1. Fix TOCTOU issue in VariableSmm, FtwSmm, FpdtSmm, SmmCorePerformance SMM handler. For VariableSmm, pre-allocate a mVariableBufferPayload buffer with mVariableBufferPayloadSize(match with mVariableBufferPayloadSize in VariableSmmRuntimeDxe) to hold communicate buffer payload to avoid TOCTOU issue.
2. Add check to ensure CommBufferPayloadSize not exceed mVariableBufferPayloadSize or is enough to hold function structure in VariableSmm and FtwSmm. 3. Align FtwGetLastWrite() in FaultTolerantWriteSmmDxe.c to FtwGetLastWrite() in FaultTolerantWrite.c. Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14325 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
lzeng14
@@ -540,6 +540,9 @@ SmmPerformanceHandlerEx (
|
||||
SMM_PERF_COMMUNICATE_EX *SmmPerfCommData;
|
||||
GAUGE_DATA_ENTRY_EX *GaugeEntryExArray;
|
||||
UINTN DataSize;
|
||||
GAUGE_DATA_ENTRY_EX *GaugeDataEx;
|
||||
UINTN NumberOfEntries;
|
||||
UINTN LogEntryKey;
|
||||
|
||||
GaugeEntryExArray = NULL;
|
||||
|
||||
@@ -555,7 +558,7 @@ SmmPerformanceHandlerEx (
|
||||
}
|
||||
|
||||
if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
|
||||
DEBUG ((EFI_D_ERROR, "SMM communcation data buffer in SMRAM or overflow!\n"));
|
||||
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM communcation data buffer in SMRAM or overflow!\n"));
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -568,8 +571,11 @@ SmmPerformanceHandlerEx (
|
||||
break;
|
||||
|
||||
case SMM_PERF_FUNCTION_GET_GAUGE_DATA :
|
||||
if ( SmmPerfCommData->GaugeDataEx == NULL || SmmPerfCommData->NumberOfEntries == 0 ||
|
||||
(SmmPerfCommData->LogEntryKey + SmmPerfCommData->NumberOfEntries) > mGaugeData->NumberOfEntries) {
|
||||
GaugeDataEx = SmmPerfCommData->GaugeDataEx;
|
||||
NumberOfEntries = SmmPerfCommData->NumberOfEntries;
|
||||
LogEntryKey = SmmPerfCommData->LogEntryKey;
|
||||
if (GaugeDataEx == NULL || NumberOfEntries == 0 || LogEntryKey > mGaugeData->NumberOfEntries ||
|
||||
NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey + NumberOfEntries) > mGaugeData->NumberOfEntries) {
|
||||
Status = EFI_INVALID_PARAMETER;
|
||||
break;
|
||||
}
|
||||
@@ -577,17 +583,17 @@ SmmPerformanceHandlerEx (
|
||||
//
|
||||
// Sanity check
|
||||
//
|
||||
DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX);
|
||||
if (!IsAddressValid ((UINTN)SmmPerfCommData->GaugeDataEx, DataSize)) {
|
||||
DEBUG ((EFI_D_ERROR, "SMM Performance Data buffer in SMRAM or overflow!\n"));
|
||||
DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX);
|
||||
if (!IsAddressValid ((UINTN)GaugeDataEx, DataSize)) {
|
||||
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM Performance Data buffer in SMRAM or overflow!\n"));
|
||||
Status = EFI_ACCESS_DENIED;
|
||||
break;
|
||||
}
|
||||
|
||||
GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
|
||||
CopyMem(
|
||||
(UINT8 *) (SmmPerfCommData->GaugeDataEx),
|
||||
(UINT8 *) &GaugeEntryExArray[SmmPerfCommData->LogEntryKey],
|
||||
(UINT8 *) GaugeDataEx,
|
||||
(UINT8 *) &GaugeEntryExArray[LogEntryKey],
|
||||
DataSize
|
||||
);
|
||||
Status = EFI_SUCCESS;
|
||||
@@ -640,6 +646,8 @@ SmmPerformanceHandler (
|
||||
GAUGE_DATA_ENTRY_EX *GaugeEntryExArray;
|
||||
UINTN DataSize;
|
||||
UINTN Index;
|
||||
GAUGE_DATA_ENTRY *GaugeData;
|
||||
UINTN NumberOfEntries;
|
||||
UINTN LogEntryKey;
|
||||
|
||||
GaugeEntryExArray = NULL;
|
||||
@@ -656,7 +664,7 @@ SmmPerformanceHandler (
|
||||
}
|
||||
|
||||
if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
|
||||
DEBUG ((EFI_D_ERROR, "SMM communcation data buffer in SMRAM or overflow!\n"));
|
||||
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM communcation data buffer in SMRAM or overflow!\n"));
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -669,8 +677,11 @@ SmmPerformanceHandler (
|
||||
break;
|
||||
|
||||
case SMM_PERF_FUNCTION_GET_GAUGE_DATA :
|
||||
if ( SmmPerfCommData->GaugeData == NULL || SmmPerfCommData->NumberOfEntries == 0 ||
|
||||
(SmmPerfCommData->LogEntryKey + SmmPerfCommData->NumberOfEntries) > mGaugeData->NumberOfEntries) {
|
||||
GaugeData = SmmPerfCommData->GaugeData;
|
||||
NumberOfEntries = SmmPerfCommData->NumberOfEntries;
|
||||
LogEntryKey = SmmPerfCommData->LogEntryKey;
|
||||
if (GaugeData == NULL || NumberOfEntries == 0 || LogEntryKey > mGaugeData->NumberOfEntries ||
|
||||
NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey + NumberOfEntries) > mGaugeData->NumberOfEntries) {
|
||||
Status = EFI_INVALID_PARAMETER;
|
||||
break;
|
||||
}
|
||||
@@ -678,19 +689,18 @@ SmmPerformanceHandler (
|
||||
//
|
||||
// Sanity check
|
||||
//
|
||||
DataSize = SmmPerfCommData->NumberOfEntries * sizeof(GAUGE_DATA_ENTRY);
|
||||
if (!IsAddressValid ((UINTN)SmmPerfCommData->GaugeData, DataSize)) {
|
||||
DEBUG ((EFI_D_ERROR, "SMM Performance Data buffer in SMRAM or overflow!\n"));
|
||||
DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY);
|
||||
if (!IsAddressValid ((UINTN)GaugeData, DataSize)) {
|
||||
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM Performance Data buffer in SMRAM or overflow!\n"));
|
||||
Status = EFI_ACCESS_DENIED;
|
||||
break;
|
||||
}
|
||||
|
||||
GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
|
||||
|
||||
LogEntryKey = SmmPerfCommData->LogEntryKey;
|
||||
for (Index = 0; Index < SmmPerfCommData->NumberOfEntries; Index++) {
|
||||
for (Index = 0; Index < NumberOfEntries; Index++) {
|
||||
CopyMem(
|
||||
(UINT8 *) &(SmmPerfCommData->GaugeData[Index]),
|
||||
(UINT8 *) &GaugeData[Index],
|
||||
(UINT8 *) &GaugeEntryExArray[LogEntryKey++],
|
||||
sizeof (GAUGE_DATA_ENTRY)
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user