authoroliviermartin <oliviermartin@6f19259b-4bc3-4df7-8a09-765794883524>2011-12-13 09:42:36 +0000
committeroliviermartin <oliviermartin@6f19259b-4bc3-4df7-8a09-765794883524>2011-12-13 09:42:36 +0000
commit299e86794b3a616d591066d1bae386bbf0ad9e88 (patch)
tree743fefa87f8d1d259e10352dc8134d6a002730fc
parenta24cd13c8e8c17822731e2c6f827667528ce3fee (diff)
SecurityPkg/VariableAuthenticated: Check if there is a NV Variable Storage header prior to use its attributes
The Variable PEI and RuntimeDxe drivers were using the attribute 'HeaderLength' of EFI_FIRMWARE_VOLUME_HEADER without checking whether a Firmware Volume Header exists at the base address. If the Firmware Volume Header does not exist or is corrupted, the attribute 'HeaderLength' holds an invalid value, which can lead to an invalid physical address that produces an access error when it is accessed. Signed-off-by: oliviermartin Reviewed-by: rsun3 Reviewed-by: niruiyu git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk@12845 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r--edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.c9
-rw-r--r--edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.h1
-rw-r--r--edk2/SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf1
-rw-r--r--edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c13
-rw-r--r--edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h1
-rw-r--r--edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf1
-rw-r--r--edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf1
7 files changed, 26 insertions, 1 deletions
diff --git a/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.c b/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.c
index 7549be2dc..d27f67907 100644
--- a/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.c
+++ b/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.c
@@ -359,6 +359,15 @@ GetVariableStore (
PcdGet64 (PcdFlashNvStorageVariableBase64) :
PcdGet32 (PcdFlashNvStorageVariableBase)
);
+
+ //
+ // Check if the Firmware Volume is not corrupted
+ //
+ if ((FvHeader->Signature != EFI_FVH_SIGNATURE) || (!CompareGuid (&gEfiSystemNvDataFvGuid, &FvHeader->FileSystemGuid))) {
+ DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));
+ break;
+ }
+
VariableStoreHeader = (VARIABLE_STORE_HEADER *) ((UINT8 *) FvHeader + FvHeader->HeaderLength);
if (IndexTable != NULL) {
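Review bot: `FvHeader->HeaderLength` is still used unvalidated after the new check: a header whose `Signature` and `FileSystemGuid` are intact but whose length field is damaged passes the test and still yields an out-of-range `VariableStoreHeader`. The guard should also bound the length, for example by adding `(FvHeader->HeaderLength < sizeof (EFI_FIRMWARE_VOLUME_HEADER))` as a third condition, and ideally verify the header checksum and compare the length with the size of the NV variable region. The same gap is in the `VariableCommonInitialize` hunk of RuntimeDxe/Variable.c, which apparently also builds into the SMM driver, since VariableSmm.inf receives the same GUID. The `break` leaves a construct that starts outside this hunk, so what `VariableStoreHeader` holds on that path is not visible here; it presumably needs to be NULL, which is worth confirming.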
diff --git a/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.h b/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.h
index 75d32dac5..a85d3bbab 100644
--- a/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.h
+++ b/edk2/SecurityPkg/VariableAuthenticated/Pei/Variable.h
@@ -29,6 +29,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/VariableIndexTable.h>
+#include <Guid/SystemNvDataGuid.h>
typedef enum {
VariableStoreTypeHob,
diff --git a/edk2/SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf b/edk2/SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf
index 7863293ff..e74143cd1 100644
--- a/edk2/SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf
+++ b/edk2/SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf
@@ -46,6 +46,7 @@
[Guids]
gEfiAuthenticatedVariableGuid
gEfiVariableIndexTableGuid
+ gEfiSystemNvDataFvGuid
[Ppis]
gEfiPeiReadOnlyVariable2PpiGuid ## SOMETIMES_PRODUCES (Not for boot mode RECOVERY)
diff --git a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index 7d0d21502..e3fc48b49 100644
--- a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -1157,7 +1157,7 @@ VariableGetBestLanguage (
**/
VOID
-AutoUpdateLangVariable(
+AutoUpdateLangVariable (
IN CHAR16 *VariableName,
IN VOID *Data,
IN UINTN DataSize
@@ -2616,6 +2616,17 @@ VariableCommonInitialize (
if (TempVariableStoreHeader == 0) {
TempVariableStoreHeader = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);
}
+
+ //
+ // Check if the Firmware Volume is not corrupted
+ //
+ if ((((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->Signature != EFI_FVH_SIGNATURE) ||
+ (!CompareGuid (&gEfiSystemNvDataFvGuid, &((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))->FileSystemGuid))) {
+ Status = EFI_VOLUME_CORRUPTED;
+ DEBUG ((EFI_D_ERROR, "Firmware Volume for Variable Store is corrupted\n"));
+ goto Done;
+ }
+
VariableStoreBase = TempVariableStoreHeader + \
(((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader)) -> HeaderLength);
VariableStoreLength = (UINT64) PcdGet32 (PcdFlashNvStorageVariableSize) - \
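Review bot: The cast `((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)(TempVariableStoreHeader))` is now written three times in these lines, which makes the condition hard to read and easy to get subtly wrong on a later edit. A local such as `FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN) TempVariableStoreHeader;` would let the check read `FvHeader->Signature != EFI_FVH_SIGNATURE`, as the PEI version does; its declaration would go at the top of `VariableCommonInitialize`, outside this hunk. The `Done` label is also outside the hunk, so whether it releases what was allocated earlier in the function cannot be confirmed from here.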
diff --git a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
index 91c7b4aac..58d1e5a8c 100644
--- a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
+++ b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
@@ -39,6 +39,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Guid/EventGroup.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h>
+#include <Guid/SystemNvDataGuid.h>
#define VARIABLE_RECLAIM_THRESHOLD (1024)
diff --git a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
index 7fcb640de..70717c457 100644
--- a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
@@ -73,6 +73,7 @@
gEfiCertPkcs7Guid
gEfiCertRsa2048Guid
gEfiSecureBootEnableDisableGuid
+ gEfiSystemNvDataFvGuid ## CONSUMES
[Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
diff --git a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
index 628c9829f..84762dc40 100644
--- a/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
+++ b/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
@@ -78,6 +78,7 @@
gEfiCertPkcs7Guid
gEfiCertRsa2048Guid
gEfiSecureBootEnableDisableGuid
+ gEfiSystemNvDataFvGuid ## CONSUMES
[Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize