From 8f22a331b955bd3f8077c7fa83bafeec566d6718 Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ard.biesheuvel@arm.com>
Date: Wed, 17 Jun 2020 17:32:16 +0200
Subject: [PATCH] EmbeddedPkg/NonCoherentDmaLib: avoid dereferencing bogus
 buffer address

The bounce buffering code in NonCoherentDmaLib copies data into the
bounce buffer using CopyMem(), but passes Map->HostAddress as the
source of the copy before it has been assigned its correct value.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Leif Lindholm <leif@nuviainc.com>
Reviewed-by: Andrei Warkentin <awarkentin@vmware.com>
---
 EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c b/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
index 1153457654..9c8ef5bfb5 100644
--- a/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
+++ b/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
@@ -225,8 +225,7 @@ DmaMap (
     }
 
     if (Map->Operation == MapOperationBusMasterRead) {
-      CopyMem (Map->BufferAddress, (VOID *)(UINTN)Map->HostAddress,
-        *NumberOfBytes);
+      CopyMem (Map->BufferAddress, (VOID *)(UINTN)HostAddress, *NumberOfBytes);
     }
     mCpu->FlushDataCache (mCpu, (UINTN)Map->BufferAddress, AllocSize,
             EfiCpuFlushTypeWriteBack);