author | Hao Wu <hao.a.wu@intel.com> | 2018-10-16 13:09:43 +0800 |
---|---|---|
committer | Hao Wu <hao.a.wu@intel.com> | 2018-10-23 14:25:04 +0800 |
commit | 68099b52b0fcc1d45864154954d776d91afb33e0 (patch) | |
tree | eec1460c85596dd6d3a10495dfc151f470a4e8a8 /MdeModulePkg/Universal/Disk | |
parent | 85acb5e8ffef026b80241b1657ed4fba26e382b1 (diff) | |
download | edk2-68099b52b0fcc1d45864154954d776d91afb33e0.tar.gz |
MdeModulePkg/UdfDxe: Avoid possible use of already-freed data
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1255
For function ReadFile():
If the line
Status = GetAedAdsData (
...
);
is reached multiple times during the 'for' loop, freeing the data pointed
by variable 'Data' may potentially lead to variable 'Ad' referencing the
already-freed data.
After calling function GetAllocationDescriptor(), 'Data' and 'Ad' may
point to the same memory (with some possible offset). Hence, this commit
will move the FreePool() call backwards to ensure the data will no longer
be used.
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
Diffstat (limited to 'MdeModulePkg/Universal/Disk')
-rw-r--r-- | MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c index cabb599695..b9ebddfe62 100644 --- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c @@ -1078,6 +1078,7 @@ ReadFile ( EFI_STATUS Status;
UINT32 LogicalBlockSize;
VOID *Data;
+ VOID *DataBak;
UINT64 Length;
VOID *Ad;
UINT64 AdOffset;
@@ -1218,12 +1219,7 @@ ReadFile ( // Descriptor and its extents (ADs).
//
if (GET_EXTENT_FLAGS (RecordingFlags, Ad) == ExtentIsNextExtent) {
- if (!DoFreeAed) {
- DoFreeAed = TRUE;
- } else {
- FreePool (Data);
- }
-
+ DataBak = Data;
Status = GetAedAdsData (
BlockIo,
DiskIo,
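Review bot: Nothing at `DataBak = Data;` says why the old buffer has to outlive the GetAedAdsData() call. The removed block freed it before the call, so a later cleanup could easily move the free back. A short comment above the assignment would keep that ordering constraint in the code rather than only in the commit log. It should say that 'Ad' may still point into the buffer 'Data' refers to, as the commit message explains, and that the buffer must not be released until GetAedAdsData() has returned.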
@@ -1234,6 +1230,13 @@ ReadFile ( &Data,
&Length
);
+
+ if (!DoFreeAed) {
+ DoFreeAed = TRUE;
+ } else {
+ FreePool (DataBak);
+ }
+
if (EFI_ERROR (Status)) {
goto Error_Get_Aed;
}
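Review bot: `FreePool (DataBak)` and `DoFreeAed = TRUE` run before the `EFI_ERROR (Status)` check, so they also take effect when GetAedAdsData() fails. If that function can return an error without storing a new pointer through `&Data`, then 'Data' still equals 'DataBak' when control reaches Error_Get_Aed. On the first pass DoFreeAed would also already be TRUE although no AED buffer was returned. The cleanup at that label is outside this hunk, so please confirm it does not release 'Data' again. Otherwise handle the failure case explicitly, for example by checking Status first and only then updating DoFreeAed and freeing DataBak, so that 'Data' is in a known state on the error path.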