From: "Savva Mitrofanov"
To: devel@edk2.groups.io
Cc: Marvin Häuser, Pedro Falcato, Vitaly Cheptsov
Subject: [edk2-devel] [edk2-platforms][PATCH v2 03/11] Ext4Pkg: Fix global buffer overflow in Ext4ReadDir
Date: Mon, 12 Dec 2022 20:46:46 +0600
Message-Id: <20221212144654.2650-4-savvamtr@gmail.com>
In-Reply-To: <20221212144654.2650-1-savvamtr@gmail.com>
References: <20221212144654.2650-1-savvamtr@gmail.com>

Directory entry structure can contain name_len bigger than size of "." or "..", that's why CompareMem in such cases leads to global buffer overflow. So there are two problems. The first is that statement doesn't check cases when name_len != 0 but > 2, and the second is that we pass a big Length to CompareMem routine. The correct way here is to check that name_len <= 2 and check for null-terminator presence.

Cc: Marvin Häuser
Cc: Pedro Falcato
Cc: Vitaly Cheptsov
Fixes: e55f0527dde48a5f139c1b8f35acc4e6b59dd794
Signed-off-by: Savva Mitrofanov
---
 Features/Ext4Pkg/Ext4Dxe/Directory.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dx= e/Directory.c index 8b8fce568e43..ffc0e8043076 100644 --- a/Features/Ext4Pkg/Ext4Dxe/Directory.c +++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c @@ -491,11 +491,9 @@ Ext4ReadDir ( =20 // Entry.name_len may be 0 if it's a nameless entry, like an unused en= try // or a checksum at the end of the directory block. - // memcmp (and CompareMem) return 0 when the passed length is 0. - - IsDotOrDotDot =3D Entry.name_len !=3D 0 && - (CompareMem (Entry.name, ".", Entry.name_len) =3D=3D 0= || - CompareMem (Entry.name, "..", Entry.name_len) =3D=3D = 0); + IsDotOrDotDot =3D Entry.name_len <=3D 2 && + ((Entry.name[0] =3D=3D '.') && + (Entry.name[1] =3D=3D '.' || Entry.name[1] =3D=3D '\0= ')); =20 // When inode =3D 0, it's unused. ShouldSkip =3D Entry.inode =3D=3D 0 || IsDotOrDotDot; --=20 2.38.1
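Review bot: the replacement predicate in this hunk (IsDotOrDotDot = Entry.name_len <= 2 && ((Entry.name[0] == '.') && (Entry.name[1] == '.' || Entry.name[1] == '\0'))) still decides from a byte outside name_len: for a one-byte "." entry it requires Entry.name[1], the byte after the name, to be '\0', and for name_len == 0 (the nameless and checksum entries the retained comment describes, previously excluded by the dropped "Entry.name_len != 0 &&") it inspects name[0] and name[1] at all. Driving the decision from name_len alone removes both dependencies while keeping the bounded reads that fix the overflow: IsDotOrDotDot = (Entry.name_len == 1 && Entry.name[0] == '.') || (Entry.name_len == 2 && Entry.name[0] == '.' && Entry.name[1] == '.'); With that form the "Entry.name_len may be 0" comment above the assignment matches the code again; otherwise that comment should be updated, since the condition it explained was removed.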
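As an added example (not code from this patch or from Ext4Pkg), the three checks side by side in C over constructed directory entries: the pre-patch comparison instrumented to report how many bytes CompareMem would read past the two-byte "." literal, the patched predicate exactly as in the hunk, and a length-driven variant that never looks at the byte after a one-byte name. The DIR_ENTRY layout, MakeEntry and all sample values are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the ext4 directory entry the patch inspects
   (assumption of this example; only the fields the check uses matter). */
typedef struct {
  uint32_t inode;
  uint16_t rec_len;
  uint8_t  name_len;   /* bytes in name; the name is not NUL-terminated */
  uint8_t  file_type;
  char     name[255];
} DIR_ENTRY;

/* Pre-patch logic, instrumented instead of executed: CompareMem (name, ".",
   name_len) reads name_len bytes from the 2-byte literal ".", so any
   name_len > 2 reads past it.  Returns the bytes read past the end of ".". */
static size_t OldCheckOverread(const DIR_ENTRY *e)
{
  if (e->name_len == 0) return 0;   /* the old code guarded only this case */
  return e->name_len > sizeof(".") ? e->name_len - sizeof(".") : 0;
}

/* Patched predicate exactly as in the hunk: for a 1-byte "." it relies on
   name[1], the byte after the name, being '\0'. */
static bool PatchedIsDotOrDotDot(const DIR_ENTRY *e)
{
  return e->name_len <= 2 &&
         (e->name[0] == '.' && (e->name[1] == '.' || e->name[1] == '\0'));
}

/* Length-driven form: only bytes inside name_len take part in the decision. */
static bool LengthIsDotOrDotDot(const DIR_ENTRY *e)
{
  return (e->name_len == 1 && e->name[0] == '.') ||
         (e->name_len == 2 && e->name[0] == '.' && e->name[1] == '.');
}

/* Builds a constructed entry; pad is the byte that follows the name, i.e.
   padding that name_len does not cover.  name_len must be < 255. */
static DIR_ENTRY MakeEntry(const char *name, uint8_t name_len, char pad)
{
  DIR_ENTRY e;
  memset(&e, 0, sizeof e);
  e.inode = 12; e.rec_len = 12;     /* constructed; irrelevant to the checks */
  e.name_len = name_len;
  memcpy(e.name, name, name_len);
  e.name[name_len] = pad;
  return e;
}
```

The entry built as MakeEntry(".", 1, 'x') is where the patched predicate and the length-driven one disagree: the first rejects a genuine "." because of the padding byte, the second accepts it.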