From: "Savva Mitrofanov" <savvamtr@gmail.com>
To: devel@edk2.groups.io
Cc: Marvin Häuser, Pedro Falcato, Vitaly Cheptsov
Subject: [edk2-platforms][PATCH v2 03/11] Ext4Pkg: Fix global buffer overflow in Ext4ReadDir
Date: Mon, 12 Dec 2022 20:46:46 +0600
Message-Id: <20221212144654.2650-4-savvamtr@gmail.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221212144654.2650-1-savvamtr@gmail.com>
References: <20221212144654.2650-1-savvamtr@gmail.com>

Directory entry structure can contain name_len bigger than size of "." or "..", that's why CompareMem in such cases leads to global buffer overflow. So there are two problems. The first is that the statement doesn't check cases when name_len != 0 but > 2, and the second is that we are passing a big Length to the CompareMem routine. The correct way here is to check that name_len <= 2 and check for null-terminator presence.

Cc: Marvin Häuser
Cc: Pedro Falcato
Cc: Vitaly Cheptsov
Fixes: e55f0527dde48a5f139c1b8f35acc4e6b59dd794
Signed-off-by: Savva Mitrofanov
---
 Features/Ext4Pkg/Ext4Dxe/Directory.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dxe/Directory.c
index 8b8fce568e43..ffc0e8043076 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Directory.c
+++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c
@@ -491,11 +491,9 @@ Ext4ReadDir ( =0D // Entry.name_len may be 0 if it's a nameless entry, like an unused en= try=0D // or a checksum at the end of the directory block.=0D - // memcmp (and CompareMem) return 0 when the passed length is 0.=0D -=0D - IsDotOrDotDot =3D Entry.name_len !=3D 0 &&=0D - (CompareMem (Entry.name, ".", Entry.name_len) =3D=3D 0= ||=0D - CompareMem (Entry.name, "..", Entry.name_len) =3D=3D = 0);=0D + IsDotOrDotDot =3D Entry.name_len <=3D 2 &&=0D + ((Entry.name[0] =3D=3D '.') &&=0D + (Entry.name[1] =3D=3D '.' || Entry.name[1] =3D=3D '\0= '));=0D =0D // When inode =3D 0, it's unused.=0D ShouldSkip =3D Entry.inode =3D=3D 0 || IsDotOrDotDot;=0D --=20 2.38.1
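Review bot: the replacement condition still reads Entry.name[0] and Entry.name[1] for every entry with name_len <= 2, including name_len == 0, which the comment kept just above this hunk describes as a legitimate nameless entry (an unused slot or the checksum at the end of the block); and because on-disk ext4 names are not NUL-terminated, for a name_len == 1 entry "." the byte at name[1] is padding that is not guaranteed to be '\0', so the new test can fail to recognise "." and list it. Drive the test by name_len alone, e.g. `(Entry.name_len == 1 && Entry.name[0] == '.') || (Entry.name_len == 2 && Entry.name[0] == '.' && Entry.name[1] == '.')`, which reads no byte outside the name, makes a zero name_len never match (the intent of the removed memcmp comment) and needs no CompareMem against a fixed-size literal.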
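An added example, not part of this patch or of the Ext4Pkg sources, that walks a constructed ext4 directory block with a "." / ".." test driven by name_len alone, so neither a fixed-size literal nor any byte past the name is ever read, and that rejects an entry whose name_len does not fit its rec_len before comparing anything. The entry layout follows the on-disk ext4_dir_entry_2 format; the function names, the DirEntry type and the sample bytes are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* On-disk ext4_dir_entry_2: inode(4) rec_len(2) name_len(1) file_type(1) name[name_len], little-endian.
   Names are NOT NUL-terminated: only the first name_len bytes of name are meaningful. */
#define EXT4_DIRENT_HDR 8
typedef struct { uint32_t inode; uint16_t rec_len; uint8_t name_len, file_type; char name[255]; } DirEntry;
/* "." / ".." test driven by name_len alone: it reads no byte past the name and no fixed-size literal. */
bool IsDotOrDotDot(const DirEntry *e) {
  if (e->name_len == 1) return e->name[0] == '.';
  if (e->name_len == 2) return e->name[0] == '.' && e->name[1] == '.';
  return false;
}
/* Decode the entry at off; returns its rec_len, or 0 if the header or the name would overrun the block. */
size_t ParseEntry(const uint8_t *blk, size_t blk_len, size_t off, DirEntry *out) {
  if (off > blk_len || blk_len - off < EXT4_DIRENT_HDR) return 0;
  const uint8_t *p = blk + off;
  out->inode = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
  out->rec_len = (uint16_t)(p[4] | p[5] << 8);
  out->name_len = p[6];
  out->file_type = p[7];
  /* name_len is attacker-controlled on-disk data: it must fit inside rec_len, and rec_len inside the block. */
  if (out->rec_len < EXT4_DIRENT_HDR + out->name_len || out->rec_len > blk_len - off) return 0;
  memcpy(out->name, p + EXT4_DIRENT_HDR, out->name_len);
  return out->rec_len;
}
/* Count the entries a directory read reports (unused inode-0 slots, "." and ".." are skipped);
   returns -1 on a malformed block rather than trusting on-disk lengths. */
int CountVisibleEntries(const uint8_t *blk, size_t blk_len) {
  DirEntry e; int n = 0;
  for (size_t off = 0; off < blk_len;) {
    size_t used = ParseEntry(blk, blk_len, off, &e);
    if (used == 0) return -1;
    if (e.inode != 0 && !IsDotOrDotDot(&e)) n++;
    off += used;
  }
  return n;
}
/* Constructed 60-byte block of five 12-byte entries; not taken from a real filesystem. */
static const uint8_t kBlock[60] = {
  2,0,0,0,  12,0, 1,2, '.','z',0,0,    /* "." followed by a non-NUL pad byte */
  2,0,0,0,  12,0, 2,2, '.','.',0,0,    /* ".." */
  12,0,0,0, 12,0, 3,1, '.','.','.',0,  /* "..." is an ordinary name, not ".." */
  0,0,0,0,  12,0, 1,1, 'x',0,0,0,      /* inode 0: unused slot */
  13,0,0,0, 12,0, 2,1, '.','x',0,0,    /* ".x" is an ordinary name */
};
/* name_len 200 cannot fit inside rec_len 12: the entry must be rejected, not compared. */
static const uint8_t kBadBlock[12] = { 14,0,0,0, 12,0, 200,1, 'a','b','c','d' };
```

CountVisibleEntries(kBlock, sizeof kBlock) reports 2 entries ("..." and ".x") and CountVisibleEntries(kBadBlock, sizeof kBadBlock) returns -1.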