MdeModulePkg/PiSmmCore: SmmEntryPoint underflow (CVE-2021-38578)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3387 Added use of SafeIntLib to validate values are not causing overflows or underflows in user controlled values when calculating buffer sizes. Signed-off-by: Miki Demeter <miki.demeter@intel.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
This commit is contained in:
committed by
mergify[bot]
parent
c46204e25f
commit
cab1f02565
@@ -34,8 +34,8 @@
|
||||
#include <Library/UefiRuntimeLib.h>
|
||||
#include <Library/PcdLib.h>
|
||||
#include <Library/ReportStatusCodeLib.h>
|
||||
|
||||
#include "PiSmmCorePrivateData.h"
|
||||
#include <Library/SafeIntLib.h>
|
||||
|
||||
#define SMRAM_CAPABILITIES (EFI_MEMORY_WB | EFI_MEMORY_UC)
|
||||
|
||||
@@ -1354,6 +1354,7 @@ SmmSplitSmramEntry (
|
||||
@param[in] ReservedRangeToCompare Pointer to EFI_SMM_RESERVED_SMRAM_REGION to compare.
|
||||
|
||||
@retval TRUE There is overlap.
|
||||
@retval TRUE Math error.
|
||||
@retval FALSE There is no overlap.
|
||||
|
||||
**/
|
||||
@@ -1363,11 +1364,29 @@ SmmIsSmramOverlap (
|
||||
IN EFI_SMM_RESERVED_SMRAM_REGION *ReservedRangeToCompare
|
||||
)
|
||||
{
|
||||
UINT64 RangeToCompareEnd;
|
||||
UINT64 ReservedRangeToCompareEnd;
|
||||
UINT64 RangeToCompareEnd;
|
||||
UINT64 ReservedRangeToCompareEnd;
|
||||
BOOLEAN IsOverUnderflow1;
|
||||
BOOLEAN IsOverUnderflow2;
|
||||
|
||||
RangeToCompareEnd = RangeToCompare->CpuStart + RangeToCompare->PhysicalSize;
|
||||
ReservedRangeToCompareEnd = ReservedRangeToCompare->SmramReservedStart + ReservedRangeToCompare->SmramReservedSize;
|
||||
// Check for over or underflow.
|
||||
IsOverUnderflow1 = EFI_ERROR (
|
||||
SafeUint64Add (
|
||||
(UINT64)RangeToCompare->CpuStart,
|
||||
RangeToCompare->PhysicalSize,
|
||||
&RangeToCompareEnd
|
||||
)
|
||||
);
|
||||
IsOverUnderflow2 = EFI_ERROR (
|
||||
SafeUint64Add (
|
||||
(UINT64)ReservedRangeToCompare->SmramReservedStart,
|
||||
ReservedRangeToCompare->SmramReservedSize,
|
||||
&ReservedRangeToCompareEnd
|
||||
)
|
||||
);
|
||||
if (IsOverUnderflow1 || IsOverUnderflow2) {
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
if ((RangeToCompare->CpuStart >= ReservedRangeToCompare->SmramReservedStart) &&
|
||||
(RangeToCompare->CpuStart < ReservedRangeToCompareEnd))
|
||||
|
Reference in New Issue
Block a user