
@retval EFI_ACCESS_DENIED The interrupt buffer can't be written. @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
@retval EFI_UNSUPPORTED The interrupt is not supported. still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
be called.
@retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
**/ **/
EFI_STATUS EFI_STATUS
EFIAPI EFIAPI
@ -228,14 +242,26 @@ FpdtSmiHandler (
EFI_STATUS Status; EFI_STATUS Status;
SMM_BOOT_RECORD_COMMUNICATE *SmmCommData; SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
ASSERT (CommBuffer != NULL); //
if (CommBuffer == NULL || *CommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) { // If input is invalid, stop processing this SMI
return EFI_INVALID_PARAMETER; //
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
if(*CommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
return EFI_SUCCESS;
}
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SMM communication data buffer is in SMRAM!\n"));
return EFI_SUCCESS;
} }
Status = EFI_SUCCESS;
SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer; SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer;
Status = EFI_SUCCESS;
switch (SmmCommData->Function) { switch (SmmCommData->Function) {
case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE : case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE :
SmmCommData->BootRecordSize = mBootRecordSize; SmmCommData->BootRecordSize = mBootRecordSize;
@ -252,7 +278,7 @@ FpdtSmiHandler (
// //
SmmCommData->BootRecordSize = mBootRecordSize; SmmCommData->BootRecordSize = mBootRecordSize;
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)SmmCommData->BootRecordData, mBootRecordSize)) { if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)SmmCommData->BootRecordData, mBootRecordSize)) {
DEBUG ((EFI_D_ERROR, "Smm Data buffer is in SMRAM!\n")); DEBUG ((EFI_D_ERROR, "SMM Data buffer is in SMRAM!\n"));
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
break; break;
} }
@ -265,11 +291,11 @@ FpdtSmiHandler (
break; break;
default: default:
ASSERT (FALSE);
Status = EFI_UNSUPPORTED; Status = EFI_UNSUPPORTED;
} }
SmmCommData->ReturnStatus = Status; SmmCommData->ReturnStatus = Status;
return EFI_SUCCESS; return EFI_SUCCESS;
} }