From 4fa4d6d22708231a51bdff93ef3220aa95b6fc80 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI
Date: Sun, 31 Aug 2014 23:56:37 +0200
Subject: Windows vulnerability fix: correct possible BSOD attack targeted towards GetWipePassCount() / WipeBuffer() found by the Open Crypto Audit Project.
---
 src/Driver/DriveFilter.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
(limited to 'src/Driver/DriveFilter.c')
diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c
index 331b3720..26fed73d 100644
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -1320,7 +1320,14 @@ static VOID SetupThreadProc (PVOID threadArg)
 if (SetupRequest.WipeAlgorithm != TC_WIPE_NONE)
 {
 byte wipePass;
- for (wipePass = 1; wipePass <= GetWipePassCount (SetupRequest.WipeAlgorithm); ++wipePass)
+ int wipePassCount = GetWipePassCount (SetupRequest.WipeAlgorithm);
+ if (wipePassCount <= 0)
+ {
+ SetupResult = STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+
+ for (wipePass = 1; wipePass <= wipePassCount; ++wipePass)
 {
 if (!WipeBuffer (SetupRequest.WipeAlgorithm, wipeRandChars, wipePass, wipeBuffer, setupBlockSize))
 {
@@ -1692,7 +1699,7 @@ static VOID DecoySystemWipeThreadProc (PVOID threadArg)
 byte *wipeBuffer = NULL;
 byte *wipeRandBuffer = NULL;
 byte wipeRandChars[TC_WIPE_RAND_CHAR_COUNT];
- int wipePass;
+ int wipePass, wipePassCount;
 int ea = Extension->Queue.CryptoInfo->ea;
 KIRQL irql;
 
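Review bot: In the SetupThreadProc hunk the loop counter stays `byte wipePass;` while the new bound is `int wipePassCount`, so if `GetWipePassCount` ever returns more than 255 (assuming `byte` is an unsigned 8-bit type) the counter wraps and `wipePass <= wipePassCount` never becomes false, leaving a kernel thread spinning. The DecoySystemWipeThreadProc hunk already uses `int wipePass, wipePassCount;`; declaring `int wipePass;` here as well, or additionally rejecting `wipePassCount > 255`, would close that gap and keep both paths consistent. Whether any wipe algorithm currently yields such a count is not visible in this diff, and SetupThreadProc's body starts and ends outside the hunk.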
@@ -1755,7 +1762,14 @@ static VOID DecoySystemWipeThreadProc (PVOID threadArg)
 if (offset.QuadPart > Extension->ConfiguredEncryptedAreaEnd)
 break;
- for (wipePass = 1; wipePass <= GetWipePassCount (WipeDecoyRequest.WipeAlgorithm); ++wipePass)
+ wipePassCount = GetWipePassCount (WipeDecoyRequest.WipeAlgorithm);
+ if (wipePassCount <= 0)
+ {
+ DecoySystemWipeResult = STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+
+ for (wipePass = 1; wipePass <= wipePassCount; ++wipePass)
 {
 if (!WipeBuffer (WipeDecoyRequest.WipeAlgorithm, wipeRandChars, wipePass, wipeBuffer, wipeBlockSize))
 {
-- cgit v1.2.3
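Review bot: The new check in DecoySystemWipeThreadProc runs inside the per-block loop (the `break` above it belongs to that loop), so `WipeDecoyRequest.WipeAlgorithm` is validated only after the thread has started its work, and again on every block. If the request cannot change while the thread runs, computing `wipePassCount` and testing `wipePassCount <= 0` once before the loop gives the same protection and fails earlier; a comment such as `/* validate the requested wipe algorithm once, before the block loop */` would record the intent. The guard also relies on `GetWipePassCount` returning a non-positive value for an unrecognised algorithm rather than faulting, and on the `err` label releasing the wipe buffers; neither is visible here, since the function continues outside the hunk.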