回复: [edk2-devel] [RESEND PATCH 1/1] MdeModulePkg: Fix PiSmmCore integer over- and underflows.

gaoliming via groups.io gaoliming=byosoft.com.cn at groups.io
Mon Oct 10 02:02:23 UTC 2022 

The code change is good to me. 

Reviewed-by: Liming Gao <gaoliming at byosoft.com.cn>

Thanks
Liming
> -----邮件原件-----
> 发件人: devel at edk2.groups.io <devel at edk2.groups.io> 代表 Gerd
> Hoffmann
> 发送时间: 2022年10月4日 22:27
> 收件人: devel at edk2.groups.io
> 抄送: Pawel Polawski <ppolawsk at redhat.com>; Liming Gao
> <gaoliming at byosoft.com.cn>; Jian J Wang <jian.j.wang at intel.com>; Eric
> Dong <eric.dong at intel.com>; Ray Ni <ray.ni at intel.com>; Oliver Steffen
> <osteffen at redhat.com>; Gerd Hoffmann <kraxel at redhat.com>
> 主题: [edk2-devel] [RESEND PATCH 1/1] MdeModulePkg: Fix PiSmmCore
> integer over- and underflows.
> 
> Prevents potential math over and underflows when comparing buffers
> for SMM validity.
> 
> Original patch uploaded to bugzilla by Bret Barkelew <bret at corthon.com>.
> I've adapted the patch to latest master, uncristified, dropped MU
> comments.
> 
> Ref: CVE-2021-38578
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3387
> Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
> ---
>  MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf |  1 +
>  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf  |  1 +
>  MdeModulePkg/Core/PiSmmCore/PiSmmCore.h   |  1 +
>  MdeModulePkg/Core/PiSmmCore/PiSmmCore.c   | 32
> ++++++++++++++++-------
>  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c    | 10 +++++--
>  5 files changed, 34 insertions(+), 11 deletions(-)
> 
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
> b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
> index c8bfae3860fc..3df44b38f13c 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
> @@ -60,6 +60,7 @@ [LibraryClasses]
>    PerformanceLib
>    HobLib
>    SmmMemLib
> +  SafeIntLib
> 
>  [Protocols]
>    gEfiDxeSmmReadyToLockProtocolGuid             ## UNDEFINED #
> SmiHandlerRegister
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
> b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
> index 6109d6b5449c..ddeb39cee266 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
> @@ -46,6 +46,7 @@ [LibraryClasses]
>    DxeServicesLib
>    PcdLib
>    ReportStatusCodeLib
> +  SafeIntLib
> 
>  [Protocols]
>    gEfiSmmBase2ProtocolGuid                      ## PRODUCES
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
> b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
> index 71422b9dfcdf..b8a490a8c3b5 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
> @@ -54,6 +54,7 @@
>  #include <Library/PerformanceLib.h>
>  #include <Library/HobLib.h>
>  #include <Library/SmmMemLib.h>
> +#include <Library/SafeIntLib.h>
> 
>  #include "PiSmmCorePrivateData.h"
>  #include "HeapGuard.h"
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> index 9e5c6cbe33dd..5ef8b31ee361 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> @@ -610,6 +610,7 @@ SmmEndOfS3ResumeHandler (
>    @param[in] Size2  Size of Buff2
> 
>    @retval TRUE      Buffers overlap in memory.
> +  @retval TRUE      Math error.
>    @retval FALSE     Buffer doesn't overlap.
> 
>  **/
> @@ -621,11 +622,21 @@ InternalIsBufferOverlapped (
>    IN UINTN  Size2
>    )
>  {
> +  UINTN  End1;
> +  UINTN  End2;
> +
> +  // Prevents potential math over and underflows.
> +  if (EFI_ERROR (SafeUintnAdd ((UINTN)Buff1, Size1, &End1)) ||
> +      EFI_ERROR (SafeUintnAdd ((UINTN)Buff2, Size2, &End2)))
> +  {
> +    return TRUE;
> +  }
> +
>    //
>    // If buff1's end is less than the start of buff2, then it's ok.
>    // Also, if buff1's start is beyond buff2's end, then it's ok.
>    //
> -  if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
> +  if ((End1 <= (UINTN)Buff2) || ((UINTN)Buff1 >= End2)) {
>      return FALSE;
>    }
> 
> @@ -699,7 +710,10 @@ SmmEntryPoint (
>                         (UINT8 *)gSmmCorePrivate,
>                         sizeof (*gSmmCorePrivate)
>                         );
> -      if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
> BufferSize) || IsOverlapped) {
> +      if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer,
> BufferSize) ||
> +          IsOverlapped ||
> +          EFI_ERROR (SafeUintnSub (BufferSize, OFFSET_OF
> (EFI_SMM_COMMUNICATE_HEADER, Data), &BufferSize)))
> +      {
>          //
>          // If CommunicationBuffer is not in valid address scope,
>          // or there is overlap between gSmmCorePrivate and
> CommunicationBuffer,
> @@ -709,13 +723,13 @@ SmmEntryPoint (
>          gSmmCorePrivate->ReturnStatus        = EFI_ACCESS_DENIED;
>        } else {
>          CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER
> *)CommunicationBuffer;
> -        BufferSize       -= OFFSET_OF
> (EFI_SMM_COMMUNICATE_HEADER, Data);
> -        Status            = SmiManage (
> -                              &CommunicateHeader->HeaderGuid,
> -                              NULL,
> -                              CommunicateHeader->Data,
> -                              &BufferSize
> -                              );
> +        // BufferSize was updated by the SafeUintnSub() call above.
> +        Status = SmiManage (
> +                   &CommunicateHeader->HeaderGuid,
> +                   NULL,
> +                   CommunicateHeader->Data,
> +                   &BufferSize
> +                   );
>          //
>          // Update CommunicationBuffer, BufferSize and ReturnStatus
>          // Communicate service finished, reset the pointer to CommBuffer
> to NULL
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> index 4f00cebaf5ed..f08ca55e26b7 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> @@ -34,6 +34,7 @@
>  #include <Library/UefiRuntimeLib.h>
>  #include <Library/PcdLib.h>
>  #include <Library/ReportStatusCodeLib.h>
> +#include <Library/SafeIntLib.h>
> 
>  #include "PiSmmCorePrivateData.h"
> 
> @@ -1354,6 +1355,7 @@ SmmSplitSmramEntry (
>    @param[in] ReservedRangeToCompare     Pointer to
> EFI_SMM_RESERVED_SMRAM_REGION to compare.
> 
>    @retval TRUE  There is overlap.
> +  @retval TRUE  Math error.
>    @retval FALSE There is no overlap.
> 
>  **/
> @@ -1366,8 +1368,12 @@ SmmIsSmramOverlap (
>    UINT64  RangeToCompareEnd;
>    UINT64  ReservedRangeToCompareEnd;
> 
> -  RangeToCompareEnd         = RangeToCompare->CpuStart +
> RangeToCompare->PhysicalSize;
> -  ReservedRangeToCompareEnd =
> ReservedRangeToCompare->SmramReservedStart +
> ReservedRangeToCompare->SmramReservedSize;
> +  // Prevents potential math over and underflows.
> +  if (EFI_ERROR (SafeUint64Add ((UINT64)RangeToCompare->CpuStart,
> RangeToCompare->PhysicalSize, &RangeToCompareEnd)) ||
> +      EFI_ERROR (SafeUint64Add
> ((UINT64)ReservedRangeToCompare->SmramReservedStart,
> ReservedRangeToCompare->SmramReservedSize,
> &ReservedRangeToCompareEnd)))
> +  {
> +    return TRUE;
> +  }
> 
>    if ((RangeToCompare->CpuStart >=
> ReservedRangeToCompare->SmramReservedStart) &&
>        (RangeToCompare->CpuStart < ReservedRangeToCompareEnd))
> --
> 2.37.3
> 
> 
> 
> 
> 





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94858): https://edk2.groups.io/g/devel/message/94858
Mute This Topic: https://groups.io/mt/94228599/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

More information about the edk2-devel-archive mailing list