From: "gaoliming"
To: "'Pedro Falcato'" ,
Cc: "'Vitaly Cheptsov'", "'Marvin Häuser'", "'Michael D Kinney'", "'Zhiguang Liu'", "'Jiewen Yao'"
References: <20221103011149.659815-1-pedro.falcato@gmail.com>
In-Reply-To: <20221103011149.659815-1-pedro.falcato@gmail.com>
Subject: Re: [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
Date: Fri, 4 Nov 2022 09:22:49 +0800
Message-ID: <000201d8efeb$f43533b0$dc9f9b10$@byosoft.com.cn>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Liming Gao

> -----Original Message-----
> From: Pedro Falcato
> Sent: November 3, 2022 9:12
> To: devel@edk2.groups.io
> Cc: Pedro Falcato; Vitaly Cheptsov; Marvin Häuser; Michael D Kinney; Liming Gao; Zhiguang Liu; Jiewen Yao
> Subject: [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
>
> There was an OOB access in *StrHexTo* functions, when passed strings like
> "XDEADBEEF".
>
> OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe,
> which was able to catch these (mostly harmless) issues.
>
> Cc: Vitaly Cheptsov
> Cc: Marvin Häuser
> Cc: Michael D Kinney
> Cc: Liming Gao
> Cc: Zhiguang Liu
> Signed-off-by: Pedro Falcato
> Acked-by: Michael D Kinney
> Reviewed-by: Jiewen Yao
> ---
>  MdePkg/Library/BaseLib/SafeString.c | 25 +++++++++++++++++++++----
>  1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/MdePkg/Library/BaseLib/SafeString.c > b/MdePkg/Library/BaseLib/SafeString.c > index f338a32a3a41..b75b33381732 100644 > --- a/MdePkg/Library/BaseLib/SafeString.c 
> +++ b/MdePkg/Library/BaseLib/SafeString.c > @@ -863,6 +863,9 @@ StrHexToUintnS ( > OUT UINTN *Data > ) > { > + BOOLEAN FoundLeadingZero; > + > + FoundLeadingZero =3D FALSE; > ASSERT (((UINTN)String & BIT0) =3D=3D 0); >=20 > // > @@ -892,12 +895,14 @@ StrHexToUintnS ( > // > // Ignore leading Zeros after the spaces > // > + > + FoundLeadingZero =3D *String =3D=3D L'0'; > while (*String =3D=3D L'0') { > String++; > } >=20 > if (CharToUpper (*String) =3D=3D L'X') { > - if (*(String - 1) !=3D L'0') { > + if (!FoundLeadingZero) { > *Data =3D 0; > return RETURN_SUCCESS; > } > @@ -992,6 +997,9 @@ StrHexToUint64S ( > OUT UINT64 *Data > ) > { > + BOOLEAN FoundLeadingZero; > + > + FoundLeadingZero =3D FALSE; > ASSERT (((UINTN)String & BIT0) =3D=3D 0); >=20 > // > @@ -1021,12 +1029,13 @@ StrHexToUint64S ( > // > // Ignore leading Zeros after the spaces > // > + FoundLeadingZero =3D *String =3D=3D L'0'; > while (*String =3D=3D L'0') { > String++; > } >=20 > if (CharToUpper (*String) =3D=3D L'X') { > - if (*(String - 1) !=3D L'0') { > + if (!FoundLeadingZero) { > *Data =3D 0; > return RETURN_SUCCESS; > } > @@ -2393,6 +2402,9 @@ AsciiStrHexToUintnS ( > OUT UINTN *Data > ) > { > + BOOLEAN FoundLeadingZero; > + > + FoundLeadingZero =3D FALSE; > // > // 1. Neither String nor Data shall be a null pointer. > // > @@ -2420,12 +2432,13 @@ AsciiStrHexToUintnS ( > // > // Ignore leading Zeros after the spaces > // > + FoundLeadingZero =3D *String =3D=3D '0'; > while (*String =3D=3D '0') { > String++; > } >=20 > if (AsciiCharToUpper (*String) =3D=3D 'X') { > - if (*(String - 1) !=3D '0') { > + if (!FoundLeadingZero) { > *Data =3D 0; > return RETURN_SUCCESS; > } > @@ -2517,6 +2530,9 @@ AsciiStrHexToUint64S ( > OUT UINT64 *Data > ) > { > + BOOLEAN FoundLeadingZero; > + > + FoundLeadingZero =3D FALSE; > // > // 1. Neither String nor Data shall be a null pointer. > // 
> @@ -2544,12 +2560,13 @@ AsciiStrHexToUint64S ( > // > // Ignore leading Zeros after the spaces > // > + FoundLeadingZero =3D *String =3D=3D '0'; > while (*String =3D=3D '0') { > String++; > } >=20 > if (AsciiCharToUpper (*String) =3D=3D 'X') { > - if (*(String - 1) !=3D '0') { > + if (!FoundLeadingZero) { > *Data =3D 0; > return RETURN_SUCCESS; > } > -- > 2.38.1
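
Review bot: The StrHexToUintnS hunk at @@ -892,12 +895,14 @@ adds a stray empty line between the "Ignore leading Zeros after the spaces" comment and `FoundLeadingZero = *String == L'0';`, which is why it grows to 14 lines while the three sibling hunks grow to 13. Drop the empty `+` line so the assignment sits directly under the comment, as it does in StrHexToUint64S, AsciiStrHexToUintnS and AsciiStrHexToUint64S.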
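
Review bot: The `FoundLeadingZero = FALSE;` store added at the top of each function (@@ -863,6 +863,9 @@ and the three matching declaration hunks) is never read in the lines shown: the flag is reassigned by `FoundLeadingZero = *String == L'0';` right before the zero-skipping loop and tested only after that loop. Either drop the initializer or say in a comment why it is kept; in the two Str* variants it also sits ahead of the alignment ASSERT, away from the logic it belongs to.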
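
Review bot: Missing documentation at `if (!FoundLeadingZero)` in the @@ -2544,12 +2560,13 @@ hunk and its three siblings: nothing records why the flag replaced `*(String - 1) != '0'`. When no zero was skipped, String - 1 is the character before the current position, which for an input such as "XDEADBEEF" lies before the start of the buffer. A one-line comment above the assignment saying so would keep a later cleanup from reintroducing the look-behind, and writing it as `FoundLeadingZero = (BOOLEAN)(*String == '0');` would make the precedence explicit. A regression case for a string that starts with 'X' would also pin the expected result on that path (*Data set to 0, RETURN_SUCCESS).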