ShellPkg: acpiview: Validate ACPI table 'Length' field

Check if the ACPI table length, as reported in the ACPI table header, is
big enough to fit at least the header itself.

If not, report an error to the user and stop parsing the table in order
to prevent buffer overruns.

Signed-off-by: Krzysztof Koch <krzysztof.koch@arm.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Zhichao Gao <zhichao.gao@intel.com>

1 files changed, 19 insertions, 1 deletions

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c
index d5500bc..501967c 100644
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiTableParser.c
@@ -1,7 +1,7 @@
 /** @file

   ACPI table parser

 

-  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.

+  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.

   SPDX-License-Identifier: BSD-2-Clause-Patent

 **/

 

@@ -176,6 +176,7 @@ ProcessAcpiTable (
   CONST UINT32* AcpiTableSignature;

   CONST UINT32* AcpiTableLength;

   CONST UINT8*  AcpiTableRevision;

+  CONST UINT8*  SignaturePtr;

   PARSE_ACPI_TABLE_PROC ParserProc;

 

   ParseAcpiHeader (

@@ -193,6 +194,23 @@ ProcessAcpiTable (
 

   if (Trace) {

     DumpRaw (Ptr, *AcpiTableLength);

+

+    // Do not process the ACPI table any further if the table length read

+    // is invalid. The ACPI table should at least contain the table header.

+    if (*AcpiTableLength < sizeof (EFI_ACPI_DESCRIPTION_HEADER)) {

+      SignaturePtr = (CONST UINT8*)AcpiTableSignature;

+      IncrementErrorCount ();

+      Print (

+        L"ERROR: Invalid %c%c%c%c table length. Length = %d\n",

+        SignaturePtr[0],

+        SignaturePtr[1],

+        SignaturePtr[2],

+        SignaturePtr[3],

+        *AcpiTableLength

+        );

+      return;

+    }

+

     if (GetConsistencyChecking ()) {

       VerifyChecksum (TRUE, Ptr, *AcpiTableLength);

     }