diff options
| author | Jian J Wang <jian.j.wang@intel.com> | 2017-11-23 08:56:46 +0800 |
|---|---|---|
| committer | Hao Wu <hao.a.wu@intel.com> | 2017-11-24 08:35:29 +0800 |
| commit | c6c501654e85d712bc6381b1c9f2beb28b44ec68 (patch) | |
| tree | e6fa09a837853ca238b39f5b32bff03cddeeb140 /MdeModulePkg/Core/PiSmmCore | |
| parent | 938d2456fcd26a0940522c6bb185858f65930bb1 (diff) | |
| download | edk2-c6c501654e85d712bc6381b1c9f2beb28b44ec68.tar.gz edk2-c6c501654e85d712bc6381b1c9f2beb28b44ec68.tar.bz2 edk2-c6c501654e85d712bc6381b1c9f2beb28b44ec68.zip | |
MdeModulePkg/Core: Fix potential array overflow
In the method DumpGuardedMemoryBitmap() and SetAllGuardPages(), the code
didn't check if the global mMapLevel is legal value or not, which leaves
a logic hole causing potential array overflow in code followed.
This patch adds sanity check before any array reference in those methods.
Cc: Wu Hao <hao.a.wu@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Wu Hao <hao.a.wu@intel.com>
Diffstat (limited to 'MdeModulePkg/Core/PiSmmCore')
| -rw-r--r-- | MdeModulePkg/Core/PiSmmCore/HeapGuard.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c index 7dbbf79dc0..1d5fb8cdb5 100644 --- a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c +++ b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c @@ -1170,7 +1170,9 @@ SetAllGuardPages ( UINTN Index;
BOOLEAN OnGuarding;
- if (mGuardedMemoryMap == 0) {
+ if (mGuardedMemoryMap == 0 ||
+ mMapLevel == 0 ||
+ mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) {
return;
}
@@ -1329,7 +1331,9 @@ DumpGuardedMemoryBitmap ( CHAR8 *Ruler1;
CHAR8 *Ruler2;
- if (mGuardedMemoryMap == 0) {
+ if (mGuardedMemoryMap == 0 ||
+ mMapLevel == 0 ||
+ mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) {
return;
}
|