From: "Savva Mitrofanov"
To: devel@edk2.groups.io
Cc: Marvin Häuser, Pedro Falcato, Vitaly Cheptsov
Subject: [edk2-platforms][PATCH v1 03/12] Ext4Pkg: Fix global buffer overflow in Ext4ReadDir
Date: Fri, 9 Dec 2022 22:10:55 +0600
Message-Id: <20221209161104.70220-4-savvamtr@gmail.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221209161104.70220-1-savvamtr@gmail.com>
References: <20221209161104.70220-1-savvamtr@gmail.com>

Directory entry structure can contain name_len bigger than size of "." or "..", that's why CompareMem in such cases leads to global buffer overflow. So there are two problems. The first is that the statement doesn't check cases when name_len != 0 but > 2, and the second is that we are passing big Length to CompareMem routine. The correct way here is to check that name_len <= 2 and check for null-terminator presence.

Cc: Marvin Häuser
Cc: Pedro Falcato
Cc: Vitaly Cheptsov
Signed-off-by: Savva Mitrofanov
---
 Features/Ext4Pkg/Ext4Dxe/Directory.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dxe/Directory.c
index 8b8fce568e43..ffc0e8043076 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Directory.c
+++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c
@@ -491,11 +491,9 @@ Ext4ReadDir ( =0D // Entry.name_len may be 0 if it's a nameless entry, like an unused en= try=0D // or a checksum at the end of the directory block.=0D - // memcmp (and CompareMem) return 0 when the passed length is 0.=0D -=0D - IsDotOrDotDot =3D Entry.name_len !=3D 0 &&=0D - (CompareMem (Entry.name, ".", Entry.name_len) =3D=3D 0= ||=0D - CompareMem (Entry.name, "..", Entry.name_len) =3D=3D = 0);=0D + IsDotOrDotDot =3D Entry.name_len <=3D 2 &&=0D + ((Entry.name[0] =3D=3D '.') &&=0D + (Entry.name[1] =3D=3D '.' || Entry.name[1] =3D=3D '\0= '));=0D =0D // When inode =3D 0, it's unused.=0D ShouldSkip =3D Entry.inode =3D=3D 0 || IsDotOrDotDot;=0D --=20 2.38.1
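Review bot: the replacement condition no longer uses name_len to tell "." from "..", and the `Entry.name[1] == '\0'` test assumes a terminator that the on-disk ext4 directory entry does not provide (the name is exactly name_len bytes with no NUL; whatever follows is other block content). A one-byte "." entry whose next byte is stale data is therefore not recognised, while a name_len == 0 entry (the nameless/checksum case the comment kept above this hunk still describes) is now inspected even though the `Entry.name_len != 0 &&` guard was removed. Suggest tying the comparison to the length so it never reads past name_len or past the literals, which is the overrun the commit message is fixing: `IsDotOrDotDot = (Entry.name_len == 1 && Entry.name[0] == '.') || (Entry.name_len == 2 && Entry.name[0] == '.' && Entry.name[1] == '.');`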
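As an added example (not code from this patch or from Ext4Pkg), here is a length-bounded form of the dot-entry check the commit message calls for, run over a constructed ext4 directory block whose names are followed by stale bytes rather than NULs, so that neither the literals nor the name bytes are ever read past their length; the DirEntryView type, ParseEntry, IsDotOrDotDot and SkipMask are hypothetical names chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* View of one on-disk ext4 directory entry: little-endian header, then name_len
 * name bytes with no NUL terminator. Hypothetical type; Ext4Pkg has its own. */
typedef struct {
  uint32_t inode;
  uint16_t rec_len;
  uint8_t  name_len;
  const uint8_t *name;   /* points into the block, exactly name_len bytes */
} DirEntryView;

/* Parse the entry at byte offset off; false if header or name leaves the block. */
static bool ParseEntry(const uint8_t *blk, size_t len, size_t off, DirEntryView *e) {
  if (len < 8 || off > len - 8) return false;
  e->inode    = (uint32_t)blk[off] | (uint32_t)blk[off + 1] << 8 |
                (uint32_t)blk[off + 2] << 16 | (uint32_t)blk[off + 3] << 24;
  e->rec_len  = (uint16_t)(blk[off + 4] | blk[off + 5] << 8);
  e->name_len = blk[off + 6];          /* blk[off + 7] is file_type, unused here */
  e->name     = blk + off + 8;
  return e->rec_len >= 8u + e->name_len && off + e->rec_len <= len;
}

/* Length-bounded "." / ".." test: only name_len bytes are read, so nothing runs
 * past the 1- and 2-byte literals, name_len == 0 (nameless or checksum entry)
 * is never a dot entry, and stale bytes after the name are ignored. */
static bool IsDotOrDotDot(const DirEntryView *e) {
  if (e->name_len == 1) return e->name[0] == '.';
  if (e->name_len == 2) return e->name[0] == '.' && e->name[1] == '.';
  return false;
}

/* Constructed block: ".", "..", ".ab", then a nameless inode-0 tail entry;
 * the 'X' bytes are stale padding after each name, not terminators. */
static const uint8_t kBlock[48] = {
  2,0,0,0,  12,0, 1,2, '.','X','X','X',
  2,0,0,0,  12,0, 2,2, '.','.','X','X',
  12,0,0,0, 12,0, 3,1, '.','a','b','X',
  0,0,0,0,  12,0, 0,0, '.','.','X','X',
};

/* Walk the block the way Ext4ReadDir does; bit i of the result is set when
 * entry i would be skipped (inode == 0 or dot entry). -1 on a malformed entry. */
long SkipMask(const uint8_t *blk, size_t len) {
  long mask = 0; int i = 0;
  DirEntryView e;
  for (size_t off = 0; off < len; off += e.rec_len, i++) {
    if (i >= 63 || !ParseEntry(blk, len, off, &e)) return -1;
    if (e.inode == 0 || IsDotOrDotDot(&e)) mask |= 1L << i;
  }
  return mask;
}
```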