From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ting.ye@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=134.134.136.100; helo=mga07.intel.com;
 envelope-from=ting.ye@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 4067B2117B56A
 for <edk2-devel@lists.01.org>; Thu, 25 Oct 2018 17:50:08 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51])
 by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 25 Oct 2018 17:50:08 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,426,1534834800"; d="scan'208";a="85670300"
Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202])
 by orsmga006.jf.intel.com with ESMTP; 25 Oct 2018 17:50:08 -0700
Received: from fmsmsx116.amr.corp.intel.com (10.18.116.20) by
 fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Thu, 25 Oct 2018 17:50:08 -0700
Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by
 fmsmsx116.amr.corp.intel.com (10.18.116.20) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Thu, 25 Oct 2018 17:50:08 -0700
Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.161]) by
 SHSMSX152.ccr.corp.intel.com ([169.254.6.214]) with mapi id 14.03.0415.000;
 Fri, 26 Oct 2018 08:50:06 +0800
From: "Ye, Ting" <ting.ye@intel.com>
To: "Long, Qin" <qin.long@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
Thread-Topic: [edk2] [PATCH] CryptoPkg/BaseCryptLib: Fix potential integer
 overflow issue.
Thread-Index: AQHUa5yg+ByvGJlrS0Gm69DzqPqGBKUwtF/Q
Date: Fri, 26 Oct 2018 00:50:05 +0000
Message-ID: <BC0C045B0E2A584CA4575E779FA2C12A1AB584FD@SHSMSX103.ccr.corp.intel.com>
References: <20181024132202.10596-1-qin.long@intel.com>
In-Reply-To: <20181024132202.10596-1-qin.long@intel.com>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH] CryptoPkg/BaseCryptLib: Fix potential integer overflow issue.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2018 00:50:09 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Ye Ting <ting.ye@intel.com>=20

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Long=
 Qin
Sent: Wednesday, October 24, 2018 9:22 PM
To: edk2-devel@lists.01.org
Cc: Ye, Ting <ting.ye@intel.com>
Subject: [edk2] [PATCH] CryptoPkg/BaseCryptLib: Fix potential integer overf=
low issue.

The LookupFreeMemRegion() in RuntimeMemAllocate.c is used to look-up free m=
emory region for runtime resource allocation, which was designed to support=
 runtime authenticated variable service.
The direct offset subtractions in this function may bring possible integer =
overflow issue.

This patch is to add the extra parameter checks to remove this possible ove=
rflow risk.

Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Long Qin <qin.long@intel.com>
---
 .../Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c    | 14 ++++++++++=
+++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c =
b/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c
index 463f2bf855..92bb9ddccd 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c
@@ -2,7 +2,7 @@
   Light-weight Memory Management Routines for OpenSSL-based Crypto
   Library at Runtime Phase.
=20
-Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials  are licensed and made availab=
le under the terms and conditions of the BSD License  which accompanies thi=
s distribution.  The full text of the license may be found at @@ -141,6 +14=
1,12 @@ LookupFreeMemRegion (
=20
   StartPageIndex =3D RT_SIZE_TO_PAGES (mRTPageTable->LastEmptyPageOffset);
   ReqPages       =3D RT_SIZE_TO_PAGES (AllocationSize);
+  if (ReqPages > mRTPageTable->PageCount) {
+    //
+    // No enough region for object allocation.
+    //
+    return (UINTN)(-1);
+  }
=20
   //
   // Look up the free memory region with in current memory map table.
@@ -176,6 +182,12 @@ LookupFreeMemRegion (
   // Look up the free memory region from the beginning of the memory table
   // until the StartCursorOffset
   //
+  if (ReqPages > StartPageIndex) {
+    //
+    // No enough region for object allocation.
+    //
+    return (UINTN)(-1);
+  }
   for (Index =3D 0; Index < (StartPageIndex - ReqPages); ) {
     //
     // Check Consecutive ReqPages Pages.
--
2.16.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel