From: Andrew Fish
Sender: afish@apple.com
To: "Carsey, Jaben"
Cc: edk2-devel, "Ni, Ruiyu"
Date: Thu, 25 Aug 2016 09:08:18 -0700
Subject: Re: I found a fun bug in the Shell today. Looks like we have been getting lucky?
Message-id: <0B832F72-ABF8-4E9E-A123-604A579CA9E0@apple.com>
References: <095E0E05-A876-48C3-B87D-FA5874921821@apple.com>
List-Id: EDK II Development
List-Post: edk2-devel@lists.01.org
List-Archive: https://lists.01.org/mailman/listinfo/edk2-devel

> On Aug 25, 2016, at 9:05 AM, Carsey, Jaben wrote:
>
> Andrew,
>
> Can you file a Bugzilla issue so we can track this issue properly?
>

Jaben,

I attached the URL at the end of the original mail: https://tianocore.acgmultimedia.com/show_bug.cgi?id=105

Thanks,

Andrew Fish

> -Jaben
>
>> -----Original Message-----
>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish
>> Sent: Wednesday, August 24, 2016 6:26 PM
>> To: edk2-devel
>> Subject: Re: [edk2] I found a fun bug in the Shell today. Looks like we have been getting lucky?
>> Importance: High
>>
>>
>>> On Aug 24, 2016, at 5:59 PM, Andrew Fish wrote:
>>>
>>> I was tracking down a data corruption issue when paging was enabled on an edk2 shell command. The crash was in a custom ConSplitter overwriting a DXE Core data structure. The buffer overflow seemed to be caused by the Console getting confused on the location of the end of the screen. I set a watchpoint on gST->ConOut->Mode->CursorRow and found the shell was the one corrupting the Mode data.
>>>
>>> UEFI Spec: The following data values in the SIMPLE_TEXT_OUTPUT_MODE interface are read-only and are changed by using the appropriate interface functions:
>>>
>>> (master)>git grep "OurConOut.Mode"
>>> Application/Shell/ConsoleLogger.c:72: (*ConsoleInfo)->OurConOut.Mode = gST->ConOut->Mode;
>>> Application/Shell/ConsoleLogger.c:647:// ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorRow = 0;
>>> Application/Shell/ConsoleLogger.c:648:// ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
>>> Application/Shell/ConsoleLogger.c:704: if (ConsoleInfo->OurConOut.Mode->CursorColumn > 0) {
>>> Application/Shell/ConsoleLogger.c:705: ConsoleInfo->OurConOut.Mode->CursorColumn--;
>>> Application/Shell/ConsoleLogger.c:734: ConsoleInfo->OurConOut.Mode->CursorRow++;
>>> Application/Shell/ConsoleLogger.c:741: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
>>> Application/Shell/ConsoleLogger.c:747: ConsoleInfo->OurConOut.Mode->CursorColumn++;
>>> Application/Shell/ConsoleLogger.c:751: if ((INTN)ConsoleInfo->ColsPerScreen == ConsoleInfo->OurConOut.Mode->CursorColumn + 1) {
>>> Application/Shell/ConsoleLogger.c:781: ConsoleInfo->OurConOut.Mode->CursorRow++;
>>> Application/Shell/ConsoleLogger.c:782: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
>>> Application/Shell/ConsoleLogger.c:976: ConsoleInfo->OurConOut.Mode = ConsoleInfo->OldConOut->Mode;
>>>
>>>
>>> I'm not exactly sure what this code is trying to do, as the console should update the Mode structure directly? Maybe the intent was to have a copy of gST->ConOut->Mode and keep it in sync? It seems like this should cause more issues, but maybe the edk2 ConSplitter is not broken by this behavior and we are getting lucky?
>>>
>>
>> I forgot to mention that setting the Mode->CursorRow in the console code back to the last row if it was larger looks like it hides this bug in the shell.
>>
>> Thanks,
>>
>> Andrew Fish
>>
>>
>>> Thanks,
>>>
>>> Andrew Fish
>>>
>>> https://tianocore.acgmultimedia.com/show_bug.cgi?id=105
>>> _______________________________________________
>>> edk2-devel mailing list
>>> edk2-devel@lists.01.org
>>> https://lists.01.org/mailman/listinfo/edk2-devel
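The contract the thread is about (the SIMPLE_TEXT_OUTPUT_MODE fields are read-only and are only changed through the interface functions), the pattern the grep output shows (a logger holding the console's Mode pointer and bumping CursorRow itself) and the console-side clamp mentioned as hiding the bug, as an added C illustration. This is constructed example code, not EDK2 or shell source and not from the mail: the SIMPLE_TEXT_OUTPUT_MODE field names follow the UEFI spec, but TOY_CONSOLE, LOGGER_CURSOR, the Demo* functions, the 80x25 screen and the EFI_STATUS values are stand-ins.

```c
/* Constructed illustration of the SIMPLE_TEXT_OUTPUT_MODE contract.
 * Not EDK2 code: the types below are stand-ins for the real protocol. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS     0ULL
#define EFI_UNSUPPORTED 3ULL   /* constructed value, not the spec encoding */

/* Field names mirror the spec's mode block that every console consumer
 * reaches through gST->ConOut->Mode. */
typedef struct {
    int32_t MaxMode;
    int32_t Mode;
    int32_t Attribute;
    int32_t CursorColumn;
    int32_t CursorRow;
    bool    CursorVisible;
} SIMPLE_TEXT_OUTPUT_MODE;

typedef struct {                      /* stand-in for the console driver */
    SIMPLE_TEXT_OUTPUT_MODE *Mode;    /* shared, read-only to consumers */
    int32_t Columns;
    int32_t Rows;
} TOY_CONSOLE;

typedef struct {                      /* logger's own private bookkeeping */
    int32_t Row;
    int32_t Column;
} LOGGER_CURSOR;

/* The interface function the spec says callers must use. It validates the
 * request before touching the shared Mode, so Mode can never hold a row
 * the driver's own end-of-screen logic does not expect. */
EFI_STATUS ConOutSetCursorPosition(TOY_CONSOLE *Con, int32_t Column, int32_t Row)
{
    if (Column < 0 || Row < 0 || Column >= Con->Columns || Row >= Con->Rows) {
        return EFI_UNSUPPORTED;
    }
    Con->Mode->CursorColumn = Column;
    Con->Mode->CursorRow    = Row;
    return EFI_SUCCESS;
}

/* The pattern in the grep output: the logger writes the shared Mode fields
 * directly. Nothing bounds CursorRow, and the driver later trusts it. */
void LoggerAdvanceUnchecked(SIMPLE_TEXT_OUTPUT_MODE *SharedMode, int Newlines)
{
    for (int i = 0; i < Newlines; i++) {
        SharedMode->CursorRow++;          /* write to a read-only field */
        SharedMode->CursorColumn = 0;
    }
}

/* Corrected pattern: track the cursor privately and publish it only through
 * the interface function, which rejects anything out of range. */
EFI_STATUS LoggerAdvanceChecked(TOY_CONSOLE *Con, LOGGER_CURSOR *Priv, int Newlines)
{
    for (int i = 0; i < Newlines; i++) {
        Priv->Column = 0;
        if (Priv->Row + 1 < Con->Rows) {
            Priv->Row++;                  /* a real driver would scroll here */
        }
    }
    return ConOutSetCursorPosition(Con, Priv->Column, Priv->Row);
}

/* The console-side workaround described in the reply: clamp an oversized
 * CursorRow back to the last row before acting on it. It masks the fault
 * rather than fixing the writer. */
int32_t ClampCursorRow(const TOY_CONSOLE *Con)
{
    int32_t Row = Con->Mode->CursorRow;
    if (Row >= Con->Rows) Row = Con->Rows - 1;
    if (Row < 0)          Row = 0;
    return Row;
}

/* Scenarios on a constructed 80x25 console; each returns its result. */
int32_t DemoUncheckedOverrun(void)
{
    SIMPLE_TEXT_OUTPUT_MODE Mode = {0};
    TOY_CONSOLE Con = { &Mode, 80, 25 };
    Mode.CursorRow = 20;
    LoggerAdvanceUnchecked(Con.Mode, 10);   /* row 30 on a 25-row screen */
    return Mode.CursorRow;
}

int32_t DemoClampHidesOverrun(void)
{
    SIMPLE_TEXT_OUTPUT_MODE Mode = {0};
    TOY_CONSOLE Con = { &Mode, 80, 25 };
    Mode.CursorRow = 20;
    LoggerAdvanceUnchecked(Con.Mode, 10);
    return ClampCursorRow(&Con);            /* 24: last valid row */
}

int32_t DemoCheckedStaysInRange(void)
{
    SIMPLE_TEXT_OUTPUT_MODE Mode = {0};
    TOY_CONSOLE Con = { &Mode, 80, 25 };
    LOGGER_CURSOR Priv = { 20, 5 };
    LoggerAdvanceChecked(&Con, &Priv, 10);
    return Mode.CursorRow;                  /* 24, never past the screen */
}

EFI_STATUS DemoSetCursorRejectsBadRow(void)
{
    SIMPLE_TEXT_OUTPUT_MODE Mode = {0};
    TOY_CONSOLE Con = { &Mode, 80, 25 };
    return ConOutSetCursorPosition(&Con, 0, 25);   /* one row too far */
}

int main(void)
{
    printf("unchecked logger leaves CursorRow = %d\n", (int)DemoUncheckedOverrun());
    printf("driver clamp reports row        = %d\n", (int)DemoClampHidesOverrun());
    printf("checked logger leaves CursorRow = %d\n", (int)DemoCheckedStaysInRange());
    printf("SetCursorPosition(0,25) status  = %llu\n",
           (unsigned long long)DemoSetCursorRejectsBadRow());
    return 0;
}
```

The point of the two logger variants is the ownership boundary: the first treats the console's Mode as its own scratch state, so the driver's end-of-screen checks run against a value it never produced; the second keeps its bookkeeping private and lets the driver reject a bad position. The clamp is worth having as defence in depth, but on its own it only hides the writer that violates the contract.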