From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ard.biesheuvel@linaro.org>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=2a00:1450:4864:20::542; helo=mail-ed1-x542.google.com;
 envelope-from=ard.biesheuvel@linaro.org; receiver=edk2-devel@lists.01.org 
Received: from mail-ed1-x542.google.com (mail-ed1-x542.google.com
 [IPv6:2a00:1450:4864:20::542])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 6AE8A2119BAC9
 for <edk2-devel@lists.01.org>; Sun,  6 Jan 2019 23:15:23 -0800 (PST)
Received: by mail-ed1-x542.google.com with SMTP id h15so36914273edb.4
 for <edk2-devel@lists.01.org>; Sun, 06 Jan 2019 23:15:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=+JQ5h+H2sJsTteMl/P7k20Nphsv7LpnL8o5lHwa1T0E=;
 b=QLBhAPaRED8TJTAemSynMv55TtFjs/zTXn0d+3chJqVhn52tAprbikvRcqBRRQthzo
 Xks42f0Ua/pFhtygey6A+G8wuaCsii9Sn3PCp/mtehi1FvVXq5uSLT8X/yO8GvRvTvtY
 WIT3ktFmKBB2GVeQjjnkTH0xUukqnMW/WTDa8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=+JQ5h+H2sJsTteMl/P7k20Nphsv7LpnL8o5lHwa1T0E=;
 b=TXYK3pKVLRfd/d01BUdovhi3c6ZPTsiNcIQwD5zkYtwhl3Oy/jEX/fBuQV/74xQuSn
 CeGC1XhY+6Aski5QIdE/YhVWQxlgUyDa1EV6ky65YUAEIV21ztRG4Sdmdzyi1yVs6uRg
 0DiBAwWugfb9cSdDiCChGr/RmJUP1z6YKTfpTq2QCCr+VOo6iJD6HdK9jNKzy+Nbjnme
 bHBTBRJinGYUlMMb0ItZf8o33PXgSfPFla1O9K6EZahGDMY+gbi8wN0LfXTy4+qRlGFr
 +/MaDcMJkKjm1AY/31tm31Cpu6vhFaZs+zN2cbnSNb4QBFy7n50RD0E+G4QVVSERWxWm
 rzlg==
X-Gm-Message-State: AA+aEWZxy+/I6mP7gKOXFAKCJvICmAZHGj7qy96TEBajj8nFtuzVpYjY
 NSKaXHv/ZGX9/SGpY/0bpEV+W++4AxVthg==
X-Google-Smtp-Source: AFSGD/W5Dio8NrWtTdzgqzKR44xBERWDonhJFGF1p0ylt+ROhviYwlB0hYrjbDa61ceJDXyu0M4gjA==
X-Received: by 2002:a50:d085:: with SMTP id v5mr54147843edd.61.1546845321662; 
 Sun, 06 Jan 2019 23:15:21 -0800 (PST)
Received: from chuckie.home ([2a01:cb1d:112:6f00:58f2:776e:9e23:a7ca])
 by smtp.gmail.com with ESMTPSA id t9sm30263693edd.25.2019.01.06.23.15.20
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sun, 06 Jan 2019 23:15:20 -0800 (PST)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: edk2-devel@lists.01.org
Date: Mon,  7 Jan 2019 08:15:00 +0100
Message-Id: <20190107071504.2431-2-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
References: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
MIME-Version: 1.0
Subject: [PATCH 1/5] ArmPkg/ArmMmuLib AARCH64: fix out of bounds access
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 07:15:23 -0000
Content-Transfer-Encoding: 8bit

Take care not to dereference BlockEntry if it may be pointing past
the end of the page table we are manipulating. It is only a read,
and thus harmless, but HeapGuard triggers on it so let's fix it.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
index e41044142ef4..d66df3e17a02 100644
--- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
+++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
@@ -382,7 +382,7 @@ UpdateRegionMapping (
 
       // Break the inner loop when next block is a table
       // Rerun GetBlockEntryListFromAddress to avoid page table memory leak
-      if (TableLevel != 3 &&
+      if (TableLevel != 3 && BlockEntry <= LastBlockEntry &&
           (*BlockEntry & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) {
             break;
       }
-- 
2.20.1