Use SmmMemLib to check communication buffer.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: "Gao, Liming" <liming.gao@intel.com>
Reviewed-by: "Fan, Jeff" <jeff.fan@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16694 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Yao, Jiewen
2015-02-02 14:42:22 +00:00
committed by jyao1
parent d425764e3f
commit 842b1242d1
19 changed files with 109 additions and 573 deletions

View File

@@ -11,7 +11,7 @@
FpdtSmiHandler() will receive untrusted input and do basic validation.
Copyright (c) 2011 - 2013, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -39,6 +39,7 @@
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/SynchronizationLib.h>
#include <Library/SmmMemLib.h>
#define EXTENSION_RECORD_SIZE 0x1000
@@ -49,8 +50,6 @@ UINT32 mBootRecordSize = 0;
UINT32 mBootRecordMaxSize = 0;
UINT8 *mBootRecordBuffer = NULL;
EFI_SMRAM_DESCRIPTOR *mSmramRanges;
UINTN mSmramRangeCount;
SPIN_LOCK mSmmFpdtLock;
BOOLEAN mSmramIsOutOfResource = FALSE;
@@ -177,60 +176,6 @@ FpdtStatusCodeListenerSmm (
return EFI_SUCCESS;
}
/**
This function check if the address is in SMRAM.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is in SMRAM.
@retval FALSE this address is NOT in SMRAM.
**/
BOOLEAN
InternalIsAddressInSmram (
IN EFI_PHYSICAL_ADDRESS Buffer,
IN UINT64 Length
)
{
UINTN Index;
for (Index = 0; Index < mSmramRangeCount; Index ++) {
if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {
return TRUE;
}
}
return FALSE;
}
/**
This function check if the address refered by Buffer and Length is valid.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is valid.
@retval FALSE this address is NOT valid.
**/
BOOLEAN
InternalIsAddressValid (
IN UINTN Buffer,
IN UINTN Length
)
{
if (Buffer > (MAX_ADDRESS - Length)) {
//
// Overflow happen
//
return FALSE;
}
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {
return FALSE;
}
return TRUE;
}
/**
Communication service SMI Handler entry.
@@ -283,7 +228,7 @@ FpdtSmiHandler (
return EFI_SUCCESS;
}
if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -309,7 +254,7 @@ FpdtSmiHandler (
// Sanity check
//
SmmCommData->BootRecordSize = mBootRecordSize;
if (!InternalIsAddressValid ((UINTN)BootRecordData, mBootRecordSize)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, mBootRecordSize)) {
DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM Data buffer in SMRAM or overflow!\n"));
Status = EFI_ACCESS_DENIED;
break;
@@ -350,8 +295,6 @@ FirmwarePerformanceSmmEntryPoint (
{
EFI_STATUS Status;
EFI_HANDLE Handle;
EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;
UINTN Size;
//
// Initialize spin lock
@@ -374,28 +317,6 @@ FirmwarePerformanceSmmEntryPoint (
Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerSmm);
ASSERT_EFI_ERROR (Status);
//
// Get SMRAM information
//
Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
ASSERT_EFI_ERROR (Status);
Size = 0;
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
ASSERT (Status == EFI_BUFFER_TOO_SMALL);
Status = gSmst->SmmAllocatePool (
EfiRuntimeServicesData,
Size,
(VOID **)&mSmramRanges
);
ASSERT_EFI_ERROR (Status);
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
ASSERT_EFI_ERROR (Status);
mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
//
// Register SMI handler.
//

View File

@@ -4,7 +4,7 @@
# This module registers report status code listener to collect performance data
# for SMM boot performance records and S3 Suspend Performance Record.
#
# Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
@@ -50,6 +50,7 @@
MemoryAllocationLib
UefiBootServicesTableLib
SynchronizationLib
SmmMemLib
[Protocols]
gEfiSmmRscHandlerProtocolGuid ## CONSUMES

View File

@@ -43,7 +43,7 @@
Caution: This module requires additional review when modified.
This driver need to make sure the CommBuffer is not in the SMRAM range.
Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -56,6 +56,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <PiSmm.h>
#include <Library/SmmServicesTableLib.h>
#include <Library/SmmMemLib.h>
#include <Protocol/SmmSwapAddressRange.h>
#include "FaultTolerantWrite.h"
#include "FaultTolerantWriteSmmCommon.h"
@@ -64,68 +65,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
EFI_EVENT mFvbRegistration = NULL;
EFI_FTW_DEVICE *mFtwDevice = NULL;
EFI_SMRAM_DESCRIPTOR *mSmramRanges;
UINTN mSmramRangeCount;
///
/// The flag to indicate whether the platform has left the DXE phase of execution.
///
BOOLEAN mEndOfDxe = FALSE;
/**
This function check if the address is in SMRAM.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is in SMRAM.
@retval FALSE this address is NOT in SMRAM.
**/
BOOLEAN
InternalIsAddressInSmram (
IN EFI_PHYSICAL_ADDRESS Buffer,
IN UINT64 Length
)
{
UINTN Index;
for (Index = 0; Index < mSmramRangeCount; Index ++) {
if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {
return TRUE;
}
}
return FALSE;
}
/**
This function check if the address refered by Buffer and Length is valid.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is valid.
@retval FALSE this address is NOT valid.
**/
BOOLEAN
InternalIsAddressValid (
IN UINTN Buffer,
IN UINTN Length
)
{
if (Buffer > (MAX_ADDRESS - Length)) {
//
// Overflow happen
//
return FALSE;
}
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {
return FALSE;
}
return TRUE;
}
/**
Retrive the SMM FVB protocol interface by HANDLE.
@@ -391,7 +336,7 @@ SmmFaultTolerantWriteHandler (
}
CommBufferPayloadSize = TempCommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -670,8 +615,6 @@ SmmFaultTolerantWriteInitialize (
)
{
EFI_STATUS Status;
EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;
UINTN Size;
VOID *SmmEndOfDxeRegistration;
//
@@ -682,28 +625,6 @@ SmmFaultTolerantWriteInitialize (
return Status;
}
//
// Get SMRAM information
//
Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
ASSERT_EFI_ERROR (Status);
Size = 0;
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
ASSERT (Status == EFI_BUFFER_TOO_SMALL);
Status = gSmst->SmmAllocatePool (
EfiRuntimeServicesData,
Size,
(VOID **)&mSmramRanges
);
ASSERT_EFI_ERROR (Status);
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
ASSERT_EFI_ERROR (Status);
mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
//
// Register EFI_SMM_END_OF_DXE_PROTOCOL_GUID notify function.
//

View File

@@ -6,7 +6,7 @@
# depends on the full functionality SMM FVB protocol that support read, write/erase
# flash access.
#
# Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -54,6 +54,7 @@
UefiLib
PcdLib
ReportStatusCodeLib
SmmMemLib
[Guids]
#

View File

@@ -9,7 +9,7 @@
SmmLockBoxHandler(), SmmLockBoxRestore(), SmmLockBoxUpdate(), SmmLockBoxSave()
will receive untrusted input and do basic validation.
Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
@@ -30,7 +30,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/SmmMemLib.h>
#include <Library/LockBoxLib.h>
#include <Protocol/SmmReadyToLock.h>
#include <Protocol/SmmCommunication.h>
#include <Protocol/SmmAccess2.h>
@@ -39,63 +41,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
BOOLEAN mLocked = FALSE;
EFI_SMRAM_DESCRIPTOR *mSmramRanges;
UINTN mSmramRangeCount;
/**
This function check if the address is in SMRAM.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is in SMRAM.
@retval FALSE this address is NOT in SMRAM.
**/
BOOLEAN
IsAddressInSmram (
IN EFI_PHYSICAL_ADDRESS Buffer,
IN UINT64 Length
)
{
UINTN Index;
for (Index = 0; Index < mSmramRangeCount; Index ++) {
if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {
return TRUE;
}
}
return FALSE;
}
/**
This function check if the address refered by Buffer and Length is valid.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is valid.
@retval FALSE this address is NOT valid.
**/
BOOLEAN
IsAddressValid (
IN UINTN Buffer,
IN UINTN Length
)
{
if (Buffer > (MAX_ADDRESS - Length)) {
//
// Overflow happen
//
return FALSE;
}
if (IsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {
return FALSE;
}
return TRUE;
}
/**
Dispatch function for SMM lock box save.
@@ -127,7 +72,7 @@ SmmLockBoxSave (
//
// Sanity check
//
if (!IsAddressValid ((UINTN)TempLockBoxParameterSave.Buffer, (UINTN)TempLockBoxParameterSave.Length)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterSave.Buffer, (UINTN)TempLockBoxParameterSave.Length)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Save address in SMRAM or buffer overflow!\n"));
LockBoxParameterSave->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
@@ -211,7 +156,7 @@ SmmLockBoxUpdate (
//
// Sanity check
//
if (!IsAddressValid ((UINTN)TempLockBoxParameterUpdate.Buffer, (UINTN)TempLockBoxParameterUpdate.Length)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterUpdate.Buffer, (UINTN)TempLockBoxParameterUpdate.Length)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM or buffer overflow!\n"));
LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
@@ -252,7 +197,7 @@ SmmLockBoxRestore (
//
// Sanity check
//
if (!IsAddressValid ((UINTN)TempLockBoxParameterRestore.Buffer, (UINTN)TempLockBoxParameterRestore.Length)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterRestore.Buffer, (UINTN)TempLockBoxParameterRestore.Length)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM or buffer overflow!\n"));
LockBoxParameterRestore->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
@@ -341,7 +286,7 @@ SmmLockBoxHandler (
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size invalid!\n"));
return EFI_SUCCESS;
}
if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -444,30 +389,6 @@ SmmLockBoxEntryPoint (
EFI_STATUS Status;
EFI_HANDLE DispatchHandle;
VOID *Registration;
EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;
UINTN Size;
//
// Get SMRAM information
//
Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
ASSERT_EFI_ERROR (Status);
Size = 0;
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
ASSERT (Status == EFI_BUFFER_TOO_SMALL);
Status = gSmst->SmmAllocatePool (
EfiRuntimeServicesData,
Size,
(VOID **)&mSmramRanges
);
ASSERT_EFI_ERROR (Status);
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
ASSERT_EFI_ERROR (Status);
mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
//
// Register LockBox communication handler

View File

@@ -6,7 +6,7 @@
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions
@@ -50,6 +50,7 @@
BaseMemoryLib
DebugLib
LockBoxLib
SmmMemLib
[Guids]
gEfiSmmLockBoxCommunicationGuid ## PRODUCES ## GUID # SmiHandlerRegister

View File

@@ -33,14 +33,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Protocol/SmmVarCheck.h>
#include <Library/SmmServicesTableLib.h>
#include <Library/SmmMemLib.h>
#include <Guid/VariableFormat.h>
#include <Guid/SmmVariableCommon.h>
#include "Variable.h"
EFI_SMRAM_DESCRIPTOR *mSmramRanges;
UINTN mSmramRangeCount;
extern VARIABLE_INFO_ENTRY *gVariableInfo;
EFI_HANDLE mSmmVariableHandle = NULL;
EFI_HANDLE mVariableHandle = NULL;
@@ -120,60 +118,6 @@ AtRuntime (
return mAtRuntime;
}
/**
This function check if the address is in SMRAM.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is in SMRAM.
@retval FALSE this address is NOT in SMRAM.
**/
BOOLEAN
InternalIsAddressInSmram (
IN EFI_PHYSICAL_ADDRESS Buffer,
IN UINT64 Length
)
{
UINTN Index;
for (Index = 0; Index < mSmramRangeCount; Index ++) {
if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {
return TRUE;
}
}
return FALSE;
}
/**
This function check if the address refered by Buffer and Length is valid.
@param Buffer the buffer address to be checked.
@param Length the buffer length to be checked.
@retval TRUE this address is valid.
@retval FALSE this address is NOT valid.
**/
BOOLEAN
InternalIsAddressValid (
IN UINTN Buffer,
IN UINTN Length
)
{
if (Buffer > (MAX_ADDRESS - Length)) {
//
// Overflow happen
//
return FALSE;
}
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)Buffer, (UINT64)Length)) {
return FALSE;
}
return TRUE;
}
/**
Initializes a basic mutual exclusion lock.
@@ -528,7 +472,7 @@ SmmVariableHandler (
return EFI_SUCCESS;
}
if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -719,7 +663,7 @@ SmmVariableHandler (
// It is covered by previous CommBuffer check
//
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {
if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {
DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n"));
Status = EFI_ACCESS_DENIED;
goto EXIT;
@@ -937,8 +881,6 @@ VariableServiceInitialize (
EFI_STATUS Status;
EFI_HANDLE VariableHandle;
VOID *SmmFtwRegistration;
EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;
UINTN Size;
VOID *SmmEndOfDxeRegistration;
//
@@ -967,28 +909,6 @@ VariableServiceInitialize (
);
ASSERT_EFI_ERROR (Status);
//
// Get SMRAM information
//
Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
ASSERT_EFI_ERROR (Status);
Size = 0;
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
ASSERT (Status == EFI_BUFFER_TOO_SMALL);
Status = gSmst->SmmAllocatePool (
EfiRuntimeServicesData,
Size,
(VOID **)&mSmramRanges
);
ASSERT_EFI_ERROR (Status);
Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
ASSERT_EFI_ERROR (Status);
mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +
OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - sizeof (VARIABLE_HEADER);

View File

@@ -64,6 +64,7 @@
HobLib
PcdLib
DevicePathLib
SmmMemLib
[Protocols]
gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES