REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3283
Current SMM Save State routine does not check the number of bytes to be
read, when it comse to read IO_INFO, before casting the incoming buffer
to EFI_SMM_SAVE_STATE_IO_INFO. This could potentially cause memory
corruption due to extra bytes are written out of buffer boundary.
This change adds a width check before copying IoInfo into output buffer.
Cc: Eric Dong <eric.d...@intel.com>
Cc: Ray Ni <ray...@intel.com>
Cc: Laszlo Ersek <ler...@redhat.com>
Cc: Rahul Kumar <rahul1.ku...@intel.com>
Signed-off-by: Kun Qin <kuqi...@gmail.com>
---
UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
index 661cc51f361a..ec760e4c37ca 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c
@@ -418,6 +418,13 @@ ReadSaveStateRegister (
return EFI_NOT_FOUND;
}
+ //
+ // Make sure the incoming buffer is large enough to hold IoInfo before
accessing
+ //
+ if (Width < sizeof (EFI_SMM_SAVE_STATE_IO_INFO)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
//
// Zero the IoInfo structure that will be returned in Buffer
//
--
2.31.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#73409): https://edk2.groups.io/g/devel/message/73409
Mute This Topic: https://groups.io/mt/81642500/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
