Fix potential overflow for SetVariable interface

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by  : Guo Dong   <dong.guo@intel.com>
Reviewed-by  : Siyuan Fu  <siyuan.fu@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14305 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
czhang46
2013-04-22 08:52:58 +00:00
parent b6d1508f17
commit 56251c669f
6 changed files with 56 additions and 19 deletions

View File

@@ -2218,14 +2218,20 @@ VariableServiceSetVariable (
return EFI_INVALID_PARAMETER;
}
if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
//
// Prevent whole variable size overflow
//
return EFI_INVALID_PARAMETER;
}
//
// The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
//
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
if ( StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
return EFI_INVALID_PARAMETER;
}
if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
@@ -2236,8 +2242,7 @@ VariableServiceSetVariable (
// The size of the VariableName, including the Unicode Null in bytes plus
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
//
if ((DataSize > PcdGet32 (PcdMaxVariableSize)) ||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize))) {
if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
return EFI_INVALID_PARAMETER;
}
}

View File

@@ -424,6 +424,13 @@ RuntimeServiceSetVariable (
return EFI_INVALID_PARAMETER;
}
if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
//
// Prevent PayloadSize overflow
//
return EFI_INVALID_PARAMETER;
}
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
//