From: "Pedro Falcato"
To: devel@edk2.groups.io
Cc: Pedro Falcato, Savva Mitrofanov, Marvin Häuser
Subject: [edk2-devel] [PATCH 1/3] Ext4Pkg: Fix out-of-bounds read in Ext4ReadDir
Date: Wed, 11 Jan 2023 23:59:17 +0000
Message-Id: <20230111235920.252317-3-pedro.falcato@gmail.com>
In-Reply-To: <20230111235920.252317-1-pedro.falcato@gmail.com>
References: <20230111235920.252317-1-pedro.falcato@gmail.com>

Fix an out-of-bounds read inside CompareMem() when checking for "." or ".."
by explicitly bounding name_len to [0, 2] beforehand.

Reported-by: Savva Mitrofanov
Fixes: 45e37d8533ca8 ("Ext4Pkg: Hide "." and ".." entries from Read() callers.")
Cc: Marvin Häuser
Signed-off-by: Pedro Falcato
Reviewed-by: Marvin Häuser
---
 Features/Ext4Pkg/Ext4Dxe/Directory.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dxe/Directory.c
index 4441e6d192b6..6ed664fc632f 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Directory.c
+++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c
@@ -491,12 +491,14 @@ Ext4ReadDir ( // or a checksum at the end of the directory block. // memcmp (and CompareMem) return 0 when the passed length is 0. =20 - IsDotOrDotDot =3D Entry.name_len !=3D 0 && - (CompareMem (Entry.name, ".", Entry.name_len) =3D=3D 0= || - CompareMem (Entry.name, "..", Entry.name_len) =3D=3D = 0); + // We must bound name_len as > 0 and <=3D 2 to avoid any out-of-bounds= accesses or bad detection of + // "." and "..". + IsDotOrDotDot =3D Entry.name_len > 0 && Entry.name_len <=3D 2 && + CompareMem (Entry.name, "..", Entry.name_len) =3D=3D 0; =20 - // When inode =3D 0, it's unused. - ShouldSkip =3D Entry.inode =3D=3D 0 || IsDotOrDotDot; + // When inode =3D 0, it's unused. When name_len =3D=3D 0, it's a namel= ess entry + // (which we should not expose to ReadDir). + ShouldSkip =3D Entry.inode =3D=3D 0 || Entry.name_len =3D=3D 0 || IsDo= tOrDotDot; =20 if (ShouldSkip) { Offset +=3D Entry.rec_len; --=20 2.39.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98325): https://edk2.groups.io/g/devel/message/98325 Mute This Topic: https://groups.io/mt/96212631/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
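Review bot: the ShouldSkip change in this hunk goes beyond the out-of-bounds fix the commit message describes: with `Entry.name_len == 0` added to `ShouldSkip`, an entry that has a nonzero inode but a zero-length name, which the old code handed back to the caller (IsDotOrDotDot was false for it and only `inode == 0` was skipped), is now hidden from ReadDir. That is a sensible behaviour change, but it should be stated in the commit message rather than only in the inline comment. Separately, the single `CompareMem (Entry.name, "..", Entry.name_len) == 0` now covers both "." and ".." only because the new bound limits name_len to 1 or 2, so a 1-byte compare against ".." matches "." and a 2-byte compare matches ".."; the comment above it explains the bound but not why the compare against "." could be dropped, so a short line such as `// A 1- or 2-byte compare against ".." matches exactly "." or ".."` would keep the next reader from taking the removed compare for an accidental omission.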