public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "gaoliming" <gaoliming@byosoft.com.cn>
To: <devel@edk2.groups.io>, <pedro.falcato@gmail.com>
Cc: "'Vitaly Cheptsov'" <vit9696@protonmail.com>,
	"'Marvin Häuser'" <mhaeuser@posteo.de>,
	"'Michael D Kinney'" <michael.d.kinney@intel.com>,
	"'Zhiguang Liu'" <zhiguang.liu@intel.com>,
	"'Jiewen Yao'" <Jiewen.yao@intel.com>
Subject: 回复: [edk2-devel] 回复: [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
Date: Mon, 7 Nov 2022 09:32:33 +0800	[thread overview]
Message-ID: <016b01d8f248$cf2d28c0$6d877a40$@byosoft.com.cn> (raw)
In-Reply-To: <CAKbZUD2-QpmWyUS2MpH9cMPG8hJW-GseAAS9qviH8EGkWG=Xgg@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 5612 bytes --]

Create https://github.com/tianocore/edk2/pull/3604 to merge this patch.

 

Thanks

Liming

发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Pedro Falcato
发送时间: 2022年11月5日 8:25
收件人: devel@edk2.groups.io; gaoliming@byosoft.com.cn
抄送: Vitaly Cheptsov <vit9696@protonmail.com>; Marvin Häuser <mhaeuser@posteo.de>; Michael D Kinney <michael.d.kinney@intel.com>; Zhiguang Liu <zhiguang.liu@intel.com>; Jiewen Yao <Jiewen.yao@intel.com>
主题: Re: [edk2-devel] 回复: [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString

 

Hi Liming,

 

Thank you for the review. Can we please push this in time for the stable tag?

 

Thanks,

Pedro

 

On Fri, Nov 4, 2022 at 1:22 AM gaoliming via groups.io <http://groups.io>  <gaoliming=byosoft.com.cn@groups.io <mailto:byosoft.com.cn@groups.io> > wrote:

Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >

> -----邮件原件-----
> 发件人: Pedro Falcato <pedro.falcato@gmail.com <mailto:pedro.falcato@gmail.com> >
> 发送时间: 2022年11月3日 9:12
> 收件人: devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
> 抄送: Pedro Falcato <pedro.falcato@gmail.com <mailto:pedro.falcato@gmail.com> >; Vitaly Cheptsov
> <vit9696@protonmail.com <mailto:vit9696@protonmail.com> >; Marvin Häuser <mhaeuser@posteo.de <mailto:mhaeuser@posteo.de> >;
> Michael D Kinney <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Liming Gao
> <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; Zhiguang Liu <zhiguang.liu@intel.com <mailto:zhiguang.liu@intel.com> >; Jiewen
> Yao <Jiewen.yao@Intel.com <mailto:Jiewen.yao@Intel.com> >
> 主题: [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
> 
> There was a OOB access in *StrHexTo* functions, when passed strings like
> "XDEADBEEF".
> 
> OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe,
> which was able to catch these (mostly harmless) issues.
> 
> Cc: Vitaly Cheptsov <vit9696@protonmail.com <mailto:vit9696@protonmail.com> >
> Cc: Marvin Häuser <mhaeuser@posteo.de <mailto:mhaeuser@posteo.de> >
> Cc: Michael D Kinney <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
> Cc: Liming Gao <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >
> Cc: Zhiguang Liu <zhiguang.liu@intel.com <mailto:zhiguang.liu@intel.com> >
> Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com <mailto:pedro.falcato@gmail.com> >
> Acked-by: Michael D Kinney <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
> Reviewed-by: Jiewen Yao <Jiewen.yao@Intel.com <mailto:Jiewen.yao@Intel.com> >
> ---
>  MdePkg/Library/BaseLib/SafeString.c | 25 +++++++++++++++++++++----
>  1 file changed, 21 insertions(+), 4 deletions(-)
> 
> diff --git a/MdePkg/Library/BaseLib/SafeString.c
> b/MdePkg/Library/BaseLib/SafeString.c
> index f338a32a3a41..b75b33381732 100644
> --- a/MdePkg/Library/BaseLib/SafeString.c
> +++ b/MdePkg/Library/BaseLib/SafeString.c
> @@ -863,6 +863,9 @@ StrHexToUintnS (
>    OUT       UINTN   *Data
>    )
>  {
> +  BOOLEAN  FoundLeadingZero;
> +
> +  FoundLeadingZero = FALSE;
>    ASSERT (((UINTN)String & BIT0) == 0);
> 
>    //
> @@ -892,12 +895,14 @@ StrHexToUintnS (
>    //
>    // Ignore leading Zeros after the spaces
>    //
> +
> +  FoundLeadingZero = *String == L'0';
>    while (*String == L'0') {
>      String++;
>    }
> 
>    if (CharToUpper (*String) == L'X') {
> -    if (*(String - 1) != L'0') {
> +    if (!FoundLeadingZero) {
>        *Data = 0;
>        return RETURN_SUCCESS;
>      }
> @@ -992,6 +997,9 @@ StrHexToUint64S (
>    OUT       UINT64  *Data
>    )
>  {
> +  BOOLEAN  FoundLeadingZero;
> +
> +  FoundLeadingZero = FALSE;
>    ASSERT (((UINTN)String & BIT0) == 0);
> 
>    //
> @@ -1021,12 +1029,13 @@ StrHexToUint64S (
>    //
>    // Ignore leading Zeros after the spaces
>    //
> +  FoundLeadingZero = *String == L'0';
>    while (*String == L'0') {
>      String++;
>    }
> 
>    if (CharToUpper (*String) == L'X') {
> -    if (*(String - 1) != L'0') {
> +    if (!FoundLeadingZero) {
>        *Data = 0;
>        return RETURN_SUCCESS;
>      }
> @@ -2393,6 +2402,9 @@ AsciiStrHexToUintnS (
>    OUT       UINTN  *Data
>    )
>  {
> +  BOOLEAN  FoundLeadingZero;
> +
> +  FoundLeadingZero = FALSE;
>    //
>    // 1. Neither String nor Data shall be a null pointer.
>    //
> @@ -2420,12 +2432,13 @@ AsciiStrHexToUintnS (
>    //
>    // Ignore leading Zeros after the spaces
>    //
> +  FoundLeadingZero = *String == '0';
>    while (*String == '0') {
>      String++;
>    }
> 
>    if (AsciiCharToUpper (*String) == 'X') {
> -    if (*(String - 1) != '0') {
> +    if (!FoundLeadingZero) {
>        *Data = 0;
>        return RETURN_SUCCESS;
>      }
> @@ -2517,6 +2530,9 @@ AsciiStrHexToUint64S (
>    OUT       UINT64  *Data
>    )
>  {
> +  BOOLEAN  FoundLeadingZero;
> +
> +  FoundLeadingZero = FALSE;
>    //
>    // 1. Neither String nor Data shall be a null pointer.
>    //
> @@ -2544,12 +2560,13 @@ AsciiStrHexToUint64S (
>    //
>    // Ignore leading Zeros after the spaces
>    //
> +  FoundLeadingZero = *String == '0';
>    while (*String == '0') {
>      String++;
>    }
> 
>    if (AsciiCharToUpper (*String) == 'X') {
> -    if (*(String - 1) != '0') {
> +    if (!FoundLeadingZero) {
>        *Data = 0;
>        return RETURN_SUCCESS;
>      }
> --
> 2.38.1











-- 

Pedro Falcato




[-- Attachment #2: Type: text/html, Size: 12442 bytes --]

  reply	other threads:[~2022-11-07  1:32 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-03  1:11 [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString Pedro Falcato
2022-11-04  1:22 ` 回复: " gaoliming
2022-11-05  0:24   ` [edk2-devel] " Pedro Falcato
2022-11-07  1:32     ` gaoliming [this message]
2022-11-07  8:14       ` Pedro Falcato
2022-11-07  8:57         ` JC
2022-11-07  9:11         ` JC

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='016b01d8f248$cf2d28c0$6d877a40$@byosoft.com.cn' \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox