Changeset 58459 in vbox for trunk/src/VBox/Devices/EFI/Firmware/MdeModulePkg/Universal/LockBox

Timestamp:

Oct 28, 2015 8:17:18 PM (9 years ago)

Author:

vboxsync

Message:

EFI/Firmware: 'svn merge ^{/vendor/edk2/UDK2010.SR1} /vendor/edk2/current .', reverting and removing files+dirs listed in ReadMe.vbox, resolving conflicts with help from ../UDK2014.SP1/. This is a raw untested merge.

Location:

trunk/src/VBox/Devices/EFI/Firmware

Files:

• . (modified) (1 prop)
• MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c (modified) (18 diffs)
• MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf (modified) (4 diffs)

trunk/src/VBox/Devices/EFI/Firmware/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c

@@ -1 +1 @@
 /** @file
-
-Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
+  LockBox SMM driver.
+  
+  Caution: This module requires additional review when modified.
+  This driver will have external input - communicate buffer in SMM mode.
+  This external input must be validated carefully to avoid security issue like
+  buffer overflow, integer overflow.
+  
+  SmmLockBoxHandler(), SmmLockBoxRestore(), SmmLockBoxUpdate(), SmmLockBoxSave()
+  will receive untrusted input and do basic validation.
+
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
 
 This program and the accompanying materials
@@ -22 +31 @@
 #include <Library/BaseMemoryLib.h>
 #include <Library/DebugLib.h>
+#include <Library/SmmMemLib.h>
 #include <Library/LockBoxLib.h>
+
 #include <Protocol/SmmReadyToLock.h>
 #include <Protocol/SmmCommunication.h>
-#include <Protocol/SmmAccess2.h>
 #include <Protocol/LockBox.h>
 #include <Guid/SmmLockBox.h>
@@ -31 +41 @@
 BOOLEAN              mLocked = FALSE;
 
-EFI_SMRAM_DESCRIPTOR *mSmramRanges;
-UINTN                mSmramRangeCount;
-
-/**
-  This function check if the address is in SMRAM.
-
-  @param Buffer  the buffer address to be checked.
-  @param Length  the buffer length to be checked.
-
-  @retval TRUE  this address is in SMRAM.
-  @retval FALSE this address is NOT in SMRAM.
-**/
-BOOLEAN
-IsAddressInSmram (
-  IN EFI_PHYSICAL_ADDRESS  Buffer,
-  IN UINT64                Length
-  )
-{
-  UINTN  Index;
-
-  for (Index = 0; Index < mSmramRangeCount; Index ++) {
-    if (((Buffer >= mSmramRanges[Index].CpuStart) && (Buffer < mSmramRanges[Index].CpuStart + mSmramRanges[Index].PhysicalSize)) ||
-        ((mSmramRanges[Index].CpuStart >= Buffer) && (mSmramRanges[Index].CpuStart < Buffer + Length))) {
-      return TRUE;
-    }
-  }
-
-  return FALSE;
-}
-
 /**
   Dispatch function for SMM lock box save.
+
+  Caution: This function may receive untrusted input.
+  Restore buffer and length are external input, so this function will validate
+  it is in SMRAM.
 
   @param LockBoxParameterSave  parameter of lock box save 
@@ -72 +56 @@
 {
   EFI_STATUS                  Status;
+  EFI_SMM_LOCK_BOX_PARAMETER_SAVE TempLockBoxParameterSave;
 
   //
@@ -82 +67 @@
   }
 
+  CopyMem (&TempLockBoxParameterSave, LockBoxParameterSave, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_SAVE));
+
+  //
+  // Sanity check
+  //
+  if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterSave.Buffer, (UINTN)TempLockBoxParameterSave.Length)) {
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Save address in SMRAM or buffer overflow!\n"));
+    LockBoxParameterSave->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
+    return ;
+  }
+
   //
   // Save data
   //
   Status = SaveLockBox (
-             &LockBoxParameterSave->Guid,
-             (VOID *)(UINTN)LockBoxParameterSave->Buffer,
-             (UINTN)LockBoxParameterSave->Length
+             &TempLockBoxParameterSave.Guid,
+             (VOID *)(UINTN)TempLockBoxParameterSave.Buffer,
+             (UINTN)TempLockBoxParameterSave.Length
              );
   LockBoxParameterSave->Header.ReturnStatus = (UINT64)Status;
@@ -105 +101 @@
 {
   EFI_STATUS                    Status;
+  EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES TempLockBoxParameterSetAttributes;
 
   //
@@ -115 +112 @@
   }
 
+  CopyMem (&TempLockBoxParameterSetAttributes, LockBoxParameterSetAttributes, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES));
+
   //
   // Update data
   //
   Status = SetLockBoxAttributes (
-             &LockBoxParameterSetAttributes->Guid,
-             LockBoxParameterSetAttributes->Attributes
+             &TempLockBoxParameterSetAttributes.Guid,
+             TempLockBoxParameterSetAttributes.Attributes
              );
   LockBoxParameterSetAttributes->Header.ReturnStatus = (UINT64)Status;
@@ -129 +128 @@
   Dispatch function for SMM lock box update.
 
+  Caution: This function may receive untrusted input.
+  Restore buffer and length are external input, so this function will validate
+  it is in SMRAM.
+
   @param LockBoxParameterUpdate  parameter of lock box update 
 **/
@@ -137 +140 @@
 {
   EFI_STATUS                    Status;
+  EFI_SMM_LOCK_BOX_PARAMETER_UPDATE TempLockBoxParameterUpdate;
 
   //
@@ -147 +151 @@
   }
 
+  CopyMem (&TempLockBoxParameterUpdate, LockBoxParameterUpdate, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_UPDATE));
+
+  //
+  // Sanity check
+  //
+  if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterUpdate.Buffer, (UINTN)TempLockBoxParameterUpdate.Length)) {
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM or buffer overflow!\n"));
+    LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
+    return ;
+  }
+
   //
   // Update data
   //
   Status = UpdateLockBox (
-             &LockBoxParameterUpdate->Guid,
-             (UINTN)LockBoxParameterUpdate->Offset,
-             (VOID *)(UINTN)LockBoxParameterUpdate->Buffer,
-             (UINTN)LockBoxParameterUpdate->Length
+             &TempLockBoxParameterUpdate.Guid,
+             (UINTN)TempLockBoxParameterUpdate.Offset,
+             (VOID *)(UINTN)TempLockBoxParameterUpdate.Buffer,
+             (UINTN)TempLockBoxParameterUpdate.Length
              );
   LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)Status;
@@ -163 +178 @@
   Dispatch function for SMM lock box restore.
 
+  Caution: This function may receive untrusted input.
+  Restore buffer and length are external input, so this function will validate
+  it is in SMRAM.
+
   @param LockBoxParameterRestore  parameter of lock box restore 
 **/
@@ -171 +190 @@
 {
   EFI_STATUS                     Status;
-
-  //
-  // Sanity check
-  //
-  if (IsAddressInSmram (LockBoxParameterRestore->Buffer, LockBoxParameterRestore->Length)) {
-    DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM!\n"));
+  EFI_SMM_LOCK_BOX_PARAMETER_RESTORE TempLockBoxParameterRestore;
+
+  CopyMem (&TempLockBoxParameterRestore, LockBoxParameterRestore, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_RESTORE));
+
+  //
+  // Sanity check
+  //
+  if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterRestore.Buffer, (UINTN)TempLockBoxParameterRestore.Length)) {
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM or buffer overflow!\n"));
     LockBoxParameterRestore->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
     return ;
@@ -184 +206 @@
   // Restore data
   //
-  if ((LockBoxParameterRestore->Length == 0) && (LockBoxParameterRestore->Buffer == 0)) {
+  if ((TempLockBoxParameterRestore.Length == 0) && (TempLockBoxParameterRestore.Buffer == 0)) {
     Status = RestoreLockBox (
-               &LockBoxParameterRestore->Guid,
+               &TempLockBoxParameterRestore.Guid,
                NULL,
                NULL
@@ -192 +214 @@
   } else {
     Status = RestoreLockBox (
-               &LockBoxParameterRestore->Guid,
-               (VOID *)(UINTN)LockBoxParameterRestore->Buffer,
-               (UINTN *)&LockBoxParameterRestore->Length
+               &TempLockBoxParameterRestore.Guid,
+               (VOID *)(UINTN)TempLockBoxParameterRestore.Buffer,
+               (UINTN *)&TempLockBoxParameterRestore.Length
                );
   }
@@ -220 +242 @@
 /**
   Dispatch function for a Software SMI handler.
+
+  Caution: This function may receive untrusted input.
+  Communicate buffer and buffer size are external input, so this function will do basic validation.
 
   @param DispatchHandle  The unique handle assigned to this handler by SmiHandlerRegister().
@@ -241 +266 @@
 {
   EFI_SMM_LOCK_BOX_PARAMETER_HEADER *LockBoxParameterHeader;
+  UINTN                             TempCommBufferSize;
 
   DEBUG ((EFI_D_ERROR, "SmmLockBox SmmLockBoxHandler Enter\n"));
+
+  //
+  // If input is invalid, stop processing this SMI
+  //
+  if (CommBuffer == NULL || CommBufferSize == NULL) {
+    return EFI_SUCCESS;
+  }
+
+  TempCommBufferSize = *CommBufferSize;
+
+  //
+  // Sanity check
+  //
+  if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_HEADER)) {
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size invalid!\n"));
+    return EFI_SUCCESS;
+  }
+  if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM or overflow!\n"));
+    return EFI_SUCCESS;
+  }
 
   LockBoxParameterHeader = (EFI_SMM_LOCK_BOX_PARAMETER_HEADER *)((UINTN)CommBuffer);
@@ -254 +301 @@
   switch (LockBoxParameterHeader->Command) {
   case EFI_SMM_LOCK_BOX_COMMAND_SAVE:
+    if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SAVE)) {
+      DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SAVE invalid!\n"));
+      break;
+    }
     SmmLockBoxSave ((EFI_SMM_LOCK_BOX_PARAMETER_SAVE *)(UINTN)LockBoxParameterHeader);
     break;
   case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:
+    if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_UPDATE)) {
+      DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for UPDATE invalid!\n"));
+      break;
+    }
     SmmLockBoxUpdate ((EFI_SMM_LOCK_BOX_PARAMETER_UPDATE *)(UINTN)LockBoxParameterHeader);
     break;
   case EFI_SMM_LOCK_BOX_COMMAND_RESTORE:
+    if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE)) {
+      DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for RESTORE invalid!\n"));
+      break;
+    }
     SmmLockBoxRestore ((EFI_SMM_LOCK_BOX_PARAMETER_RESTORE *)(UINTN)LockBoxParameterHeader);
     break;
   case EFI_SMM_LOCK_BOX_COMMAND_SET_ATTRIBUTES:
+    if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES)) {
+      DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for SET_ATTRIBUTES invalid!\n"));
+      break;
+    }
     SmmLockBoxSetAttributes ((EFI_SMM_LOCK_BOX_PARAMETER_SET_ATTRIBUTES *)(UINTN)LockBoxParameterHeader);
     break;
   case EFI_SMM_LOCK_BOX_COMMAND_RESTORE_ALL_IN_PLACE:
+    if (TempCommBufferSize < sizeof(EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE)) {
+      DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer Size for RESTORE_ALL_IN_PLACE invalid!\n"));
+      break;
+    }
     SmmLockBoxRestoreAllInPlace ((EFI_SMM_LOCK_BOX_PARAMETER_RESTORE_ALL_IN_PLACE *)(UINTN)LockBoxParameterHeader);
     break;
   default:
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Command invalid!\n"));
     break;
   }
@@ -321 +389 @@
   EFI_HANDLE                    DispatchHandle;
   VOID                          *Registration;
-  EFI_SMM_ACCESS2_PROTOCOL      *SmmAccess;
-  UINTN                         Size;
-
-  //
-  // Get SMRAM information
-  //
-  Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);
-  ASSERT_EFI_ERROR (Status);
-
-  Size = 0;
-  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);
-  ASSERT (Status == EFI_BUFFER_TOO_SMALL);
-
-  Status = gSmst->SmmAllocatePool (
-                    EfiRuntimeServicesData,
-                    Size,
-                    (VOID **)&mSmramRanges
-                    );
-  ASSERT_EFI_ERROR (Status);
-
-  Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmramRanges);
-  ASSERT_EFI_ERROR (Status);
-
-  mSmramRangeCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);
 
   //

trunk/src/VBox/Devices/EFI/Firmware/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf

@@ -1 +1 @@
 ## @file
-#  Component description file for LockBox SMM driver.
+#  LockBox SMM driver.
 #
-#  Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+#  Caution: This module requires additional review when modified.
+#  This driver will have external input - communicate buffer in SMM mode.
+#  This external input must be validated carefully to avoid security issue like
+#  buffer overflow, integer overflow.
+#
+#  Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
 #
 #  This program and the accompanying materials
@@ -18 +23 @@
   INF_VERSION                    = 0x00010005
   BASE_NAME                      = SmmLockBox
+  MODULE_UNI_FILE                = SmmLockBox.uni
   FILE_GUID                      = 33FB3535-F15E-4c17-B303-5EB94595ECB6
   MODULE_TYPE                    = DXE_SMM_DRIVER
@@ -40 +46 @@
   UefiDriverEntryPoint
   UefiBootServicesTableLib
-  UefiRuntimeServicesTableLib
   SmmServicesTableLib
   BaseLib
@@ -46 +51 @@
   DebugLib
   LockBoxLib
+  SmmMemLib
 
 [Guids]
-  gEfiSmmLockBoxCommunicationGuid    ## PRODUCED
+  gEfiSmmLockBoxCommunicationGuid   ## PRODUCES ## GUID # SmiHandlerRegister
 
 [Protocols]
-  gEfiSmmReadyToLockProtocolGuid     ## CONSUMED
-  gEfiSmmAccess2ProtocolGuid         ## CONSUMED
-  gEfiLockBoxProtocolGuid            ## PRODUCED
+  gEfiSmmReadyToLockProtocolGuid    ## NOTIFY
+  gEfiLockBoxProtocolGuid           ## PRODUCES
 
 [Depex]
-  gEfiSmmSwDispatch2ProtocolGuid
+  TRUE
 
+[UserExtensions.TianoCore."ExtraFiles"]
+  SmmLockBoxExtra.uni