From: "Michael Brown" <mcb30@ipxe.org>
To: devel@edk2.groups.io, kraxel@redhat.com
Cc: mikuback@linux.microsoft.com, Dandan Bi <dandan.bi@intel.com>,
Erich McMillan <emcmillan@microsoft.com>,
Jian J Wang <jian.j.wang@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Star Zeng <star.zeng@intel.com>,
Zhichao Gao <zhichao.gao@intel.com>,
Zhiguang Liu <zhiguang.liu@intel.com>,
Michael Kubacki <michael.kubacki@microsoft.com>
Subject: Re: [edk2-devel] [PATCH v3 01/12] MdeModulePkg/SmbiosDxe: Fix pointer and buffer overflow CodeQL alerts
Date: Tue, 14 Feb 2023 13:47:42 +0000 [thread overview]
Message-ID: <01020186502e636e-e8e67b6b-f07a-43b9-aa39-35be69d08c68-000000@eu-west-1.amazonses.com> (raw)
In-Reply-To: <20230214130114.kp4z4zmfjgaalv47@sirius.home.kraxel.org>
On 14/02/2023 13:01, Gerd Hoffmann wrote:
> On Mon, Feb 13, 2023 at 04:15:30PM +0000, Michael Brown wrote:
>> On 13/02/2023 15:48, Michael Kubacki wrote:
>>> @@ -1608,9 +1610,12 @@ ParseAndAddExistingSmbiosTable (
>>> //
>>> // Make sure not to access memory beyond SmbiosEnd
>>> //
>>> - if ((Smbios.Raw + sizeof (SMBIOS_STRUCTURE) > SmbiosEnd.Raw) ||
>>> - (Smbios.Raw + sizeof (SMBIOS_STRUCTURE) < Smbios.Raw))
>>> - {
>>> + Status = SafeUintnAdd ((UINTN)Smbios.Raw, sizeof (SMBIOS_STRUCTURE), &SafeIntResult);
>>> + if (EFI_ERROR (Status)) {
>>> + return EFI_INVALID_PARAMETER;
>>> + }
>>> +
>>> + if ((SafeIntResult > (UINTN)SmbiosEnd.Raw) || (SafeIntResult < (UINTN)Smbios.Raw)) {
>>> return EFI_INVALID_PARAMETER;
>>> }
>>
>> Could this not be expressed much more cleanly as just:
>>
>> if ((UINTN)(SmbiosEnd.Raw - Smbios.Raw) < sizeof (SMBIOS_STRUCTURE)) {
>> return EFI_INVALID_PARAMETER;
>> }
>>
>> without the need to hide a basic arithmetic operation behind an ugly wrapper
>> function and drag in an external library?
>
> Well, the advantage of using SafeIntLib is that (a) it is obvious even
> to untrained code readers what is going on here, and (b) it is hard to
> get it wrong.
>
> When looking at the quality some of the patches being posted to the list
> have I'd say that is important to consider even if you personally have
> no problems avoiding integer overflows without the help of SafeIntLib.
Fair enough. But in that case it should be used in a way that makes it
clear what it's actually doing. Specifically, the check for
if (... || (SafeIntResult < (UINTN)Smbios.Raw)) {
...
}
then becomes meaningless, since the whole point of SafeUintnAdd() is
that it cannot result in this kind of unsigned integer wraparound. The
code as modified by this patch is *harder* to understand, because the
reader has to dig through to figure out why this check still exists,
look at the implementation of SafeUintnAdd() to see what is meant by
"safe" in this context, and finally come to the conclusion that the
remaining underflow check is redundant code that should have been removed.
The reader is also going to be confused by the fact that the code as
modified by this patch then contains two separate methods for checking
for integer overflows, since the patch does not similarly update the
very similar code found almost immediately afterwards:
if ((Smbios.Raw + Smbios.Hdr->Length + 2 * sizeof (UINT8) >
SmbiosEnd.Raw) ||
(Smbios.Raw + Smbios.Hdr->Length + 2 * sizeof (UINT8) <
Smbios.Raw))
{
return EFI_INVALID_PARAMETER;
}
Lastly: the actual operation being made safe here is "check that buffer
contains at least this much data remaining". This is most obviously
done by calculating the remaining buffer space (i.e.
(UINTN)(SmbiosEnd.Raw - Smbios.Raw)) and comparing against that. That
logic is clear, simple, and obviously correct at first glance. Using
the SafeUintnAdd() call does something that *is* mathematically
equivalent to this check, but where the logic is much harder to parse.
I'd prefer it if the code were updated to avoid SafeUintnAdd()
altogether. But if not, then at a minimum the redundant check should be
removed, and the calculation involving Smbios.Hdr->Length should also be
updated to use SafeUintnAdd().
Thanks,
Michael
next prev parent reply other threads:[~2023-02-14 13:47 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-13 15:48 [PATCH v3 00/12] Enable New CodeQL Queries Michael Kubacki
2023-02-13 15:48 ` [PATCH v3 01/12] MdeModulePkg/SmbiosDxe: Fix pointer and buffer overflow CodeQL alerts Michael Kubacki
2023-02-13 16:15 ` [edk2-devel] " Michael Brown
2023-02-14 13:01 ` Gerd Hoffmann
2023-02-14 13:47 ` Michael Brown [this message]
2023-02-14 14:11 ` Gerd Hoffmann
2023-02-14 14:16 ` Michael Kubacki
2023-02-14 13:53 ` Michael Kubacki
2023-02-13 15:48 ` [PATCH v3 02/12] BaseTools/PatchCheck.py: Add PCCTS to tab exemption list Michael Kubacki
2023-02-13 15:48 ` [PATCH v3 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 04/12] CryptoPkg: Fix conditionally uninitialized variable Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 05/12] MdeModulePkg: Fix conditionally uninitialized variables Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 06/12] MdePkg: " Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 07/12] NetworkPkg: " Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 08/12] PcAtChipsetPkg: " Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 09/12] ShellPkg: " Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 10/12] UefiCpuPkg: " Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 11/12] .github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries Michael Kubacki
2023-02-13 15:49 ` [PATCH v3 12/12] .github/codeql/edk2.qls: Enable CWE 120, 787, and 805 queries Michael Kubacki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=01020186502e636e-e8e67b6b-f07a-43b9-aa39-35be69d08c68-000000@eu-west-1.amazonses.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox