From e37976a2b28ea351c7cd187571761d60ac9de65b Mon Sep 17 00:00:00 2001
From: Sureshkumar Ponnusamy
Date: Tue, 6 Aug 2024 18:16:33 -0400
Subject: [PATCH] [CHERRY-PICK] MdeModulePkg/FaultTolerantWriteDxe: Fix buffer overrun issue

- This PR aims to prevent a buffer overrun issue found in FtwGetLastWriteHeader function.As per the current code, when there is a malformed blocks (with all bytes as 0s) then `Offset += FTW_WRITE_TOTAL_SIZE (FtwHeader->NumberOfWrites, FtwHeader->PrivateDataSize)` would access beyond FtwWorkSpaceSize.
- Also added the signature check to validate work space

Signed-off-by: Sureshkumar Ponnusamy
---
 MdeModulePkg/Universal/FaultTolerantWriteDxe/FtwMisc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FtwMisc.c b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FtwMisc.c
index 5847bf90bd..26c8f18edf 100644
--- a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FtwMisc.c
+++ b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FtwMisc.c
@@ -810,12 +810,18 @@ FtwGetLastWriteHeader (
   FtwHeader = (EFI_FAULT_TOLERANT_WRITE_HEADER *)(FtwWorkSpaceHeader + 1);
   Offset = sizeof (EFI_FAULT_TOLERANT_WORKING_BLOCK_HEADER);
 
+  if (!CompareGuid (&FtwWorkSpaceHeader->Signature, &gEdkiiWorkingBlockSignatureGuid)) {
+    *FtwWriteHeader = FtwHeader;
+    return EFI_ABORTED;
+  }
+
   while (FtwHeader->Complete == FTW_VALID_STATE) {
     Offset += FTW_WRITE_TOTAL_SIZE (FtwHeader->NumberOfWrites, FtwHeader->PrivateDataSize);
     //
     // If Offset exceed the FTW work space boudary, return error.
     //
-    if (Offset >= FtwWorkSpaceSize) {
+
+    if ((Offset + sizeof (EFI_FAULT_TOLERANT_WRITE_HEADER)) >= FtwWorkSpaceSize) {
       *FtwWriteHeader = FtwHeader;
       return EFI_ABORTED;
     }
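Review bot: The new bound test `(Offset + sizeof (EFI_FAULT_TOLERANT_WRITE_HEADER)) >= FtwWorkSpaceSize` still trusts the arithmetic on the line above it, where `Offset += FTW_WRITE_TOTAL_SIZE (FtwHeader->NumberOfWrites, FtwHeader->PrivateDataSize)` is computed from two sizes read straight out of the working block on flash; if that size, or the addition in the test itself, wraps around, `Offset` can come out small, the check passes and the walk continues from a bogus position in the same buffer. Expressing the check as a subtraction avoids the wrap in the comparison, `if ((Offset >= FtwWorkSpaceSize) || (FtwWorkSpaceSize - Offset < sizeof (EFI_FAULT_TOLERANT_WRITE_HEADER))) {`, and the `+=` itself is only safe if the result is compared against the previous `Offset` (or the total size is checked before it is added) so that a wrapped value also ends the loop with `EFI_ABORTED`. Whether the header-size expression can overflow depends on how FTW_WRITE_TOTAL_SIZE is defined, which is outside this hunk, so that part is worth confirming rather than assuming. As a matter of style, the added blank line separates the `// If Offset exceed the FTW work space boudary` comment from the `if` it documents; dropping that blank line (and fixing "boudary" to "boundary" while touching it) keeps the comment attached. The loop body and the rest of FtwGetLastWriteHeader continue past the end of the hunk.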