From: "Pedro Falcato" <pedro.falcato@gmail.com>
To: devel@edk2.groups.io
Cc: Pedro Falcato, Savva Mitrofanov, Marvin Häuser
Subject: [PATCH 1/3] Ext4Pkg: Fix out-of-bounds read in Ext4ReadDir
Date: Wed, 11 Jan 2023 23:59:17 +0000
Message-Id: <20230111235920.252317-3-pedro.falcato@gmail.com>
In-Reply-To: <20230111235920.252317-1-pedro.falcato@gmail.com>

Fix an out-of-bounds read inside CompareMem() when checking for "." or ".." by explicitly bounding name_len to [0, 2] beforehand.

Reported-by: Savva Mitrofanov
Fixes: 45e37d8533ca8 ("Ext4Pkg: Hide "." and ".." entries from Read() callers.")
Cc: Marvin Häuser
Signed-off-by: Pedro Falcato
---
 Features/Ext4Pkg/Ext4Dxe/Directory.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dxe/Directory.c
index 4441e6d192b6..6ed664fc632f 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Directory.c
+++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c
@@ -491,12 +491,14 @@ Ext4ReadDir ( // or a checksum at the end of the directory block. // memcmp (and CompareMem) return 0 when the passed length is 0. - IsDotOrDotDot = Entry.name_len != 0 && - (CompareMem (Entry.name, ".", Entry.name_len) == 0 || - CompareMem (Entry.name, "..", Entry.name_len) == 0); + // We must bound name_len as > 0 and <= 2 to avoid any out-of-bounds accesses or bad detection of + // "." and "..". + IsDotOrDotDot = Entry.name_len > 0 && Entry.name_len <= 2 && + CompareMem (Entry.name, "..", Entry.name_len) == 0; - // When inode = 0, it's unused. - ShouldSkip = Entry.inode == 0 || IsDotOrDotDot; + // When inode = 0, it's unused. When name_len == 0, it's a nameless entry + // (which we should not expose to ReadDir). + ShouldSkip = Entry.inode == 0 || Entry.name_len == 0 || IsDotOrDotDot; if (ShouldSkip) { Offset += Entry.rec_len; -- 2.39.0
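Review bot: the ShouldSkip change at the end of the hunk is a behaviour change the commit message does not mention: an entry with inode != 0 and name_len == 0 was previously returned to Read() callers and is now skipped, which is reasonable but deserves a sentence in the message (or its own patch), since the subject only promises an out-of-bounds-read fix. The new IsDotOrDotDot also relies on "." being a prefix of "..", so that the single CompareMem (Entry.name, "..", Entry.name_len) with name_len in {1, 2} matches both names and nothing else; the comment above it explains the bounding but not why one comparison suffices, so consider spelling that out, e.g. // "." is a prefix of "..", so one compare with name_len in [1, 2] covers both.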
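The check described in the commit message, as an added stand-alone example that is not part of this patch or of Ext4Pkg: it carries the pre-patch predicate as a comment (it must not be executed, because with name_len > 2 it reads past the "." and ".." literals), implements the bounded predicate and the new skip rule with the same shape as the hunk, and walks a constructed directory table to show which entries a Read() caller would see. Assumptions: the DirEntry struct is a simplified stand-in with a fixed 255-byte name buffer rather than the Ext4Pkg on-disk layout, memcmp stands in for CompareMem, and the sample entries are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified stand-in for an ext4 linear directory entry. This is an
 * assumption for the example, not the Ext4Pkg definition: on disk the name
 * is variable-length and followed by the next entry; here it gets a fixed
 * 255-byte buffer, the ext4 maximum name length, so a one-byte name_len can
 * never index past it.
 */
typedef struct {
  uint32_t inode;      /* 0 means the slot is unused */
  uint16_t rec_len;    /* distance to the next entry on disk (unused here) */
  uint8_t  name_len;   /* number of valid bytes in name, 0..255 */
  uint8_t  file_type;
  char     name[255];  /* not NUL-terminated on disk */
} DirEntry;

/*
 * The pre-patch predicate, reproduced only as a comment: with name_len > 2
 * it hands memcmp a length longer than the "." (2 bytes) or ".." (3 bytes)
 * literal, so the comparison reads past the end of the literal.
 *
 *   name_len != 0 && (memcmp (name, ".", name_len) == 0 ||
 *                     memcmp (name, "..", name_len) == 0)
 */

/*
 * Bounded predicate with the same shape as the patched Ext4ReadDir check.
 * name_len is restricted to 1 or 2 before memcmp sees it, and because "." is
 * a prefix of "..", one compare against ".." with length name_len matches
 * "." (length 1) and ".." (length 2) and nothing else.
 */
bool IsDotOrDotDot(const char *name, uint8_t name_len) {
  return name_len > 0 && name_len <= 2 && memcmp(name, "..", name_len) == 0;
}

/* Skip rule after the patch: unused slot, nameless entry, or "." / "..". */
bool ShouldSkip(uint32_t inode, const char *name, uint8_t name_len) {
  return inode == 0 || name_len == 0 || IsDotOrDotDot(name, name_len);
}

/* Builds an entry from a C string; name_len is the string length (capped). */
DirEntry MakeEntry(uint32_t inode, const char *name) {
  DirEntry e;
  memset(&e, 0, sizeof e);
  size_t len = strlen(name);
  if (len > sizeof e.name) len = sizeof e.name;
  e.inode = inode;
  e.name_len = (uint8_t)len;
  memcpy(e.name, name, len);
  return e;
}

/* Counts the entries of a table that a Read() caller would be shown. */
size_t CountVisible(const DirEntry *entries, size_t count) {
  size_t visible = 0;
  for (size_t i = 0; i < count; i++) {
    if (!ShouldSkip(entries[i].inode, entries[i].name, entries[i].name_len)) {
      visible++;
    }
  }
  return visible;
}

/*
 * Constructed sample directory (not real on-disk data). ".hidden" and "..x"
 * are the kind of names that fed an over-long length into the old compare;
 * ".a" checks that a 2-byte name other than ".." is not swallowed.
 */
size_t SampleVisibleCount(void) {
  DirEntry dir[] = {
    MakeEntry(2, "."),        /* skipped: "." */
    MakeEntry(2, ".."),       /* skipped: ".." */
    MakeEntry(11, ".hidden"), /* visible */
    MakeEntry(12, "..x"),     /* visible */
    MakeEntry(13, ".a"),      /* visible */
    MakeEntry(0, "stale"),    /* skipped: unused slot (inode 0) */
    MakeEntry(14, ""),        /* skipped: nameless entry */
    MakeEntry(15, "file.txt") /* visible */
  };
  return CountVisible(dir, sizeof dir / sizeof dir[0]);
}

int main(void) {
  printf("visible entries: %zu\n", SampleVisibleCount());
  return 0;
}
```

The sample table exercises every branch of the skip rule; four entries (".hidden", "..x", ".a" and "file.txt") survive, and no length larger than 2 ever reaches memcmp.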