author | Hao Wu <hao.a.wu@intel.com> | 2017-12-13 16:28:33 +0800 |
---|---|---|
committer | Hao Wu <hao.a.wu@intel.com> | 2018-10-23 14:23:57 +0800 |
commit | 3b30351b75d70ea65701ac999875fbb81a89a5ca (patch) | |
tree | 35f8787484eb11f0c2d2e0a945b495d8565af631 /MdeModulePkg/Universal/Disk | |
parent | 89f75aa04a97293a8ed9db2a90851a5053730cf5 (diff) | |
MdeModulePkg/UdfDxe: Add boundary check for getting volume (free) size

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

Within GetVolumeSize():
The boundary check will validate the 'NumberOfPartitions' field of a
Logical Volume Integrity Descriptor matches the data within the relating
Logical Volume Descriptor.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>

Diffstat (limited to 'MdeModulePkg/Universal/Disk')
-rw-r--r-- | MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 17 | ||||
-rw-r--r-- | MdeModulePkg/Universal/Disk/UdfDxe/Udf.h | 7 |
2 files changed, 23 insertions, 1 deletions
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c index 359fac0..24fef4e 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c @@ -2533,6 +2533,13 @@ SetFileInfo ( /**
Get volume and free space size information of an UDF volume.
+ @attention This is boundary function that may receive untrusted input.
+ @attention The input is from FileSystem.
+
+ The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are
+ external inputs, so this routine will do basic validation for both descriptors
+ and report status.
+
@param[in] BlockIo BlockIo interface.
@param[in] DiskIo DiskIo interface.
@param[in] Volume UDF volume information structure.
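Review bot: The first added @attention line reads "This is boundary function" and should be "This is a boundary function". The second line, "The input is from FileSystem", is vague about the source; the paragraph beneath it already names the Logical Volume Descriptor and the Logical Volume Integrity Descriptor as the external inputs, so the @attention line could name them directly.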
@@ -2571,7 +2578,8 @@ GetVolumeSize ( ExtentAd = &LogicalVolDesc->IntegritySequenceExtent;
- if (ExtentAd->ExtentLength == 0) {
+ if ((ExtentAd->ExtentLength == 0) ||
+ (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {
return EFI_VOLUME_CORRUPTED;
}
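Review bot: In the new condition the (ExtentAd->ExtentLength == 0) test is subsumed by (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY)), because the size of the structure is never zero. A single comparison against the structure size gives the same result and reads more clearly.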
@@ -2611,6 +2619,13 @@ GetVolumeSize ( goto Out_Free;
}
+ if ((LogicalVolInt->NumberOfPartitions > MAX_UINT32 / sizeof (UINT32) / 2) ||
+ (LogicalVolInt->NumberOfPartitions * sizeof (UINT32) * 2 >
+ ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {
+ Status = EFI_VOLUME_CORRUPTED;
+ goto Out_Free;
+ }
+
*VolumeSize = 0;
*FreeSpaceSize = 0;
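Review bot: The subtraction ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY) in the added check is safe from unsigned wrap-around only because the earlier hunk rejects an ExtentLength smaller than the structure, and nothing at this site says so. A short comment stating that dependency would help, along with one explaining the factor of 2 applied to sizeof (UINT32) per partition. It is also worth confirming that the buffer LogicalVolInt points to was read with ExtentLength bytes, since the check bounds NumberOfPartitions against the extent length rather than against the size of the buffer.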
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h index 9b82441..b054c62 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h +++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h @@ -903,6 +903,13 @@ SetFileInfo ( /**
Get volume and free space size information of an UDF volume.
+ @attention This is boundary function that may receive untrusted input.
+ @attention The input is from FileSystem.
+
+ The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are
+ external inputs, so this routine will do basic validation for both descriptors
+ and report status.
+
@param[in] BlockIo BlockIo interface.
@param[in] DiskIo DiskIo interface.
@param[in] Volume UDF volume information structure.
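Review bot: The added paragraph in the header says the routine will "report status" without naming the status. Both new checks in FileSystemOperations.c return EFI_VOLUME_CORRUPTED, so the function comment should state that value and list it under @retval if it is not already there. The text is also a verbatim copy of the comment added in FileSystemOperations.c, including the "This is boundary function" wording, so any correction has to be made in both places.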