From: Andrew Fish <afish@apple.com>
To: edk2-devel <edk2-devel@lists.01.org>
Subject: I found a fun bug in the Shell today. Looks like we have been getting lucky?
Date: Wed, 24 Aug 2016 17:59:47 -0700 [thread overview]
Message-ID: <095E0E05-A876-48C3-B87D-FA5874921821@apple.com> (raw)
I was tracking down a data corruption issue when paging was enabled on an edk2 shell command. The crash was in a custom ConSpliter over writing a DXE Core data structure. The buffer overflow seemed to be caused by the Console getting confused on the location of the end of the screen. I set a watchpoint on gST->ConOut->Mode->CursorRow and found the shell was the one corrupting the Mode data.
UEFI Spec: The following data values in the SIMPLE_TEXT_OUTPUT_MODE interface are read-only and are changed by using the appropriate interface functions:
(master)>git grep "OurConOut.Mode"
Application/Shell/ConsoleLogger.c:72: (*ConsoleInfo)->OurConOut.Mode = gST->ConOut->Mode;
Application/Shell/ConsoleLogger.c:647:// ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorRow = 0;
Application/Shell/ConsoleLogger.c:648:// ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
Application/Shell/ConsoleLogger.c:704: if (ConsoleInfo->OurConOut.Mode->CursorColumn > 0) {
Application/Shell/ConsoleLogger.c:705: ConsoleInfo->OurConOut.Mode->CursorColumn--;
Application/Shell/ConsoleLogger.c:734: ConsoleInfo->OurConOut.Mode->CursorRow++;
Application/Shell/ConsoleLogger.c:741: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
Application/Shell/ConsoleLogger.c:747: ConsoleInfo->OurConOut.Mode->CursorColumn++;
Application/Shell/ConsoleLogger.c:751: if ((INTN)ConsoleInfo->ColsPerScreen == ConsoleInfo->OurConOut.Mode->CursorColumn + 1) {
Application/Shell/ConsoleLogger.c:781: ConsoleInfo->OurConOut.Mode->CursorRow++;
Application/Shell/ConsoleLogger.c:782: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
Application/Shell/ConsoleLogger.c:976: ConsoleInfo->OurConOut.Mode = ConsoleInfo->OldConOut->Mode;
I'm not exactly sure what this code is trying to do as the console should update Mode structure directly? Maybe the intent was to have a copy of gST->ConOut->Mode and keep it in sync? It seems like this should cause more issues, but maybe the edk2 ConSplitter is not broken by this behavior and we are getting lucky?
Thanks,
Andrew Fish
https://tianocore.acgmultimedia.com/show_bug.cgi?id=105
next reply other threads:[~2016-08-25 0:59 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-25 0:59 Andrew Fish [this message]
2016-08-25 1:26 ` I found a fun bug in the Shell today. Looks like we have been getting lucky? Andrew Fish
2016-08-25 16:05 ` Carsey, Jaben
2016-08-25 16:08 ` Andrew Fish
2016-08-25 16:17 ` Carsey, Jaben
2016-08-25 16:20 ` Andrew Fish
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=095E0E05-A876-48C3-B87D-FA5874921821@apple.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox