MdeModulePkg/UdfDxe: Add boundary check for getting volume (free) size

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828

Within GetVolumeSize():

The boundary check will validate the 'NumberOfPartitions' field of a
Logical Volume Integrity Descriptor matches the data within the relating
Logical Volume Descriptor.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>

diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index 359fac0adf6088f9a86605648a44b0a770138c02..24fef4e9f309730b83c9fafe3232ca3d50a26c49 100644 (file)
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -2533,6 +2533,13 @@ SetFileInfo (
 /**\r
   Get volume and free space size information of an UDF volume.\r
 \r
+  @attention This is boundary function that may receive untrusted input.\r
+  @attention The input is from FileSystem.\r
+\r
+  The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are\r
+  external inputs, so this routine will do basic validation for both descriptors\r
+  and report status.\r
+\r
   @param[in]   BlockIo        BlockIo interface.\r
   @param[in]   DiskIo         DiskIo interface.\r
   @param[in]   Volume         UDF volume information structure.\r
@@ -2571,7 +2578,8 @@ GetVolumeSize (
 \r
   ExtentAd = &LogicalVolDesc->IntegritySequenceExtent;\r
 \r
-  if (ExtentAd->ExtentLength == 0) {\r
+  if ((ExtentAd->ExtentLength == 0) ||\r
+      (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {\r
     return EFI_VOLUME_CORRUPTED;\r
   }\r
 \r
@@ -2611,6 +2619,13 @@ GetVolumeSize (
     goto Out_Free;\r
   }\r
 \r
+  if ((LogicalVolInt->NumberOfPartitions > MAX_UINT32 / sizeof (UINT32) / 2) ||\r
+      (LogicalVolInt->NumberOfPartitions * sizeof (UINT32) * 2 >\r
+       ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {\r
+    Status = EFI_VOLUME_CORRUPTED;\r
+    goto Out_Free;\r
+  }\r
+\r
   *VolumeSize = 0;\r
   *FreeSpaceSize = 0;\r
 \r

diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
index 9b82441e720b349de9835138a16d188567802c10..b054c623e5a56683a76e3fd2f632e5454c1a020f 100644 (file)
--- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
@@ -903,6 +903,13 @@ SetFileInfo (
 /**\r
   Get volume and free space size information of an UDF volume.\r
 \r
+  @attention This is boundary function that may receive untrusted input.\r
+  @attention The input is from FileSystem.\r
+\r
+  The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are\r
+  external inputs, so this routine will do basic validation for both descriptors\r
+  and report status.\r
+\r
   @param[in]   BlockIo        BlockIo interface.\r
   @param[in]   DiskIo         DiskIo interface.\r
   @param[in]   Volume         UDF volume information structure.\r