MdeModulePkg/PlatformDriOverrideDxe: Fix overflow condition check

[edk2-devel] [PATCH] MdeModulePkg/PlatformDriOverrideDxe: Fix overflow condition check

Posted by Li, Walon 2 years, 11 months ago

Code mistake, VariableIndex is smaller normally than buffer+buffersize
so should not break loop.

Signed-off-by:Walon Li <walon.li@hpe.com>
---
 .../Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
index f91f038b7a..bd2d04452f 100644
--- a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
+++ b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
@@ -776,7 +776,7 @@ InitOverridesMapping (
         // Check buffer overflow
         //
         if ((DriverImageInfo->DriverImagePath == NULL) || (VariableIndex < (UINT8 *) DriverDevicePath) ||
-            (VariableIndex < (UINT8 *) VariableBuffer + BufferSize)) {
+            (VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {
           Corrupted = TRUE;
           break;
         }
-- 
2.23.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75091): https://edk2.groups.io/g/devel/message/75091
Mute This Topic: https://groups.io/mt/82790757/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] 回复: [PATCH] MdeModulePkg/PlatformDriOverrideDxe: Fix overflow condition check

Posted by gaoliming 2 years, 11 months ago

Agree this fix. Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

> -----邮件原件-----
> 发件人: Walon Li <walon.li@hpe.com>
> 发送时间: 2021年5月13日 10:49
> 收件人: devel@edk2.groups.io
> 抄送: walon.li@hpe.com; nickle.wang@hpe.com; dandan.bi@intel.com;
> gaoliming@byosoft.com.cn
> 主题: [PATCH] MdeModulePkg/PlatformDriOverrideDxe: Fix overflow
> condition check
> 
> Code mistake, VariableIndex is smaller normally than buffer+buffersize
> so should not break loop.
> 
> Signed-off-by:Walon Li <walon.li@hpe.com>
> ---
>  .../Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c       | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git
> a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
> b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
> index f91f038b7a..bd2d04452f 100644
> --- a/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
> +++
> b/MdeModulePkg/Universal/PlatformDriOverrideDxe/PlatDriOverrideLib.c
> @@ -776,7 +776,7 @@ InitOverridesMapping (
>          // Check buffer overflow
> 
>          //
> 
>          if ((DriverImageInfo->DriverImagePath == NULL) || (VariableIndex
> < (UINT8 *) DriverDevicePath) ||
> 
> -            (VariableIndex < (UINT8 *) VariableBuffer + BufferSize)) {
> 
> +            (VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {
> 
>            Corrupted = TRUE;
> 
>            break;
> 
>          }
> 
> --
> 2.23.0.windows.1





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75092): https://edk2.groups.io/g/devel/message/75092
Mute This Topic: https://groups.io/mt/82791174/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-