From: Andrew Fish
Sender: afish@apple.com
Message-id: <095E0E05-A876-48C3-B87D-FA5874921821@apple.com>
Date: Wed, 24 Aug 2016 17:59:47 -0700
To: edk2-devel <edk2-devel@lists.01.org>
Subject: I found a fun bug in the Shell today. Looks like we have been getting lucky?
I was tracking down a data corruption issue when paging was enabled on an edk2 shell command. The crash was in a custom ConSplitter overwriting a DXE Core data structure. The buffer overflow seemed to be caused by the Console getting confused on the location of the end of the screen. I set a watchpoint on gST->ConOut->Mode->CursorRow and found the shell was the one corrupting the Mode data.

UEFI Spec: The following data values in the SIMPLE_TEXT_OUTPUT_MODE interface are read-only and are changed by using the appropriate interface functions:

(master)>git grep "OurConOut.Mode"
Application/Shell/ConsoleLogger.c:72:  (*ConsoleInfo)->OurConOut.Mode = gST->ConOut->Mode;
Application/Shell/ConsoleLogger.c:647: // ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorRow = 0;
Application/Shell/ConsoleLogger.c:648: // ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
Application/Shell/ConsoleLogger.c:704: if (ConsoleInfo->OurConOut.Mode->CursorColumn > 0) {
Application/Shell/ConsoleLogger.c:705:   ConsoleInfo->OurConOut.Mode->CursorColumn--;
Application/Shell/ConsoleLogger.c:734: ConsoleInfo->OurConOut.Mode->CursorRow++;
Application/Shell/ConsoleLogger.c:741: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
Application/Shell/ConsoleLogger.c:747: ConsoleInfo->OurConOut.Mode->CursorColumn++;
Application/Shell/ConsoleLogger.c:751: if ((INTN)ConsoleInfo->ColsPerScreen == ConsoleInfo->OurConOut.Mode->CursorColumn + 1) {
Application/Shell/ConsoleLogger.c:781: ConsoleInfo->OurConOut.Mode->CursorRow++;
Application/Shell/ConsoleLogger.c:782: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
Application/Shell/ConsoleLogger.c:976: ConsoleInfo->OurConOut.Mode = ConsoleInfo->OldConOut->Mode;

I'm not exactly sure what this code is trying to do, as the console should update the Mode structure directly? Maybe the intent was to have a copy of gST->ConOut->Mode and keep it in sync? It seems like this should cause more issues, but maybe the edk2 ConSplitter is not broken by this behavior and we are getting lucky?

Thanks,

Andrew Fish

https://tianocore.acgmultimedia.com/show_bug.cgi?id=105
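The mechanism behind the watchpoint hit, as an added constructed example that is not part of the original mail or of edk2: the Shell wrapper points its own `Mode` at the firmware console's `Mode` (the assignment the grep shows at line 72), so every cursor increment the wrapper performs lands in data the UEFI spec marks read-only. The `SYSTEM_CONSOLE` and `LOGGER_CONOUT` types and the `logger_*` functions are hypothetical stand-ins for `gST->ConOut` and `OurConOut`; `logger_init_copied` shows one way of keeping a private copy instead of sharing the pointer.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of EFI_SIMPLE_TEXT_OUTPUT_MODE; field names follow the UEFI spec. */
typedef struct {
  int32_t MaxMode;
  int32_t Mode;
  int32_t Attribute;
  int32_t CursorColumn;
  int32_t CursorRow;
  bool    CursorVisible;
} TEXT_OUTPUT_MODE;

/* Hypothetical stand-in for gST->ConOut: the firmware console owns its Mode data. */
typedef struct { TEXT_OUTPUT_MODE *Mode; } SYSTEM_CONSOLE;

/* Hypothetical stand-in for the Shell's OurConOut wrapper. */
typedef struct {
  TEXT_OUTPUT_MODE *Mode;        /* what OurConOut.Mode points at */
  TEXT_OUTPUT_MODE  PrivateMode; /* backing store used by the copied setup */
} LOGGER_CONOUT;

/* Aliased setup: the pattern from ConsoleLogger.c:72. The wrapper shares the firmware's Mode by pointer. */
void logger_init_aliased(LOGGER_CONOUT *Logger, SYSTEM_CONSOLE *Con) {
  Logger->Mode = Con->Mode;
}

/* Copied setup: snapshot the console's Mode into wrapper-owned storage so the wrapper's
 * cursor bookkeeping can never reach firmware data (keeping it in sync is a separate concern). */
void logger_init_copied(LOGGER_CONOUT *Logger, SYSTEM_CONSOLE *Con) {
  memcpy(&Logger->PrivateMode, Con->Mode, sizeof(*Con->Mode));
  Logger->Mode = &Logger->PrivateMode;
}

/* The wrapper's own cursor tracking, as at ConsoleLogger.c:734 and :741. */
void logger_newline(LOGGER_CONOUT *Logger) {
  Logger->Mode->CursorRow++;
  Logger->Mode->CursorColumn = 0;
}

/* Rows by which the firmware's CursorRow moved after the wrapper emitted `Lines` newlines.
 * Nonzero means the wrapper wrote through to read-only data: the corruption the watchpoint caught. */
int32_t console_row_drift(bool Aliased, int Lines) {
  TEXT_OUTPUT_MODE RealMode = { .MaxMode = 1, .Attribute = 0x07, .CursorColumn = 5, .CursorRow = 10, .CursorVisible = true };
  SYSTEM_CONSOLE Con = { .Mode = &RealMode };
  LOGGER_CONOUT Logger;
  if (Aliased) logger_init_aliased(&Logger, &Con); else logger_init_copied(&Logger, &Con);
  for (int i = 0; i < Lines; i++) logger_newline(&Logger);
  return RealMode.CursorRow - 10;
}
```

A hardware watchpoint on the real `CursorRow`, as described in the mail, fires only in the aliased configuration; the copied configuration leaves the firmware-owned structure untouched.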