MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677 Attacker able to modify physical memory and ResumeCount. System will crash/DoS when ResumeCount reaches its MAX_UINT32. Cc: Zhiguang Liu <[email protected]> Cc: Dandan Bi <[email protected]> Cc: Liming Gao <[email protected]> Signed-off-by: Pakkirisamy ShanmugavelX <[email protected]> Reviewed-by: Liming Gao <[email protected]>
tianocore · May 17, 2024 · 284dbac · 284dbac
1 parent 558a253
commit 284dbac
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
@@ -112,11 +112,15 @@ FpdtStatusCodeListenerPei (
   //
   S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
   AcpiS3ResumeRecord->ResumeCount++;
-  AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
+  if (AcpiS3ResumeRecord->ResumeCount > 0) {
+    AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
+    DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
+  } else {
+    DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
+  }
 
-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = %d\n", AcpiS3ResumeRecord->ResumeCount));
-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = %ld\n", AcpiS3ResumeRecord->FullResume));
-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
+  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
+  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = 0x%x\n", AcpiS3ResumeRecord->FullResume));
 
   //
   // Update S3 Suspend Performance Record.