From patchwork Mon Jan 7 07:15:00 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 154871
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Date: Mon, 7 Jan 2019 08:15:00 +0100
Message-Id: <20190107071504.2431-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
References: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 1/5] ArmPkg/ArmMmuLib AARCH64: fix out of bounds access

Take care not to dereference BlockEntry if it may be pointing past the
end of the page table we are manipulating. It is only a read, and thus
harmless, but HeapGuard triggers on it so let's fix it.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel
---
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Leif Lindholm

diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c index e41044142ef4..d66df3e17a02 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c @@ -382,7 +382,7 @@ UpdateRegionMapping ( // Break the inner loop when next block is a table // Rerun GetBlockEntryListFromAddress to avoid page table memory leak - if (TableLevel != 3 && + if (TableLevel != 3 && BlockEntry <= LastBlockEntry && (*BlockEntry & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) { break; }
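Review bot: the new `BlockEntry <= LastBlockEntry` test in the `if` condition protects the `*BlockEntry` read only through the left-to-right evaluation of `&&`, and the comment above the condition still describes just the table-entry case. Consider extending that comment to say that BlockEntry may point past LastBlockEntry at this point and must not be dereferenced then, and putting the bound test on its own line so the ordering dependency is obvious to anyone who later reorders the terms. The hunk does not show the enclosing loop condition, so it is also worth confirming that the loop still terminates on its own when the bound test fails and the `break` is skipped.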