From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Paulo Alcantara <paulo@paulo.ac>,
Ruiyu Ni <ruiyu.ni@intel.com>, Jiewen Yao <jiewen.yao@intel.com>,
Star Zeng <star.zeng@intel.com>
Subject: [PATCH v1 03/10] MdeModulePkg/UdfDxe: Add boundary check the read of FE/EFE
Date: Tue, 16 Oct 2018 15:23:33 +0800 [thread overview]
Message-ID: <20181016072340.22068-4-hao.a.wu@intel.com> (raw)
In-Reply-To: <20181016072340.22068-1-hao.a.wu@intel.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
Within ReadFile():
Add checks to ensure that when getting the raw data or the Allocation
Descriptors' data from a FE/EFE, it will not consume data beyond the
size of a FE/EFE.
Cc: Paulo Alcantara <paulo@paulo.ac>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 54 ++++++++++++++++++--
1 file changed, 50 insertions(+), 4 deletions(-)
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index 5fb88c2ff3..d758b798f1 100644
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -503,15 +503,27 @@ DuplicateFe (
NOTE: The FE/EFE can be thought it was an inode.
+ @attention This is boundary function that may receive untrusted input.
+ @attention The input is from FileSystem.
+
+ The (Extended) File Entry is external input, so this routine will do basic
+ validation for (Extended) File Entry and report status.
+
@param[in] FileEntryData (Extended) File Entry pointer.
+ @param[in] FileEntrySize Size of the (Extended) File Entry specified
+ by FileEntryData.
@param[out] Data Buffer contains the raw data of a given
(Extended) File Entry.
@param[out] Length Length of the data in Buffer.
+ @retval EFI_SUCCESS Raw data and size of the FE/EFE was read.
+ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
+
**/
-VOID
+EFI_STATUS
GetFileEntryData (
IN VOID *FileEntryData,
+ IN UINTN FileEntrySize,
OUT VOID **Data,
OUT UINT64 *Length
)
@@ -535,20 +547,40 @@ GetFileEntryData (
*Data = (VOID *)((UINT8 *)FileEntry->Data +
FileEntry->LengthOfExtendedAttributes);
}
+
+ if ((*Length > FileEntrySize) ||
+ ((UINTN)FileEntryData > (UINTN)(*Data)) ||
+ ((UINTN)(*Data) - (UINTN)FileEntryData > FileEntrySize - *Length)) {
+ return EFI_VOLUME_CORRUPTED;
+ }
+ return EFI_SUCCESS;
}
/**
Get Allocation Descriptors' data information from a given FE/EFE.
+ @attention This is boundary function that may receive untrusted input.
+ @attention The input is from FileSystem.
+
+ The (Extended) File Entry is external input, so this routine will do basic
+ validation for (Extended) File Entry and report status.
+
@param[in] FileEntryData (Extended) File Entry pointer.
+ @param[in] FileEntrySize Size of the (Extended) File Entry specified
+ by FileEntryData.
@param[out] AdsData Buffer contains the Allocation Descriptors'
data from a given FE/EFE.
@param[out] Length Length of the data in AdsData.
+ @retval EFI_SUCCESS The data and size of Allocation Descriptors
+ were read from the FE/EFE.
+ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
+
**/
-VOID
+EFI_STATUS
GetAdsInformation (
IN VOID *FileEntryData,
+ IN UINTN FileEntrySize,
OUT VOID **AdsData,
OUT UINT64 *Length
)
@@ -572,6 +604,13 @@ GetAdsInformation (
*AdsData = (VOID *)((UINT8 *)FileEntry->Data +
FileEntry->LengthOfExtendedAttributes);
}
+
+ if ((*Length > FileEntrySize) ||
+ ((UINTN)FileEntryData > (UINTN)(*AdsData)) ||
+ ((UINTN)(*AdsData) - (UINTN)FileEntryData > FileEntrySize - *Length)) {
+ return EFI_VOLUME_CORRUPTED;
+ }
+ return EFI_SUCCESS;
}
/**
@@ -1065,7 +1104,10 @@ ReadFile (
//
// There are no extents for this FE/EFE. All data is inline.
//
- GetFileEntryData (FileEntryData, &Data, &Length);
+ Status = GetFileEntryData (FileEntryData, Volume->FileEntrySize, &Data, &Length);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
if (ReadFileInfo->Flags == ReadFileGetFileSize) {
ReadFileInfo->ReadLength = Length;
@@ -1109,7 +1151,11 @@ ReadFile (
// This FE/EFE contains a run of Allocation Descriptors. Get data + size
// for start reading them out.
//
- GetAdsInformation (FileEntryData, &Data, &Length);
+ Status = GetAdsInformation (FileEntryData, Volume->FileEntrySize, &Data, &Length);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
AdOffset = 0;
for (;;) {
--
2.12.0.windows.1
next prev parent reply other threads:[~2018-10-16 7:23 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-16 7:23 [PATCH v1 00/10] UDF: Bugfixes Hao Wu
2018-10-16 7:23 ` [PATCH v1 01/10] MdeModulePkg/PartitionDxe: Add check for underlying device block size Hao Wu
2018-10-16 7:23 ` [PATCH v1 02/10] MdeModulePkg/UdfDxe: Refine boundary checks for file/path name string Hao Wu
2018-10-16 7:23 ` Hao Wu [this message]
2018-10-16 7:23 ` [PATCH v1 04/10] MdeModulePkg/UdfDxe: Add boundary check for ComponentIdentifier decode Hao Wu
2018-10-16 7:23 ` [PATCH v1 05/10] MdeModulePkg/UdfDxe: Add boundary check for getting volume (free) size Hao Wu
2018-10-16 7:23 ` [PATCH v1 06/10] MdeModulePkg/UdfDxe: Correct behavior for UdfSetPosition() Hao Wu
2018-10-16 7:23 ` [PATCH v1 07/10] MdeModulePkg/UdfDxe: Fix a typo within SetFileInfo() Hao Wu
2018-10-16 7:23 ` [PATCH v1 08/10] MdeModulePkg/UdfDxe: Update GetInfo() for FS VolumeLabel info request Hao Wu
2018-10-16 7:23 ` [PATCH v1 09/10] MdeModulePkg/UdfDxe: Add more check when getting PD from LongAd Hao Wu
2018-10-16 7:23 ` [PATCH v1 10/10] MdeModulePkg/UdfDxe: Avoid possible use of already-freed data Hao Wu
2018-10-22 14:39 ` [PATCH v1 00/10] UDF: Bugfixes Paulo Alcantara
2018-10-23 5:45 ` Zeng, Star
2018-10-23 6:10 ` Wu, Hao A
2018-10-23 12:28 ` Wu, Hao A
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181016072340.22068-4-hao.a.wu@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox