diff options
| author | Ken Lautner <kenlautner3@gmail.com> | 2024-08-28 10:55:09 -0700 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-09-13 07:53:57 +0000 |
| commit | 964c22b8ea3b1c497fed0547f29e8338be26040a (patch) | |
| tree | 608a0095a6e9ddfc7df6ac1ea27a2992b9f81f6f /MdeModulePkg | |
| parent | a9b38305b64ef5997d0ba5f7d2797a75edd1f9ef (diff) | |
| download | edk2-964c22b8ea3b1c497fed0547f29e8338be26040a.tar.gz edk2-964c22b8ea3b1c497fed0547f29e8338be26040a.tar.bz2 edk2-964c22b8ea3b1c497fed0547f29e8338be26040a.zip | |
MdeModulePkg: Fix buffer overflow in MergeMemoryMap
Check that the next map entry is valid before dereferencing to merge the
guard pages. If the final entry is at the end of a page with no valid page
following it, then this can cause an access violation.
Signed-off-by: Kenneth Lautner <kenlautner3@gmail.com>
Diffstat (limited to 'MdeModulePkg')
| -rw-r--r-- | MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c index 58b947423a..a11c455ab5 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c @@ -395,11 +395,14 @@ MergeMemoryMap ( NewMemoryMapEntry = MemoryMap;
MemoryMapEnd = (EFI_MEMORY_DESCRIPTOR *)((UINT8 *)MemoryMap + *MemoryMapSize);
while ((UINTN)MemoryMapEntry < (UINTN)MemoryMapEnd) {
- CopyMem (NewMemoryMapEntry, MemoryMapEntry, sizeof (EFI_MEMORY_DESCRIPTOR));
+ CopyMem (NewMemoryMapEntry, MemoryMapEntry, DescriptorSize);
NextMemoryMapEntry = NEXT_MEMORY_DESCRIPTOR (MemoryMapEntry, DescriptorSize);
do {
- MergeGuardPages (NewMemoryMapEntry, NextMemoryMapEntry->PhysicalStart);
+ if ((UINTN)NextMemoryMapEntry < (UINTN)MemoryMapEnd) {
+ MergeGuardPages (NewMemoryMapEntry, NextMemoryMapEntry->PhysicalStart);
+ }
+
MemoryBlockLength = LShiftU64 (NewMemoryMapEntry->NumberOfPages, EFI_PAGE_SHIFT);
if (((UINTN)NextMemoryMapEntry < (UINTN)MemoryMapEnd) &&
(NewMemoryMapEntry->Type == NextMemoryMapEntry->Type) &&
|