diff options
| -rw-r--r-- | DuetPkg/PciBusNoEnumerationDxe/PciOptionRomSupport.c | 56 | ||||
| -rw-r--r-- | DuetPkg/PciBusNoEnumerationDxe/PciRomTable.c | 37 | ||||
| -rw-r--r-- | DuetPkg/PciRootBridgeNoEnumerationDxe/Ia32/PcatIo.c | 14 | ||||
| -rw-r--r-- | DuetPkg/PciRootBridgeNoEnumerationDxe/X64/PcatIo.c | 14 | ||||
| -rw-r--r-- | IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c | 12 | ||||
| -rw-r--r-- | IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c | 33 | ||||
| -rw-r--r-- | MdeModulePkg/Bus/Pci/PciBusDxe/PciOptionRomSupport.c | 70 | ||||
| -rw-r--r-- | OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c | 36 | ||||
| -rw-r--r-- | ShellPkg/Library/UefiShellDebug1CommandsLib/LoadPciRom.c | 40 |
9 files changed, 234 insertions, 78 deletions
diff --git a/DuetPkg/PciBusNoEnumerationDxe/PciOptionRomSupport.c b/DuetPkg/PciBusNoEnumerationDxe/PciOptionRomSupport.c index f1af103..28adb2b 100644 --- a/DuetPkg/PciBusNoEnumerationDxe/PciOptionRomSupport.c +++ b/DuetPkg/PciBusNoEnumerationDxe/PciOptionRomSupport.c @@ -1,6 +1,6 @@ /*++
-Copyright (c) 2005 - 2006, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -155,6 +155,7 @@ Returns: PCI_DATA_STRUCTURE *RomPcir;
UINT64 RomSize;
UINT64 RomImageSize;
+ UINT32 LegacyImageLength;
UINT8 *RomInMemory;
UINT8 CodeType;
@@ -207,6 +208,7 @@ Returns: RomBarOffset = RomBar;
retStatus = EFI_NOT_FOUND;
FirstCheck = TRUE;
+ LegacyImageLength = 0;
do {
PciDevice->PciRootBridgeIo->Mem.Read (
@@ -229,6 +231,15 @@ Returns: FirstCheck = FALSE;
OffsetPcir = RomHeader->PcirOffset;
+ //
+ // If the pointer to the PCI Data Structure is invalid, no further images can be located.
+ // The PCI Data Structure must be DWORD aligned.
+ //
+ if (OffsetPcir == 0 ||
+ (OffsetPcir & 3) != 0 ||
+ RomImageSize + OffsetPcir + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+ break;
+ }
PciDevice->PciRootBridgeIo->Mem.Read (
PciDevice->PciRootBridgeIo,
EfiPciWidthUint8,
@@ -236,8 +247,18 @@ Returns: sizeof (PCI_DATA_STRUCTURE),
(UINT8 *) RomPcir
);
+ //
+ // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+ //
+ if (RomPcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
+ if (RomImageSize + RomPcir->ImageLength * 512 > RomSize) {
+ break;
+ }
if (RomPcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
CodeType = PCI_CODE_TYPE_PCAT_IMAGE;
+ LegacyImageLength = ((UINT32)((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512) * 512;
}
Indicator = RomPcir->Indicator;
RomImageSize = RomImageSize + RomPcir->ImageLength * 512;
@@ -249,7 +270,7 @@ Returns: // of the legacy length and the PCIR Image Length
//
if (CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
- RomImageSize = MAX(RomImageSize, (((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512 * 512));
+ RomImageSize = MAX (RomImageSize, LegacyImageLength);
}
if (RomImageSize > 0) {
@@ -399,7 +420,6 @@ Returns: EFI_HANDLE ImageHandle;
EFI_STATUS Status;
EFI_STATUS retStatus;
- BOOLEAN FirstCheck;
BOOLEAN SkipImage;
UINT32 DestinationSize;
UINT32 ScratchSize;
@@ -410,6 +430,7 @@ Returns: EFI_DECOMPRESS_PROTOCOL *Decompress;
EFI_PCI_EXPANSION_ROM_HEADER *EfiRomHeader;
PCI_DATA_STRUCTURE *Pcir;
+ UINT32 InitializationSize;
Indicator = 0;
@@ -419,35 +440,36 @@ Returns: RomBar = PciDevice->PciIo.RomImage;
RomBarOffset = (UINT8 *) RomBar;
retStatus = EFI_NOT_FOUND;
- FirstCheck = TRUE;
+
+ if (RomBarOffset == NULL) {
+ return retStatus;
+ }
+ ASSERT (((EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset)->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE);
do {
EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset;
if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
RomBarOffset = RomBarOffset + 512;
- if (FirstCheck) {
- break;
- } else {
- continue;
- }
+ continue;
}
- FirstCheck = FALSE;
Pcir = (PCI_DATA_STRUCTURE *) (RomBarOffset + EfiRomHeader->PcirOffset);
+ ASSERT (Pcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
ImageSize = (UINT32) (Pcir->ImageLength * 512);
Indicator = Pcir->Indicator;
- if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
- (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE)) {
+ if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
+ (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+ ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+ (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
- if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
- (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER)) {
+ ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
+ InitializationSize = EfiRomHeader->InitializationSize * 512;
- ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
- ImageSize = (UINT32) (EfiRomHeader->InitializationSize * 512);
+ if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
ImageBuffer = (VOID *) (RomBarOffset + ImageOffset);
- ImageLength = ImageSize - (UINT32)ImageOffset;
+ ImageLength = InitializationSize - (UINT32)ImageOffset;
DecompressedImageBuffer = NULL;
//
diff --git a/DuetPkg/PciBusNoEnumerationDxe/PciRomTable.c b/DuetPkg/PciBusNoEnumerationDxe/PciRomTable.c index ed868e2..5085431 100644 --- a/DuetPkg/PciBusNoEnumerationDxe/PciRomTable.c +++ b/DuetPkg/PciBusNoEnumerationDxe/PciRomTable.c @@ -1,6 +1,6 @@ /*++
-Copyright (c) 2005 - 2007, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -133,6 +133,7 @@ Returns: VOID *DecompressedImageBuffer;
UINT32 ImageLength;
EFI_DECOMPRESS_PROTOCOL *Decompress;
+ UINT32 InitializationSize;
RomBar = (VOID *) (UINTN) PciOptionRomDescriptor->RomAddress;
RomSize = (UINTN) PciOptionRomDescriptor->RomLength;
@@ -151,24 +152,44 @@ Returns: EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) (UINTN) RomBarOffset;
- if (EfiRomHeader->Signature != 0xaa55) {
+
+ if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
return retStatus;
}
+ //
+ // If the pointer to the PCI Data Structure is invalid, no further images can be located.
+ // The PCI Data Structure must be DWORD aligned.
+ //
+ if (EfiRomHeader->PcirOffset == 0 ||
+ (EfiRomHeader->PcirOffset & 3) != 0 ||
+ RomBarOffset - (UINTN)RomBar + EfiRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+ break;
+ }
Pcir = (PCI_DATA_STRUCTURE *) (UINTN) (RomBarOffset + EfiRomHeader->PcirOffset);
+ //
+ // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+ //
+ if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
ImageSize = Pcir->ImageLength * 512;
+ if (RomBarOffset - (UINTN)RomBar + ImageSize > RomSize) {
+ break;
+ }
if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
- (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) ) {
+ (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+ ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+ (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
- if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
- (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER) ) {
+ ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
+ InitializationSize = EfiRomHeader->InitializationSize * 512;
- ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
- ImageSize = EfiRomHeader->InitializationSize * 512;
+ if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
ImageBuffer = (VOID *) (UINTN) (RomBarOffset + ImageOffset);
- ImageLength = ImageSize - ImageOffset;
+ ImageLength = InitializationSize - ImageOffset;
DecompressedImageBuffer = NULL;
//
diff --git a/DuetPkg/PciRootBridgeNoEnumerationDxe/Ia32/PcatIo.c b/DuetPkg/PciRootBridgeNoEnumerationDxe/Ia32/PcatIo.c index 7395ce2..fbfc2fa 100644 --- a/DuetPkg/PciRootBridgeNoEnumerationDxe/Ia32/PcatIo.c +++ b/DuetPkg/PciRootBridgeNoEnumerationDxe/Ia32/PcatIo.c @@ -1,6 +1,6 @@ /*++
-Copyright (c) 2005 - 2008, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -436,8 +436,10 @@ CheckForRom ( Pcir.ImageLength = 0;
- if (EfiRomHeader.Signature == 0xaa55) {
-
+ if (EfiRomHeader.Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE &&
+ EfiRomHeader.PcirOffset != 0 &&
+ (EfiRomHeader.PcirOffset & 3) == 0 &&
+ RomBarSize + EfiRomHeader.PcirOffset + sizeof (PCI_DATA_STRUCTURE) <= MaxRomSize) {
ZeroMem (&Pcir, sizeof(Pcir));
IoDev->Mem.Read (
IoDev,
@@ -447,6 +449,12 @@ CheckForRom ( &Pcir
);
+ if (Pcir.Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
+ if (RomBarSize + Pcir.ImageLength * 512 > MaxRomSize) {
+ break;
+ }
if ((Pcir.Indicator & 0x80) == 0x00) {
LastImage = FALSE;
}
diff --git a/DuetPkg/PciRootBridgeNoEnumerationDxe/X64/PcatIo.c b/DuetPkg/PciRootBridgeNoEnumerationDxe/X64/PcatIo.c index 5320f56..1e4c218 100644 --- a/DuetPkg/PciRootBridgeNoEnumerationDxe/X64/PcatIo.c +++ b/DuetPkg/PciRootBridgeNoEnumerationDxe/X64/PcatIo.c @@ -1,6 +1,6 @@ /*++
-Copyright (c) 2005 - 2006, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -436,8 +436,10 @@ CheckForRom ( Pcir.ImageLength = 0;
- if (EfiRomHeader.Signature == 0xaa55) {
-
+ if (EfiRomHeader.Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE &&
+ EfiRomHeader.PcirOffset != 0 &&
+ (EfiRomHeader.PcirOffset & 3) == 0 &&
+ RomBarSize + EfiRomHeader.PcirOffset + sizeof (PCI_DATA_STRUCTURE) <= MaxRomSize) {
ZeroMem (&Pcir, sizeof(Pcir));
IoDev->Mem.Read (
IoDev,
@@ -447,6 +449,12 @@ CheckForRom ( &Pcir
);
+ if (Pcir.Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
+ if (RomBarSize + Pcir.ImageLength * 512 > MaxRomSize) {
+ break;
+ }
if ((Pcir.Indicator & 0x80) == 0x00) {
LastImage = FALSE;
}
diff --git a/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c b/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c index 2ae8dac..744a7e3 100644 --- a/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c +++ b/IntelFrameworkModulePkg/Csm/BiosThunk/Snp16Dxe/BiosSnp16.c @@ -1,6 +1,6 @@ /** @file
-Copyright (c) 1999 - 2010, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 1999 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
@@ -1226,6 +1226,16 @@ Undi16SimpleNetworkLoadUndi ( DEBUG ((DEBUG_INIT, "Option ROM found at %X\n", RomAddress));
+ //
+ // If the pointer to the PCI Data Structure is invalid, no further images can be located.
+ // The PCI Data Structure must be DWORD aligned.
+ //
+ if (PciExpansionRomHeader->PcirOffset == 0 ||
+ (PciExpansionRomHeader->PcirOffset & 3) != 0 ||
+ RomAddress + PciExpansionRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > 0x100000) {
+ break;
+ }
+
PciDataStructure = (PCI_DATA_STRUCTURE *) (RomAddress + PciExpansionRomHeader->PcirOffset);
if (PciDataStructure->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
diff --git a/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c b/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c index 59f6d90..45cdd03 100644 --- a/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c +++ b/IntelFrameworkModulePkg/Csm/LegacyBiosDxe/LegacyPci.c @@ -1,6 +1,6 @@ /** @file
-Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
@@ -304,14 +304,24 @@ GetPciLegacyRom ( BackupImage = NULL;
RomHeader.Raw = *Rom;
while (RomHeader.Generic->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
- if (*ImageSize <
- RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE)
- ) {
- return EFI_NOT_FOUND;
+ if (RomHeader.Generic->PcirOffset == 0 ||
+ (RomHeader.Generic->PcirOffset & 3) !=0 ||
+ *ImageSize < RomHeader.Raw - (UINT8 *) *Rom + RomHeader.Generic->PcirOffset + sizeof (PCI_DATA_STRUCTURE)) {
+ break;
}
Pcir = (PCI_3_0_DATA_STRUCTURE *) (RomHeader.Raw + RomHeader.Generic->PcirOffset);
+ //
+ // Check signature in the PCI Data Structure.
+ //
+ if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
+ if ((UINTN)(RomHeader.Raw - (UINT8 *) *Rom) + Pcir->ImageLength * 512 > *ImageSize) {
+ break;
+ }
+
if (Pcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
Match = FALSE;
if (Pcir->VendorId == VendorId) {
@@ -2875,8 +2885,21 @@ LegacyBiosInstallPciRom ( }
LocalRomImage = *RomImage;
+ if (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE ||
+ ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset == 0 ||
+ (((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset & 3 ) != 0) {
+ mVgaInstallationInProgress = FALSE;
+ return EFI_UNSUPPORTED;
+ }
+
Pcir = (PCI_3_0_DATA_STRUCTURE *)
((UINT8 *) LocalRomImage + ((PCI_EXPANSION_ROM_HEADER *) LocalRomImage)->PcirOffset);
+
+ if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ mVgaInstallationInProgress = FALSE;
+ return EFI_UNSUPPORTED;
+ }
+
ImageSize = Pcir->ImageLength * 512;
if (Pcir->Length >= 0x1C) {
OpromRevision = Pcir->Revision;
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciOptionRomSupport.c b/MdeModulePkg/Bus/Pci/PciBusDxe/PciOptionRomSupport.c index 8fd0b3d..84c6f21 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciOptionRomSupport.c +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciOptionRomSupport.c @@ -1,7 +1,7 @@ /** @file
PCI Rom supporting funtions implementation for PCI Bus module.
-Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -53,6 +53,7 @@ LocalLoadFile2 ( UINT32 ScratchSize;
VOID *Scratch;
EFI_DECOMPRESS_PROTOCOL *Decompress;
+ UINT32 InitializationSize;
EfiOpRomImageNode = (MEDIA_RELATIVE_OFFSET_RANGE_DEVICE_PATH *) FilePath;
if ((EfiOpRomImageNode == NULL) ||
@@ -76,7 +77,7 @@ LocalLoadFile2 ( Pcir = (PCI_DATA_STRUCTURE *) ((UINT8 *) EfiRomHeader + EfiRomHeader->PcirOffset);
-
+ ASSERT (Pcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
(EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
@@ -85,9 +86,14 @@ LocalLoadFile2 ( (EfiRomHeader->CompressionType <= EFI_PCI_EXPANSION_ROM_HEADER_COMPRESSED)
) {
- ImageSize = (UINT32) EfiRomHeader->InitializationSize * 512;
+ ImageSize = Pcir->ImageLength * 512;
+ InitializationSize = (UINT32) EfiRomHeader->InitializationSize * 512;
+ if (InitializationSize > ImageSize || EfiRomHeader->EfiImageHeaderOffset >= InitializationSize) {
+ return EFI_NOT_FOUND;
+ }
+
ImageBuffer = (UINT8 *) EfiRomHeader + EfiRomHeader->EfiImageHeaderOffset;
- ImageLength = ImageSize - EfiRomHeader->EfiImageHeaderOffset;
+ ImageLength = InitializationSize - EfiRomHeader->EfiImageHeaderOffset;
if (EfiRomHeader->CompressionType != EFI_PCI_EXPANSION_ROM_HEADER_COMPRESSED) {
//
@@ -321,23 +327,21 @@ ContainEfiImage ( {
PCI_EXPANSION_ROM_HEADER *RomHeader;
PCI_DATA_STRUCTURE *RomPcir;
- BOOLEAN FirstCheck;
- FirstCheck = TRUE;
- RomHeader = RomImage;
+ RomHeader = RomImage;
+ if (RomHeader == NULL) {
+ return FALSE;
+ }
+ ASSERT (RomHeader->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE);
while ((UINT8 *) RomHeader < (UINT8 *) RomImage + RomSize) {
if (RomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
- if (FirstCheck) {
- return FALSE;
- } else {
- RomHeader = (PCI_EXPANSION_ROM_HEADER *) ((UINT8 *) RomHeader + 512);
- continue;
- }
+ RomHeader = (PCI_EXPANSION_ROM_HEADER *) ((UINT8 *) RomHeader + 512);
+ continue;
}
- FirstCheck = FALSE;
RomPcir = (PCI_DATA_STRUCTURE *) ((UINT8 *) RomHeader + RomHeader->PcirOffset);
+ ASSERT (RomPcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
if (RomPcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) {
return TRUE;
@@ -378,6 +382,7 @@ LoadOpRomImage ( PCI_DATA_STRUCTURE *RomPcir;
UINT64 RomSize;
UINT64 RomImageSize;
+ UINT32 LegacyImageLength;
UINT8 *RomInMemory;
UINT8 CodeType;
@@ -430,6 +435,7 @@ LoadOpRomImage ( RomBarOffset = RomBar;
RetStatus = EFI_NOT_FOUND;
FirstCheck = TRUE;
+ LegacyImageLength = 0;
do {
PciDevice->PciRootBridgeIo->Mem.Read (
@@ -452,6 +458,15 @@ LoadOpRomImage ( FirstCheck = FALSE;
OffsetPcir = RomHeader->PcirOffset;
+ //
+ // If the pointer to the PCI Data Structure is invalid, no further images can be located.
+ // The PCI Data Structure must be DWORD aligned.
+ //
+ if (OffsetPcir == 0 ||
+ (OffsetPcir & 3) != 0 ||
+ RomImageSize + OffsetPcir + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+ break;
+ }
PciDevice->PciRootBridgeIo->Mem.Read (
PciDevice->PciRootBridgeIo,
EfiPciWidthUint8,
@@ -459,8 +474,18 @@ LoadOpRomImage ( sizeof (PCI_DATA_STRUCTURE),
(UINT8 *) RomPcir
);
+ //
+ // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+ //
+ if (RomPcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
+ if (RomImageSize + RomPcir->ImageLength * 512 > RomSize) {
+ break;
+ }
if (RomPcir->CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
CodeType = PCI_CODE_TYPE_PCAT_IMAGE;
+ LegacyImageLength = ((UINT32)((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512) * 512;
}
Indicator = RomPcir->Indicator;
RomImageSize = RomImageSize + RomPcir->ImageLength * 512;
@@ -472,7 +497,7 @@ LoadOpRomImage ( // of the legacy length and the PCIR Image Length
//
if (CodeType == PCI_CODE_TYPE_PCAT_IMAGE) {
- RomImageSize = MAX(RomImageSize, (((EFI_LEGACY_EXPANSION_ROM_HEADER *)RomHeader)->Size512 * 512));
+ RomImageSize = MAX (RomImageSize, LegacyImageLength);
}
if (RomImageSize > 0) {
@@ -635,7 +660,6 @@ ProcessOpRomImage ( EFI_HANDLE ImageHandle;
EFI_STATUS Status;
EFI_STATUS RetStatus;
- BOOLEAN FirstCheck;
EFI_PCI_EXPANSION_ROM_HEADER *EfiRomHeader;
PCI_DATA_STRUCTURE *Pcir;
EFI_DEVICE_PATH_PROTOCOL *PciOptionRomImageDevicePath;
@@ -651,21 +675,21 @@ ProcessOpRomImage ( RomBar = PciDevice->PciIo.RomImage;
RomBarOffset = (UINT8 *) RomBar;
RetStatus = EFI_NOT_FOUND;
- FirstCheck = TRUE;
+
+ if (RomBar == NULL) {
+ return RetStatus;
+ }
+ ASSERT (((EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset)->Signature == PCI_EXPANSION_ROM_HEADER_SIGNATURE);
do {
EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) RomBarOffset;
if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
RomBarOffset += 512;
- if (FirstCheck) {
- break;
- } else {
- continue;
- }
+ continue;
}
- FirstCheck = FALSE;
Pcir = (PCI_DATA_STRUCTURE *) (RomBarOffset + EfiRomHeader->PcirOffset);
+ ASSERT (Pcir->Signature == PCI_DATA_STRUCTURE_SIGNATURE);
ImageSize = (UINT32) (Pcir->ImageLength * 512);
Indicator = Pcir->Indicator;
diff --git a/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c index b0d045d..58531a8 100644 --- a/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c +++ b/OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c @@ -1,7 +1,7 @@ /** @file
Platform BDS customizations.
- Copyright (c) 2004 - 2009, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -1489,6 +1489,7 @@ PciRomLoadEfiDriversFromRomImage ( VOID *DecompressedImageBuffer;
UINT32 ImageLength;
EFI_DECOMPRESS_PROTOCOL *Decompress;
+ UINT32 InitializationSize;
FileName = L"PciRomInMemory";
@@ -1503,24 +1504,43 @@ PciRomLoadEfiDriversFromRomImage ( EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) (UINTN) RomOffset;
- if (EfiRomHeader->Signature != 0xaa55) {
+ if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
return retStatus;
}
+ //
+ // If the pointer to the PCI Data Structure is invalid, no further images can be located.
+ // The PCI Data Structure must be DWORD aligned.
+ //
+ if (EfiRomHeader->PcirOffset == 0 ||
+ (EfiRomHeader->PcirOffset & 3) != 0 ||
+ RomOffset - (UINTN)Rom + EfiRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+ break;
+ }
Pcir = (PCI_DATA_STRUCTURE *) (UINTN) (RomOffset + EfiRomHeader->PcirOffset);
+ //
+ // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+ //
+ if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
ImageSize = Pcir->ImageLength * 512;
+ if (RomOffset - (UINTN)Rom + ImageSize > RomSize) {
+ break;
+ }
if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
- (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) ) {
+ (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+ ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+ (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
- if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
- (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER) ) {
+ ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
+ InitializationSize = EfiRomHeader->InitializationSize * 512;
- ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
- ImageSize = EfiRomHeader->InitializationSize * 512;
+ if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
ImageBuffer = (VOID *) (UINTN) (RomOffset + ImageOffset);
- ImageLength = ImageSize - ImageOffset;
+ ImageLength = InitializationSize - ImageOffset;
DecompressedImageBuffer = NULL;
//
diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/LoadPciRom.c b/ShellPkg/Library/UefiShellDebug1CommandsLib/LoadPciRom.c index 8f10158..afc561f 100644 --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/LoadPciRom.c +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/LoadPciRom.c @@ -1,7 +1,7 @@ /** @file
Main file for LoadPciRom shell Debug1 function.
- Copyright (c) 2005 - 2011, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -221,6 +221,7 @@ LoadEfiDriversFromRomImage ( VOID *DecompressedImageBuffer;
UINT32 ImageLength;
EFI_DECOMPRESS_PROTOCOL *Decompress;
+ UINT32 InitializationSize;
ImageIndex = 0;
ReturnStatus = EFI_NOT_FOUND;
@@ -230,27 +231,46 @@ LoadEfiDriversFromRomImage ( EfiRomHeader = (EFI_PCI_EXPANSION_ROM_HEADER *) (UINTN) RomBarOffset;
- if (EfiRomHeader->Signature != 0xaa55) {
+ if (EfiRomHeader->Signature != PCI_EXPANSION_ROM_HEADER_SIGNATURE) {
ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_LOADPCIROM_CORRUPT), gShellDebug1HiiHandle, FileName, ImageIndex);
// PrintToken (STRING_TOKEN (STR_LOADPCIROM_IMAGE_CORRUPT), HiiHandle, ImageIndex);
return ReturnStatus;
}
+ //
+ // If the pointer to the PCI Data Structure is invalid, no further images can be located.
+ // The PCI Data Structure must be DWORD aligned.
+ //
+ if (EfiRomHeader->PcirOffset == 0 ||
+ (EfiRomHeader->PcirOffset & 3) != 0 ||
+ RomBarOffset - (UINTN)RomBar + EfiRomHeader->PcirOffset + sizeof (PCI_DATA_STRUCTURE) > RomSize) {
+ break;
+ }
+
Pcir = (PCI_DATA_STRUCTURE *) (UINTN) (RomBarOffset + EfiRomHeader->PcirOffset);
+ //
+ // If a valid signature is not present in the PCI Data Structure, no further images can be located.
+ //
+ if (Pcir->Signature != PCI_DATA_STRUCTURE_SIGNATURE) {
+ break;
+ }
ImageSize = Pcir->ImageLength * 512;
+ if (RomBarOffset - (UINTN)RomBar + ImageSize > RomSize) {
+ break;
+ }
if ((Pcir->CodeType == PCI_CODE_TYPE_EFI_IMAGE) &&
- (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE)
- ) {
+ (EfiRomHeader->EfiSignature == EFI_PCI_EXPANSION_ROM_HEADER_EFISIGNATURE) &&
+ ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
+ (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER))) {
+
+ ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
+ InitializationSize = EfiRomHeader->InitializationSize * 512;
- if ((EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) ||
- (EfiRomHeader->EfiSubsystem == EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER)
- ) {
- ImageOffset = EfiRomHeader->EfiImageHeaderOffset;
- ImageSize = EfiRomHeader->InitializationSize * 512;
+ if (InitializationSize <= ImageSize && ImageOffset < InitializationSize) {
ImageBuffer = (VOID *) (UINTN) (RomBarOffset + ImageOffset);
- ImageLength = ImageSize - ImageOffset;
+ ImageLength = InitializationSize - ImageOffset;
DecompressedImageBuffer = NULL;
//
|