sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CapsulePei coalesce need add more sanity check for each Capsule Fragment.

Browse Source 
Signed-off by: jiewen yao <jiewen.yao@intel.com>
Reviewed by: elvin li <elvin.li@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15137 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
jyao1
2014-01-17 03:51:01 +00:00
committed by jyao1
parent 3a1966c4e2
commit ff284c56a1
3 changed files with 333 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
MdeModulePkg/Universal/CapsulePei/UefiCapsule.c
View File

@@ -1,7 +1,7 @@
/** @file
Capsule update PEIM for UEFI2.0
Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
@@ -987,25 +987,28 @@ CreateState (
EFI_CAPSULE_PEIM_PRIVATE_DATA *PrivateData;
UINTN Size;
EFI_PHYSICAL_ADDRESS NewBuffer;
UINT32 *DataPtr;
UINT32 CapsuleNumber;
UINTN CapsuleNumber;
UINT32 Index;
EFI_PHYSICAL_ADDRESS BaseAddress;
UINT64 Length;
DataPtr = NULL;
CapsuleNumber = 0;
PrivateData = (EFI_CAPSULE_PEIM_PRIVATE_DATA *) CapsuleBase;
if (PrivateData->Signature != EFI_CAPSULE_PEIM_PRIVATE_DATA_SIGNATURE) {
return EFI_VOLUME_CORRUPTED;
}
if (PrivateData->CapsuleAllImageSize >= MAX_ADDRESS) {
DEBUG ((EFI_D_ERROR, "CapsuleAllImageSize too big - 0x%lx\n", PrivateData->CapsuleAllImageSize));
return EFI_OUT_OF_RESOURCES;
}
if (PrivateData->CapsuleNumber >= MAX_ADDRESS) {
DEBUG ((EFI_D_ERROR, "CapsuleNumber too big - 0x%lx\n", PrivateData->CapsuleNumber));
return EFI_OUT_OF_RESOURCES;
}
//
// Capsule Number and Capsule Offset is in the tail of Capsule data.
//
Size = (UINTN) PrivateData->CapsuleSize;
DataPtr = (UINT32*)((UINTN)CapsuleBase + (UINTN)sizeof(EFI_CAPSULE_PEIM_PRIVATE_DATA)+ Size);
DataPtr = (UINT32*)(((UINTN) DataPtr + sizeof(UINT32) - 1) & ~(sizeof (UINT32) - 1));
CapsuleNumber = *DataPtr++;
Size = (UINTN)PrivateData->CapsuleAllImageSize;
CapsuleNumber = (UINTN)PrivateData->CapsuleNumber;
//
// Allocate the memory so that it gets preserved into DXE
//
@@ -1022,8 +1025,8 @@ CreateState (
//
// Copy to our new buffer for DXE
//
DEBUG ((EFI_D_INFO, "Capsule copy from 0x%8X to 0x%8X with size 0x%8X\n", (UINTN) (PrivateData + 1), (UINTN) NewBuffer, Size));
CopyMem ((VOID *) (UINTN) NewBuffer, (VOID *) (UINTN) (PrivateData + 1), Size);
DEBUG ((EFI_D_INFO, "Capsule copy from 0x%8X to 0x%8X with size 0x%8X\n", (UINTN)((UINT8 *)PrivateData + sizeof(EFI_CAPSULE_PEIM_PRIVATE_DATA) + (CapsuleNumber - 1) * sizeof(UINT64)), (UINTN) NewBuffer, Size));
CopyMem ((VOID *) (UINTN) NewBuffer, (VOID *) (UINTN) ((UINT8 *)PrivateData + sizeof(EFI_CAPSULE_PEIM_PRIVATE_DATA) + (CapsuleNumber - 1) * sizeof(UINT64)), Size);
//
// Check for test data pattern. If it is the test pattern, then we'll
// test it ans still create the HOB so that it can be used to verify
@@ -1039,7 +1042,7 @@ CreateState (
// Build the UEFI Capsule Hob for each capsule image.
//
for (Index = 0; Index < CapsuleNumber; Index ++) {
BaseAddress = NewBuffer + DataPtr[Index];
BaseAddress = NewBuffer + PrivateData->CapsuleOffset[Index];
Length = ((EFI_CAPSULE_HEADER *)((UINTN) BaseAddress))->CapsuleImageSize;
BuildCvHob (BaseAddress, Length);