From 47e800f75056c4e26ee9fa69a91ba1f162249176 Mon Sep 17 00:00:00 2001
From: dakanji
Date: Sun, 4 Dec 2022 19:11:33 +0300
Subject: [PATCH] OpenVariableRuntimeDxe: Add spoof proof UEFI 2.x checking (#405)
---
 Platform/OpenVariableRuntimeDxe/VariableDxe.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/Platform/OpenVariableRuntimeDxe/VariableDxe.c b/Platform/OpenVariableRuntimeDxe/VariableDxe.c
index e9cf3d69..b2ee7d55 100644
--- a/Platform/OpenVariableRuntimeDxe/VariableDxe.c
+++ b/Platform/OpenVariableRuntimeDxe/VariableDxe.c
@@ -648,8 +648,10 @@ VariableServiceInitialize (
 )
 {
 EFI_STATUS Status;
- EFI_EVENT ReadyToBootEvent;
+ UINTN OffsetQVI;
+ UINTN HeaderQVI;
 EFI_EVENT EndOfDxeEvent;
+ EFI_EVENT ReadyToBootEvent;
 EFI_CREATE_EVENT_EX OriginalCreateEventEx;
 
 SaveAcpiGlobalVariable (SystemTable);
@@ -684,8 +686,18 @@ VariableServiceInitialize (
 //
 // Avoid setting UEFI 2.x interface member on EFI 1.x.
 //
- if (SystemTable->RuntimeServices->Hdr.Revision >= EFI_2_00_SYSTEM_TABLE_REVISION) {
- SystemTable->RuntimeServices->QueryVariableInfo = VariableServiceQueryVariableInfo;
+ // First test all systable elements as some may have been spoofed and pass a limited element check
+ // Then check that QueryVariableInfo is specifically available before setting the interface member
+ //
+ if ( ((SystemTable->Hdr.Revision >> 16U) > 1) && ((SystemTable->BootServices->Hdr.Revision >> 16U) > 1) && ((SystemTable->RuntimeServices->Hdr.Revision >> 16U) > 1))
+ {
+ OffsetQVI = OFFSET_OF (EFI_RUNTIME_SERVICES, QueryVariableInfo);
+ HeaderQVI = OffsetQVI + sizeof (SystemTable->RuntimeServices->QueryVariableInfo);
+ if (SystemTable->RuntimeServices->Hdr.HeaderSize >= HeaderQVI) {
+ SystemTable->RuntimeServices->QueryVariableInfo = VariableServiceQueryVariableInfo;
+ }
 }
 
 //
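Review bot: In the second hunk, a table that fails either the three-way revision test or the HeaderSize bound leaves QueryVariableInfo uninstalled with no trace, so a firmware where the member never gets set is hard to diagnose later; the HeaderSize comparison is also the check that actually keeps the store from writing past the end of a shorter runtime-services table, which the comment block above it does not say. Consider an `else` on the inner `if` with `DEBUG ((DEBUG_INFO, "OCVAR: QueryVariableInfo outside RT header (HeaderSize %u, need %u)\n", SystemTable->RuntimeServices->Hdr.HeaderSize, (UINT32) HeaderQVI));` and a similar message on the outer revision mismatch. The two new comment lines would read better as "Check the major revision (upper 16 bits) of the system, boot and runtime service tables, since a single spoofed header can pass a one-table check, then confirm the runtime table is large enough to hold QueryVariableInfo before writing it." The `>> 16U` form replaces the named EFI_2_00_SYSTEM_TABLE_REVISION constant, so that "major revision in the upper 16 bits" remark is worth keeping in the code. VariableServiceInitialize begins and ends outside both hunks.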