[edk2-devel] [PATCH v1 3/3] MdeModulePkg/Core/Pei: Fix pointer size mismatch in EvacuateTempRam()
Michael Kubacki
mikuback at linux.microsoft.com
Thu Sep 9 03:46:01 UTC 2021
From: Michael Kubacki <michael.kubacki at microsoft.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3512
In 32-bit PEI, the local variable pointers MigratedFvHeader and
RawDataFvHeader in EvacuateTempRam() will be 32-bit in size. The
pointers are currently passed to PeiServicesAllocatePages() which
expects a 64-bit output buffer of type EFI_PHYSICAL_ADDRESS.
When PeiServicesAllocatePages() writes to the buffer, the data
can overflow.
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Liming Gao <gaoliming at byosoft.com.cn>
Cc: Dandan Bi <dandan.bi at intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki at microsoft.com>
---
MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
index a050a6ed9646..f6bb906f38f3 100644
--- a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
+++ b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
@@ -1135,6 +1135,7 @@ EvacuateTempRam (
volatile UINTN FvIndex;
volatile UINTN FvChildIndex;
UINTN ChildFvOffset;
+ EFI_PHYSICAL_ADDRESS FvHeaderAddress;
EFI_FIRMWARE_VOLUME_HEADER *FvHeader;
EFI_FIRMWARE_VOLUME_HEADER *ChildFvHeader;
EFI_FIRMWARE_VOLUME_HEADER *MigratedFvHeader;
@@ -1186,9 +1187,10 @@ EvacuateTempRam (
Status = PeiServicesAllocatePages (
EfiBootServicesCode,
EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength),
- (EFI_PHYSICAL_ADDRESS *) &MigratedFvHeader
+ &FvHeaderAddress
);
ASSERT_EFI_ERROR (Status);
+ MigratedFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeaderAddress;
//
// Allocate pool to save the raw PEIMs, which is used to keep consistent context across
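Review bot: The conversion to MigratedFvHeader right after ASSERT_EFI_ERROR (Status) reads FvHeaderAddress even when the allocation failed. ASSERT_EFI_ERROR() does nothing in builds with asserts disabled, and FvHeaderAddress is declared without an initial value, so on that path an indeterminate address is cast to a pointer and used. Consider an explicit EFI_ERROR (Status) check that returns before the assignment, or at least initialize FvHeaderAddress to 0 at its declaration so a failure yields NULL. Because the (UINTN) cast narrows a 64-bit EFI_PHYSICAL_ADDRESS on 32-bit PEI, an assertion that the value fits in UINTN would also document that assumption.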
@@ -1197,9 +1199,10 @@ EvacuateTempRam (
Status = PeiServicesAllocatePages (
EfiBootServicesCode,
EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength),
- (EFI_PHYSICAL_ADDRESS *) &RawDataFvHeader
+ &FvHeaderAddress
);
ASSERT_EFI_ERROR (Status);
+ RawDataFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvHeaderAddress;
DEBUG ((
DEBUG_VERBOSE,
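Review bot: The second PeiServicesAllocatePages() call reuses &FvHeaderAddress, which still holds the address returned for MigratedFvHeader. If this call fails without writing its output and asserts are disabled, RawDataFvHeader is set to the same buffer as MigratedFvHeader, and the raw-data copy would then silently share the migrated FV's pages. Clearing FvHeaderAddress before the call, or checking Status with EFI_ERROR () before the RawDataFvHeader assignment, avoids the aliasing.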
--
2.28.0.windows.1