Commit Graph

2686 Commits

Author SHA1 Message Date
Bret Barkelew 9338e23017 MdeModulePkg/ResetSystemRuntimeDxe: Remove DoS3 in warm reset
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1462

Original logic is that checking the CapsuleUpdate variable
and do the EnterS3WithImmediateWake if the system require a
capsule update. The EnterS3WithImmediateWake is usually
implemented in Platform ResetSystemLib instance and it may
do some operation for capsule update. For now, thess preparations
of capsule are platform reset notify functions' duty. Most
platforms need flush cache to memory before warm reset during
capsule update and this operation is added to capsule flow.
So it is safe to remove it and do not affect the capsule update
function.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-04-02 12:49:03 +08:00
Zhichao Gao a89fd3a359 MdeModulePkg/CapsuleRuntimeDxe: Add cache flush for IA32 and X64
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1462

The IA32 and X64 ARCH need cache flush function during capsule update.
And the cache flush is already implemented in arm ARCH, so add this
function CapsuleCacheWriteBack() to IA32 and X64 ARCH. And add a null
version for EBC.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-04-02 12:49:03 +08:00
Ray Ni 89910a39dc MdeModulePkg/HiiImage: Fix stack overflow when corrupted BMP is parsed (CVE-2018-12181)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135

For 4bit BMP, there are only 2^4 = 16 colors in the palette.
But when a corrupted BMP contains more than 16 colors in the palette,
today's implementation wrongly copies all colors to the local
PaletteValue[16] array which causes stack overflow.

The similar issue also exists in the logic to handle 8bit BMP.

The patch fixes the issue by only copies the first 16 or 256 colors
in the palette depending on the BMP type.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-03-08 23:44:59 +08:00
Ray Ni ffe5f7a6b4 MdeModulePkg/HiiDatabase: Fix potential integer overflow (CVE-2018-12181)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-03-08 23:44:58 +08:00
Hao Wu 38c9fbdcaa MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134

Originally, the block size of created Ram disks is hard-coded to 512
bytes. However, if the total size of the Ram disk is not a multiple of 512
bytes, there will be potential memory access issues when dealing with the
last block of the Ram disk.

This commit will adjust the block size of the Ram disks to ensure that the
total size is a multiple of the block size.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
2019-02-28 08:15:51 +08:00
Hao Wu fccdb88022 MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134

The commit adds checks for detecting GPT and MBR partitions.

These checks will ensure that the device block size is big enough to hold
an MBR (512 bytes).

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
2019-02-28 08:15:42 +08:00
Zhichao Gao e2531da3b8 MdeModulePkg: change the function name ResetSystem
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1460

Change the function name form ResetSystem to RuntimeServiceResetSystem.
Because ResetSystem and EfiResetSystem would be used in ResetSystemLib
and RuntimeLib.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-02-22 09:45:43 +08:00
Star Zeng 4a7aa8d34a MdeModulePkg: Remove EmuVariableRuntimeDxe
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

The real variable driver has been updated to support emulated
variable NV mode.
This patch removes EmuVariableRuntimeDxe after platforms are
migrated to use the merged variable driver.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-02-19 17:36:11 +08:00
Shenglei Zhang a083afa3fe MdeModulePkg/PropertiesTableAttributesDxe: Remove this driver
This functionality of this driver has been deprecated and
no platform employs this driver. It can be removed completely.
https://bugzilla.tianocore.org/show_bug.cgi?id=1475

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-02-19 16:15:23 +08:00
Shenglei Zhang 69544d224e MdeModulePkg/SmmS3SaveStateDxe: Change function parameter types
Change parameter Opcode from UINT16 to UINTN in
BootScriptWrite and BootScriptInsert.
https://bugzilla.tianocore.org/show_bug.cgi?id=1517

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-02-14 15:38:44 +08:00
Shenglei Zhang 5bdcfe3385 MdeModulePkg/S3SaveStateDxe: Change function parameter types
Change parameter Opcode from UINT16 to UINTN in
BootScriptWrite and BootScriptInsert.
https://bugzilla.tianocore.org/show_bug.cgi?id=1517

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-02-14 15:38:44 +08:00
Jiaxin Wu 463d994f9c MdeModulePkg/Ip4Dxe: Uninstall protocols when error happen in Driver Binding Start.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1447

This patch is to uninstall Ip4ServiceBindingProtocol and Ip4Config2Protocol when
error happen in Driver Binding Start.

Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Signed-off-by: Michael Turner <Michael.Turner@microsoft.com>
Reviewed-By: Ye Ting <ting.ye@intel.com>
2019-02-12 08:25:31 +08:00
Dandan Bi 44289eeafd MdeModulePkg: Fix coding style issues
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1479

Fix issues that reported by Edk2 coding style check tool(ECC) that:
Comment description should end with period '.'

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-02-02 21:41:38 +08:00
Shenglei Zhang 357fc11c35 MdeModulePkg/EbcDebugger: Use AsciiCharToUpper and CharToUpper
InternalUnicodeToUpper and InternalAsciiToUpper are internal functions,
so they are substituted by public functions AsciiCharToUpper and CharToUpper.
And their implements are removed.
https://bugzilla.tianocore.org/show_bug.cgi?id=1369

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
2019-01-31 20:19:16 +08:00
Shenglei Zhang cecbecb71d MdeModulePkg/EbcDebugger: Change function names
Change UnicodeToUpper to InternalUnicodeToUpper.
Change AsciiToUpper to InternalAsciiToUpper.
These changes are committed for bisectability, or build failure will
occur when 2/7 is applied. Because the introduced function names in
2/7 are the same as ones in EdbSupporting.c.
https://bugzilla.tianocore.org/show_bug.cgi?id=1369

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
2019-01-31 20:19:12 +08:00
Star Zeng 9084239f34 MdeModulePkg VariableStandaloneMm: Add PcdEmuVariableNvModeEnable in inf
It was missed in 7cd6995946 when rebasing
the patches after 688b2cad7b added
VariableStandaloneMm.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dandan Bi <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
2019-01-25 11:41:14 +08:00
Star Zeng 3c007f3653 MdeModulePkg VariablePei: Don't check BOOT_IN_RECOVERY_MODE
Don't check BOOT_IN_RECOVERY_MODE, but check PcdEmuVariableNvModeEnable
which platform can configure flexibly.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:37 +08:00
Star Zeng 7cd6995946 MdeModulePkg Variable: Add emulated variable NV mode support
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

Add emulated variable NV mode support in real variable driver.
Platform can configure PcdEmuVariableNvModeEnable statically
(build time) or dynamically (boot time) to support emulated
variable NV mode.

If PcdEmuVariableNvModeEnable is configured to dynamic, its
value should be set before Variable driver starts to work,
otherwise default value will take effect.

Then EmuVariableRuntimeDxe could be removed, the removal of
EmuVariableRuntimeDxe will be done after platforms are migrated
to use the merged variable driver.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:36 +08:00
Star Zeng 602cd0b6ba MdeModulePkg Variable: type case VolatileBase to UINTN directly
Simplify
((UINTN) ((UINT8 *) VolatileBase + VolatileBase->Size))
to
((UINTN) VolatileBase + VolatileBase->Size)

This patch prepares for adding emulated variable NV mode
support in VariableRuntimeDxe.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:34 +08:00
Star Zeng ebe34c96f4 MdeModulePkg Variable: Remove CacheOffset in UpdateVariable()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

CacheOffset could be removed in UpdateVariable() after
//
// update the memory copy of Flash region.
//
CopyMem (
  (UINT8 *)mNvVariableCache + CacheOffset,
  (UINT8 *)NextVariable, VarSize
   );

is moved to be before mVariableModuleGlobal->NonVolatileLastVariableOffset
value is updated, like right before
mVariableModuleGlobal->NonVolatileLastVariableOffset +=
  HEADER_ALIGN (VarSize);

Except for the movement above, the patch also capitalizes the first
character of "update the memory copy of Flash region".

This patch prepares for adding emulated variable NV mode
support in VariableRuntimeDxe.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:33 +08:00
Star Zeng b59fd889ac MdeModulePkg Variable: Abstract VariableWriteServiceInitializeDxe/Smm
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

Abstract VariableWriteServiceInitializeDxe/Smm from
FtwNotificationEvent/SmmFtwNotificationEvent, then
VariableWriteServiceInitializeDxe/Smm could be not aware
the NV storage is real or emulated.

This patch prepares for adding emulated variable NV mode
support in VariableRuntimeDxe.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:32 +08:00
Star Zeng 904e0ca997 MdeModulePkg Variable: Not get NV PCD in VariableWriteServiceInitialize
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

Add macro NV_STORAGE_VARIABLE_BASE.
Not get NV PCD in VariableWriteServiceInitialize, but in
FtwNotificationEvent/SmmFtwNotificationEvent, then
VariableWriteServiceInitialize could be not aware the NV
storage is real or emulated.

This patch prepares for adding emulated variable NV mode
support in VariableRuntimeDxe.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:32 +08:00
Star Zeng 5f0871e3d8 MdeModulePkg Variable: Move "extern XXX" to Variable.h
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

Move "extern XXX" to Variable.h from VariableDxe.c/VariableSmm.c.

This patch prepares for adding emulated variable NV mode
support in VariableRuntimeDxe.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:31 +08:00
Star Zeng 701d603f32 MdeModulePkg Variable: Abstract InitRealNonVolatileVariableStore
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

Abstract InitRealNonVolatileVariableStore from
InitNonVolatileVariableStore.

This patch prepares for adding emulated variable NV mode
support in VariableRuntimeDxe.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:30 +08:00
Star Zeng 874c8434d1 MdeModulePkg Variable: Add some missing changes for 9b18845
To improve performance 9b18845a4b
changed the code which read from physical MMIO address to read
from memory cache, but it missed some places that could be updated
the same away for performance optimization.

The patch updates these places as supplementary.

I found them when updating code for
https://bugzilla.tianocore.org/show_bug.cgi?id=1323
Merge EmuVariable and Real variable driver.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Acked-by: Julien Grall <julien.grall@arm.com>
2019-01-24 10:52:29 +08:00
Jiaxin Wu 710962016b MdeModulePkg/Dhcp4Dxe: Remove unnecessary NULL pointer check.
v3: Add the instance token check.

v2: The DHCP Instance might be destroyed in PxeDhcpDone. So,
we need safe-delete.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1469

Since the value of Instance is retrieved from the list Entry,
it can't be the NULL pointer, so just remove the unnecessary
check.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Hao A <hao.a.wu@intel.com>
Cc: Gao Liming <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Wu Hao A <hao.a.wu@intel.com>
2019-01-23 08:46:48 +08:00
Ard Biesheuvel 688b2cad7b MdeModulePkg/VariableRuntimeDxe: implement standalone MM version
Reuse most of the existing code to implement a variable runtime
driver that will be able to execute in the context of standalone
MM.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2019-01-16 20:10:51 +01:00
Ard Biesheuvel a855f63e2f MdeModulePkg/VariableRuntimeDxe: factor out boot service accesses
In preparation of providing a standalone MM based variable runtime
driver, move the existing SMM driver to the new MM services table,
and factor out some pieces that are specific to the traditional
driver, mainly related to the use of UEFI boot services, which are
not accessible to standalone MM drivers.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2019-01-16 20:10:51 +01:00
Ard Biesheuvel d0def00d33 MdeModulePkg/FaultTolerantWriteDxe: implement standalone MM version
Implement a new version of the fault tolerant write driver that can
be used in the context of a standalone MM implementation.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2019-01-16 20:10:51 +01:00
Ard Biesheuvel 22cedf5bbd MdeModulePkg/FaultTolerantWriteDxe: factor out boot service accesses
In preparation of providing a standalone MM based FTW driver, move
the existing SMM driver to the new MM services table, and factor out
some pieces that are specific to the traditional driver, mainly
related to the use of UEFI boot services, which are not accessible
to standalone MM drivers.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2019-01-16 20:10:51 +01:00
Eric Dong 306a58365a MdeModulePkg/BootScriptExecuteorDxe: check 64BIT_WAKE_F in FACS.OSPMFlags
((Facs->Flags & EFI_ACPI_4_0_OSPM_64BIT_WAKE__F) != 0))

In above code, Facs->OspmFlags should be used instead.
EFI_ACPI_4_0_OSPM_64BIT_WAKE__F is a bit in OSPM Enabled Firmware
Control Structure Flags field, not in Firmware Control Structure
Feature Flags.

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1430

Cc: Aleksiy <oleksiyy@ami.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2019-01-15 13:17:26 +08:00
Hao Wu 49395ea0bc MdeModulePkg/Variable: Update to consume SpeculationBarrier
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1417

Since BaseLib API AsmLfence() is a x86 arch specific API and should be
avoided using in generic codes, this commit replaces the usage of
AsmLfence() with arch-generic API SpeculationBarrier().

Please note that speculation execution barriers are intended to be
asserted for SMM codes, hence, this commit still preserve an empty
implementation of the speculation execution barrier for the DXE codes.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2018-12-25 09:16:11 +08:00
Hao Wu 107775734d MdeModulePkg/SmmLockBox: Update to consume SpeculationBarrier
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1417

Since BaseLib API AsmLfence() is a x86 arch specific API and should be
avoided using in generic codes, this commit replaces the usage of
AsmLfence() with arch-generic API SpeculationBarrier().

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2018-12-25 09:16:04 +08:00
Hao Wu 0e8c5d8b3b MdeModulePkg/FaultTolerantWrite: Update to consume SpeculationBarrier
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1417

Since BaseLib API AsmLfence() is a x86 arch specific API and should be
avoided using in generic codes, this commit replaces the usage of
AsmLfence() with arch-generic API SpeculationBarrier().

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2018-12-25 09:15:57 +08:00
Siyuan Fu b36c046960 MdeModulePkg: Delete UefiPxeBcDxe in MdeModulePkg.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1278

This patch is to delete the UefiPxeBcDxe driver in MdeModulePkg. The
driver will not be maintained and can't co-work with the dual-stack
UefiPxeBcDxe in NetworkPkg.

People should use below NetworkPkg drivers instead:
  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
Which is actively maintained with more bug fixes and new feature support.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2018-12-24 15:10:05 +08:00
Siyuan Fu dff73e4c73 MdeModulePkg: Delete IScsiDxe in MdeModulePkg.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1278

This patch is to delete the IScsiDxe driver in MdeModulePkg. The driver
will not be maintained and can't co-work with the dual-stack IScsiDxe in
NetworkPkg.

People should use below NetworkPkg drivers instead:
  NetworkPkg/IScsiDxe/IScsiDxe.inf
Which is actively maintained with more bug fixes and new feature support.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
2018-12-24 15:09:30 +08:00
Siyuan Fu 376a5dbe97 MdeModulePkg: Delete Tcp4Dxe in MdeModulePkg.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1278

This patch is to delete the Tcp4Dxe driver in MdeModulePkg. The driver
will not be maintained and can't co-work with the dual-stack TcpDxe in
NetworkPkg.

People should use below NetworkPkg drivers instead:
  NetworkPkg/TcpDxe/TcpDxe.inf
Which is actively maintained with more bug fixes and new feature support.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2018-12-24 15:08:55 +08:00
Liming Gao 534efca06f MdeModulePkg PCD: Add DynamicEx PcdVpdBaseAddress64 for non SPI platform
https://bugzilla.tianocore.org/show_bug.cgi?id=1356
Current PcdVpdBaseAddress is 32bit static Pcd. NON SPI platform needs to
configure it as Dynamic PCD. Emulator platform (such as NT32) may set its
value to 64bit address.
To meet with this usage, 64bit DynamicEx PcdVpdBaseAddress64 is introduced.
If its value is not zero, it will be used.
If its value is zero, static PcdVpdBaseAddress will be used.
When NON SPI platform enables VPD PCD, they need to set PcdVpdBaseAddress64.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
2018-11-27 11:29:21 +08:00
Vijayenthiran Subramaniam a90c7df7ed MdeModulePkg/Variable: add debug logs in VariableServiceSetVariable
Print debug messages if size of the VariableName plus DataSize exceeds
Max(Auth|Voltaile)VariableSize bytes. The messages will be useful if any
platform specific value of Max(Auth|Voltaile)VariableSize PCDs have to
be changed.

Cc: Star Zeng <star.zeng@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-11-23 09:54:55 +08:00
Dandan Bi 63f151aadb MdeModulePkg/DisplayEngine: Remove useless NULL ptr check for NewPos
In function UiDisplayMenu, the NewPos ptr which used to point to the
highlight menu entry. It will always point to the menu entry which
need to be highlighted or the gMenuOption menu if the highlight menu
is not found.
So we can remove the NULL ptr check for NewPos in this function.
And add the ASSERT code to avoid if any false positive reports
of NULL pointer dereference issue raised from static analysis.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-11-21 13:01:02 +08:00
Liming Gao 114a75ad86 Revert "MdeModulePkg/DisplayEngine: Remove useless NULL ptr check for NewPos"
This reverts commit 8cd4e734cc.

It is not a real bug fix. It should not be pushed after
Hard Feature Freeze for edk2-stable201811 tag.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>
2018-11-11 11:42:36 +08:00
Dandan Bi 8cd4e734cc MdeModulePkg/DisplayEngine: Remove useless NULL ptr check for NewPos
In function UiDisplayMenu, the NewPos ptr which used to point to the
highlight menu entry. It will always point to the menu entry which
need to be highlighted or the gMenuOption menu if the highlight menu
is not found.
So we can remove the NULL ptr check for NewPos in this function.
And add the ASSERT code to avoid if any false positive reports
of NULL pointer dereference issue raised from static analysis.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-11-08 13:40:08 +08:00
Jiaxin Wu fc5b790b39 MdeModulePkg/Mtftp4Dxe: Fix invalid configuration of MTFTP local port.
This patch is to fix the invalid setting of MTFTP local port. The
issue can be reproduced by tftp shell command by using [-l port]
option.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2018-11-06 15:22:35 +08:00
Liming Gao dbeaf58555 MdeModulePkg: Remove the trailing space in three source files.
The recent changes in these three source files introduce the trailing space.
This patch removes them to follow edk2 coding style.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-11-02 22:15:52 +08:00
Hao Wu 27b9cb33e7 MdeModulePkg/UdfDxe: Memory free/use after free in ResolveSymlink()
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1279

For function ResolveSymlink(), the below codes:

    if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
                    sizeof (UDF_FILE_INFO)) != 0) {
      CleanupFileInformation (&PreviousFile);
    }

    CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));

If the contents in 'PreviousFile' and 'File' are the same, call to
"CleanupFileInformation (&PreviousFile);" will free the buffers in 'File'
as well. This will lead to potential memory double free/use after free
issues.

This commit will add additional check to address the above issue.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2018-10-31 08:57:04 +08:00
Hao Wu bfb8c64cbf MdeModulePkg/UdfDxe: Content check for 'File' in ResolveSymlink()
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1279

The content within 'File' is the output data for ResolveSymlink(). This
commit will add checks to ensure the content in 'File' is valid.
Otherwise, possible null pointer dereference issue will occur during the
subsequent usage of the data returned by ResolveSymlink().

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2018-10-31 08:57:04 +08:00
Hao Wu 542b03d0a0 MdeModulePkg/UdfDxe: Check 'Component Type' within a Path Component
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1279

According to the ECMA-167 standard (3rd Edition - June 1997), Section
14.16.1.1, valid values are 1 to 5. All other values will be treated as a
corrupted volume.

This commit will add such check within function ResolveSymlink().

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2018-10-31 08:57:04 +08:00
Jiaxin Wu 9202304c18 MdeModulePke/Mtftp4Dxe: Correct the total received and saved block number.
The block returned from Mtftp4RemoveBlockNum is not the total received and
saved block number if it works in passive (Slave) mode.

The issue was exposed by the EMS test.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2018-10-29 08:31:10 +08:00
Liming Gao 3da7d99506 MdeModulePkg RegularExpressionDxe: Remove unknown build option for XCODE
This patch makes RegularExpressionDxe pass XCODE5 build.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-10-26 22:01:46 +08:00
Dandan Bi 979b7d802c MdeModulePkg/HiiDB: Make sure database update behaviors are atomic
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1235

When update contents in HiiDatabase, like:
1. Add/update/remove package list
2. Add/update string
3. Add/update image
We should make these operations atomic to prevent the
potential issue that the one update operation with
higher TPL may interrupt another.
This commit is to make the HiiDatabase update behaviors
atomic by adding EfiAcquireLock/EfiReleaseLock function.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-26 15:08:44 +08:00
Dandan Bi adb2c05012 MdeModulePkg/HiiDB: Reorganize codes of exporting HII settings
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1235

Function "HiiGetConfigurationSetting" may be called
when HiiDatabase contents have been updated.
And it is just to call function "HiiGetDatabaseInfo" to
get the contents in HiiDatabase and call function
"HiiGetConfigRespInfo" and get the configuration response
string form HII drivers.

So here we can remove function "HiiGetConfigurationSetting"
and make caller to call "HiiGetDatabaseInfo" and
"HiiGetConfigRespInfo" directly.

And thus it also can distinguish which code blocks are to
operate HiiDatabase contents and which code blocks are not.
Then it's easy to know which code blocks should be atomic
when updating HiiDatabase contents.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-26 15:08:40 +08:00
Hao Wu 68099b52b0 MdeModulePkg/UdfDxe: Avoid possible use of already-freed data
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1255

For function ReadFile():

If the line

  Status = GetAedAdsData (
   ...
   );

is reached multiple times during the 'for' loop, freeing the data pointed
by variable 'Data' may potentially lead to variable 'Ad' referencing the
already-freed data.

After calling function GetAllocationDescriptor(), 'Data' and 'Ad' may
point to the same memory (with some possible offset). Hence, this commit
will move the FreePool() call backwards to ensure the data will no longer
be used.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:25:04 +08:00
Hao Wu 85acb5e8ff MdeModulePkg/UdfDxe: Add more check when getting PD from LongAd
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1254

This commit will add an additional check within function GetPdFromLongAd()
when getting a Partition Descriptor from given a Long Allocation
Descriptor.

According to UDF 2.60 Spec, Section 2.2.13:

> The partition reference numbers used are determined by the order of the
> Partition Maps in the LVD.

(Also the picture comes before the above contents)

And a more detailed explanation of the partition reference numbers is at
https://sites.google.com/site/udfintro/ (seems not a formal documentation
though), Section 5.3.6.

Based on the above findings, the 'PartitionReferenceNumber' field in a
Long Allocation Descriptor is used as an index to access the Partition
Maps data within a Logical Volume Descriptor.

Hence, the new check focuses on the validity of this
'PartitionReferenceNumber' field in a Long Allocation Descriptor. Since
the current implementation of UdfDxe driver supports only one partition on
a Logical Volume, so the value of 'PartitionReferenceNumber' should be 0.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:24:58 +08:00
Hao Wu 32698a8f01 MdeModulePkg/UdfDxe: Update GetInfo() for FS VolumeLabel info request
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1175

This commit will update the UdfGetInfo() function with the support of
EFI_FILE_SYSTEM_VOLUME_LABEL data information request.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:24:50 +08:00
Hao Wu 6a926aaed7 MdeModulePkg/UdfDxe: Fix a typo within SetFileInfo()
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1253

Within function SetFileInfo():
This commit will fix a typo where 'Minute' should be used instead of
'Second'.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:24:23 +08:00
Hao Wu 6df465b212 MdeModulePkg/UdfDxe: Correct behavior for UdfSetPosition()
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1252

Calling the 'SetPosition' service of the EFI_FILE_PROTOCOL with 'Position'
equals to 0xFFFFFFFFFFFFFFFF for a file is to set the current position to
the end of the file. But the current implementation of function
UdfSetPosition() is to set it to the last byte (not EOF).

This commit will resolve this issue.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:24:17 +08:00
Hao Wu 3b30351b75 MdeModulePkg/UdfDxe: Add boundary check for getting volume (free) size
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

Within GetVolumeSize():

The boundary check will validate the 'NumberOfPartitions' field of a
Logical Volume Integrity Descriptor matches the data within the relating
Logical Volume Descriptor.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:23:57 +08:00
Hao Wu 89f75aa04a MdeModulePkg/UdfDxe: Add boundary check for ComponentIdentifier decode
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

Within ResolveSymlink():

The boundary check will validate the 'LengthofComponentIdentifier' field
of a Path Component matches the data within the relating (Extended) File
Entry.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:23:35 +08:00
Hao Wu 5c0748f43f MdeModulePkg/UdfDxe: Add boundary check the read of FE/EFE
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

Within ReadFile():

Add checks to ensure that when getting the raw data or the Allocation
Descriptors' data from a FE/EFE, it will not consume data beyond the
size of a FE/EFE.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:23:25 +08:00
Hao Wu b9ae1705ad MdeModulePkg/UdfDxe: Refine boundary checks for file/path name string
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

The commit refines the boundary checks for file/path name string to
prevent possible buffer overrun.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:23:18 +08:00
Hao Wu 4df8f5bfa2 MdeModulePkg/PartitionDxe: Add check for underlying device block size
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

Within FindAnchorVolumeDescriptorPointer():

Add a check for the underlying device block size to ensure it is greater
than the size of an Anchor Volume Descriptor Pointer.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
2018-10-23 14:23:09 +08:00
Hao Wu 5317e9ccaf MdeModulePkg/UdfDxe: Handle dead codes in FileSystemOperations.c
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1249

We found potential dead codes within File.c during the code coverage test.

After manual review, we think the below ones are positive reports:

A. For function GetAllocationDescriptor():
Due to the all the calling places for this function, the input parameter
'RecordingFlags' can only with value 'LongAdsSequence' or
'ShortAdsSequence'. Moreover, this is also mentioned in the function
description comments for GetAllocationDescriptor().

So the below code will never be reached:

  return EFI_DEVICE_ERROR;

This commit will add "ASSERT (FALSE);" before the above line to indicate
this and thus matching the function description comments.

B. For function GetAllocationDescriptorLsn():
Due to the all the calling places for this function, the input parameter
'RecordingFlags' can only with value 'LongAdsSequence' or
'ShortAdsSequence'. Moreover, this is also mentioned in the function
description comments for GetAllocationDescriptorLsn().

So the below code will never be reached:

  return EFI_UNSUPPORTED;

This commit will add "ASSERT (FALSE);" before the above line to indicate
this and thus matching the function description comments.

Cc: Paulo Alcantara <palcantara@suse.de>
Cc: Paulo Alcantara <paulo@paulo.ac>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-10-18 09:13:40 +08:00
Hao Wu 11941d3b1b MdeModulePkg/UdfDxe: Handle dead codes in File.c
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1249

We found potential dead codes within File.c during the code coverage test.

After manual review, we think the below ones are positive reports:

A. In function UdfRead():
  else if (IS_FID_DELETED_FILE (Parent->FileIdentifierDesc)) {
    Status = EFI_DEVICE_ERROR;
  }

A File Identifier Descriptor will be get from the UDF media only by
function ReadDirectoryEntry(). And within this function, all the File
Identifier Descriptor with 'DELETED_FILE' characteristics will be skipped
and will not be returned. Hence, the above codes in function UdfRead()
will never be hit.

This commit will add "ASSERT (FALSE);" before the above line to indicate
this.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-10-18 09:12:51 +08:00
Hao Wu f355dd3404 MdeModulePkg/UdfDxe: Use debug msg instead of ASSERT in UdfOpen()
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1248

Within function UdfOpen():
This commit will use debug messages instead of using ASSERT when an error
occurs after calling GetFileSize().

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-10-18 09:12:45 +08:00
Hao Wu 6086569e7e MdeModulePkg/UdfDxe: Use error handling when fail to return LSN
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1248

This commit will refine the ASSERTs in function GetLongAdLsn() and
GetAllocationDescriptorLsn() when the logical sector number cannot be
returned due to unrecognized media format.

Error handling logic will be used for those ASSERTs.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-10-18 09:12:43 +08:00
Hao Wu 5fb22f5920 MdeModulePkg/UdfDxe: ASSERT for false positives of NULL ptr deref
This commit adds ASSERTs to address false positive reports of NULL
pointer dereference issues raised from static analysis with regard to
function ReadDirectoryEntry().

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-10-18 09:12:41 +08:00
Hao Wu ebb12f5142 MdeModulePkg/UdfDxe: Use error handling for memory allocation failure
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1247

For functions DuplicateFid() and DuplicateFe(), this commit will use error
handling logic instead of ASSERTs for memory allocation failure.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-10-18 09:12:38 +08:00
Star Zeng b7dc8888f3 MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415

When SetVariable() to a time based auth variable with APPEND_WRITE
attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
the input Data is earlier than current value, it will cause timestamp
zeroing.

This issue may bring time based auth variable downgrade problem.
For example:
A vendor released three certs at 2014, 2015, and 2016, and system
integrated the 2016 cert. User can SetVariable() with 2015 cert and
APPEND_WRITE attribute to cause timestamp zeroing first, then
SetVariable() with 2014 cert to downgrade the cert.

This patch fixes this issue.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-10-17 11:24:44 +08:00
Dongao Guo 6d665168b0 MdeModulePkg/RegularExpressionDxe: Add null pointer check
This is the part of commit 3948c510ed.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-16 15:24:23 +08:00
Liming Gao 2215855957 MdeModulePkg RegularExpressionDxe: Enable STDARG for variable arguments
Set macro for variable arguments, and remove the hard code definition
to avoid the potential duplicated definition.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Dongao Guo <dongao.guo@intel.com>
2018-10-15 15:55:54 +08:00
Dongao Guo 3948c510ed MdeModulePkg/RegularExpressionDxe: Add null pointer check
There are five check not necessary in logic ,just for pass static
analysis. More detail please refer to comment in code.
And the rest changes are all accepted by owner, they are reasonable.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-15 15:55:53 +08:00
Dongao Guo df8be9e50f MdeModulePkg/RegularExpressionDxe: Miss null pointer check
Oniguruma https://github.com/kkos/oniguruma
this change is merged from oniguruma develop branch.
from commit 1db8a2726dfad0401f928cb8474bd770f07040a7.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-15 15:55:53 +08:00
Dongao Guo a5def17714 MdeModulePkg/RegularExpressionDxe: Miss null pointer check
Oniguruma https://github.com/kkos/oniguruma
this change is merged from oniguruma develop branch.
from commit ea36d810f1d9b28f3ef20bd8d453bea2f7fb598b

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-15 15:55:52 +08:00
Dongao Guo 16bd7c35df MdeModulePkg/RegularExpressionDxe: Miss null pointer check
Oniguruma https://github.com/kkos/oniguruma
this change is merged from oniguruma develop branch.
from commit 396a757dffafc0c7eb269433c29a0ba961d73ad6.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-15 15:55:51 +08:00
Star Zeng 425084cd45 MdeModulePkg PcdDxe: ASSERT PcdSetNvStoreDefaultId set
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1245

In current implementation and according to the description in
MdeModulePkg.dec, PcdSetNvStoreDefaultId should be set in PEI
phase to take effect.

This patch ASSERTs PcdSetNvStoreDefaultId set in PcdDxe to alert
the invalid operation.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2018-10-15 14:11:31 +08:00
Guo, Dongao 8122c6bc8b MdeModulePkg/RegularExpressionDxe:omit unused variable
comment unused variable to avoid warning,and modify inf build option.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-11 13:19:43 +08:00
Guo, Dongao 4ee787cc1b MdeModulePkg/RegularExpressionDxe:disable wraning to pass gcc4.8 build
There are three warnings reported by GCC 4.8 and the later GCC release
are workaround with them.
And all the three warnings are invalid,so I just disable warnings rather
than fix them at now.

Following is the analysis from Laszlo Ersek.
(1)

> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c: In
> function 'compile_length_tree':
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c:1516:7:
> warning: 'len' may be used uninitialized in this function
> [-Wmaybe-uninitialized]
>    int len;
>        ^

I think this is an invalid warning; the type of the controlling expression
(node->type) is enum GimmickType, and the case labels cover all values of
the enum. An assert(0) could be added, I guess, but again, upstream
Oniguruma would be justified to reject the idea.

(2)

> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c: In
> function 'parse_callout_args.isra.10.constprop.30':
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c:6753:25:
> warning: 'rl' may be used uninitialized in this function
> [-Wmaybe-uninitialized]
>   vals[n].l = rl;
>               ^

This warning is invalid, given:

  6749    if (cn > 0) {
  6750      long rl;
  6751      r = parse_long(enc, buf, bufend, 1, LONG_MAX, &rl);
  6752      if (r == ONIG_NORMAL) {
  6753        vals[n].l = rl;

Because parse_long() only returns ONIG_NORMAL after it sets (*rl).

(3)

> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c: In
> function 'parse_callout_of_name.constprop.29':
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c:6861:38:
> warning: 'tag_end' may be used uninitialized in this function
> [-Wmaybe-uninitialized]
>      if (! is_allowed_callout_tag_name(enc, tag_start, tag_end))

This warning is also invalid, given:

  6852    if (c == '[') {
  6853      if (PEND) return ONIGERR_END_PATTERN_IN_GROUP;
  6854      tag_start = p;
  6855      while (! PEND) {
  6856        if (PEND) return ONIGERR_END_PATTERN_IN_GROUP;
  6857        tag_end = p;
  6858        PFETCH_S(c);
  6859        if (c == ']') break;
  6860      }
  6861      if (! is_allowed_callout_tag_name(enc, tag_start, tag_end))
  6862        return ONIGERR_INVALID_CALLOUT_TAG_NAME;
  6863

To see that, first we should note:
 #define PEND         (p < end ?  0 : 1)

therefore PEND doesn't change if neither "p" nor "end" change.

Second, when we reach line 6855 (the "while") for the very first time,
(!PEND) is certainly true (i.e., PEND is false), because otherwise we
would have bailed at line 6853. Therefore we reach line 6857, and assign
"tag_end". Regardless of whether we iterate zero or more *additional*
times around the loop, "tag_end" will have been set, whenever we reach
line 6861.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-10-11 13:19:41 +08:00
Dandan Bi 7f8aabef15 MdeModulePkg/HiiDB: Fix incorrect structure convention for checkbox
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1224

When covert IFR binary to EFI_IFR_CHECKBOX structure,
Current code has following incorrect code logic:
IfrCheckBox = (EFI_IFR_CHECKBOX *) (IfrOpHdr + 1);
The correct one should be:
IfrCheckBox = (EFI_IFR_CHECKBOX *) IfrOpHdr;

1. The bug is in function "UpdateDefaultSettingInFormPackage()"
which is to update the default setting of some HII Questions
in the IFR binary data. So it only has impact when platform
overrides default setting in HII VarStore through DynamicHii
PCD setting in Platform DSC file. If platform doesn't
override default setting, it has no impact.

2. The implementation updates the "Flags" filed in the
EFI_IFR_CHECKBOX structure to update the default
setting of checkbox.
If using "IfrCheckBox = (EFI_IFR_CHECKBOX *) (IfrOpHdr + 1);"
when wants to update the " Flags" filed in checkbox,
but in fact it will update the opcode binary
data(opcode binary length) behind checkbox binary.
And then it will cause Browser can't parse the IFR
binary data correctly. And then the possible symptom
is that some HII Question and forms may be not parsed
and then cannot be shown.

This patch is to fix this bug.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-10-09 22:20:08 +08:00
Jiaxin Wu fab334b278 MdeModulePkg/Tcp4Dxe: Remove the trailing white space in one line.
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2018-10-09 08:43:28 +08:00
Hao Wu e83d841fdc MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within the
Variable\RuntimeDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.

For SMI handler SmmVariableHandler():

Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.

This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.

Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.

And there are 2 similar cases under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" and
"case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:" as well.
This commits also handles them.

Also, under "case SMM_VARIABLE_FUNCTION_SET_VARIABLE:",
'(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize' points to
the 'CommBuffer' (with some offset) and then passed as parameter 'Data' to
function VariableServiceSetVariable().

Within function VariableServiceSetVariable(), there is a sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor for the data pointed by 'Data'.
If this check is speculatively bypassed, potential cross-boundary data
access for 'Data' is possible to be revealed via the below function calls
sequence during speculative execution:

AuthVariableLibProcessVariable()
ProcessVarWithPk() or ProcessVarWithKek()

Within function ProcessVarWithPk() or ProcessVarWithKek(), for the code
"PayloadSize = DataSize - AUTHINFO2_SIZE (Data);", 'AUTHINFO2_SIZE (Data)'
can be a cross boundary access during speculative execution.

Then, 'PayloadSize' is possible to be revealed by the function call
sequence:

AuthServiceInternalUpdateVariableWithTimeStamp()
mAuthVarLibContextIn->UpdateVariable()
VariableExLibUpdateVariable()
UpdateVariable()
CopyMem()

Hence, this commit adds a AsmLfence() after the sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor upon 'Data' within function
VariableServiceSetVariable() to prevent the speculative execution.

Also, please note that the change made within function
VariableServiceSetVariable() will affect DXE as well. However, since we
only focuses on the SMM codes, the commit will introduce a new module
internal function called VariableLoadFence() to handle this. This internal
function will have 2 implementations (1 for SMM, 1 for DXE). For the SMM
implementation, it is a wrapper to call the AsmLfence() API; for the DXE
implementation, it is empty.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2018-09-30 13:06:42 +08:00
Hao Wu ee65b84e76 MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within the
SmmLockBox driver and insert AsmLfence API to mitigate the
bounds check bypass issue.

For SMI handler SmmLockBoxHandler():

Under "case EFI_SMM_LOCK_BOX_COMMAND_SAVE:", the 'CommBuffer' (controlled
external inputs) is passed to function SmmLockBoxSave().

'TempLockBoxParameterSave.Length' can be a potential cross boundary access
of the 'CommBuffer' during speculative execution. This cross boundary
access is later passed as parameter 'Length' into function SaveLockBox().

Within function SaveLockBox(), the value of 'Length' can be inferred by
code:
"CopyMem ((VOID *)(UINTN)SmramBuffer, (VOID *)(UINTN)Buffer, Length);".
One can observe which part of the content within 'Buffer' was brought into
cache to possibly reveal the value of 'Length'.

Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.

And there is a similar case under "case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:"
function SmmLockBoxUpdate() as well. This commits also handles it.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2018-09-30 13:06:42 +08:00
Hao Wu cb54cd2463 MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within the
FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.

For SMI handler SmmFaultTolerantWriteHandler():

Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be a
potential cross boundary access of the 'CommBuffer' (controlled external
inputs) during speculative execution. This cross boundary access is later
passed as parameter 'Length' into function FtwWrite().

Within function FtwWrite(), the value of 'Length' can be inferred by code:
"CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which part
of the content within 'Buffer' was brought into cache to possibly reveal
the value of 'Length'.

Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2018-09-30 13:06:42 +08:00
shenglei 32fd20bb24 MdeModulePkg/FirmwarePerformanceDataTableDxe: Remove an unused PCD
The PCD below is unused, so it has been removed from inf.
gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize

Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: shenglei <shenglei.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-09-29 17:49:03 +08:00
Guo, Dongao b9cee524e6 MdeModulePkg/RegularExpressionDxe: modify inf to pass vs 2012 build
Add /wd4703 for passing VS 2012 build.This equals /wd4701 in VS2015.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-09-28 12:48:43 +08:00
Star Zeng 4063d37c6a MdeModulePkg Variable: Fix comment typo 'end' to 'start'
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1214
This patch only updates comment and function description, so has
no functionality impact.

This patch fixes comment typo 'end' to 'start' in GetStartPointer.

GetStartPointer for PEI and DXE has aligned function description,
but GetEndPointer does not.
This patch also aligns GetEndPointer's function description for
PEI and DXE.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
2018-09-28 11:13:34 +08:00
Star Zeng 2ad0581b1c MdeModulePkg S3SaveStateDxe: Use new EfiLocateFirstAcpiTable()
https://bugzilla.tianocore.org/show_bug.cgi?id=967
Request to add a library function for GetAcpiTable() in order
to get ACPI table using signature as input.

After evaluation, we found there are many duplicated code to
find ACPI table by signature in different modules.

This patch updates S3SaveStateDxe to use new
EfiLocateFirstAcpiTable() and remove the duplicated code.

Cc: Younas khan <pmdyounaskhan786@gmail.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-09-27 14:25:34 +08:00
Jiaxin Wu f120d15e6d MdeModulePkg/UefiPxeBcDxe: Add the clarification compared to UefiPxeBcDxe in NetworkPkg.
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1205

This patch is to add the driver usage/difference clarification
compared to UefiPxeBcDxe in NetworkPkg.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-09-27 09:00:05 +08:00
Jiaxin Wu d619dab698 MdeModulePkg/IScsiDxe: Add the clarification compared to IScsiDxe in NetworkPkg.
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1205

This patch is to add the driver usage/difference clarification
compared to IScsiDxe in NetworkPkg.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-09-27 09:00:04 +08:00
Jiaxin Wu 18e205754d MdeModulePkg/Tcp4Dxe: Add the clarification compared to TcpDxe in NetworkPkg.
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1205

This patch is to add the driver usage/difference clarification
compared to TcpDxe in NetworkPkg.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-09-27 09:00:03 +08:00
Jiaxin Wu 6c047cfab1 MdeModulePke/Mtftp4Dxe: Support windowsize in read request operation.
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=886

This patch is to support the TFTP windowsize option described in RFC 7440.
The feature allows the client and server to negotiate a window size of
consecutive blocks to send as an alternative for replacing the single-block
lockstep schema.

Currently, the windowsize for write request operation is not supported since
there is no real use cases.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Shao Ming <ming.shao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2018-09-27 08:59:59 +08:00
Dongao Guo b602265d55 MdeModulePkg RegularExpressionDxe: Update Oniguruma to 6.9.0
https://bugzilla.tianocore.org/show_bug.cgi?id=1200
Update Oniguruma to the latest version v6.9.0.
Oniguruma https://github.com/kkos/oniguruma
Verify VS2017, GCC5 build.
Verify RegularExpressionProtocol GetInfo() and Match() function.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dongao Guo <dongao.guo@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Cinnamon Shia <cinnamon.shia@hpe.com>
2018-09-25 08:52:51 +08:00
Jiaxin Wu 1737b7e3b4 MdeModulePkg/Ip4Dxe: Refine the coding style.
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1180
Remove the trailing white spaces.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
2018-09-18 09:30:57 +08:00
Dandan Bi f316a26013 MdeModulePkg: Avoid key notification called more than once
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=996

Issue:
In current code logic, when a key is pressed, it will search
the whole NotifyList to find whether a notification has been
registered with the keystroke. if yes, it will en-queue the
key for notification execution later. And now if different
notification functions have been registered with the same key,
then the key will be en-queued more than once. Then it will
cause the notification executed more than once.

This patch is to enhance the code logic to fix this issue.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-09-14 10:18:31 +08:00
Jiaxin Wu ecbd055d4e MdeModulePkg/Ip4Dxe: Sync the direct route entry setting.
v2: use "IP & Netmask" directly instead of defining an additional variable.

This patch is to sync the direct route entry setting in both the default
and Instance route table {Subnet, Mask, NextHope} (
https://bugzilla.tianocore.org/show_bug.cgi?id=1143).

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2018-09-13 09:09:08 +08:00
Ruiyu Ni 5c9ac43f47 MdeModulePkg/ConPlatform: Support short-form USB device path
Today's implementation does an exact device path match to check
whether the device path of a console is in ConIn/ConOut/ErrOut.
But that doesn't work for the USB keyboard.
Because when a platform have multiple USB port, ConIn needs to
carry all device paths corresponding to each port.
Even worse, today's BDS core logic removes the device path from
ConIn/ConOut/ErrOut when the connection to that device path fails.
So if user switches the USB keyboard from one port to another across
boot, the USB keyboard doesn't work in the second boot.

ConPlatform driver solved this problem by adding the
IsHotPlugDevice() function. So that for USB keyboard, ConPlatform
doesn't care whether its device path is in ConIn or not.
But the rule is too loose, and now causes platform BDS cannot control
whether to enable USB keyboard as an active console.

The patch changes ConPlatform to support USB short-form device path
when checking whether the device path of a console is in
ConIn/ConOut/ErrOut.

The logic to always accept USB/PCCARD device as active console is
removed.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-09-12 10:12:05 +08:00
Chen A Chen de005223b7 MdeModulePkg: Removing ipf which is no longer supported from edk2.
Removing rules for Ipf sources file:
* Remove the source file which path with "ipf" and also listed in
  [Sources.IPF] section of INF file.
* Remove the source file which listed in [Components.IPF] section
  of DSC file and not listed in any other [Components] section.
* Remove the embedded Ipf code for MDE_CPU_IPF.

Removing rules for Inf file:
* Remove IPF from VALID_ARCHITECTURES comments.
* Remove DXE_SAL_DRIVER from LIBRARY_CLASS in [Defines] section.
* Remove the INF which only listed in [Components.IPF] section in DSC.
* Remove statements from [BuildOptions] that provide IPF specific flags.
* Remove any IPF sepcific sections.

Removing rules for Dec file:
* Remove [Includes.IPF] section from Dec.

Removing rules for Dsc file:
* Remove IPF from SUPPORTED_ARCHITECTURES in [Defines] section of DSC.
* Remove any IPF specific sections.
* Remove statements from [BuildOptions] that provide IPF specific flags.

Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-09-06 15:25:16 +08:00
Star Zeng 4a76d9b9a3 MdeModulePkg: Remove trailing white space
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1144

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
2018-09-06 09:17:03 +08:00
Bi, Dandan 04722cfa30 MdeModulePkg/Setup: Fix incorrect size used in AllocateCopyPool
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1115

When the type of HiiValue is EFI_IFR_TYPE_BUFFER,
its question type is EFI_IFR_ORDERED_LIST_OP.
And the buffer size allocated for Statement->BufferValue
of orderedList is "Statement->StorageWidth"
in IfrParse.c.

So here when backup the buffer value and copy the size of
"Statement->StorageWidth + sizeof(CHAR16)" is incorrect.

This patch is to fix this issue.

Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2018-09-04 09:14:46 +08:00
Fu Siyuan 12ae56cf28 MdeModulePkg/Network: Add 32bit subnet mask support for IP4 PXE boot.
This patch updates IP4 stack to support 32bit subnet mask in PXE boot process.
When 32bit subnet mask is used, the IP4 driver couldn't use the subnet mask to determine
whether destination IP address is on-link or not, so it will always try to send all the
packets to the destination IP address directly first, if failed it will continue
to try the default gateway.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
2018-09-03 08:36:55 +08:00
shenglei ae195de0a3 MdeModulePkg SetupBrowserDxe: Remove a redundant function
The function IsDevicePathExist that is never called
has been removed.
https://bugzilla.tianocore.org/show_bug.cgi?id=1062

Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: shenglei <shenglei.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-08-21 16:29:11 +08:00