diff options
| author | Hao Wu <hao.a.wu@intel.com> | 2018-10-30 09:17:04 +0800 |
|---|---|---|
| committer | Hao Wu <hao.a.wu@intel.com> | 2018-10-31 08:57:04 +0800 |
| commit | 27b9cb33e7437f6aef184c6b2982d004d279cc04 (patch) | |
| tree | 0190735399495bad095c9ddca71dbd247fab5d91 /MdeModulePkg/Universal/Disk | |
| parent | bfb8c64cbf6a4604b1a69de8e274cce7f0a678dc (diff) | |
| download | edk2-27b9cb33e7437f6aef184c6b2982d004d279cc04.zip edk2-27b9cb33e7437f6aef184c6b2982d004d279cc04.tar.gz edk2-27b9cb33e7437f6aef184c6b2982d004d279cc04.tar.bz2 | |
MdeModulePkg/UdfDxe: Memory free/use after free in ResolveSymlink()
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1279
For function ResolveSymlink(), the below codes:
if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
sizeof (UDF_FILE_INFO)) != 0) {
CleanupFileInformation (&PreviousFile);
}
CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));
If the contents in 'PreviousFile' and 'File' are the same, call to
"CleanupFileInformation (&PreviousFile);" will free the buffers in 'File'
as well. This will lead to potential memory double free/use after free
issues.
This commit will add additional check to address the above issue.
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Diffstat (limited to 'MdeModulePkg/Universal/Disk')
| -rw-r--r-- | MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c index 14b1dea..d38b6c9 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c @@ -2144,6 +2144,8 @@ ResolveSymlink ( UINTN Index;
UINT8 CompressionId;
UDF_FILE_INFO PreviousFile;
+ BOOLEAN NotParent;
+ BOOLEAN NotFile;
ZeroMem ((VOID *)File, sizeof (UDF_FILE_INFO));
@@ -2298,12 +2300,18 @@ ResolveSymlink ( goto Error_Find_File;
}
- if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
- sizeof (UDF_FILE_INFO)) != 0) {
+ NotParent = (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
+ sizeof (UDF_FILE_INFO)) != 0);
+ NotFile = (CompareMem ((VOID *)&PreviousFile, (VOID *)File,
+ sizeof (UDF_FILE_INFO)) != 0);
+
+ if (NotParent && NotFile) {
CleanupFileInformation (&PreviousFile);
}
- CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));
+ if (NotFile) {
+ CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));
+ }
}
//
|