From: Star Zeng Date: Fri, 18 Mar 2016 01:52:44 +0000 (+0800) Subject: MdeModulePkg DxeCore: Address boundary check for Type AllocateAddress X-Git-Tag: edk2-stable201903~7584 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=c2a07a10b1a781fe18942f54d6cf282aa855f72c MdeModulePkg DxeCore: Address boundary check for Type AllocateAddress Check for Type AllocateAddress, if NumberOfPages is 0 or if (NumberOfPages << EFI_PAGE_SHIFT) is above MAX_ADDRESS or if (Start + NumberOfBytes) rolls over 0 or if Start is above MAX_ADDRESS or if End is above MAX_ADDRESS, return EFI_NOT_FOUND. Cc: Jiewen Yao Cc: Michael Kinney Cc: Liming Gao Cc: Feng Tian Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng Reviewed-by: Liming Gao --- diff --git a/MdeModulePkg/Core/Dxe/Mem/Page.c b/MdeModulePkg/Core/Dxe/Mem/Page.c index 62738a1875..2f4ff8ecfd 100644 --- a/MdeModulePkg/Core/Dxe/Mem/Page.c +++ b/MdeModulePkg/Core/Dxe/Mem/Page.c @@ -1201,6 +1201,8 @@ CoreInternalAllocatePages ( { EFI_STATUS Status; UINT64 Start; + UINT64 NumberOfBytes; + UINT64 End; UINT64 MaxAddress; UINTN Alignment; @@ -1246,6 +1248,30 @@ CoreInternalAllocatePages ( // MaxAddress = MAX_ADDRESS; + // + // Check for Type AllocateAddress, + // if NumberOfPages is 0 or + // if (NumberOfPages << EFI_PAGE_SHIFT) is above MAX_ADDRESS or + // if (Start + NumberOfBytes) rolls over 0 or + // if Start is above MAX_ADDRESS or + // if End is above MAX_ADDRESS, + // return EFI_NOT_FOUND. + // + if (Type == AllocateAddress) { + if ((NumberOfPages == 0) || + (NumberOfPages > RShiftU64 (MaxAddress, EFI_PAGE_SHIFT))) { + return EFI_NOT_FOUND; + } + NumberOfBytes = LShiftU64 (NumberOfPages, EFI_PAGE_SHIFT); + End = Start + NumberOfBytes - 1; + + if ((Start >= End) || + (Start > MaxAddress) || + (End > MaxAddress)) { + return EFI_NOT_FOUND; + } + } + if (Type == AllocateMaxAddress) { MaxAddress = Start; }