From: Ard Biesheuvel
Date: Mon, 14 Jan 2019 19:48:37 +0100
To: Leif Lindholm
Cc: "edk2-devel@lists.01.org"
Subject: Re: [PATCH 1/5] ArmPkg/ArmMmuLib AARCH64: fix out of bounds access

On Mon, 14 Jan 2019 at 13:00, Leif Lindholm wrote:
>
> On Mon, Jan 07, 2019 at 08:15:00AM +0100, Ard Biesheuvel wrote:
> > Take care not to dereference BlockEntry if it may be pointing past
> > the end of the page table we are manipulating. It is only a read,
> > and thus harmless, but HeapGuard triggers on it so let's fix it.
> >
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Ard Biesheuvel
>
> Reviewed-by: Leif Lindholm
>

Thanks

Pushed as d08575759e5a..76c23f9e0d0d

> > --- > > ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c > > index e41044142ef4..d66df3e17a02 100644 > > --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c > > +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c > > @@ -382,7 +382,7 @@ UpdateRegionMapping ( > > > > // Break the inner loop when next block is a table > > // Rerun GetBlockEntryListFromAddress to avoid page table memory leak > > - if (TableLevel != 3 && > > + if (TableLevel != 3 && BlockEntry <= LastBlockEntry && > > (*BlockEntry & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) { > > break; > > } > > -- > > 2.20.1 > >
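Review bot: The added `BlockEntry <= LastBlockEntry` test in the `if` condition protects the `*BlockEntry` read only because `&&` evaluates it before the dereference, and the two comment lines above it still describe just the table-entry case. Consider extending that comment to say that BlockEntry may point past the end of the page table at this point and that the bound check has to stay ahead of the dereference, so a later reordering of the condition does not bring back the read that HeapGuard reports.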