MdeModulePkg DxeCore: Address boundary check for Type AllocateAddress

Check for Type AllocateAddress,
if NumberOfPages is 0 or
if (NumberOfPages << EFI_PAGE_SHIFT) is above MAX_ADDRESS or
if (Start + NumberOfBytes) rolls over 0 or
if Start is above MAX_ADDRESS or
if End is above MAX_ADDRESS,
return EFI_NOT_FOUND.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

1 files changed, 26 insertions, 0 deletions

diff --git a/MdeModulePkg/Core/Dxe/Mem/Page.c b/MdeModulePkg/Core/Dxe/Mem/Page.c
index 62738a1875..2f4ff8ecfd 100644
--- a/MdeModulePkg/Core/Dxe/Mem/Page.c
+++ b/MdeModulePkg/Core/Dxe/Mem/Page.c
@@ -1201,6 +1201,8 @@ CoreInternalAllocatePages (
 {

   EFI_STATUS      Status;

   UINT64          Start;

+  UINT64          NumberOfBytes;

+  UINT64          End;

   UINT64          MaxAddress;

   UINTN           Alignment;

 

@@ -1246,6 +1248,30 @@ CoreInternalAllocatePages (
   //

   MaxAddress = MAX_ADDRESS;

 

+  //

+  // Check for Type AllocateAddress,

+  // if NumberOfPages is 0 or

+  // if (NumberOfPages << EFI_PAGE_SHIFT) is above MAX_ADDRESS or

+  // if (Start + NumberOfBytes) rolls over 0 or

+  // if Start is above MAX_ADDRESS or

+  // if End is above MAX_ADDRESS,

+  // return EFI_NOT_FOUND.

+  //

+  if (Type == AllocateAddress) {

+    if ((NumberOfPages == 0) ||

+        (NumberOfPages > RShiftU64 (MaxAddress, EFI_PAGE_SHIFT))) {

+      return EFI_NOT_FOUND;

+    }

+    NumberOfBytes = LShiftU64 (NumberOfPages, EFI_PAGE_SHIFT);

+    End = Start + NumberOfBytes - 1;

+

+    if ((Start >= End) ||

+        (Start > MaxAddress) || 

+        (End > MaxAddress)) {

+      return EFI_NOT_FOUND;

+    }

+  }

+

   if (Type == AllocateMaxAddress) {

     MaxAddress = Start;

   }