public inbox for devel@edk2.groups.io
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Paulo Alcantara <paulo@paulo.ac>,
	Ruiyu Ni <ruiyu.ni@intel.com>, Star Zeng <star.zeng@intel.com>
Subject: [PATCH v1 10/10] MdeModulePkg/UdfDxe: Avoid possible use of already-freed data
Date: Tue, 16 Oct 2018 15:23:40 +0800
Message-ID: <20181016072340.22068-11-hao.a.wu@intel.com>
In-Reply-To: <20181016072340.22068-1-hao.a.wu@intel.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1255

For function ReadFile():

If the line

  Status = GetAedAdsData (
   ...
   );

is reached multiple times during the 'for' loop, freeing the data pointed
to by variable 'Data' may potentially lead to variable 'Ad' referencing the
already-freed data.

After calling function GetAllocationDescriptor(), 'Data' and 'Ad' may
point to the same memory (with some possible offset). Hence, this commit
will move the FreePool() call backwards to ensure the data will no longer
be used.

Cc: Paulo Alcantara <paulo@paulo.ac>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index 7526de79b2..bf73ab4252 100644
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -1044,6 +1044,7 @@ ReadFile (
   EFI_STATUS              Status;
   UINT32                  LogicalBlockSize;
   VOID                    *Data;
+  VOID                    *DataBak;
   UINT64                  Length;
   VOID                    *Ad;
   UINT64                  AdOffset;
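Review bot: The name of the added local, `DataBak`, reads as a backup copy of the data, while it is only a second pointer to the buffer that is about to be replaced. A name such as `PrevData` or `OldAedData` would say that it is the previous buffer waiting to be released, which is the whole point of the variable.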
@@ -1184,12 +1185,7 @@ ReadFile (
       // Descriptor and its extents (ADs).
       //
       if (GET_EXTENT_FLAGS (RecordingFlags, Ad) == ExtentIsNextExtent) {
-        if (!DoFreeAed) {
-          DoFreeAed = TRUE;
-        } else {
-          FreePool (Data);
-        }
-
+        DataBak = Data;
         Status = GetAedAdsData (
           BlockIo,
           DiskIo,
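Review bot: The added `DataBak = Data;` has no comment explaining why the old buffer has to outlive the GetAedAdsData() call. The reason is only in the commit message ('Ad' may point into the memory 'Data' points to), so a two-line comment above the assignment saying that the buffer must not be released until the call returns would stop someone from later "simplifying" the free back to its old position.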
@@ -1200,6 +1196,13 @@ ReadFile (
           &Data,
           &Length
           );
+
+        if (!DoFreeAed) {
+          DoFreeAed = TRUE;
+        } else {
+          FreePool (DataBak);
+        }
+
         if (EFI_ERROR (Status)) {
           goto Error_Get_Aed;
         }
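Review bot: The relocated DoFreeAed/FreePool (DataBak) block sits before the `if (EFI_ERROR (Status))` check, so it also runs when GetAedAdsData() failed. If the callee leaves `Data` unchanged on failure, `Data` still equals the just-freed `DataBak`, and on the first pass DoFreeAed is set to TRUE although no new AED buffer was returned. The Error_Get_Aed path is not visible in this hunk; please confirm it never touches `Data`, or state in a comment that the free on the failure path is intentional.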
-- 
2.12.0.windows.1
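
The ordering problem described in the commit message, as an added example that is not part of the patch or of edk2. It is a constructed model: the `Buf` pool, `get_next()` and `walk_chain()` are hypothetical stand-ins, and it assumes the GetAedAdsData() stand-in reads the next-extent location through the aliasing 'Ad' pointer. Buffers are only marked as freed, so the pre-patch order can be run and counted safely.

```c
#include <stdio.h>

/* Constructed model: each buffer names the next one in the chain. */
typedef struct { int live; int next; } Buf;

static Buf pool[3];        /* stand-in for pool allocations */
static int stale_reads;    /* reads made through a pointer into a freed buffer */

static void pool_reset(void) {
  for (int i = 0; i < 3; i++) { pool[i].live = 1; pool[i].next = i + 1; }
  stale_reads = 0;
}

static void pool_free(Buf *b) { b->live = 0; }  /* mark only, nothing is released */

/* Stand-in for GetAedAdsData(): follows 'ad' to find the next buffer. */
static Buf *get_next(const Buf *ad) {
  if (!ad->live) stale_reads++;                 /* 'ad' points into freed data */
  return ad->next < 3 ? &pool[ad->next] : NULL;
}

/* free_first = 1: pre-patch order (free, then call).
   free_first = 0: patched order (save pointer, call, then free). */
int walk_chain(int free_first) {
  int do_free = 0;                              /* mirrors DoFreeAed */
  Buf *data;

  pool_reset();
  data = &pool[0];
  while (data != NULL) {
    Buf *ad  = data;                            /* 'Ad' aliases 'Data' */
    Buf *bak = data;                            /* mirrors DataBak */
    if (free_first) {
      if (!do_free) do_free = 1; else pool_free(data);
    }
    data = get_next(ad);
    if (!free_first) {
      if (!do_free) do_free = 1; else pool_free(bak);
    }
  }
  return stale_reads;
}

int main(void) {
  printf("pre-patch stale reads: %d\n", walk_chain(1));
  printf("patched stale reads:   %d\n", walk_chain(0));
  return 0;
}
```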


