MdeModulePkg: Add Boot%04x structure check function at BOpt_GetBootOp…

…tions According Bugzilla Bug 4792, GetEfiGlobalVariable2 try to get data from NVRAM, but NVRAM is easy to be modified. So wrong Boot%04x data may cause overflow. For example, if BootOptionSize smaller than 3 or StrSize can't get any NULL byte, it can cause overflow. Signed-off-by: zodf0055980 <[email protected]>
tianocore · Sep 2, 2024 · b75764e · b75764e
1 parent b0f43dd
commit b75764e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/MdeModulePkg/Include/Library/UefiBootManagerLib.h b/MdeModulePkg/Include/Library/UefiBootManagerLib.h
@@ -813,4 +813,21 @@ EfiBootManagerDispatchDeferredImages (
   VOID
   );
 
+/**
+  Validate the Boot####, Driver####, SysPrep#### and PlatformRecovery####
+  variable (VendorGuid/Name)
+
+  @param  Variable              The variable data.
+  @param  VariableSize          The variable size.
+
+  @retval TRUE                  The variable data is correct.
+  @retval FALSE                 The variable data is corrupted.
+
+**/
+BOOLEAN
+BmValidateOption (
+  UINT8  *Variable,
+  UINTN  VariableSize
+  );
+
 #endif
diff --git a/MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootOption.c b/MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootOption.c
@@ -356,6 +356,11 @@ BOpt_GetBootOptions (
       continue;
     }
 
+    if (!BmValidateOption (LoadOptionFromVar, BootOptionSize)) {
+      FreePool (LoadOptionFromVar);
+      continue;
+    }
+
     if (BootNext != NULL) {
       BootNextFlag = (BOOLEAN)(*BootNext == BootOrderList[Index]);
     } else {