Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-11 11:08:02 -06:00
Code Activity

Windows vulnerability fix: correct some integer overflow issues using the IntSafe library. Detected by the Open Crypto Audit project

Browse Source
This commit is contained in:
Mounir IDRASSI
2014-09-01 00:03:26 +02:00
parent f82e16f0a1
commit 7c501359b3
2 changed files with 40 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/Driver/EncryptedIoQueue.c
View File

@@ -13,6 +13,7 @@
#include "EncryptedIoQueue.h" #include "EncryptedIoQueue.h"
#include "EncryptionThreadPool.h" #include "EncryptionThreadPool.h"
#include "Volumes.h" #include "Volumes.h"
#include <IntSafe.h>
static void AcquireBufferPoolMutex (EncryptedIoQueue *queue) static void AcquireBufferPoolMutex (EncryptedIoQueue *queue)
@@ -492,6 +493,8 @@ static VOID MainThreadProc (PVOID threadArg)
EncryptedIoRequest *request; EncryptedIoRequest *request;
uint64 intersectStart; uint64 intersectStart;
uint32 intersectLength; uint32 intersectLength;
ULONGLONG addResult;
HRESULT hResult;
if (IsEncryptionThreadPoolRunning()) if (IsEncryptionThreadPoolRunning())
KeSetPriorityThread (KeGetCurrentThread(), LOW_REALTIME_PRIORITY); KeSetPriorityThread (KeGetCurrentThread(), LOW_REALTIME_PRIORITY);
@@ -561,8 +564,15 @@ static VOID MainThreadProc (PVOID threadArg)
&& (item->OriginalOffset.QuadPart & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0) && (item->OriginalOffset.QuadPart & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0)
{ {
byte *buffer; byte *buffer;
ULONG alignedLength = item->OriginalLength + ENCRYPTION_DATA_UNIT_SIZE; ULONG alignedLength;
LARGE_INTEGER alignedOffset; LARGE_INTEGER alignedOffset;
hResult = ULongAdd(item->OriginalLength, ENCRYPTION_DATA_UNIT_SIZE, &alignedLength);
if (hResult != S_OK)
{
CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
continue;
}
alignedOffset.QuadPart = item->OriginalOffset.QuadPart & ~((LONGLONG) ENCRYPTION_DATA_UNIT_SIZE - 1); alignedOffset.QuadPart = item->OriginalOffset.QuadPart & ~((LONGLONG) ENCRYPTION_DATA_UNIT_SIZE - 1);
buffer = TCalloc (alignedLength); buffer = TCalloc (alignedLength);
@@ -608,7 +618,12 @@ static VOID MainThreadProc (PVOID threadArg)
if (item->OriginalLength == 0 if (item->OriginalLength == 0
|| (item->OriginalLength & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0 || (item->OriginalLength & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0
|| (item->OriginalOffset.QuadPart & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0 || (item->OriginalOffset.QuadPart & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0
|| (!queue->IsFilterDevice && item->OriginalOffset.QuadPart + item->OriginalLength > queue->VirtualDeviceLength)) || ( !queue->IsFilterDevice &&
( (S_OK != ULongLongAdd(item->OriginalOffset.QuadPart, item->OriginalLength, &addResult))
|| (addResult > (ULONGLONG) queue->VirtualDeviceLength)
)
)
)
{ {
CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0); CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
continue; continue;
@@ -622,9 +637,17 @@ static VOID MainThreadProc (PVOID threadArg)
{ {
// Adjust the offset for host file or device // Adjust the offset for host file or device
if (queue->CryptoInfo->hiddenVolume) if (queue->CryptoInfo->hiddenVolume)
item->OriginalOffset.QuadPart += queue->CryptoInfo->hiddenVolumeOffset; hResult = ULongLongAdd(item->OriginalOffset.QuadPart, queue->CryptoInfo->hiddenVolumeOffset, &addResult);
else else
item->OriginalOffset.QuadPart += queue->CryptoInfo->volDataAreaOffset; hResult = ULongLongAdd(item->OriginalOffset.QuadPart, queue->CryptoInfo->volDataAreaOffset, &addResult);
if (hResult != S_OK)
{
CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
continue;
}
else
item->OriginalOffset.QuadPart = addResult;
// Hidden volume protection // Hidden volume protection
if (item->Write && queue->CryptoInfo->bProtectHiddenVolume) if (item->Write && queue->CryptoInfo->bProtectHiddenVolume)

15
src/Driver/Ntdriver.c
View File

@@ -34,6 +34,7 @@
#include <ntddvol.h> #include <ntddvol.h>
#include <Ntstrsafe.h> #include <Ntstrsafe.h>
#include <Intsafe.h>
/* Init section, which is thrown away as soon as DriverEntry returns */ /* Init section, which is thrown away as soon as DriverEntry returns */
#pragma alloc_text(INIT,DriverEntry) #pragma alloc_text(INIT,DriverEntry)
@@ -704,10 +705,20 @@ NTSTATUS ProcessVolumeDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION
case IOCTL_DISK_VERIFY: case IOCTL_DISK_VERIFY:
if (ValidateIOBufferSize (Irp, sizeof (VERIFY_INFORMATION), ValidateInput)) if (ValidateIOBufferSize (Irp, sizeof (VERIFY_INFORMATION), ValidateInput))
{ {
HRESULT hResult;
ULONGLONG ullStartingOffset, ullNewOffset, ullEndOffset;
PVERIFY_INFORMATION pVerifyInformation; PVERIFY_INFORMATION pVerifyInformation;
pVerifyInformation = (PVERIFY_INFORMATION) Irp->AssociatedIrp.SystemBuffer; pVerifyInformation = (PVERIFY_INFORMATION) Irp->AssociatedIrp.SystemBuffer;
if (pVerifyInformation->StartingOffset.QuadPart + pVerifyInformation->Length > Extension->DiskLength) ullStartingOffset = (ULONGLONG) pVerifyInformation->StartingOffset.QuadPart;
hResult = ULongLongAdd(ullStartingOffset,
(ULONGLONG) Extension->cryptoInfo->hiddenVolume ? Extension->cryptoInfo->hiddenVolumeOffset : Extension->cryptoInfo->volDataAreaOffset,
&ullNewOffset);
if (hResult != S_OK)
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
else if (S_OK != ULongLongAdd(ullNewOffset, (ULONGLONG) pVerifyInformation->Length, &ullEndOffset))
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
else if (ullEndOffset > (ULONGLONG) Extension->DiskLength)
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER; Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
else else
{ {
@@ -721,7 +732,7 @@ NTSTATUS ProcessVolumeDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION
else else
{ {
LARGE_INTEGER offset = pVerifyInformation->StartingOffset; LARGE_INTEGER offset = pVerifyInformation->StartingOffset;
offset.QuadPart += Extension->cryptoInfo->hiddenVolume ? Extension->cryptoInfo->hiddenVolumeOffset : Extension->cryptoInfo->volDataAreaOffset; offset.QuadPart = ullNewOffset;
Irp->IoStatus.Status = ZwReadFile (Extension->hDeviceFile, NULL, NULL, NULL, &ioStatus, buffer, pVerifyInformation->Length, &offset, NULL); Irp->IoStatus.Status = ZwReadFile (Extension->hDeviceFile, NULL, NULL, NULL, &ioStatus, buffer, pVerifyInformation->Length, &offset, NULL);
TCfree (buffer); TCfree (buffer);