From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <michael.d.kinney@intel.com>
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
 (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 1A5291A1DEB
 for <edk2-devel@lists.01.org>; Wed, 28 Sep 2016 17:38:24 -0700 (PDT)
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by fmsmga103.fm.intel.com with ESMTP; 28 Sep 2016 17:38:24 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.30,412,1470726000"; d="scan'208";a="14426330"
Received: from mdkinney-mobl.amr.corp.intel.com ([10.232.96.141])
 by orsmga005.jf.intel.com with ESMTP; 28 Sep 2016 17:38:23 -0700
From: Michael Kinney <michael.d.kinney@intel.com>
To: edk2-devel@lists.01.org
Cc: Jaben Carsey <jaben.carsey@intel.com>,
	Ruiyu Ni <ruiyu.ni@intel.com>
Date: Wed, 28 Sep 2016 17:38:20 -0700
Message-Id: <1475109500-13024-1-git-send-email-michael.d.kinney@intel.com>
X-Mailer: git-send-email 2.6.3.windows.1
Subject: [Patch] ShellPkg/Hexedit: Fix FreePool() ASSERT() when writing disk
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2016 00:38:24 -0000

The HDiskImageSave() function copies a device path using
DuplicateDevicePath() and passes that device path to
gBS->LocateDevicePath() that changes the value of the
device path pointer.  When FreePool() is called with the
modified device path pointer, the FreePool() service
generates an ASSERT() because the signature for the pool
head can not be found.

The function HDiskImageRead() immediately above
HDiskImageSave() has the correct algorithm that uses an
additional local variable called DupDevicePathForFree to
preserve the pointer to the allocated buffer so it can
be used in the call to FreePool().

Bug: <https://bugzilla.tianocore.org/show_bug.cgi?id=131>

Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Michael Kinney <michael.d.kinney@intel.com>
---
 ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
index a50b52f..bc74a4f 100644
--- a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
+++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
@@ -343,6 +343,7 @@ HDiskImageSave (
 
   CONST EFI_DEVICE_PATH_PROTOCOL  *DevicePath;
   EFI_DEVICE_PATH_PROTOCOL        *DupDevicePath;
+  EFI_DEVICE_PATH_PROTOCOL        *DupDevicePathForFree;
   EFI_BLOCK_IO_PROTOCOL           *BlkIo;
   EFI_STATUS                      Status;
   EFI_HANDLE                      Handle;
@@ -364,12 +365,13 @@ HDiskImageSave (
     return EFI_INVALID_PARAMETER;
   }
   DupDevicePath = DuplicateDevicePath(DevicePath);
+  DupDevicePathForFree = DupDevicePath;
 
   //
   // get blkio interface
   //
   Status = gBS->LocateDevicePath(&gEfiBlockIoProtocolGuid,&DupDevicePath,&Handle);
-  FreePool(DupDevicePath);
+  FreePool(DupDevicePathForFree);
   if (EFI_ERROR (Status)) {
 //    StatusBarSetStatusString (L"Read Disk Failed");
     return Status;
-- 
2.6.3.windows.1