packages/edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
edk2/0014-MdeModulePkg-Core-Dxe-assert-SectionInstance-invariant-in-FindChildNode.patch
Jiajie Li 30b95c6463 Fix CVE-2021-28210 
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-28 16:42:40 +08:00

107 lines
4.2 KiB
Diff
Executable File
Raw Blame History

From 4ea70df0973caf3763aa306e8d6571fc37aa35e5 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 28 Sep 2020 16:29:01 +0200
Subject: [PATCH v2 1/2] MdeModulePkg/Core/Dxe: assert SectionInstance
invariant in FindChildNode()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FindChildNode() has two callers: GetSection(), and FindChildNode() itself.
- At the GetSection() call site, a positive (i.e., nonzero)
SectionInstance is passed. This is because GetSection() takes a
zero-based (UINTN) SectionInstance, and then passes
Instance=(SectionInstance+1) to FindChildNode().
- For reaching the recursive FindChildNode() call site, a section type
mismatch, or a section instance mismatch, is necessary. This means,
respectively, that SectionInstance will either not have been decreased,
or not to zero anyway, at the recursive FindChildNode() call site.
Add two ASSERT()s to FindChildNode(), for expressing the (SectionSize>0)
invariant.
In turn, the invariant provides the explanation why, after the recursive
call, a zero SectionInstance implies success. Capture it in a comment.
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
Notes:
v2:
- no change
MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c | 23 +++++++++++++++-----
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c b/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
index d678166db475..d7f7ef427422 100644
--- a/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
+++ b/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
@@ -952,8 +952,8 @@ CreateChildNode (
search.
@param SearchType Indicates the type of section to search for.
@param SectionInstance Indicates which instance of section to find.
- This is an in/out parameter to deal with
- recursions.
+ This is an in/out parameter and it is 1-based,
+ to deal with recursions.
@param SectionDefinitionGuid Guid of section definition
@param FoundChild Output indicating the child node that is found.
@param FoundStream Output indicating which section stream the child
@@ -988,6 +988,8 @@ FindChildNode (
EFI_STATUS ErrorStatus;
EFI_STATUS Status;
+ ASSERT (*SectionInstance > 0);
+
CurrentChildNode = NULL;
ErrorStatus = EFI_NOT_FOUND;
@@ -1037,6 +1039,11 @@ FindChildNode (
}
}
+ //
+ // Type mismatch, or we haven't found the desired instance yet.
+ //
+ ASSERT (*SectionInstance > 0);
+
if (CurrentChildNode->EncapsulatedStreamHandle != NULL_STREAM_HANDLE) {
//
// If the current node is an encapsulating node, recurse into it...
@@ -1050,16 +1057,20 @@ FindChildNode (
&RecursedFoundStream,
AuthenticationStatus
);
- //
- // If the status is not EFI_SUCCESS, just save the error code and continue
- // to find the request child node in the rest stream.
- //
if (*SectionInstance == 0) {
+ //
+ // The recursive FindChildNode() call decreased (*SectionInstance) to
+ // zero.
+ //
ASSERT_EFI_ERROR (Status);
*FoundChild = RecursedChildNode;
*FoundStream = RecursedFoundStream;
return EFI_SUCCESS;
} else {
+ //
+ // If the status is not EFI_SUCCESS, just save the error code and
+ // continue to find the request child node in the rest stream.
+ //
ErrorStatus = Status;
}
} else if ((CurrentChildNode->Type == EFI_SECTION_GUID_DEFINED) && (SearchType != EFI_SECTION_GUID_DEFINED)) {
--
2.19.1.3.g30247aa5d201
Reference in New Issue View Git Blame Copy Permalink