Fix an out-of-bounds read inside CompareMem() when checking for "." or ".." by explicitly bounding name_len to [0, 2] beforehand.
Reported-by: Savva Mitrofanov <[email protected]>
Fixes: 45e37d8533ca8 ("Ext4Pkg: Hide "." and ".." entries from Read() callers.")
Cc: Marvin Häuser <[email protected]>
Signed-off-by: Pedro Falcato <[email protected]>
--- Features/Ext4Pkg/Ext4Dxe/Directory.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dxe/Directory.c index 4441e6d192b6..34c06b77b142 100644 --- a/Features/Ext4Pkg/Ext4Dxe/Directory.c +++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c @@ -491,12 +491,12 @@ Ext4ReadDir ( // or a checksum at the end of the directory block. // memcmp (and CompareMem) return 0 when the passed length is 0. - IsDotOrDotDot = Entry.name_len != 0 && - (CompareMem (Entry.name, ".", Entry.name_len) == 0 || - CompareMem (Entry.name, "..", Entry.name_len) == 0); + IsDotOrDotDot = Entry.name_len <= 2 && + CompareMem (Entry.name, "..", Entry.name_len) == 0; - // When inode = 0, it's unused. - ShouldSkip = Entry.inode == 0 || IsDotOrDotDot; + // When inode = 0, it's unused. When name_len == 0, it's a nameless entry + // (which we should not expose to ReadDir). + ShouldSkip = Entry.inode == 0 || Entry.name_len == 0 || IsDotOrDotDot; if (ShouldSkip) { Offset += Entry.rec_len; -- 2.39.0
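Review bot: the unchanged comment above the new `IsDotOrDotDot` assignment ("memcmp (and CompareMem) return 0 when the passed length is 0") no longer explains the logic that follows it; suggest extending it to say why a single comparison against ".." is enough and why the bound is needed, e.g. "name_len <= 2 bounds the read of the \"..\" literal; with name_len == 1 only the first byte is compared, so this also matches \".\"". It is also worth noting in that comment that `name_len == 0` now makes `IsDotOrDotDot` true, which is harmless only because `ShouldSkip` gained the explicit `Entry.name_len == 0` term in the same hunk; a reader of the first expression alone would otherwise see a skip for an unexpected reason. The bound itself is correct: the old code passed an unbounded `Entry.name_len` as the length to `CompareMem` against a two- or three-byte string literal, so any entry with a longer name read past the literal; with `name_len <= 2` the comparison touches at most the two non-NUL bytes of "..".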
