sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MdeModulePkg/PiSmmCore: SmmEntryPoint underflow (CVE-2021-38578)

Browse Source 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3387

Added use of SafeIntLib to validate values are not causing overflows or
underflows in user controlled values when calculating buffer sizes.

Signed-off-by: Miki Demeter <miki.demeter@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
This commit is contained in:
Miki Demeter
2022-10-27 16:20:54 -07:00
committed by mergify[bot]
parent c46204e25f
commit cab1f02565
5 changed files with 59 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
View File

@@ -34,8 +34,8 @@
#include <Library/UefiRuntimeLib.h>
#include <Library/PcdLib.h>
#include <Library/ReportStatusCodeLib.h>
#include "PiSmmCorePrivateData.h"
#include <Library/SafeIntLib.h>
#define SMRAM_CAPABILITIES (EFI_MEMORY_WB | EFI_MEMORY_UC)
@@ -1354,6 +1354,7 @@ SmmSplitSmramEntry (
@param[in] ReservedRangeToCompare Pointer to EFI_SMM_RESERVED_SMRAM_REGION to compare.
@retval TRUE There is overlap.
@retval TRUE Math error.
@retval FALSE There is no overlap.
**/
@@ -1363,11 +1364,29 @@ SmmIsSmramOverlap (
IN EFI_SMM_RESERVED_SMRAM_REGION *ReservedRangeToCompare
)
{
UINT64 RangeToCompareEnd;
UINT64 ReservedRangeToCompareEnd;
UINT64 RangeToCompareEnd;
UINT64 ReservedRangeToCompareEnd;
BOOLEAN IsOverUnderflow1;
BOOLEAN IsOverUnderflow2;
RangeToCompareEnd = RangeToCompare->CpuStart + RangeToCompare->PhysicalSize;
ReservedRangeToCompareEnd = ReservedRangeToCompare->SmramReservedStart + ReservedRangeToCompare->SmramReservedSize;
// Check for over or underflow.
IsOverUnderflow1 = EFI_ERROR (
SafeUint64Add (
(UINT64)RangeToCompare->CpuStart,
RangeToCompare->PhysicalSize,
&RangeToCompareEnd
)
);
IsOverUnderflow2 = EFI_ERROR (
SafeUint64Add (
(UINT64)ReservedRangeToCompare->SmramReservedStart,
ReservedRangeToCompare->SmramReservedSize,
&ReservedRangeToCompareEnd
)
);
if (IsOverUnderflow1 || IsOverUnderflow2) {
return TRUE;
}
if ((RangeToCompare->CpuStart >= ReservedRangeToCompare->SmramReservedStart) &&
(RangeToCompare->CpuStart < ReservedRangeToCompareEnd))