From 998870c5ea85eabdd2b4df798f86e8de08d8a71b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Gardou?=
Date: Mon, 8 Feb 2021 14:33:08 +0100
Subject: [PATCH] [NTOS:MM] Properly fail for invalid sizes of data section mappings

---
 ntoskrnl/mm/ARM3/section.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ntoskrnl/mm/ARM3/section.c b/ntoskrnl/mm/ARM3/section.c
index 3e6a25b44db..1301267e6b3 100644
--- a/ntoskrnl/mm/ARM3/section.c
+++ b/ntoskrnl/mm/ARM3/section.c
@@ -1326,25 +1326,26 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
     /* Check if the caller specified the view size */
     if (!(*ViewSize))
     {
+        LONGLONG ViewSizeLL;
+
         /* The caller did not, so pick a 64K aligned view size based on the offset */
         SectionOffset->LowPart &= ~(_64K - 1);
 
-        /* Make sure that we will not overflow */
-        if ((Section->SizeOfSection.QuadPart - SectionOffset->QuadPart) > MAXLONG_PTR)
+        /* Calculate size and make sure this fits */
+        if (!NT_SUCCESS(RtlLongLongSub(Section->SizeOfSection.QuadPart, SectionOffset->QuadPart, &ViewSizeLL))
+            || !NT_SUCCESS(RtlLongLongToSIZET(ViewSizeLL, ViewSize))
+            || (*ViewSize > MAXLONG_PTR))
         {
             MiDereferenceControlArea(ControlArea);
             return STATUS_INVALID_VIEW_SIZE;
         }
-
-        *ViewSize = (SIZE_T)(Section->SizeOfSection.QuadPart - SectionOffset->QuadPart);
     }
     else
     {
-        /* A size was specified, align it to a 64K boundary */
-        *ViewSize += SectionOffset->LowPart & (_64K - 1);
-
-        /* Check for overflow or huge value */
-        if ((*ViewSize < (SectionOffset->LowPart & (_64K - 1))) || ((*ViewSize) > MAXLONG_PTR))
+        /* A size was specified, align it to a 64K boundary
+         * and check for overflow or huge value. */
+        if (!NT_SUCCESS(RtlSIZETAdd(*ViewSize, SectionOffset->LowPart & (_64K - 1), ViewSize))
+            || (*ViewSize > MAXLONG_PTR))
         {
             MiDereferenceControlArea(ControlArea);
             return STATUS_INVALID_VIEW_SIZE;
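Review bot: Both new failure paths can hand a modified `*ViewSize` back to the caller, because the destination passed to `RtlLongLongToSIZET` and `RtlSIZETAdd` is the caller's `ViewSize` itself and, by the intsafe convention these helpers follow, a failed conversion or add stores an all-bits-set error sentinel there before returning; the old first branch never wrote `*ViewSize` on the error path. Whether a caller can observe that after `STATUS_INVALID_VIEW_SIZE` depends on `MmMapViewOfSection`/`NtMapViewOfSection`, which are outside this hunk, so this may be harmless today but it is easy to make the error path side-effect free. In the `else` branch, compute into a local and assign only after the checks pass: `SIZE_T AlignedSize;`, `if (!NT_SUCCESS(RtlSIZETAdd(*ViewSize, SectionOffset->LowPart & (_64K - 1), &AlignedSize)) || (AlignedSize > MAXLONG_PTR))`, then `*ViewSize = AlignedSize;` after the block; the first branch can do the same by converting `ViewSizeLL` into a local `SIZE_T` and storing it only on success. The enclosing `MiMapViewOfDataSection` starts before and continues past this hunk, so the later offset-plus-size validation it presumably performs was not reviewed here.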