From: Hao Wu
To: edk2-devel@lists.01.org
Cc: Hao Wu, Ruiyu Ni, Eric Dong, Star Zeng
Date: Fri, 15 Sep 2017 12:57:47 +0800
Message-Id: <20170915045753.588-2-hao.a.wu@intel.com>
In-Reply-To: <20170915045753.588-1-hao.a.wu@intel.com>
References: <20170915045753.588-1-hao.a.wu@intel.com>
Subject: [edk2] [PATCH 1/7] MdeModulePkg/UdfDxe: Add checks to ensure no possible NULL ptr deref

Case 1 - Within DuplicateFid() & DuplicateFe():
The call to AllocateCopyPool() may return NULL. Add ASSERTs as checks.

Case 2 - Within UdfRead():
Add ASSERT to ensure 'NewFileEntryData' returned from FindFileEntry() will not be a NULL pointer.

Case 3 - Within GetAllocationDescriptorLsn():
The return value of 'GetPdFromLongAd (Volume, ParentIcb)' may be NULL, and it will be passed into function GetShortAdLsn(), which will dereference it. Add ASSERT in GetShortAdLsn() as a check.

Case 4 - Within ReadFile():
Add ASSERT to ensure 'Data' returned from GetAedAdsData() will not be a NULL pointer.

Case 5 - Within InternalFindFile():
If both 'Parent->FileIdentifierDesc' and 'Icb' are NULL, then a possible NULL pointer dereference will happen in ReadDirectoryEntry(). Add an additional check to resolve this.

Cc: Paulo Alcantara
Cc: Ruiyu Ni
Cc: Star Zeng
Cc: Eric Dong
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu
---
 MdeModulePkg/Universal/Disk/UdfDxe/File.c                 |  1 +
 MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/File.c b/MdeModulePkg/Unive= rsal/Disk/UdfDxe/File.c index 01361141bb..82db75475b 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/File.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/File.c @@ -427,6 +427,7 @@ UdfRead ( if (EFI_ERROR (Status)) { goto Error_Find_Fe; } + ASSERT (NewFileEntryData !=3D NULL); =20 if (IS_FE_SYMLINK (NewFileEntryData)) { Status =3D ResolveSymlink ( diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/Md= eModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c index 4609580b30..02a73a9eb9 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c @@ -297,6 +297,8 @@ GetShortAdLsn ( IN UDF_SHORT_ALLOCATION_DESCRIPTOR *ShortAd ) { + ASSERT (PartitionDesc !=3D NULL); + return (UINT64)PartitionDesc->PartitionStartingLocation + ShortAd->ExtentPosition; } @@ -480,6 +482,8 @@ DuplicateFid ( *NewFileIdentifierDesc =3D (UDF_FILE_IDENTIFIER_DESCRIPTOR *)AllocateCopyPool ( (UINTN) GetFidDescriptorLength (FileIdentifierDesc), FileIdentifierD= esc); + + ASSERT (*NewFileIdentifierDesc !=3D NULL); } =20 // @@ -494,6 +498,8 @@ DuplicateFe ( ) { *NewFileEntry =3D AllocateCopyPool (Volume->FileEntrySize, FileEntry); + + ASSERT (*NewFileEntry !=3D NULL); } =20 // @@ -1028,6 +1034,7 @@ ReadFile ( if (EFI_ERROR (Status)) { goto Error_Get_Aed; } + ASSERT (Data !=3D NULL); =20 AdOffset =3D 0; continue; @@ -1209,6 +1216,13 @@ InternalFindFile ( VOID *CompareFileEntry; =20 // + // Check if both Parent->FileIdentifierDesc and Icb are NULL. + // + if ((Parent->FileIdentifierDesc =3D=3D NULL) && (Icb =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + // // Check if parent file is really directory. // if (!IS_FE_DIRECTORY (Parent->FileEntry)) { 
@@ -1220,6 +1234,10 @@ InternalFindFile ( // FE/EFE and FID descriptors. // if (StrCmp (FileName, L".") =3D=3D 0) { + if (Parent->FileIdentifierDesc =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + DuplicateFe (BlockIo, Volume, Parent->FileEntry, &File->FileEntry); DuplicateFid (Parent->FileIdentifierDesc, &File->FileIdentifierDesc); =20 --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
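Review bot: the ASSERT (PartitionDesc != NULL) added in the GetShortAdLsn hunk only guards DEBUG builds; in RELEASE builds ASSERT compiles to nothing and the dereference of PartitionDesc->PartitionStartingLocation on the very next line remains. Per the commit message the NULL comes from GetPdFromLongAd (Volume, ParentIcb), i.e. from descriptors read off the medium rather than from a caller bug, so a malformed volume should be reported as a status, not asserted. GetShortAdLsn returns a UINT64 and has no error path, so the check belongs in the caller GetAllocationDescriptorLsn(): test the result of GetPdFromLongAd for NULL and return EFI_VOLUME_CORRUPTED before GetShortAdLsn is ever called.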
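Review bot: in the DuplicateFid and DuplicateFe hunks, ASSERT (*NewFileIdentifierDesc != NULL) and ASSERT (*NewFileEntry != NULL) treat an AllocateCopyPool() failure as a programming error, but out-of-memory is a runtime condition that a RELEASE build (where ASSERT is compiled out) will still hit, after which the caller goes on to use the NULL pointer. Both functions are void, so no call site can detect the failure; consider returning EFI_STATUS (EFI_OUT_OF_RESOURCES on allocation failure) and checking it at the callers, for instance the DuplicateFe/DuplicateFid pair in the InternalFindFile "." branch at the end of this patch.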
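Review bot: the ASSERT (NewFileEntryData != NULL) in the UdfRead hunk and ASSERT (Data != NULL) in the ReadFile hunk sit directly after the EFI_ERROR (Status) check, so they encode an invariant that FindFileEntry() and GetAedAdsData() never return EFI_SUCCESS with a NULL output. That is a legitimate use of ASSERT only if the callees really guarantee it; a sentence in the commit message, or a comment at the call site, explaining why the callee cannot succeed with a NULL output would make that clear, since a violation will go unnoticed in RELEASE builds.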
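Review bot: the comment added in the first InternalFindFile hunk, "Check if both Parent->FileIdentifierDesc and Icb are NULL.", restates the condition directly below it rather than the reason for it. The commit message has the reason (ReadDirectoryEntry() dereferences one of them); suggest wording the comment as "At least one of Parent->FileIdentifierDesc and Icb is needed to locate the directory data for ReadDirectoryEntry()" so the intent survives without the commit message.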
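Review bot: the new early return in the "." branch (second InternalFindFile hunk) runs after the IS_FE_DIRECTORY (Parent->FileEntry) check has passed, so a Parent with a valid FileEntry but no FileIdentifierDesc now gets EFI_INVALID_PARAMETER for a "." lookup, even though the first hunk accepts that combination whenever Icb is non-NULL. If that asymmetry is intended, a one-line comment noting that "." needs the FID because DuplicateFid copies it into File->FileIdentifierDesc would make the two checks read consistently.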