From: Long Qin <qin.long@intel.com>
To: edk2-devel@lists.01.org
Cc: Ye Ting <ting.ye@intel.com>, Laszlo Ersek <lersek@redhat.com>
Subject: [PATCH v2] CryptoPkg/BaseCryptLib: Fix potential integer overflow issue.
Date: Thu, 25 Oct 2018 23:21:05 +0800 [thread overview]
Message-ID: <20181025152105.2596-1-qin.long@intel.com> (raw)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1275
The LookupFreeMemRegion() in RuntimeMemAllocate.c is used to look-up
free memory region for runtime resource allocation, which was designed
to support runtime authenticated variable service.
The ReqPages in this function is the required pages to be allocated,
which depends on the malloc() call in internal OpenSSL routines. The
direct offset subtractions on ReqPages may bring possible integer
overflow issue.
This patch is to add the extra parameter checks to remove this possible
overflow risk.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Long Qin <qin.long@intel.com>
---
.../Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c b/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c
index 463f2bf855..92bb9ddccd 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c
@@ -2,7 +2,7 @@
Light-weight Memory Management Routines for OpenSSL-based Crypto
Library at Runtime Phase.
-Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -141,6 +141,12 @@ LookupFreeMemRegion (
StartPageIndex = RT_SIZE_TO_PAGES (mRTPageTable->LastEmptyPageOffset);
ReqPages = RT_SIZE_TO_PAGES (AllocationSize);
+ if (ReqPages > mRTPageTable->PageCount) {
+ //
+ // No enough region for object allocation.
+ //
+ return (UINTN)(-1);
+ }
//
// Look up the free memory region with in current memory map table.
@@ -176,6 +182,12 @@ LookupFreeMemRegion (
// Look up the free memory region from the beginning of the memory table
// until the StartCursorOffset
//
+ if (ReqPages > StartPageIndex) {
+ //
+ // No enough region for object allocation.
+ //
+ return (UINTN)(-1);
+ }
for (Index = 0; Index < (StartPageIndex - ReqPages); ) {
//
// Check Consecutive ReqPages Pages.
--
2.16.1.windows.2
reply other threads:[~2018-10-25 15:21 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181025152105.2596-1-qin.long@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox