authorvanjeff <vanjeff@6f19259b-4bc3-4df7-8a09-765794883524>2013-04-19 07:56:49 +0000
committervanjeff <vanjeff@6f19259b-4bc3-4df7-8a09-765794883524>2013-04-19 07:56:49 +0000
commitf5619f5bd3e8f68ea8605e52770446e6db26c2c4 (patch)
tree88fece693d2c998b3b71dea36c7a4f74be93cf97
parentb9b3c5db027390838215a771c43361cb34573bad (diff)
Sync patch r14292 from main trunk.
Fix a potential SMM memory dump issue. If a communication buffer is passed to SMM SetVariable with a DataBuffer that is big enough to cover the SMM range, GetVariable can then dump SMM memory contents. Add more range checks for SetVariable. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/branches/UDK2010.SR1@14301 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r--MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c13
-rw-r--r--SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c13
2 files changed, 26 insertions, 0 deletions
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
index 15e55d4..1fbdde5 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
@@ -482,6 +482,19 @@ SmmVariableHandler (
case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;
+ InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
+ + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
+
+ //
+ // SMRAM range check already covered before
+ // Data buffer should not contain SMM range
+ //
+ if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
+ DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));
+ Status = EFI_ACCESS_DENIED;
+ goto EXIT;
+ }
+
Status = VariableServiceSetVariable (
SmmVariableHeader->Name,
&SmmVariableHeader->Guid,
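Review bot: The sum assigned to `InfoSize` in the first added lines can wrap, because `DataSize` and `NameSize` are read from the caller-supplied communication buffer and nothing visible in the hunk bounds them before they are added. A wrapped `InfoSize` is small and passes the `InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE` test, while `VariableServiceSetVariable` still receives the original oversized `DataSize`. Assuming both fields are `UINTN`, reject the request before the addition, e.g. `if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) || ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) { Status = EFI_ACCESS_DENIED; goto EXIT; }`. The right-hand subtraction also underflows if `*CommBufferSize` is smaller than `SMM_VARIABLE_COMMUNICATE_HEADER_SIZE`; `SmmVariableHandler` starts outside the hunk, so confirm that an earlier check rules this out. The identical hunk in SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c needs the same guard.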
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
index c8ee79a..01c605f 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
@@ -488,6 +488,19 @@ SmmVariableHandler (
case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;
+ InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
+ + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
+
+ //
+ // SMRAM range check already covered before
+ // Data buffer should not contain SMM range
+ //
+ if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
+ DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));
+ Status = EFI_ACCESS_DENIED;
+ goto EXIT;
+ }
+
Status = VariableServiceSetVariable (
SmmVariableHeader->Name,
&SmmVariableHeader->Guid,