From: Hao Wu
To: edk2-devel@lists.01.org
Cc: Hao Wu, Leif Lindholm, Ruiyu Ni
Date: Tue, 30 Oct 2018 09:26:16 +0800
Message-Id: <20181030012617.5040-3-hao.a.wu@intel.com>
In-Reply-To: <20181030012617.5040-1-hao.a.wu@intel.com>
Subject: [PATCH v3 2/3] MdeModulePkg/UdfDxe: Content check for 'File' in ResolveSymlink()

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1279

The content within 'File' is the output data for ResolveSymlink().

This commit will add checks to ensure the content in 'File' is valid. Otherwise, possible null pointer dereference issue will occur during the subsequent usage of the data returned by ResolveSymlink().

Cc: Leif Lindholm
Cc: Ruiyu Ni
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu Reviewed-by: Paulo Alcantara Reviewed-by: Star Zeng --- MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c index c15741a032..2227f10d07 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c @@ -2145,6 +2145,8 @@ ResolveSymlink ( UINT8 CompressionId; UDF_FILE_INFO PreviousFile; + ZeroMem ((VOID *)File, sizeof (UDF_FILE_INFO)); + // // Symlink files on UDF volumes do not contain so much data other than // Path Components which resolves to real filenames, so it's OK to read in @@ -2288,6 +2290,14 @@ ResolveSymlink ( break; } + // + // Check the content in the file info pointed by File. + // + if ((File->FileEntry == NULL) || (File->FileIdentifierDesc == NULL)) { + Status = EFI_VOLUME_CORRUPTED; + goto Error_Find_File; + } + if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent, sizeof (UDF_FILE_INFO)) != 0) { CleanupFileInformation (&PreviousFile); @@ -2301,6 +2311,13 @@ ResolveSymlink ( // FreePool (ReadFileInfo.FileData); + // + // Check the content in the resolved file info. + // + if ((File->FileEntry == NULL) || (File->FileIdentifierDesc == NULL)) { + return EFI_VOLUME_CORRUPTED; + } + return EFI_SUCCESS; Error_Find_File: -- 2.12.0.windows.1
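Review bot: In the first hunk (@@ -2145), `ZeroMem ((VOID *)File, sizeof (UDF_FILE_INFO));` writes through File before anything visible in the hunk validates the pointer, and it discards whatever the caller's structure held. Suggest an `ASSERT (File != NULL)` (or the function's usual parameter check) ahead of it, plus a line in the function header comment stating that File is cleared on entry, so callers know not to pass a structure that still owns FileEntry or FileIdentifierDesc buffers.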
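Review bot: In the second hunk (@@ -2288), the condition is an OR, so the `goto Error_Find_File` path can be taken while one of File->FileEntry and File->FileIdentifierDesc is still non-NULL, and it is taken before the `CleanupFileInformation (&PreviousFile)` call in the context lines that follow. Please confirm that the Error_Find_File label releases both the surviving member of File and PreviousFile on this path; if it does not, free them before the goto so a corrupted volume cannot leak pool memory on every failed lookup.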
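Review bot: In the third hunk (@@ -2301), the bare `return EFI_VOLUME_CORRUPTED;` skips any cleanup, unlike the earlier check in this patch, which exits through Error_Find_File. Because the condition is an OR, File can be handed back with one allocated member alongside an error status, and a caller that only cleans up on success would leak it. Suggest releasing and clearing File's members before returning, and extending the comment to say which case this check covers that the earlier one does not (for example, File still being the zeroed structure from the top of the function).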