Re: 回复: [edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
On 2022/8/15 9:12, gaoliming wrote:
> Wenyi:
> I add my comments below.
Thank you for your comments. I agree with you that overflow can be treated as
overlap. I will update the patch and send it later.
Thanks
Wenyi
>
>> -邮件原件-
>> 发件人: devel@edk2.groups.io 代表 wenyi,xie via
>> groups.io
>> 发送时间: 2022年8月5日 15:21
>> 收件人: devel@edk2.groups.io; jian.j.w...@intel.com;
>> gaolim...@byosoft.com.cn; eric.d...@intel.com; ray...@intel.com
>> 抄送: songdongku...@huawei.com; xiewen...@huawei.com
>> 主题: [edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid
>> overflow risk
>>
>> As the CommunicationBuffer plus BufferSize may overflow, check the
>> value first before using.
>>
>> Cc: Jian J Wang
>> Cc: Liming Gao
>> Cc: Eric Dong
>> Cc: Ray Ni
>> Signed-off-by: Wenyi Xie
>> ---
>> MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 22 +---
>> MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 5 +
>> 2 files changed, 19 insertions(+), 8 deletions(-)
>>
>> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> index 9e5c6cbe33dd..fcf8c61d7f1b 100644
>> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
>> @@ -613,23 +613,28 @@ SmmEndOfS3ResumeHandler (
>>@retval FALSE Buffer doesn't overlap.
>>
>> **/
>> -BOOLEAN
>> +EFI_STATUS
>> InternalIsBufferOverlapped (
>>IN UINT8 *Buff1,
>>IN UINTN Size1,
>>IN UINT8 *Buff2,
>> - IN UINTN Size2
>> + IN UINTN Size2,
>> + IN BOOLEAN *IsOverlapped
>>)
>> {
>> + *IsOverlapped = TRUE;
>> + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN -
>> Size2)) {
>> +return EFI_INVALID_PARAMETER;
>> + }
>>//
>>// If buff1's end is less than the start of buff2, then it's ok.
>>// Also, if buff1's start is beyond buff2's end, then it's ok.
>>//
>>if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
>> -return FALSE;
>> +*IsOverlapped = FALSE;
>>}
>>
>> - return TRUE;
>> + return EFI_SUCCESS;
>> }
>>
> If Buff1 + Size1 overflows MAX_UINTN, it can be also regarded as overlap,
> return TRUE.
>
> If you think overflow is not overlap, please also update function
> InternalIsBufferOverlapped name and description to avoid confuse.
>
> Thanks
> Liming
>
>> /**
>> @@ -693,17 +698,18 @@ SmmEntryPoint (
>>//
>>// Synchronous SMI for SMM Core or request from Communicate
>> protocol
>>//
>> - IsOverlapped = InternalIsBufferOverlapped (
>> + Status = InternalIsBufferOverlapped (
>> (UINT8 *)CommunicationBuffer,
>> BufferSize,
>> (UINT8 *)gSmmCorePrivate,
>> - sizeof (*gSmmCorePrivate)
>> + sizeof (*gSmmCorePrivate),
>> + &IsOverlapped
>> );
>> - if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
>> BufferSize) || IsOverlapped) {
>> + if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
>> BufferSize) || EFI_ERROR(Status) || IsOverlapped) {
>> //
>> // If CommunicationBuffer is not in valid address scope,
>> // or there is overlap between gSmmCorePrivate and
>> CommunicationBuffer,
>> -// return EFI_INVALID_PARAMETER
>> +// return EFI_ACCESS_DENIED
>> //
>> gSmmCorePrivate->CommunicationBuffer = NULL;
>> gSmmCorePrivate->ReturnStatus= EFI_ACCESS_DENIED;
>> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> index 4f00cebaf5ed..bd13cf97ec93 100644
>> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
>> @@ -525,6 +525,11 @@ SmmCommunicationCommunicate (
>>
>>CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER
>> *)CommBuffer;
>>
>> + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF
>> (EFI_SMM_COMMUNICATE_HEADER, Data)) {
>> +DEBUG ((DEBUG_ERROR, "MessageLength is invalid!\n"));
>> +return EFI_INVALID_PARAMETER;
>> + }
>> +
>>if (CommSize == NULL) {
>> TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER,
>> Data) + CommunicateHeader->MessageLength;
>>} else {
>> --
>> 2.20.1.windows.1
>>
>>
>>
>>
>>
>
>
>
> .
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#92407): https://edk2.groups.io/g/devel/message/92407
Mute This Topic: https://groups.io/mt/93027797/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
回复: [edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
Wenyi:
I add my comments below.
> -邮件原件-
> 发件人: devel@edk2.groups.io 代表 wenyi,xie via
> groups.io
> 发送时间: 2022年8月5日 15:21
> 收件人: devel@edk2.groups.io; jian.j.w...@intel.com;
> gaolim...@byosoft.com.cn; eric.d...@intel.com; ray...@intel.com
> 抄送: songdongku...@huawei.com; xiewen...@huawei.com
> 主题: [edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid
> overflow risk
>
> As the CommunicationBuffer plus BufferSize may overflow, check the
> value first before using.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Eric Dong
> Cc: Ray Ni
> Signed-off-by: Wenyi Xie
> ---
> MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 22 +---
> MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 5 +
> 2 files changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> index 9e5c6cbe33dd..fcf8c61d7f1b 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> @@ -613,23 +613,28 @@ SmmEndOfS3ResumeHandler (
>@retval FALSE Buffer doesn't overlap.
>
> **/
> -BOOLEAN
> +EFI_STATUS
> InternalIsBufferOverlapped (
>IN UINT8 *Buff1,
>IN UINTN Size1,
>IN UINT8 *Buff2,
> - IN UINTN Size2
> + IN UINTN Size2,
> + IN BOOLEAN *IsOverlapped
>)
> {
> + *IsOverlapped = TRUE;
> + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN -
> Size2)) {
> +return EFI_INVALID_PARAMETER;
> + }
>//
>// If buff1's end is less than the start of buff2, then it's ok.
>// Also, if buff1's start is beyond buff2's end, then it's ok.
>//
>if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
> -return FALSE;
> +*IsOverlapped = FALSE;
>}
>
> - return TRUE;
> + return EFI_SUCCESS;
> }
>
If Buff1 + Size1 overflows MAX_UINTN, it can be also regarded as overlap,
return TRUE.
If you think overflow is not overlap, please also update function
InternalIsBufferOverlapped name and description to avoid confuse.
Thanks
Liming
> /**
> @@ -693,17 +698,18 @@ SmmEntryPoint (
>//
>// Synchronous SMI for SMM Core or request from Communicate
> protocol
>//
> - IsOverlapped = InternalIsBufferOverlapped (
> + Status = InternalIsBufferOverlapped (
> (UINT8 *)CommunicationBuffer,
> BufferSize,
> (UINT8 *)gSmmCorePrivate,
> - sizeof (*gSmmCorePrivate)
> + sizeof (*gSmmCorePrivate),
> + &IsOverlapped
> );
> - if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
> BufferSize) || IsOverlapped) {
> + if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
> BufferSize) || EFI_ERROR(Status) || IsOverlapped) {
> //
> // If CommunicationBuffer is not in valid address scope,
> // or there is overlap between gSmmCorePrivate and
> CommunicationBuffer,
> -// return EFI_INVALID_PARAMETER
> +// return EFI_ACCESS_DENIED
> //
> gSmmCorePrivate->CommunicationBuffer = NULL;
> gSmmCorePrivate->ReturnStatus= EFI_ACCESS_DENIED;
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> index 4f00cebaf5ed..bd13cf97ec93 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> @@ -525,6 +525,11 @@ SmmCommunicationCommunicate (
>
>CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER
> *)CommBuffer;
>
> + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF
> (EFI_SMM_COMMUNICATE_HEADER, Data)) {
> +DEBUG ((DEBUG_ERROR, "MessageLength is invalid!\n"));
> +return EFI_INVALID_PARAMETER;
> + }
> +
>if (CommSize == NULL) {
> TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER,
> Data) + CommunicateHeader->MessageLength;
>} else {
> --
> 2.20.1.windows.1
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#92406): https://edk2.groups.io/g/devel/message/92406
Mute This Topic: https://groups.io/mt/93027797/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH EDK2 v1 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
As the CommunicationBuffer plus BufferSize may overflow, check the
value first before using.
Cc: Jian J Wang
Cc: Liming Gao
Cc: Eric Dong
Cc: Ray Ni
Signed-off-by: Wenyi Xie
---
MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 22 +---
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 5 +
2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index 9e5c6cbe33dd..fcf8c61d7f1b 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -613,23 +613,28 @@ SmmEndOfS3ResumeHandler (
@retval FALSE Buffer doesn't overlap.
**/
-BOOLEAN
+EFI_STATUS
InternalIsBufferOverlapped (
IN UINT8 *Buff1,
IN UINTN Size1,
IN UINT8 *Buff2,
- IN UINTN Size2
+ IN UINTN Size2,
+ IN BOOLEAN *IsOverlapped
)
{
+ *IsOverlapped = TRUE;
+ if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN -
Size2)) {
+return EFI_INVALID_PARAMETER;
+ }
//
// If buff1's end is less than the start of buff2, then it's ok.
// Also, if buff1's start is beyond buff2's end, then it's ok.
//
if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
-return FALSE;
+*IsOverlapped = FALSE;
}
- return TRUE;
+ return EFI_SUCCESS;
}
/**
@@ -693,17 +698,18 @@ SmmEntryPoint (
//
// Synchronous SMI for SMM Core or request from Communicate protocol
//
- IsOverlapped = InternalIsBufferOverlapped (
+ Status = InternalIsBufferOverlapped (
(UINT8 *)CommunicationBuffer,
BufferSize,
(UINT8 *)gSmmCorePrivate,
- sizeof (*gSmmCorePrivate)
+ sizeof (*gSmmCorePrivate),
+ &IsOverlapped
);
- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize)
|| IsOverlapped) {
+ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize)
|| EFI_ERROR(Status) || IsOverlapped) {
//
// If CommunicationBuffer is not in valid address scope,
// or there is overlap between gSmmCorePrivate and CommunicationBuffer,
-// return EFI_INVALID_PARAMETER
+// return EFI_ACCESS_DENIED
//
gSmmCorePrivate->CommunicationBuffer = NULL;
gSmmCorePrivate->ReturnStatus= EFI_ACCESS_DENIED;
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
index 4f00cebaf5ed..bd13cf97ec93 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
@@ -525,6 +525,11 @@ SmmCommunicationCommunicate (
CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer;
+ if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF
(EFI_SMM_COMMUNICATE_HEADER, Data)) {
+DEBUG ((DEBUG_ERROR, "MessageLength is invalid!\n"));
+return EFI_INVALID_PARAMETER;
+ }
+
if (CommSize == NULL) {
TempCommSize = OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) +
CommunicateHeader->MessageLength;
} else {
--
2.20.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#92157): https://edk2.groups.io/g/devel/message/92157
Mute This Topic: https://groups.io/mt/92830802/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
