From 3fa40d588af9cac947fd2abac652ebb95411786c Mon Sep 17 00:00:00 2001
From: Hao Wu
Date: Thu, 14 Sep 2017 10:15:53 +0800
Subject: [PATCH] MdeModulePkg/UdfDxe: Add checks to ensure no possible NULL ptr deref

Case 1 - Within DuplicateFid() & DuplicateFe(): The call to AllocateCopyPool() may return NULL. Add ASSERTs as checks.

Case 2 - Within UdfRead(): Add ASSERT to ensure 'NewFileEntryData' returned from FindFileEntry() will not be NULL pointer.

Case 3 - Within GetAllocationDescriptorLsn(): The return value of 'GetPdFromLongAd (Volume, ParentIcb)' may be NULL, and it will be passed into function GetShortAdLsn() which will dereference it. Add ASSERT in GetShortAdLsn() as check.

Case 4 - Within ReadFile(): Add ASSERT to ensure 'Data' returned from GetAedAdsData() will not be NULL pointer.

Case 5 - Within InternalFindFile(): If both 'Parent->FileIdentifierDesc' and 'Icb' are NULL, then possible NULL pointer dereference will happen in ReadDirectoryEntry(). Add additional check to resolve.

Cc: Paulo Alcantara
Cc: Ruiyu Ni
Cc: Star Zeng
Cc: Eric Dong
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu
Reviewed-by: Paulo Alcantara
Reviewed-by: Star Zeng
---
 MdeModulePkg/Universal/Disk/UdfDxe/File.c | 1 +
 .../Disk/UdfDxe/FileSystemOperations.c | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/File.c b/MdeModulePkg/Universal/Disk/UdfDxe/File.c
index 01361141bb..82db75475b 100644
--- a/MdeModulePkg/Universal/Disk/UdfDxe/File.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/File.c
@@ -427,6 +427,7 @@ UdfRead (
 if (EFI_ERROR (Status)) {
 goto Error_Find_Fe;
 }
+ ASSERT (NewFileEntryData != NULL);
 
 if (IS_FE_SYMLINK (NewFileEntryData)) {
 Status = ResolveSymlink (
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index 4609580b30..02a73a9eb9 100644
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
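Review bot: The ASSERT added after the Error_Find_Fe check does not protect a RELEASE build: EDK II's ASSERT() expands to nothing when MDEPKG_NDEBUG is defined, so a NULL NewFileEntryData still reaches IS_FE_SYMLINK() on the next line while this driver is parsing on-disk data. The same limitation applies to the ASSERTs this patch adds in GetShortAdLsn, DuplicateFid, DuplicateFe and ReadFile in FileSystemOperations.c. If FindFileEntry() can return EFI_SUCCESS with a NULL output, treat it as a corrupt volume on the existing error path, `if (NewFileEntryData == NULL) { Status = EFI_VOLUME_CORRUPTED; goto Error_Find_Fe; }`, and keep the ASSERT as a debug-time aid only. UdfRead begins and ends outside the hunk.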
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -297,6 +297,8 @@ GetShortAdLsn (
 IN UDF_SHORT_ALLOCATION_DESCRIPTOR *ShortAd
 )
 {
+ ASSERT (PartitionDesc != NULL);
+
 return (UINT64)PartitionDesc->PartitionStartingLocation +
 ShortAd->ExtentPosition;
 }
@@ -480,6 +482,8 @@ DuplicateFid (
 *NewFileIdentifierDesc =
 (UDF_FILE_IDENTIFIER_DESCRIPTOR *)AllocateCopyPool (
 (UINTN) GetFidDescriptorLength (FileIdentifierDesc), FileIdentifierDesc);
+
+ ASSERT (*NewFileIdentifierDesc != NULL);
 }
 
 //
@@ -494,6 +498,8 @@ DuplicateFe (
 )
 {
 *NewFileEntry = AllocateCopyPool (Volume->FileEntrySize, FileEntry);
+
+ ASSERT (*NewFileEntry != NULL);
 }
 
 //
@@ -1028,6 +1034,7 @@ ReadFile (
 if (EFI_ERROR (Status)) {
 goto Error_Get_Aed;
 }
+ ASSERT (Data != NULL);
 
 AdOffset = 0;
 continue;
@@ -1208,6 +1215,13 @@ InternalFindFile (
 CHAR16 FoundFileName[UDF_FILENAME_LENGTH];
 VOID *CompareFileEntry;
 
+ //
+ // Check if both Parent->FileIdentifierDesc and Icb are NULL.
+ //
+ if ((Parent->FileIdentifierDesc == NULL) && (Icb == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
 //
 // Check if parent file is really directory.
 //
@@ -1220,6 +1234,10 @@ InternalFindFile (
 // FE/EFE and FID descriptors.
 //
 if (StrCmp (FileName, L".") == 0) {
+ if (Parent->FileIdentifierDesc == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
 DuplicateFe (BlockIo, Volume, Parent->FileEntry, &File->FileEntry);
 DuplicateFid (Parent->FileIdentifierDesc, &File->FileIdentifierDesc);
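Review bot: GetShortAdLsn returns a UINT64, so the ASSERT added before the return cannot report a NULL PartitionDesc to the caller, and the dereference on the following line is still reached when the ASSERT is compiled out. The NULL result of GetPdFromLongAd() that the commit message describes is better rejected in GetAllocationDescriptorLsn (outside this hunk) with an error status such as EFI_VOLUME_CORRUPTED before this function is called; the ASSERT can stay as a statement of the precondition. A comment above it would make that contract explicit, e.g. `// PartitionDesc must not be NULL: callers reject a failed partition lookup first.` The function's signature starts outside the hunk.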
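Review bot: DuplicateFid is VOID, so when AllocateCopyPool() fails the new ASSERT is the only reaction and the caller receives a NULL *NewFileIdentifierDesc with no status; the InternalFindFile hunk later in this patch calls DuplicateFe and DuplicateFid without testing the out-parameters. The same applies to DuplicateFe in the next hunk. Returning EFI_STATUS, EFI_OUT_OF_RESOURCES when the copy is NULL and EFI_SUCCESS otherwise, would let callers propagate the failure instead of relying on a debug-only check; if the signature must stay, the callers should test the out-pointer themselves. The signature and the callers are outside this hunk.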
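Review bot: The comment above the new guard in InternalFindFile restates the condition rather than its reason; the commit message says ReadDirectoryEntry() dereferences whichever of the two is available, and that is what the next reader needs. Suggest replacing it with something like `// ReadDirectoryEntry() needs either the parent's FID or an ICB to locate the directory; with neither there is nothing to read.`, adjusted to what ReadDirectoryEntry actually requires. Parent itself is dereferenced here without a check, which is fine only if every caller guarantees a non-NULL Parent. InternalFindFile continues outside the hunk.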