1. Fix TOCTOU issue in VariableSmm, FtwSmm, FpdtSmm, SmmCorePerformance SMM handler. For VariableSmm, pre-allocate a mVariableBufferPayload buffer with mVariableBufferPayloadSize(match with mVariableBufferPayloadSize in VariableSmmRuntimeDxe) to hold communicate buffer payload to avoid TOCTOU issue.
2. Add check to ensure CommBufferPayloadSize not exceed mVariableBufferPayloadSize or is enough to hold function structure in VariableSmm and FtwSmm. 3. Align FtwGetLastWrite() in FaultTolerantWriteSmmDxe.c to FtwGetLastWrite() in FaultTolerantWrite.c. Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14325 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
@@ -3,7 +3,7 @@
|
||||
Implement the Fault Tolerant Write (FTW) protocol based on SMM FTW
|
||||
module.
|
||||
|
||||
Copyright (c) 2011, Intel Corporation. All rights reserved. <BR>
|
||||
Copyright (c) 2011 - 2013, Intel Corporation. All rights reserved. <BR>
|
||||
This program and the accompanying materials
|
||||
are licensed and made available under the terms and conditions of the BSD License
|
||||
which accompanies this distribution. The full text of the license may be found at
|
||||
@@ -463,13 +463,17 @@ FtwGetLastWrite (
|
||||
// Get data from SMM
|
||||
//
|
||||
*PrivateDataSize = SmmFtwGetLastWriteHeader->PrivateDataSize;
|
||||
if (!EFI_ERROR (Status)) {
|
||||
if (Status == EFI_SUCCESS || Status == EFI_BUFFER_TOO_SMALL) {
|
||||
*Lba = SmmFtwGetLastWriteHeader->Lba;
|
||||
*Offset = SmmFtwGetLastWriteHeader->Offset;
|
||||
*Length = SmmFtwGetLastWriteHeader->Length;
|
||||
*Complete = SmmFtwGetLastWriteHeader->Complete;
|
||||
CopyGuid (CallerId, &SmmFtwGetLastWriteHeader->CallerId);
|
||||
CopyMem (PrivateData, SmmFtwGetLastWriteHeader->Data, *PrivateDataSize);
|
||||
if (Status == EFI_SUCCESS) {
|
||||
CopyMem (PrivateData, SmmFtwGetLastWriteHeader->Data, *PrivateDataSize);
|
||||
}
|
||||
} else if (Status == EFI_NOT_FOUND) {
|
||||
*Complete = SmmFtwGetLastWriteHeader->Complete;
|
||||
}
|
||||
|
||||
FreePool (SmmCommunicateHeader);
|
||||
|
Reference in New Issue
Block a user