From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <hao.a.wu@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.93; helo=mga11.intel.com; envelope-from=hao.a.wu@intel.com;
 receiver=edk2-devel@lists.01.org 
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id E28C02117B576
 for <edk2-devel@lists.01.org>; Mon, 29 Oct 2018 18:26:20 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
 by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 29 Oct 2018 18:26:20 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,442,1534834800"; d="scan'208";a="104364491"
Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.9])
 by orsmga002.jf.intel.com with ESMTP; 29 Oct 2018 18:26:19 -0700
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Leif Lindholm <leif.lindholm@linaro.org>,
 Ruiyu Ni <ruiyu.ni@intel.com>
Date: Tue, 30 Oct 2018 09:26:14 +0800
Message-Id: <20181030012617.5040-1-hao.a.wu@intel.com>
X-Mailer: git-send-email 2.12.0.windows.1
Subject: [PATCH v3 0/3] UdfDxe: Additional checks for ResolveSymlink()
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Oct 2018 01:26:21 -0000

V3 changes:

According to Leif's recommendation, split the original patch into 3
seperate ones.

Since there is no code changes compared with the V2 of the patch, I just
preserved the 'Reviewed-by' tags by Paulo and Star.

V2 history:

Refine type C check (refer to V1 history below) to eliminate the
unnecessary CopyMem() call.

V1 history:

The commit will add 3 types of checks for function ResolveSymlink():

A. Check for the value of 'Component Type' field within a Path Component

According to the ECMA-167 standard (3rd Edition - June 1997), Section
14.16.1.1, valid values are 1 to 5. All other values will be treated as a
corrupted volume.

B. Check for the content pointed by 'File'

Since content within 'File' is the output data for ResolveSymlink().
Checks is added to ensure the content in 'File' is valid. Otherwise,
possible null pointer dereference issue will occur during the subsequent
usage of the data returned by ResolveSymlink().

C. Check for possible memory double free/use after free case

For codes:

    if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
                    sizeof (UDF_FILE_INFO)) != 0) {
      CleanupFileInformation (&PreviousFile);
    }

    CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));

If the contents in 'PreviousFile' and 'File' are the same, call to
"CleanupFileInformation (&PreviousFile);" will free the buffers in 'File'
as well. This will lead to potential memory double free/use after free
issues.

Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>

Hao Wu (3):
  MdeModulePkg/UdfDxe: Check 'Component Type' within a Path Component
  MdeModulePkg/UdfDxe: Content check for 'File' in ResolveSymlink()
  MdeModulePkg/UdfDxe: Memory free/use after free in ResolveSymlink()

 MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 38 ++++++++++++++++++--
 1 file changed, 35 insertions(+), 3 deletions(-)

-- 
2.12.0.windows.1