MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134 Originally, the block size of created Ram disks is hard-coded to 512 bytes. However, if the total size of the Ram disk is not a multiple of 512 bytes, there will be potential memory access issues when dealing with the last block of the Ram disk. This commit will adjust the block size of the Ram disks to ensure that the total size is a multiple of the block size. Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Ray Ni <ray.ni@intel.com>
2018-02-07 12:49:50 +08:00
parent fccdb88022
commit 38c9fbdcaa
3 changed files with 20 additions and 11 deletions
--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
@@ -1,7 +1,7 @@
 /** @file
  The realization of EFI_RAM_DISK_PROTOCOL.

-  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
@@ -613,7 +613,8 @@ RamDiskRegister (
  //
  // Add check to prevent data read across the memory boundary
  //
-  if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) {
+  if ((RamDiskSize > MAX_UINTN) ||
+      (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
    return EFI_INVALID_PARAMETER;
  }