From 0b448dd8b27c9efac370576b18edada004ab560a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 26 Apr 2016 13:57:32 +0200
Subject: OvmfPkg: SataControllerDxe: SataControllerStop: fix use after free

It would be possible to remove the UAF without local variables, by calling
SataPrivateData->PciIo->Attributes() before releasing SataPrivateData.

However, by keeping the location of the call (for which temporary
variables are necessary), we continue to match the error path logic in
SataControllerStart(), which is always recommended.

Reported-by: wang xiaofeng <winggundum82@163.com>
Fixes: bcab71413407e61c144994925556725dd65eede9
Cc: wang xiaofeng <winggundum82@163.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
---
 OvmfPkg/SataControllerDxe/SataController.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

(limited to 'OvmfPkg/SataControllerDxe')

diff --git a/OvmfPkg/SataControllerDxe/SataController.c b/OvmfPkg/SataControllerDxe/SataController.c
index e5ee63a0ab..1f84ad034e 100644
--- a/OvmfPkg/SataControllerDxe/SataController.c
+++ b/OvmfPkg/SataControllerDxe/SataController.c
@@ -570,6 +570,8 @@ SataControllerStop (
   EFI_STATUS                        Status;
   EFI_IDE_CONTROLLER_INIT_PROTOCOL  *IdeInit;
   EFI_SATA_CONTROLLER_PRIVATE_DATA  *SataPrivateData;
+  EFI_PCI_IO_PROTOCOL               *PciIo;
+  UINT64                            OriginalPciAttributes;
 
   //
   // Open the produced protocol
@@ -589,6 +591,9 @@ SataControllerStop (
   SataPrivateData = SATA_CONTROLLER_PRIVATE_DATA_FROM_THIS (IdeInit);
   ASSERT (SataPrivateData != NULL);
 
+  PciIo                 = SataPrivateData->PciIo;
+  OriginalPciAttributes = SataPrivateData->OriginalPciAttributes;
+
   //
   // Uninstall the IDE Controller Init Protocol from this instance
   //
@@ -616,12 +621,12 @@ SataControllerStop (
   //
   // Restore original PCI attributes
   //
-  SataPrivateData->PciIo->Attributes (
-                            SataPrivateData->PciIo,
-                            EfiPciIoAttributeOperationSet,
-                            SataPrivateData->OriginalPciAttributes,
-                            NULL
-                            );
+  PciIo->Attributes (
+           PciIo,
+           EfiPciIoAttributeOperationSet,
+           OriginalPciAttributes,
+           NULL
+           );
 
   //
   // Close protocols opened by Sata Controller driver
-- 
cgit