There is a call to PeiServicesAllocatePages() that passes in the address of a pointer 
(IA32 sizeof (VOID *) == 4), but it casts this to a pointer to 
EFI_PHYSICAL_ADDRESS, which is always UINT64. This means that 4 bytes of the 
stack are overwritten. 

https://svn.code.sf.net/p/edk2/code/trunk/edk2/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
  X64_IDT_TABLE             *IdtTableForX64;
    Status = PeiServicesAllocatePages (
               EfiBootServicesData,
               EFI_SIZE_TO_PAGES(sizeof (X64_IDT_TABLE) + SizeOfTemplate * IDT_ENTRY_COUNT),
               (EFI_PHYSICAL_ADDRESS *) &IdtTableForX64
               );
It should be:
IdtTableForX64 = AllocatePages (EFI_SIZE_TO_PAGES(sizeof (X64_IDT_TABLE) + SizeOfTemplate * IDT_ENTRY_COUNT));
I don't think the bug causes any detectable error, since it is likely that 
Index is being overwritten, and it is set later in the function.

Thanks,

Andrew Fish

PS Also does it make sense for the DXE IPL to init a vector table? It looks 
like there is only one library call, GetNextGuidHob(), prior to the DXE Core 
calling InitializeCpuExceptionHandlers(). So it seems like the window to catch 
a bug is very small. There could always be a version of CpuExceptionHandlerLib 
that just does the jmp $ (jmp .). 


https://svn.code.sf.net/p/edk2/code/trunk/edk2/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
VOID
EFIAPI
DxeMain (
  IN  VOID *HobStart
  )
{
  EFI_STATUS                    Status;
  EFI_PHYSICAL_ADDRESS          MemoryBaseAddress;
  UINT64                        MemoryLength;
  PE_COFF_LOADER_IMAGE_CONTEXT  ImageContext;
  UINTN                         Index;
  EFI_HOB_GUID_TYPE             *GuidHob;
  EFI_VECTOR_HANDOFF_INFO       *VectorInfoList;
  EFI_VECTOR_HANDOFF_INFO       *VectorInfo;

  //
  // Setup the default exception handlers
  //
  VectorInfoList = NULL;
  GuidHob = GetNextGuidHob (&gEfiVectorHandoffInfoPpiGuid, HobStart);
  if (GuidHob != NULL) {
    VectorInfoList = (EFI_VECTOR_HANDOFF_INFO *) (GET_GUID_HOB_DATA(GuidHob));
  }
  Status = InitializeCpuExceptionHandlers (VectorInfoList);
  ASSERT_EFI_ERROR (Status);

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel