From c6c501654e85d712bc6381b1c9f2beb28b44ec68 Mon Sep 17 00:00:00 2001
From: Jian J Wang
Date: Thu, 23 Nov 2017 08:56:46 +0800
Subject: [PATCH] MdeModulePkg/Core: Fix potential array overflow
In the method DumpGuardedMemoryBitmap() and SetAllGuardPages(), the code didn't check if the global mMapLevel is legal value or not, which leaves a logic hole causing potential array overflow in code followed. This patch adds sanity check before any array reference in those methods.
Cc: Wu Hao
Cc: Star Zeng
Cc: Eric Dong
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang
Reviewed-by: Wu Hao
---
 MdeModulePkg/Core/Dxe/Mem/HeapGuard.c | 4 +++-
 MdeModulePkg/Core/PiSmmCore/HeapGuard.c | 8 ++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
index 30a73fc04d..3a829854af 100644
--- a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
+++ b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
@@ -1110,7 +1110,9 @@ DumpGuardedMemoryBitmap (
 CHAR8 *Ruler1;
 CHAR8 *Ruler2;
- if (mGuardedMemoryMap == 0) {
+ if (mGuardedMemoryMap == 0 ||
+ mMapLevel == 0 ||
+ mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) {
 return;
 }
diff --git a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
index 7dbbf79dc0..1d5fb8cdb5 100644
--- a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
+++ b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
@@ -1170,7 +1170,9 @@ SetAllGuardPages (
 UINTN Index;
 BOOLEAN OnGuarding;
- if (mGuardedMemoryMap == 0) {
+ if (mGuardedMemoryMap == 0 ||
+ mMapLevel == 0 ||
+ mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) {
 return;
 }
@@ -1329,7 +1331,9 @@ DumpGuardedMemoryBitmap (
 CHAR8 *Ruler1;
 CHAR8 *Ruler2;
- if (mGuardedMemoryMap == 0) {
+ if (mGuardedMemoryMap == 0 ||
+ mMapLevel == 0 ||
+ mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) {
 return;
 }
--
2.39.2
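Review bot: All three new guards return silently when `mMapLevel` is 0 or greater than `GUARDED_HEAP_MAP_TABLE_DEPTH`, and in `SetAllGuardPages()` (PiSmmCore/HeapGuard.c, hunk at -1170) that presumably means guard pages are never applied while nothing records why. An out-of-range level suggests corrupted or inconsistent map state rather than the ordinary "no map yet" case that `mGuardedMemoryMap == 0` covers, so it is worth separating the two conditions and reporting the former, e.g. `DEBUG ((DEBUG_ERROR, "HeapGuard: mMapLevel out of range\n"));` before the `return`. The same three-clause condition is repeated in both `DumpGuardedMemoryBitmap()` copies (Dxe/Mem/HeapGuard.c at -1110 and PiSmmCore/HeapGuard.c at -1329); a shared macro or helper would keep the copies from drifting apart. The bodies of all three functions continue outside the hunks, so the array indexing this check protects is not visible here.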