Many thanks for the rework.
For the series:
Reviewed-by: Leif Lindholm <leif.lindh...@linaro.org>

On Tue, Oct 30, 2018 at 09:26:14AM +0800, Hao Wu wrote:
> V3 changes:
>
> According to Leif's recommendation, split the original patch into 3
> separate ones.
>
> Since there are no code changes compared with the V2 of the patch, I just
> preserved the 'Reviewed-by' tags by Paulo and Star.
>
> V2 history:
>
> Refine type C check (refer to V1 history below) to eliminate the
> unnecessary CopyMem() call.
>
> V1 history:
>
> The commit will add 3 types of checks for function ResolveSymlink():
>
> A. Check for the value of 'Component Type' field within a Path Component
>
> According to the ECMA-167 standard (3rd Edition - June 1997), Section
> 14.16.1.1, valid values are 1 to 5. All other values will be treated as a
> corrupted volume.
>
> B. Check for the content pointed by 'File'
>
> Since content within 'File' is the output data for ResolveSymlink().
> Checks are added to ensure the content in 'File' is valid. Otherwise,
> possible null pointer dereference issue will occur during the subsequent
> usage of the data returned by ResolveSymlink().
>
> C. Check for possible memory double free/use after free case
>
> For codes:
>
>     if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
>                     sizeof (UDF_FILE_INFO)) != 0) {
>       CleanupFileInformation (&PreviousFile);
>     }
>
>     CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));
>
> If the contents in 'PreviousFile' and 'File' are the same, call to
> "CleanupFileInformation (&PreviousFile);" will free the buffers in 'File'
> as well. This will lead to potential memory double free/use after free
> issues.
>
> Cc: Leif Lindholm <leif.lindh...@linaro.org>
> Cc: Ruiyu Ni <ruiyu...@intel.com>
>
> Hao Wu (3):
>   MdeModulePkg/UdfDxe: Check 'Component Type' within a Path Component
>   MdeModulePkg/UdfDxe: Content check for 'File' in ResolveSymlink()
>   MdeModulePkg/UdfDxe: Memory free/use after free in ResolveSymlink()
>
>  MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 38 ++++++++++++++++++--
>  1 file changed, 35 insertions(+), 3 deletions(-)
>
> --
> 2.12.0.windows.1
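
Checks A and C from the quoted cover letter, as an added example that is not part of the original thread or of the edk2 patch: a small C model that counts how often a buffer would be released twice when the shallow copy in 'PreviousFile' still aliases 'File'. The names `file_info`, `walk`, the handle pool, the extra comparison used as the guard, and the rule that only component type 5 resolves a new file are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { POOL = 16 };
static int live[POOL];                 /* 1 while a buffer handle is allocated */
static int next_handle, double_frees;  /* double_frees: repeated releases seen */

/* Hypothetical stand-in for UDF_FILE_INFO: owns two buffers (as handles). */
typedef struct { int entry; int fid; } file_info;

static int buf_new(void) { live[next_handle] = 1; return next_handle++; }
static void buf_release(int h) { if (live[h]) live[h] = 0; else double_frees++; }
static file_info file_new(void) { file_info f; f.entry = buf_new(); f.fid = buf_new(); return f; }
static void cleanup(file_info *f) { buf_release(f->entry); buf_release(f->fid); }
static int same(const file_info *a, const file_info *b) {
    return memcmp(a, b, sizeof *a) == 0;
}

/* Model assumption: type 5 resolves a new file, other valid types (1..4)
   leave File unchanged. Returns the number of double frees seen, -1 for a
   component type outside 1..5 (treated as a corrupted volume), or -2 when
   the path is too long for the handle pool. */
static int walk(const unsigned char *type, int n, int guarded) {
    if (n < 0 || 2 * n + 2 > POOL) return -2;
    memset(live, 0, sizeof live);
    next_handle = double_frees = 0;
    file_info parent = file_new(), prev = parent, file = parent;
    int rc = 0;
    for (int i = 0; i < n; i++) {
        if (type[i] < 1 || type[i] > 5) { rc = -1; break; }   /* check A */
        if (type[i] == 5) file = file_new();
        /* Unguarded form compares prev only with parent; the guard also
           skips cleanup while prev still aliases the buffers in file. */
        if (!same(&prev, &parent) && !(guarded && same(&prev, &file)))
            cleanup(&prev);
        prev = file;   /* shallow copy: prev and file now share buffers */
    }
    if (!same(&file, &parent)) cleanup(&file);   /* caller releases File */
    cleanup(&parent);
    return rc ? rc : double_frees;
}

int main(void) {
    const unsigned char path[] = { 5, 4 };   /* constructed component types */
    const unsigned char bad[]  = { 5, 9 };   /* constructed, 9 is invalid */
    printf("unguarded=%d guarded=%d corrupt=%d\n",
           walk(path, 2, 0), walk(path, 2, 1), walk(bad, 2, 1));
    return 0;
}
```

Handles replace real allocations so the repeated release is counted rather than executed, which keeps the model free of undefined behaviour.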