If DataSize or VariableNameSize is near MAX_ADDRESS, this can cause the computed PayLoadSize to overflow to a small value and pass the check in InitCommunicateBuffer(). To protect against this vulnerability, check DataSize and VariableNameSize to make sure PayloadSize doesn't overflow.

Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14252 6f19259b-4bc3-4df7-8a09-765794883524

2 files changed, 35 insertions, 0 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index 10915e45b..1595c8c20 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -3224,6 +3224,11 @@ VariableCommonInitialize (
   ASSERT(VariableStoreHeader->Size == VariableStoreLength);

 

   //

+  // The max variable or hardware error variable size should be < variable store size.

+  //

+  ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);

+

+  //

   // Parse non-volatile variable data and get last variable offset.

   //

   NextVariable  = GetStartPointer ((VARIABLE_STORE_HEADER *)(UINTN)VariableStoreBase);

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
index a785476ff..103a12914 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -214,6 +214,16 @@ RuntimeServiceGetVariable (
     return EFI_INVALID_PARAMETER;

   }

 

+  if (*DataSize >= mVariableBufferSize) {

+    //

+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to

+    // overflow to a small value and pass the check in InitCommunicateBuffer().

+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.

+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.

+    //

+    return EFI_INVALID_PARAMETER;

+  }

+

   AcquireLockOnlyAtBootTime(&mVariableServicesLock);

 

   //

@@ -291,6 +301,16 @@ RuntimeServiceGetNextVariableName (
     return EFI_INVALID_PARAMETER;

   }

 

+  if (*VariableNameSize >= mVariableBufferSize) {

+    //

+    // VariableNameSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to

+    // overflow to a small value and pass the check in InitCommunicateBuffer().

+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if VariableNameSize is >= mVariableBufferSize.

+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.

+    //

+    return EFI_INVALID_PARAMETER;

+  }

+

   AcquireLockOnlyAtBootTime(&mVariableServicesLock);

 

   //

@@ -374,6 +394,16 @@ RuntimeServiceSetVariable (
     return EFI_INVALID_PARAMETER;

   }

 

+  if (DataSize >= mVariableBufferSize) {

+    //

+    // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to

+    // overflow to a small value and pass the check in InitCommunicateBuffer().

+    // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.

+    // And there will be further check to ensure the total size is also not > mVariableBufferSize.

+    //

+    return EFI_INVALID_PARAMETER;

+  }

+

   AcquireLockOnlyAtBootTime(&mVariableServicesLock);

  

   //