Modify the SRAT parsing logic to prevent reading past the table buffer
length provided.
Check if the Static Resource Allocation Structure's buffer fits in the
SRAT table buffer before its contents are dumped.
Prevent buffer overruns when reading the Static Resource Allocation
Structure's header.
References:
- ACPI 6.3, January 2019, Section 5.2.16
Signed-off-by: Krzysztof Koch <krzysztof.k...@arm.com>
---
Notes:
v1:
- Prevent buffer overruns in SRAT acpiview parser [Krzysztof]
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 14
+++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git
a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
index
59c77401eaab32b73a9f83fd4d63785221b3c222..a8aa420487bb6bf29fc38221d0b221573c64b8b3
100644
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
@@ -215,10 +215,22 @@ ParseAcpiSrat (
0,
NULL,
ResourcePtr,
- 2, // The length is 1 byte at offset 1
+ AcpiTableLength - Offset,
PARSER_PARAMS (SratResourceAllocationParser)
);
+ // Make sure the SRAT structure lies inside the table
+ if ((Offset + *SratRALength) > AcpiTableLength) {
+ IncrementErrorCount ();
+ Print (
+ L"ERROR: Invalid SRAT structure length. SratRALength = %d. " \
+ L"RemainingTableBufferLength = %d. SRAT parsing aborted.\n",
+ *SratRALength,
+ AcpiTableLength - Offset
+ );
+ return;
+ }
+
switch (*SratRAType) {
case EFI_ACPI_6_2_GICC_AFFINITY:
AsciiSPrint (
--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#44761): https://edk2.groups.io/g/devel/message/44761
Mute This Topic: https://groups.io/mt/32676850/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
