/**
This function checks if the buffer is valid per processor architecture and
does not overlap with SMRAM.
@param Buffer The buffer start address to be checked.
@param Length The buffer length to be checked.
@retval TRUE This buffer is valid per processor architecture and does not
overlap with SMRAM.
@retval FALSE This buffer is not valid per processor architecture or overlaps
with SMRAM.
**/
BOOLEAN
FtwSmmIsBufferOutsideSmmValid (
IN EFI_PHYSICAL_ADDRESS Buffer,
IN UINT64 Length
)
{
return SmmIsBufferOutsideSmmValid (Buffer, Length);
}
/**
Copies a source buffer (NON-SMRAM) to a destination buffer (NON-SMRAM).
This function copies a source buffer (non-SMRAM) to a destination buffer (SMRAM).
It checks if source buffer and destination buffer are valid per processor architecture and not overlap with SMRAM.
If the check passes, it copies memory and returns EFI_SUCCESS.
If the check fails, it returns EFI_SECURITY_VIOLATION.
The implementation must be reentrant, and it must handle the case where source buffer overlaps destination buffer.
@param DestinationBuffer The pointer to the destination buffer of the memory copy.
@param SourceBuffer The pointer to the source buffer of the memory copy.
@param Length The number of bytes to copy from SourceBuffer to DestinationBuffer.
@retval EFI_SECURITY_VIOLATION The DesinationBuffer is invalid per processor architecture or overlap with SMRAM.
@retval EFI_SECURITY_VIOLATION The SourceBuffer is invalid per processor architecture or overlap with SMRAM.
@retval EFI_SUCCESS Memory is copied.
**/
EFI_STATUS
EFIAPI
SmmCopyMem (
OUT VOID *DestinationBuffer,
IN CONST VOID *SourceBuffer,
IN UINTN Length
)
{
if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)DestinationBuffer, Length)) {
DEBUG ((EFI_D_ERROR, "SmmCopyMem: Security Violation: Destination (0x%x), Length (0x%x)\n", DestinationBuffer, Length));
return EFI_SECURITY_VIOLATION;
}
if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)SourceBuffer, Length)) {
DEBUG ((EFI_D_ERROR, "SmmCopyMem: Security Violation: Source (0x%x), Length (0x%x)\n", SourceBuffer, Length));
return EFI_SECURITY_VIOLATION;
}
CopyMem (DestinationBuffer, SourceBuffer, Length);
return EFI_SUCCESS;
}
/**
Fills a target buffer (NON-SMRAM) with a byte value.
This function fills a target buffer (non-SMRAM) with a byte value.
It checks if target buffer is valid per processor architecture and not overlap with SMRAM.
If the check passes, it fills memory and returns EFI_SUCCESS.
If the check fails, it returns EFI_SECURITY_VIOLATION.
@param Buffer The memory to set.
@param Length The number of bytes to set.
@param Value The value with which to fill Length bytes of Buffer.
@retval EFI_SECURITY_VIOLATION The Buffer is invalid per processor architecture or overlap with SMRAM.
@retval EFI_SUCCESS Memory is set.
**/
EFI_STATUS
EFIAPI
SmmSetMem (
OUT VOID *Buffer,
IN UINTN Length,
IN UINT8 Value
)
{
if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer, Length)) {
DEBUG ((EFI_D_ERROR, "SmmSetMem: Security Violation: Source (0x%x), Length (0x%x)\n", Buffer, Length));
return EFI_SECURITY_VIOLATION;
}
SetMem (Buffer, Length, Value);
return EFI_SUCCESS;
}
/**
Dispatch function for SMM lock box update.
Caution: This function may receive untrusted input.
Restore buffer and length are external input, so this function will validate
it is in SMRAM.
@param LockBoxParameterUpdate parameter of lock box update
**/
VOID
SmmLockBoxUpdate (
IN EFI_SMM_LOCK_BOX_PARAMETER_UPDATE *LockBoxParameterUpdate
)
{
EFI_STATUS Status;
EFI_SMM_LOCK_BOX_PARAMETER_UPDATE TempLockBoxParameterUpdate;
//
// Sanity check
//
if (mLocked) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Locked!\n"));
LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
}
CopyMem (&TempLockBoxParameterUpdate, LockBoxParameterUpdate, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_UPDATE));
//
// Sanity check
//
if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterUpdate.Buffer, (UINTN)TempLockBoxParameterUpdate.Length)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM or buffer overflow!\n"));
LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
}
//
// The AsmLfence() call here is to ensure the above range check for the
// CommBuffer have been completed before calling into UpdateLockBox().
//
AsmLfence ();
//
// Update data
//
Status = UpdateLockBox (
&TempLockBoxParameterUpdate.Guid,
(UINTN)TempLockBoxParameterUpdate.Offset,
(VOID *)(UINTN)TempLockBoxParameterUpdate.Buffer,
(UINTN)TempLockBoxParameterUpdate.Length
);
LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)Status;
return ;
}
/**
Dispatch function for SMM lock box restore.
Caution: This function may receive untrusted input.
Restore buffer and length are external input, so this function will validate
it is in SMRAM.
@param LockBoxParameterRestore parameter of lock box restore
**/
VOID
SmmLockBoxRestore (
IN EFI_SMM_LOCK_BOX_PARAMETER_RESTORE *LockBoxParameterRestore
)
{
EFI_STATUS Status;
EFI_SMM_LOCK_BOX_PARAMETER_RESTORE TempLockBoxParameterRestore;
CopyMem (&TempLockBoxParameterRestore, LockBoxParameterRestore, sizeof (EFI_SMM_LOCK_BOX_PARAMETER_RESTORE));
//
// Sanity check
//
if (!SmmIsBufferOutsideSmmValid ((UINTN)TempLockBoxParameterRestore.Buffer, (UINTN)TempLockBoxParameterRestore.Length)) {
DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM or buffer overflow!\n"));
LockBoxParameterRestore->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
return ;
}
//
// Restore data
//
if ((TempLockBoxParameterRestore.Length == 0) && (TempLockBoxParameterRestore.Buffer == 0)) {
Status = RestoreLockBox (
&TempLockBoxParameterRestore.Guid,
NULL,
NULL
);
} else {
Status = RestoreLockBox (
&TempLockBoxParameterRestore.Guid,
(VOID *)(UINTN)TempLockBoxParameterRestore.Buffer,
(UINTN *)&TempLockBoxParameterRestore.Length
);
if (Status == EFI_BUFFER_TOO_SMALL) {
LockBoxParameterRestore->Length = TempLockBoxParameterRestore.Length;
}
}
LockBoxParameterRestore->Header.ReturnStatus = (UINT64)Status;
return ;
}
/**
Communication service SMI Handler entry.
This SMI handler provides services for report SMM boot records.
Caution: This function may receive untrusted input.
Communicate buffer and buffer size are external input, so this function will do basic validation.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered.
@param[in, out] CommBuffer A pointer to a collection of data in memory that will
be conveyed from a non-SMM environment into an SMM environment.
@param[in, out] CommBufferSize The size of the CommBuffer.
@retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
should still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
be called.
@retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
**/
EFI_STATUS
EFIAPI
FpdtSmiHandler (
IN EFI_HANDLE DispatchHandle,
IN CONST VOID *RegisterContext,
IN OUT VOID *CommBuffer,
IN OUT UINTN *CommBufferSize
)
{
EFI_STATUS Status;
SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
UINTN BootRecordOffset;
UINTN BootRecordSize;
VOID *BootRecordData;
UINTN TempCommBufferSize;
//
// If input is invalid, stop processing this SMI
//
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
TempCommBufferSize = *CommBufferSize;
if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
return EFI_SUCCESS;
}
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer;
Status = EFI_SUCCESS;
switch (SmmCommData->Function) {
case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE :
SmmCommData->BootRecordSize = mBootRecordSize;
break;
case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA :
Status = EFI_UNSUPPORTED;
break;
case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET :
BootRecordOffset = SmmCommData->BootRecordOffset;
BootRecordData = SmmCommData->BootRecordData;
BootRecordSize = SmmCommData->BootRecordSize;
if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) {
Status = EFI_INVALID_PARAMETER;
break;
}
//
// Sanity check
//
if (BootRecordSize > mBootRecordSize - BootRecordOffset) {
BootRecordSize = mBootRecordSize - BootRecordOffset;
}
SmmCommData->BootRecordSize = BootRecordSize;
if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) {
DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM Data buffer in SMRAM or overflow!\n"));
Status = EFI_ACCESS_DENIED;
break;
}
CopyMem (
(UINT8*)BootRecordData,
mBootRecordBuffer + BootRecordOffset,
BootRecordSize
);
break;
default:
Status = EFI_UNSUPPORTED;
}
SmmCommData->ReturnStatus = Status;
return EFI_SUCCESS;
}
/**
Communication service SMI Handler entry.
This SMI handler provides services for the fault tolerant write wrapper driver.
Caution: This function requires additional review when modified.
This driver need to make sure the CommBuffer is not in the SMRAM range.
Also in FTW_FUNCTION_GET_LAST_WRITE case, check SmmFtwGetLastWriteHeader->Data +
SmmFtwGetLastWriteHeader->PrivateDataSize within communication buffer.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered.
@param[in, out] CommBuffer A pointer to a collection of data in memory that will be conveyed
from a non-SMM environment into an SMM environment.
@param[in, out] CommBufferSize The size of the CommBuffer.
@retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
should still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
be called.
@retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
**/
EFI_STATUS
EFIAPI
SmmFaultTolerantWriteHandler (
IN EFI_HANDLE DispatchHandle,
IN CONST VOID *RegisterContext,
IN OUT VOID *CommBuffer,
IN OUT UINTN *CommBufferSize
)
{
EFI_STATUS Status;
SMM_FTW_COMMUNICATE_FUNCTION_HEADER *SmmFtwFunctionHeader;
SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER *SmmGetMaxBlockSizeHeader;
SMM_FTW_ALLOCATE_HEADER *SmmFtwAllocateHeader;
SMM_FTW_WRITE_HEADER *SmmFtwWriteHeader;
SMM_FTW_RESTART_HEADER *SmmFtwRestartHeader;
SMM_FTW_GET_LAST_WRITE_HEADER *SmmFtwGetLastWriteHeader;
VOID *PrivateData;
EFI_HANDLE SmmFvbHandle;
UINTN InfoSize;
UINTN CommBufferPayloadSize;
UINTN PrivateDataSize;
UINTN Length;
UINTN TempCommBufferSize;
//
// If input is invalid, stop processing this SMI
//
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
TempCommBufferSize = *CommBufferSize;
if (TempCommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
CommBufferPayloadSize = TempCommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
SmmFtwFunctionHeader = (SMM_FTW_COMMUNICATE_FUNCTION_HEADER *)CommBuffer;
if (mEndOfDxe) {
//
// It will be not safe to expose the operations after End Of Dxe.
//
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: Not safe to do the operation: %x after End Of Dxe, so access denied!\n", SmmFtwFunctionHeader->Function));
SmmFtwFunctionHeader->ReturnStatus = EFI_ACCESS_DENIED;
return EFI_SUCCESS;
}
switch (SmmFtwFunctionHeader->Function) {
case FTW_FUNCTION_GET_MAX_BLOCK_SIZE:
if (CommBufferPayloadSize < sizeof (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER)) {
DEBUG ((EFI_D_ERROR, "GetMaxBlockSize: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
SmmGetMaxBlockSizeHeader = (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER *) SmmFtwFunctionHeader->Data;
Status = FtwGetMaxBlockSize (
&mFtwDevice->FtwInstance,
&SmmGetMaxBlockSizeHeader->BlockSize
);
break;
case FTW_FUNCTION_ALLOCATE:
if (CommBufferPayloadSize < sizeof (SMM_FTW_ALLOCATE_HEADER)) {
DEBUG ((EFI_D_ERROR, "Allocate: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
SmmFtwAllocateHeader = (SMM_FTW_ALLOCATE_HEADER *) SmmFtwFunctionHeader->Data;
Status = FtwAllocate (
&mFtwDevice->FtwInstance,
&SmmFtwAllocateHeader->CallerId,
SmmFtwAllocateHeader->PrivateDataSize,
SmmFtwAllocateHeader->NumberOfWrites
);
break;
case FTW_FUNCTION_WRITE:
if (CommBufferPayloadSize < OFFSET_OF (SMM_FTW_WRITE_HEADER, Data)) {
DEBUG ((EFI_D_ERROR, "Write: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
SmmFtwWriteHeader = (SMM_FTW_WRITE_HEADER *) SmmFtwFunctionHeader->Data;
Length = SmmFtwWriteHeader->Length;
PrivateDataSize = SmmFtwWriteHeader->PrivateDataSize;
if (((UINTN)(~0) - Length < OFFSET_OF (SMM_FTW_WRITE_HEADER, Data)) ||
((UINTN)(~0) - PrivateDataSize < OFFSET_OF (SMM_FTW_WRITE_HEADER, Data) + Length)) {
//
// Prevent InfoSize overflow
//
Status = EFI_ACCESS_DENIED;
break;
}
InfoSize = OFFSET_OF (SMM_FTW_WRITE_HEADER, Data) + Length + PrivateDataSize;
//
// SMRAM range check already covered before
//
if (InfoSize > CommBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "Write: Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
break;
}
if (PrivateDataSize == 0) {
PrivateData = NULL;
} else {
PrivateData = (VOID *)&SmmFtwWriteHeader->Data[Length];
}
Status = GetFvbByAddressAndAttribute (
SmmFtwWriteHeader->FvbBaseAddress,
SmmFtwWriteHeader->FvbAttributes,
&SmmFvbHandle
);
if (!EFI_ERROR (Status)) {
Status = FtwWrite(
&mFtwDevice->FtwInstance,
SmmFtwWriteHeader->Lba,
SmmFtwWriteHeader->Offset,
Length,
PrivateData,
SmmFvbHandle,
SmmFtwWriteHeader->Data
);
}
break;
case FTW_FUNCTION_RESTART:
if (CommBufferPayloadSize < sizeof (SMM_FTW_RESTART_HEADER)) {
DEBUG ((EFI_D_ERROR, "Restart: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
SmmFtwRestartHeader = (SMM_FTW_RESTART_HEADER *) SmmFtwFunctionHeader->Data;
Status = GetFvbByAddressAndAttribute (
SmmFtwRestartHeader->FvbBaseAddress,
SmmFtwRestartHeader->FvbAttributes,
&SmmFvbHandle
);
if (!EFI_ERROR (Status)) {
Status = FtwRestart (&mFtwDevice->FtwInstance, SmmFvbHandle);
}
break;
case FTW_FUNCTION_ABORT:
Status = FtwAbort (&mFtwDevice->FtwInstance);
break;
case FTW_FUNCTION_GET_LAST_WRITE:
if (CommBufferPayloadSize < OFFSET_OF (SMM_FTW_GET_LAST_WRITE_HEADER, Data)) {
DEBUG ((EFI_D_ERROR, "GetLastWrite: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
SmmFtwGetLastWriteHeader = (SMM_FTW_GET_LAST_WRITE_HEADER *) SmmFtwFunctionHeader->Data;
PrivateDataSize = SmmFtwGetLastWriteHeader->PrivateDataSize;
if ((UINTN)(~0) - PrivateDataSize < OFFSET_OF (SMM_FTW_GET_LAST_WRITE_HEADER, Data)){
//
// Prevent InfoSize overflow
//
Status = EFI_ACCESS_DENIED;
break;
}
InfoSize = OFFSET_OF (SMM_FTW_GET_LAST_WRITE_HEADER, Data) + PrivateDataSize;
//
// SMRAM range check already covered before
//
if (InfoSize > CommBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
break;
}
Status = FtwGetLastWrite (
&mFtwDevice->FtwInstance,
&SmmFtwGetLastWriteHeader->CallerId,
&SmmFtwGetLastWriteHeader->Lba,
&SmmFtwGetLastWriteHeader->Offset,
&SmmFtwGetLastWriteHeader->Length,
&PrivateDataSize,
(VOID *)SmmFtwGetLastWriteHeader->Data,
&SmmFtwGetLastWriteHeader->Complete
);
SmmFtwGetLastWriteHeader->PrivateDataSize = PrivateDataSize;
break;
default:
Status = EFI_UNSUPPORTED;
}
SmmFtwFunctionHeader->ReturnStatus = Status;
return EFI_SUCCESS;
}
/**
Communication service SMI Handler entry.
This SMI handler provides services for the variable wrapper driver.
Caution: This function may receive untrusted input.
This variable data and communicate buffer are external input, so this function will do basic validation.
Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
SmmVariableGetStatistics() should also do validation based on its own knowledge.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered.
@param[in, out] CommBuffer A pointer to a collection of data in memory that will
be conveyed from a non-SMM environment into an SMM environment.
@param[in, out] CommBufferSize The size of the CommBuffer.
@retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
should still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
be called.
@retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
**/
EFI_STATUS
EFIAPI
SmmVariableHandler (
IN EFI_HANDLE DispatchHandle,
IN CONST VOID *RegisterContext,
IN OUT VOID *CommBuffer,
IN OUT UINTN *CommBufferSize
)
{
EFI_STATUS Status;
SMM_VARIABLE_COMMUNICATE_HEADER *SmmVariableFunctionHeader;
SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;
SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *GetNextVariableName;
SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *QueryVariableInfo;
SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *GetPayloadSize;
VARIABLE_INFO_ENTRY *VariableInfo;
SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock;
SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty;
UINTN InfoSize;
UINTN NameBufferSize;
UINTN CommBufferPayloadSize;
UINTN TempCommBufferSize;
//
// If input is invalid, stop processing this SMI
//
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
TempCommBufferSize = *CommBufferSize;
if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
CommBufferPayloadSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));
return EFI_SUCCESS;
}
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;
switch (SmmVariableFunctionHeader->Function) {
case SMM_VARIABLE_FUNCTION_GET_VARIABLE:
if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
//
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
//
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
//
// Prevent InfoSize overflow happen
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
+ SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
//
// SMRAM range check already covered before
//
if (InfoSize > CommBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
//
// Make sure VariableName is A Null-terminated string.
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
Status = VariableServiceGetVariable (
SmmVariableHeader->Name,
&SmmVariableHeader->Guid,
&SmmVariableHeader->Attributes,
&SmmVariableHeader->DataSize,
(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
);
CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
break;
case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:
if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
//
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
//
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;
if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
//
// Prevent InfoSize overflow happen
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize;
//
// SMRAM range check already covered before
//
if (InfoSize > CommBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);
if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {
//
// Make sure input VariableName is A Null-terminated string.
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
Status = VariableServiceGetNextVariableName (
&GetNextVariableName->NameSize,
GetNextVariableName->Name,
&GetNextVariableName->Guid
);
CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
break;
case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
//
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
//
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
//
// Prevent InfoSize overflow happen
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
+ SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
//
// SMRAM range check already covered before
// Data buffer should not contain SMM range
//
if (InfoSize > CommBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
//
// Make sure VariableName is A Null-terminated string.
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
Status = VariableServiceSetVariable (
SmmVariableHeader->Name,
&SmmVariableHeader->Guid,
SmmVariableHeader->Attributes,
SmmVariableHeader->DataSize,
(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
);
break;
case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:
if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {
DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;
Status = VariableServiceQueryVariableInfo (
QueryVariableInfo->Attributes,
&QueryVariableInfo->MaximumVariableStorageSize,
&QueryVariableInfo->RemainingVariableStorageSize,
&QueryVariableInfo->MaximumVariableSize
);
break;
case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE:
if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE)) {
DEBUG ((EFI_D_ERROR, "GetPayloadSize: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
GetPayloadSize = (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *) SmmVariableFunctionHeader->Data;
GetPayloadSize->VariablePayloadSize = mVariableBufferPayloadSize;
Status = EFI_SUCCESS;
break;
case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
mEndOfDxe = TRUE;
//
// The initialization for variable quota.
//
InitializeVariableQuota ();
if (AtRuntime()) {
Status = EFI_UNSUPPORTED;
break;
}
ReclaimForOS ();
Status = EFI_SUCCESS;
break;
case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
mAtRuntime = TRUE;
Status = EFI_SUCCESS;
break;
case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
//
// Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
// It is covered by previous CommBuffer check
//
if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {
DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n"));
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
Status = SmmVariableGetStatistics (VariableInfo, &InfoSize);
*CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
break;
case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
if (mEndOfDxe) {
Status = EFI_ACCESS_DENIED;
} else {
VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
Status = VariableLockRequestToLock (
NULL,
VariableToLock->Name,
&VariableToLock->Guid
);
}
break;
case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET:
if (mEndOfDxe) {
Status = EFI_ACCESS_DENIED;
} else {
CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) SmmVariableFunctionHeader->Data;
Status = VarCheckVariablePropertySet (
CommVariableProperty->Name,
&CommVariableProperty->Guid,
&CommVariableProperty->VariableProperty
);
}
break;
case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:
if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
//
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
//
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) mVariableBufferPayload;
if ((UINTN) (~0) - CommVariableProperty->NameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
//
// Prevent InfoSize overflow happen
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + CommVariableProperty->NameSize;
//
// SMRAM range check already covered before
//
if (InfoSize > CommBufferPayloadSize) {
DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n"));
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
if (CommVariableProperty->NameSize < sizeof (CHAR16) || CommVariableProperty->Name[CommVariableProperty->NameSize/sizeof (CHAR16) - 1] != L'\0') {
//
// Make sure VariableName is A Null-terminated string.
//
Status = EFI_ACCESS_DENIED;
goto EXIT;
}
Status = VarCheckVariablePropertyGet (
CommVariableProperty->Name,
&CommVariableProperty->Guid,
&CommVariableProperty->VariableProperty
);
CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
break;
default:
Status = EFI_UNSUPPORTED;
}
EXIT:
SmmVariableFunctionHeader->ReturnStatus = Status;
return EFI_SUCCESS;
}
/**
Communication service SMI Handler entry.
This SMI handler provides services for the performance wrapper driver.
Caution: This function may receive untrusted input.
Communicate buffer and buffer size are external input, so this function will do basic validation.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered.
@param[in, out] CommBuffer A pointer to a collection of data in memory that will
be conveyed from a non-SMM environment into an SMM environment.
@param[in, out] CommBufferSize The size of the CommBuffer.
@retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
should still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
still be called.
@retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
be called.
@retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
**/
EFI_STATUS
EFIAPI
SmmPerformanceHandler (
IN EFI_HANDLE DispatchHandle,
IN CONST VOID *RegisterContext,
IN OUT VOID *CommBuffer,
IN OUT UINTN *CommBufferSize
)
{
EFI_STATUS Status;
SMM_PERF_COMMUNICATE *SmmPerfCommData;
GAUGE_DATA_ENTRY_EX *GaugeEntryExArray;
UINT64 DataSize;
UINTN Index;
GAUGE_DATA_ENTRY *GaugeData;
UINTN NumberOfEntries;
UINTN LogEntryKey;
UINTN TempCommBufferSize;
GaugeEntryExArray = NULL;
//
// If input is invalid, stop processing this SMI
//
if (CommBuffer == NULL || CommBufferSize == NULL) {
return EFI_SUCCESS;
}
TempCommBufferSize = *CommBufferSize;
if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
return EFI_SUCCESS;
}
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM communcation data buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
SmmPerfCommData = (SMM_PERF_COMMUNICATE *)CommBuffer;
switch (SmmPerfCommData->Function) {
case SMM_PERF_FUNCTION_GET_GAUGE_ENTRY_NUMBER :
SmmPerfCommData->NumberOfEntries = mGaugeData->NumberOfEntries;
Status = EFI_SUCCESS;
break;
case SMM_PERF_FUNCTION_GET_GAUGE_DATA :
GaugeData = SmmPerfCommData->GaugeData;
NumberOfEntries = SmmPerfCommData->NumberOfEntries;
LogEntryKey = SmmPerfCommData->LogEntryKey;
if (GaugeData == NULL || NumberOfEntries == 0 || LogEntryKey > mGaugeData->NumberOfEntries ||
NumberOfEntries > mGaugeData->NumberOfEntries || LogEntryKey > (mGaugeData->NumberOfEntries - NumberOfEntries)) {
Status = EFI_INVALID_PARAMETER;
break;
}
//
// Sanity check
//
DataSize = MultU64x32 (NumberOfEntries, sizeof(GAUGE_DATA_ENTRY));
if (!SmmIsBufferOutsideSmmValid ((UINTN) GaugeData, DataSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM Performance Data buffer in SMRAM or overflow!\n"));
Status = EFI_ACCESS_DENIED;
break;
}
GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
for (Index = 0; Index < NumberOfEntries; Index++) {
CopyMem (
(UINT8 *) &GaugeData[Index],
(UINT8 *) &GaugeEntryExArray[LogEntryKey++],
sizeof (GAUGE_DATA_ENTRY)
);
}
Status = EFI_SUCCESS;
break;
default:
Status = EFI_UNSUPPORTED;
}
SmmPerfCommData->ReturnStatus = Status;
return EFI_SUCCESS;
}