Date: Mon, 14 Jan 2019 12:00:31 +0000
From: Leif Lindholm
To: Ard Biesheuvel
Cc: edk2-devel@lists.01.org
Subject: Re: [PATCH 1/5] ArmPkg/ArmMmuLib AARCH64: fix out of bounds access
Message-ID: <20190114120031.5vectitph267ydz6@bivouac.eciton.net>
In-Reply-To: <20190107071504.2431-2-ard.biesheuvel@linaro.org>
References: <20190107071504.2431-1-ard.biesheuvel@linaro.org> <20190107071504.2431-2-ard.biesheuvel@linaro.org>
List-Id: EDK II Development

On Mon, Jan 07, 2019 at 08:15:00AM +0100, Ard Biesheuvel wrote:
> Take care not to dereference BlockEntry if it may be pointing past
> the end of the page table we are manipulating. It is only a read,
> and thus harmless, but HeapGuard triggers on it so let's fix it.
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ard Biesheuvel

Reviewed-by: Leif Lindholm

> ---
>  ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
> index e41044142ef4..d66df3e17a02 100644
> --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
> +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
> @@ -382,7 +382,7 @@ UpdateRegionMapping ( > > // Break the inner loop when next block is a table > // Rerun GetBlockEntryListFromAddress to avoid page table memory leak > - if (TableLevel != 3 && > + if (TableLevel != 3 && BlockEntry <= LastBlockEntry && > (*BlockEntry & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) { > break; > } > -- > 2.20.1 >
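Review bot: the added `BlockEntry <= LastBlockEntry` operand must stay ahead of `(*BlockEntry & TT_TYPE_MASK)` in the `&&` chain, because only short-circuit evaluation keeps the read from happening once BlockEntry has been advanced to one past the last entry of the table; a later reordering of the condition for style would silently reintroduce the out-of-bounds read. The comment above the condition ("Break the inner loop when next block is a table") now describes only half of the check; suggest extending it with one line such as `// BlockEntry may already point past the end of the table here, so check the bound before reading it`, so the reason for the bound lives next to the code rather than only in the commit message.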