From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.43; helo=mga05.intel.com; envelope-from=qin.long@intel.com; receiver=edk2-devel@lists.01.org Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 92B312116821C for ; Wed, 24 Oct 2018 06:22:25 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Oct 2018 06:22:25 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,420,1534834800"; d="scan'208";a="275192110" Received: from shwdepsi940.ccr.corp.intel.com ([10.239.9.147]) by fmsmga006.fm.intel.com with ESMTP; 24 Oct 2018 06:22:24 -0700 From: Long Qin To: edk2-devel@lists.01.org Cc: ting.ye@intel.com Date: Wed, 24 Oct 2018 21:22:02 +0800 Message-Id: <20181024132202.10596-1-qin.long@intel.com> X-Mailer: git-send-email 2.16.1.windows.1 Subject: [PATCH] CryptoPkg/BaseCryptLib: Fix potential integer overflow issue. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Oct 2018 13:22:25 -0000 The LookupFreeMemRegion() in RuntimeMemAllocate.c is used to look-up free memory region for runtime resource allocation, which was designed to support runtime authenticated variable service. The direct offset subtractions in this function may bring possible integer overflow issue. This patch is to add the extra parameter checks to remove this possible overflow risk. Cc: Ye Ting Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Long Qin --- .../Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c b/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c index 463f2bf855..92bb9ddccd 100644 --- a/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c @@ -2,7 +2,7 @@ Light-weight Memory Management Routines for OpenSSL-based Crypto Library at Runtime Phase. -Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -141,6 +141,12 @@ LookupFreeMemRegion ( StartPageIndex = RT_SIZE_TO_PAGES (mRTPageTable->LastEmptyPageOffset); ReqPages = RT_SIZE_TO_PAGES (AllocationSize); + if (ReqPages > mRTPageTable->PageCount) { + // + // No enough region for object allocation. + // + return (UINTN)(-1); + } // // Look up the free memory region with in current memory map table. @@ -176,6 +182,12 @@ LookupFreeMemRegion ( // Look up the free memory region from the beginning of the memory table // until the StartCursorOffset // + if (ReqPages > StartPageIndex) { + // + // No enough region for object allocation. + // + return (UINTN)(-1); + } for (Index = 0; Index < (StartPageIndex - ReqPages); ) { // // Check Consecutive ReqPages Pages. -- 2.16.1.windows.1