From: Ruiyu Ni
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek, Ard Biesheuvel
Date: Tue, 10 Oct 2017 16:58:03 +0800
Message-Id: <20171010085803.307284-1-ruiyu.ni@intel.com>
Subject: [edk2] [PATCH] MdeModulePkg/Bds: Check variable name even OptionNumber is NULL

The current implementation skips checking whether the last four characters are digits when OptionNumber is NULL. Even worse, it may incorrectly return FALSE when OptionNumber is NULL.

The patch fixes it to always check the variable name even if OptionNumber is NULL.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Reviewed-by: Laszlo Ersek
--- .../Library/UefiBootManagerLib/BmLoadOption.c | 45 ++++++++++++++----= ---- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c b/MdeMo= dulePkg/Library/UefiBootManagerLib/BmLoadOption.c index b0a35058d0..32918caf32 100644 --- a/MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c +++ b/MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c @@ -785,6 +785,8 @@ EfiBootManagerIsValidLoadOptionVariableName ( UINTN VariableNameLen; UINTN Index; UINTN Uint; + EFI_BOOT_MANAGER_LOAD_OPTION_TYPE LocalOptionType; + UINT16 LocalOptionNumber; =20 if (VariableName =3D=3D NULL) { return FALSE; 
@@ -792,39 +794,52 @@ EfiBootManagerIsValidLoadOptionVariableName ( =20 VariableNameLen =3D StrLen (VariableName); =20 + // + // Return FALSE when the variable name length is too small. + // if (VariableNameLen <=3D 4) { return FALSE; } =20 - for (Index =3D 0; Index < ARRAY_SIZE (mBmLoadOptionName); Index++) { - if ((VariableNameLen - 4 =3D=3D StrLen (mBmLoadOptionName[Index])) && - (StrnCmp (VariableName, mBmLoadOptionName[Index], VariableNameLen = - 4) =3D=3D 0) + // + // Return FALSE when the variable name doesn't start with Driver/SysPrep= /Boot/PlatformRecovery. + // + for (LocalOptionType =3D 0; LocalOptionType < ARRAY_SIZE (mBmLoadOptionN= ame); LocalOptionType++) { + if ((VariableNameLen - 4 =3D=3D StrLen (mBmLoadOptionName[LocalOptionT= ype])) && + (StrnCmp (VariableName, mBmLoadOptionName[LocalOptionType], Variab= leNameLen - 4) =3D=3D 0) ) { break; } } + if (LocalOptionType =3D=3D ARRAY_SIZE (mBmLoadOptionName)) { + return FALSE; + } =20 - if (Index =3D=3D ARRAY_SIZE (mBmLoadOptionName)) { + // + // Return FALSE when the last four characters are not hex digits. 
+ // + LocalOptionNumber =3D 0; + for (Index =3D VariableNameLen - 4; Index < VariableNameLen; Index++) { + Uint =3D BmCharToUint (VariableName[Index]); + if (Uint =3D=3D -1) { + break; + } else { + LocalOptionNumber =3D (UINT16) Uint + LocalOptionNumber * 0x10; + } + } + if (Index !=3D VariableNameLen) { return FALSE; } =20 if (OptionType !=3D NULL) { - *OptionType =3D (EFI_BOOT_MANAGER_LOAD_OPTION_TYPE) Index; + *OptionType =3D LocalOptionType; } =20 if (OptionNumber !=3D NULL) { - *OptionNumber =3D 0; - for (Index =3D VariableNameLen - 4; Index < VariableNameLen; Index++) { - Uint =3D BmCharToUint (VariableName[Index]); - if (Uint =3D=3D -1) { - break; - } else { - *OptionNumber =3D (UINT16) Uint + *OptionNumber * 0x10; - } - } + *OptionNumber =3D LocalOptionNumber; } =20 - return (BOOLEAN) (Index =3D=3D VariableNameLen); + return TRUE; } =20 /** --=20 2.12.2.windows.2
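
Review bot: In the declarations added at @@ -785, LocalOptionType is typed as EFI_BOOT_MANAGER_LOAD_OPTION_TYPE, yet the second hunk uses it as the loop counter (`LocalOptionType = 0`, `LocalOptionType++`) and compares it with ARRAY_SIZE (mBmLoadOptionName). The enum variable therefore holds a one-past-the-end table index on the not-found path, and the comparison mixes an enum with an unsigned size, which some toolchains warn about. Consider keeping a UINTN counter for the prefix search and converting once when the match is stored, as the removed line `*OptionType = (EFI_BOOT_MANAGER_LOAD_OPTION_TYPE) Index;` did.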
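
Review bot: In the new hex-digit loop at @@ -792, `if (Uint == -1)` compares a variable declared as `UINTN Uint;` with a signed literal, so the failure check depends on implicit conversion of -1 to UINTN. Writing the sentinel as `(UINTN) -1` would make the intent explicit and keep signed/unsigned comparison warnings quiet. The rest of the hunk does what a validator should: the type prefix and all four trailing characters are checked before either output pointer is written, and the result no longer depends on whether the caller passes OptionNumber. Since that is now the contract, the function header comment should state that OptionType and OptionNumber are optional and are only written when the function returns TRUE.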