From ada470c4507cec718b80aed7a8ce9db8c05c68fb Mon Sep 17 00:00:00 2001
From: Chris Fernald
Date: Tue, 8 Nov 2022 14:11:32 -0800
Subject: [PATCH] Fix buffer overflow when merging guard pages in MergeMemoryMap (#126)
## Description
Checks that the next map entry is valid before dereferencing to merge the guard pages. If the final entry is at the end of a page with no valid page following it, then this can cause an access violation.
## How This Was Tested
Tested on Q35 platform boot.
## Integration Instructions
N/A
---
 MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
index d39edb3417..6769f416f5 100644
--- a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
+++ b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
@@ -460,11 +460,17 @@ MergeMemoryMap (
 NewMemoryMapEntry = MemoryMap;
 MemoryMapEnd = (EFI_MEMORY_DESCRIPTOR *)((UINT8 *)MemoryMap + *MemoryMapSize);
 while ((UINTN)MemoryMapEntry < (UINTN)MemoryMapEnd) {
- CopyMem (NewMemoryMapEntry, MemoryMapEntry, sizeof (EFI_MEMORY_DESCRIPTOR));
+ CopyMem (NewMemoryMapEntry, MemoryMapEntry, DescriptorSize); // MU_CHANGE Use size parameter for consistency.
 NextMemoryMapEntry = NEXT_MEMORY_DESCRIPTOR (MemoryMapEntry, DescriptorSize);
 do {
- MergeGuardPages (NewMemoryMapEntry, NextMemoryMapEntry->PhysicalStart);
+ // MU_CHANGE START Fix overflow in the MergeGuardPages call.
+ if ((UINTN)NextMemoryMapEntry < (UINTN)MemoryMapEnd) {
+ MergeGuardPages (NewMemoryMapEntry, NextMemoryMapEntry->PhysicalStart);
+ }
+
+ // MU_CHANGE END
+
 MemoryBlockLength = (UINT64)(EfiPagesToSize (NewMemoryMapEntry->NumberOfPages));
 if (((UINTN)NextMemoryMapEntry < (UINTN)MemoryMapEnd) && (NewMemoryMapEntry->Type == NextMemoryMapEntry->Type) &&
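Review bot: The added guard `(UINTN)NextMemoryMapEntry < (UINTN)MemoryMapEnd` only proves that the first byte of the next descriptor lies inside the map, so the read of `NextMemoryMapEntry->PhysicalStart` stays in bounds only if `*MemoryMapSize` is a whole multiple of `DescriptorSize`, and nothing in the visible lines checks that. A guard that covers the whole descriptor would be `if ((UINTN)NextMemoryMapEntry + DescriptorSize <= (UINTN)MemoryMapEnd) {`, or the invariant could be stated once before the loop with `ASSERT ((*MemoryMapSize % DescriptorSize) == 0);`. The same comparison is repeated in the `if` that follows `MemoryBlockLength`, so computing it once per iteration of the `do` loop would keep the two checks from drifting apart. The body of MergeMemoryMap starts and ends outside this hunk, so the callers may already guarantee the size invariant; if they do, a comment at the guard saying so would help the next reader.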