sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

If DataSize or VariableNameSize is near MAX_ADDRESS, this can cause the computed PayLoadSize to overflow to a small value and pass the check in InitCommunicateBuffer(). To protect against this vulnerability, check DataSize and VariableNameSize to make sure PayloadSize doesn't overflow.

Browse Source 
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14252 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
lzeng14
2013-04-08 06:56:08 +00:00
parent 7a4d52add1
commit 3588bb3529
4 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
View File

@ -2755,6 +2755,11 @@ VariableCommonInitialize (
}
ASSERT(VariableStoreHeader->Size == VariableStoreLength);
//
// The max variable or hardware error variable size should be < variable store size.
//
ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);
//
// Parse non-volatile variable data and get last variable offset.
//