MdeModulePkg/UdfDxe: Memory free/use after free in ResolveSymlink()

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1279

For function ResolveSymlink(), the below codes:

    if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,
                    sizeof (UDF_FILE_INFO)) != 0) {
      CleanupFileInformation (&PreviousFile);
    }

    CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));

If the contents in 'PreviousFile' and 'File' are the same, call to
"CleanupFileInformation (&PreviousFile);" will free the buffers in 'File'
as well. This will lead to potential memory double free/use after free
issues.

This commit will add additional check to address the above issue.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>

diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index 14b1deac92af63a3a558b7686ea76f75aba7ce1c..d38b6c911da7736646d1ddedc6c8fd3ee1e3f1b8 100644 (file)
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -2144,6 +2144,8 @@ ResolveSymlink (
   UINTN               Index;\r
   UINT8               CompressionId;\r
   UDF_FILE_INFO       PreviousFile;\r
+  BOOLEAN             NotParent;\r
+  BOOLEAN             NotFile;\r
 \r
   ZeroMem ((VOID *)File, sizeof (UDF_FILE_INFO));\r
 \r
@@ -2298,12 +2300,18 @@ ResolveSymlink (
       goto Error_Find_File;\r
     }\r
 \r
-    if (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,\r
-                    sizeof (UDF_FILE_INFO)) != 0) {\r
+    NotParent = (CompareMem ((VOID *)&PreviousFile, (VOID *)Parent,\r
+                 sizeof (UDF_FILE_INFO)) != 0);\r
+    NotFile   = (CompareMem ((VOID *)&PreviousFile, (VOID *)File,\r
+                 sizeof (UDF_FILE_INFO)) != 0);\r
+\r
+    if (NotParent && NotFile) {\r
       CleanupFileInformation (&PreviousFile);\r
     }\r
 \r
-    CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));\r
+    if (NotFile) {\r
+      CopyMem ((VOID *)&PreviousFile, (VOID *)File, sizeof (UDF_FILE_INFO));\r
+    }\r
   }\r
 \r
   //\r