From: Jian J Wang Date: Thu, 23 Nov 2017 00:56:46 +0000 (+0800) Subject: MdeModulePkg/Core: Fix potential array overflow X-Git-Tag: edk2-stable201903~3024 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=c6c501654e85d712bc6381b1c9f2beb28b44ec68 MdeModulePkg/Core: Fix potential array overflow In the method DumpGuardedMemoryBitmap() and SetAllGuardPages(), the code didn't check if the global mMapLevel is legal value or not, which leaves a logic hole causing potential array overflow in code followed. This patch adds sanity check before any array reference in those methods. Cc: Wu Hao Cc: Star Zeng Cc: Eric Dong Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang Reviewed-by: Wu Hao --- diff --git a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c index 30a73fc04d..3a829854af 100644 --- a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c +++ b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c @@ -1110,7 +1110,9 @@ DumpGuardedMemoryBitmap ( CHAR8 *Ruler1; CHAR8 *Ruler2; - if (mGuardedMemoryMap == 0) { + if (mGuardedMemoryMap == 0 || + mMapLevel == 0 || + mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) { return; } diff --git a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c index 7dbbf79dc0..1d5fb8cdb5 100644 --- a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c +++ b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c @@ -1170,7 +1170,9 @@ SetAllGuardPages ( UINTN Index; BOOLEAN OnGuarding; - if (mGuardedMemoryMap == 0) { + if (mGuardedMemoryMap == 0 || + mMapLevel == 0 || + mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) { return; } @@ -1329,7 +1331,9 @@ DumpGuardedMemoryBitmap ( CHAR8 *Ruler1; CHAR8 *Ruler2; - if (mGuardedMemoryMap == 0) { + if (mGuardedMemoryMap == 0 || + mMapLevel == 0 || + mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) { return; }