Acked-by: Jian J Wang <jian.j.w...@intel.com> > -----Original Message----- > From: Wu, Hao A <hao.a...@intel.com> > Sent: Thursday, February 06, 2020 9:44 AM > To: devel@edk2.groups.io > Cc: Wu, Hao A <hao.a...@intel.com>; Dong, Eric <eric.d...@intel.com>; > Wang, Jian J <jian.j.w...@intel.com> > Subject: [PATCH v1] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric > truncation (CVE-2019-14563) > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001 > > For S3BootScriptLib APIs: > > S3BootScriptSaveIoWrite > S3BootScriptSaveMemWrite > S3BootScriptSavePciCfgWrite > S3BootScriptSavePciCfg2Write > S3BootScriptSaveSmbusExecute > S3BootScriptSaveInformation > S3BootScriptSaveInformationAsciiString > S3BootScriptLabel (happen in S3BootScriptLabelInternal()) > > possible numeric truncations will happen that may lead to S3 boot script > entry with improper size being returned to store the boot script data. > This commit will add checks to prevent this kind of issue. > > Please note that the remaining S3BootScriptLib APIs: > > S3BootScriptSaveIoReadWrite > S3BootScriptSaveMemReadWrite > S3BootScriptSavePciCfgReadWrite > S3BootScriptSavePciCfg2ReadWrite > S3BootScriptSaveStall > S3BootScriptSaveDispatch2 > S3BootScriptSaveDispatch > S3BootScriptSaveMemPoll > S3BootScriptSaveIoPoll > S3BootScriptSavePciPoll > S3BootScriptSavePci2Poll > S3BootScriptCloseTable > S3BootScriptExecute > S3BootScriptMoveLastOpcode > S3BootScriptCompare > > are not affected by such numeric truncation. > > Cc: Eric Dong <eric.d...@intel.com> > Cc: Jian J Wang <jian.j.w...@intel.com> > Signed-off-by: Hao A Wu <hao.a...@intel.com> > Reviewed-by: Laszlo Ersek <ler...@redhat.com> > --- > MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c | 52 > +++++++++++++++++++- > 1 file changed, 51 insertions(+), 1 deletion(-) > > diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c > b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c > index 9106e7d0f9..9315fc9f01 100644 > --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c > +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c > @@ -1,7 +1,7 @@ > /** @file > Save the S3 data to S3 boot script. > > - Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR> > + Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR> > > SPDX-License-Identifier: BSD-2-Clause-Patent > > @@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite ( > EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; > > WidthInByte = (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_IO_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * > Count)); > > Script = S3BootScriptGetEntryAddAddress (Length); > @@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite ( > EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite; > > WidthInByte = (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_MEM_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * > Count)); > > Script = S3BootScriptGetEntryAddAddress (Length); > @@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite ( > } > > WidthInByte = (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + > (WidthInByte * Count)); > > Script = S3BootScriptGetEntryAddAddress (Length); > @@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write ( > } > > WidthInByte = (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + > (WidthInByte * Count)); > > Script = S3BootScriptGetEntryAddAddress (Length); > @@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute ( > return Status; > } > > + // > + // Truncation check > + // > + if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) > { > + return RETURN_OUT_OF_RESOURCES; > + } > DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + > BufferLength); > > Script = S3BootScriptGetEntryAddAddress (DataSize); > @@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation ( > UINT8 *Script; > EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; > > + // > + // Truncation check > + // > + if (InformationLength > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_INFORMATION)) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + > InformationLength); > > Script = S3BootScriptGetEntryAddAddress (Length); > @@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal ( > UINT8 *Script; > EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; > > + // > + // Truncation check > + // > + if (InformationLength > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_INFORMATION)) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + > InformationLength); > > Script = S3BootScriptGetEntryAddAddress (Length); > -- > 2.12.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54005): https://edk2.groups.io/g/devel/message/54005 Mute This Topic: https://groups.io/mt/71012031/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
