From a7d8e28b29f2e7496357a161ba86219e4b4d815c Mon Sep 17 00:00:00 2001
From: Kun Qin
Date: Tue, 6 Apr 2021 12:52:54 -0700
Subject: [PATCH] UefiCpuPkg: PiSmmCpuDxeSmm: Check buffer size before accessing
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283
Current SMM Save State routine does not check the number of bytes to be read, when it comse to read IO_INFO, before casting the incoming buffer to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory corruption due to extra bytes are written out of buffer boundary. This change adds a width check before copying IoInfo into output buffer.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Signed-off-by: Kun Qin
Reviewed-by: Ray Ni
Reviewed-by: Laszlo Ersek
Message-Id: <20210406195254.1018-2-kuqin12@gmail.com>
---
UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h | 2 +-
UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 9 ++++++++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
index b8aa9e1769..2248a8c5ee 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
@@ -337,7 +337,7 @@ This function supports reading a CPU Save State register in SMBase relocation ha
@retval EFI_SUCCESS The register was read from Save State.
@retval EFI_NOT_FOUND The register is not defined for the Save State of Processor.
-@retval EFI_INVALID_PARAMETER This or Buffer is NULL.
+@retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.
**/
EFI_STATUS
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
index 661cc51f36..fc418c2500 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
@@ -343,7 +343,7 @@ ReadSaveStateRegisterByIndex (
@retval EFI_SUCCESS The register was read from Save State.
@retval EFI_NOT_FOUND The register is not defined for the Save State of Processor.
- @retval EFI_INVALID_PARAMETER This or Buffer is NULL.
+ @retval EFI_INVALID_PARAMETER Buffer is NULL, or Width does not meet requirement per Register type.
**/
EFI_STATUS
@@ -418,6 +418,13 @@ ReadSaveStateRegister (
return EFI_NOT_FOUND;
}
+ //
+ // Make sure the incoming buffer is large enough to hold IoInfo before accessing
+ //
+ if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
//
// Zero the IoInfo structure that will be returned in Buffer
//
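Review bot: The new guard in the second hunk of SmramSaveState.c only enforces the Width bound on the IO-info path, while the updated `@retval EFI_INVALID_PARAMETER` text in both doc hunks ("Width does not meet requirement per Register type") reads as if every register type is checked; the comment above the check should state the concrete contract so callers know what is rejected, e.g. `// Register IO: Buffer must hold a whole EFI_SMM_SAVE_STATE_IO_INFO; a smaller Width is rejected, a larger one is accepted`. Because the comparison is `Width < sizeof (...)`, an oversized Buffer is accepted, and how many bytes are then written depends on the copy that follows outside the hunk, so confirm that before documenting it. Whether the general-register path applies an equivalent Width bound is not visible in this patch and is worth a one-line note in the header doc once confirmed. ReadSaveStateRegister's body begins and ends outside the hunk.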