authorRyan Harkin <ryan.harkin@linaro.org>2013-04-18 17:19:36 +0100
committerRyan Harkin <ryan.harkin@linaro.org>2013-04-18 17:19:36 +0100
commit09259ca7b67143923d74f521a4f9b115489083cc (patch)
treece2dc3fb377cd4c59b485a8a7c1d1660c63a2edb /MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
parent5b5852f667ba046ead4fd5029b25bff08eac0a94 (diff)
parent4cbfd417d24602d2d9c05cc5693a6e6087d1c96d (diff)
Merge branch 'linaro-release' of git://git.linaro.org/arm/uefi/uefi-nextlinaro-uefi-2013.04
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
Diffstat (limited to 'MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c')
-rw-r--r--MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c30
1 files changed, 30 insertions, 0 deletions
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
index 2a59ac16f..2fca25981 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -198,6 +198,16 @@ RuntimeServiceGetVariable (
return EFI_INVALID_PARAMETER;
}
+ if (*DataSize >= mVariableBufferSize) {
+ //
+ // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+ // overflow to a small value and pass the check in InitCommunicateBuffer().
+ // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
+ // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+ //
+ return EFI_INVALID_PARAMETER;
+ }
+
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
//
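Review bot: In RuntimeServiceGetVariable the new guard treats `*DataSize` as a payload length, but on the Get path it is the capacity of the caller's buffer. A caller that passes a buffer at least as large as mVariableBufferSize is therefore rejected with EFI_INVALID_PARAMETER even when the stored variable is small. The same applies to `*VariableNameSize` in the RuntimeServiceGetNextVariableName hunk. Taking a local copy, for example `TempDataSize = *DataSize;`, and clamping it to the space left in the communicate buffer would keep the overflow protection without failing those calls. The PayLoadSize computation is outside the hunk; if it reads through the pointer again, it should use the local so that the checked value and the used value cannot differ.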
@@ -275,6 +285,16 @@ RuntimeServiceGetNextVariableName (
return EFI_INVALID_PARAMETER;
}
+ if (*VariableNameSize >= mVariableBufferSize) {
+ //
+ // VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+ // overflow to a small value and pass the check in InitCommunicateBuffer().
+ // To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.
+ // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+ //
+ return EFI_INVALID_PARAMETER;
+ }
+
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
//
@@ -355,6 +375,16 @@ RuntimeServiceSetVariable (
return EFI_INVALID_PARAMETER;
}
+ if (DataSize >= mVariableBufferSize) {
+ //
+ // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to
+ // overflow to a small value and pass the check in InitCommunicateBuffer().
+ // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.
+ // And there will be further check to ensure the total size is also not > mVariableBufferSize.
+ //
+ return EFI_INVALID_PARAMETER;
+ }
+
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
//
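Review bot: This guard in RuntimeServiceSetVariable, like the two above it, runs in the runtime DXE wrapper, on the caller's side of the SMM communication boundary. It protects the wrapper's own PayLoadSize arithmetic but cannot be the only bound on what the SMM handler later parses. The comment's "further check" is not visible in these hunks and presumably means InitCommunicateBuffer(). Once that is confirmed, I would name it, e.g. `// InitCommunicateBuffer() then rejects a total PayloadSize > mVariableBufferSize.`, and confirm separately that the SMM-side handler bounds the sizes it reads from the communicate buffer. The function body continues outside the hunk.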