REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
Within GetVolumeSize(): The boundary check will validate the 'NumberOfPartitions' field of a Logical Volume Integrity Descriptor matches the data within the relating Logical Volume Descriptor. Cc: Paulo Alcantara <pa...@paulo.ac> Cc: Ruiyu Ni <ruiyu...@intel.com> Cc: Jiewen Yao <jiewen....@intel.com> Cc: Star Zeng <star.z...@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a...@intel.com> --- MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 17 ++++++++++++++++- MdeModulePkg/Universal/Disk/UdfDxe/Udf.h | 7 +++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c index 7611d28b5a..826ffccf81 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c @@ -2450,6 +2450,13 @@ SetFileInfo ( /** Get volume and free space size information of an UDF volume. + @attention This is boundary function that may receive untrusted input. + @attention The input is from FileSystem. + + The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are + external inputs, so this routine will do basic validation for both descriptors + and report status. + @param[in] BlockIo BlockIo interface. @param[in] DiskIo DiskIo interface. @param[in] Volume UDF volume information structure. @@ -2488,7 +2495,8 @@ GetVolumeSize ( ExtentAd = &LogicalVolDesc->IntegritySequenceExtent; - if (ExtentAd->ExtentLength == 0) { + if ((ExtentAd->ExtentLength == 0) || + (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) { return EFI_VOLUME_CORRUPTED; } @@ -2528,6 +2536,13 @@ GetVolumeSize ( goto Out_Free; } + if ((LogicalVolInt->NumberOfPartitions > MAX_UINT32 / sizeof (UINT32) / 2) || + (LogicalVolInt->NumberOfPartitions * sizeof (UINT32) * 2 > + ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) { + Status = EFI_VOLUME_CORRUPTED; + goto Out_Free; + } + *VolumeSize = 0; *FreeSpaceSize = 0; diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h index 85bf5e7733..9c3f21fd05 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h +++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h @@ -902,6 +902,13 @@ SetFileInfo ( /** Get volume and free space size information of an UDF volume. + @attention This is boundary function that may receive untrusted input. + @attention The input is from FileSystem. + + The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are + external inputs, so this routine will do basic validation for both descriptors + and report status. + @param[in] BlockIo BlockIo interface. @param[in] DiskIo DiskIo interface. @param[in] Volume UDF volume information structure. -- 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel