From c10dd27818d9bf61b8633f1d44153599a98f8b94 Mon Sep 17 00:00:00 2001
From: Andrew Bird
Date: Fri, 28 Mar 2014 15:56:11 +0000
Subject: [PATCH 2/8] EMM: Fix potential array overrun.

The maximum number of EMM handles is defined as 255 and consequently the handle_info array is sized to have valid values of 0..254. The code checks for out of bounds values < 0 and > 254 *OR* handle_info[handle].active == 0, so there is the potential to overrun the handle_info array if the handle is invalid, this patch corrects that.
---
 src/dosext/misc/emm.c | 46 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c
index 7cf96ea..cadf3dc 100644
--- a/src/dosext/misc/emm.c
+++ b/src/dosext/misc/emm.c
@@ -211,8 +211,12 @@ static u_short os_allow=1;
 { memmove((nameptr), (name), 8); nameptr[8]=0; }
 
 #define CHECK_HANDLE(handle) \
- if ((handle < 0) || (handle >= MAX_HANDLES) || \
- (handle_info[handle].active == 0)) { \
+ if ((handle < 0) || (handle >= MAX_HANDLES)) { \
+ E_printf("Invalid Handle handle=%x\n", handle); \
+ SETHIGH(&(state->eax), EMM_INV_HAN); \
+ return; \
+ } \
+ if (handle_info[handle].active == 0) { \
 E_printf("Invalid Handle handle=%x, active=%d\n", \
 handle, handle_info[handle].active); \
 SETHIGH(&(state->eax), EMM_INV_HAN); \
@@ -585,8 +589,11 @@ do_map_unmap(int handle, int physical_page, int logical_page)
 unmap_page(physical_page);
 }
 else {
- if ((handle < 0) || (handle >= MAX_HANDLES) ||
- (handle_info[handle].active == 0)) {
+ if ((handle < 0) || (handle >= MAX_HANDLES)) {
+ E_printf("Invalid Handle handle=%x\n", handle);
+ return EMM_INV_HAN;
+ }
+ if (handle_info[handle].active == 0) {
 E_printf("Invalid Handle handle=%x, active=%d\n",
 handle, handle_info[handle].active);
 return EMM_INV_HAN;
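Review bot: The out-of-range read the CHECK_HANDLE change removes was in the diagnostic rather than in the test itself: `||` short-circuits, so the old condition never evaluated `handle_info[handle]` for a handle outside 0..MAX_HANDLES-1, but the old error branch's `E_printf(..., handle, handle_info[handle].active)` did index the array with that value. The split therefore closes a real out-of-bounds read, and the do_map_unmap hunk below has the same shape and the same justification. One nit on the new macro lines: the `handle` parameter is still used unparenthesized (`(handle < 0)`, `handle_info[handle]`), which is only safe while every caller passes a plain identifier; `((handle) < 0)` would be the conventional form. The macro body continues past the end of the hunk.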
@@ -1835,8 +1842,12 @@ ems_fn(state)
 if (handle == OS_HANDLE)
 E_printf("EMS: trying to use OS handle in DEALLOCATE_HANDLE\n");
 
- if ((handle < 0) || (handle >= MAX_HANDLES) ||
- (handle_info[handle].active == 0)) {
+ if ((handle < 0) || (handle >= MAX_HANDLES)) {
+ E_printf("EMS: Invalid Handle\n");
+ SETHIGH(&(state->eax), EMM_INV_HAN);
+ return (UNCHANGED);
+ }
+ if (handle_info[handle].active == 0) {
 E_printf("EMS: Invalid Handle\n");
 SETHIGH(&(state->eax), EMM_INV_HAN);
 return (UNCHANGED);
@@ -1862,8 +1873,11 @@ ems_fn(state)
 if (handle == OS_HANDLE)
 E_printf("EMS: trying to use OS handle in SAVE_PAGE_MAP\n");
 
- if ((handle < 0) || (handle >= MAX_HANDLES) ||
- (handle_info[handle].active == 0)) {
+ if ((handle < 0) || (handle >= MAX_HANDLES)) {
+ SETHIGH(&(state->eax), EMM_INV_HAN);
+ return (UNCHANGED);
+ }
+ if (handle_info[handle].active == 0) {
 SETHIGH(&(state->eax), EMM_INV_HAN);
 return (UNCHANGED);
 }
@@ -1881,8 +1895,11 @@ ems_fn(state)
 if (handle == OS_HANDLE)
 E_printf("EMS: trying to use OS handle in RESTORE_PAGE_MAP\n");
 
- if ((handle < 0) || (handle >= MAX_HANDLES) ||
- (handle_info[handle].active == 0)) {
+ if ((handle < 0) || (handle >= MAX_HANDLES)) {
+ SETHIGH(&(state->eax), EMM_INV_HAN);
+ return (UNCHANGED);
+ }
+ if (handle_info[handle].active == 0) {
 SETHIGH(&(state->eax), EMM_INV_HAN);
 return (UNCHANGED);
 }
@@ -1912,8 +1929,13 @@ ems_fn(state)
 Kdebug1((dbg_fd, "bios_emm: Get Pages Owned, han-0x%x\n",
 handle));
 
- if ((handle < 0) || (handle >= MAX_HANDLES) ||
- (handle_info[handle].active == 0)) {
+ if ((handle < 0) || (handle >= MAX_HANDLES)) {
+ SETHIGH(&(state->eax), EMM_INV_HAN);
+ SETWORD(&(state->ebx), 0);
+ return (UNCHANGED);
+ }
+
+ if (handle_info[handle].active == 0) {
 SETHIGH(&(state->eax), EMM_INV_HAN);
 SETWORD(&(state->ebx), 0);
 return (UNCHANGED);
-- 
1.7.9.5
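Review bot: In the DEALLOCATE_HANDLE hunk the split is a behavioural no-op: `||` already short-circuited, so `handle_info[handle]` in the removed condition was never reached for a handle outside 0..MAX_HANDLES-1, and this error branch never indexes the array, so there was no overrun here to fix. The new code repeats the `SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED);` epilogue in two adjacent branches, and the SAVE_PAGE_MAP, RESTORE_PAGE_MAP and Get Pages Owned hunks below do the same (the last one also inserts a blank line between the two branches that the others lack). A single condition, `if ((handle < 0) || (handle >= MAX_HANDLES) || (handle_info[handle].active == 0)) {`, is equivalent and half the size; if the intent is to tell the two failures apart in the log, one branch with a conditional message would do that without duplicating the epilogue. The enclosing ems_fn cases start and end outside these hunks.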