From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 10DFE1A1EF2 for ; Wed, 12 Oct 2016 05:22:13 -0700 (PDT) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP; 12 Oct 2016 05:22:14 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,482,1473145200"; d="scan'208";a="1063789030" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.34]) by orsmga002.jf.intel.com with ESMTP; 12 Oct 2016 05:22:11 -0700 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Liming Gao , Yonghong Zhu Date: Wed, 12 Oct 2016 20:20:31 +0800 Message-Id: <1476274836-10544-48-git-send-email-hao.a.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.0 In-Reply-To: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com> References: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com> Subject: [PATCH 47/52] BaseTools/GenVtf: Fix potential buffer overflow in scanf functions X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Oct 2016 12:22:13 -0000 String width is not specified for '%s' specifier in the format string for scanf functions. This can result in buffer overflows. This commit now specifies the string length for '%s' in format strings according to the size of receiving buffers. Cc: Liming Gao Cc: Yonghong Zhu Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu
---
 BaseTools/Source/C/GenVtf/GenVtf.c | 82 +++++++++++++++++++++++++++++++++++++- 1 file changed, 80 insertions(+), 2 deletions(-)
diff --git a/BaseTools/Source/C/GenVtf/GenVtf.c b/BaseTools/Source/C/GenVtf/GenVtf.c
index 85c771d..9c485d3 100644
--- a/BaseTools/Source/C/GenVtf/GenVtf.c
+++ b/BaseTools/Source/C/GenVtf/GenVtf.c
@@ -1045,6 +1045,7 @@ Arguments:
 Returns:
 EFI_INVALID_PARAMETER - The parameter is invalid
+ EFI_OUT_OF_RESOURCES - Resource can not be allocated
 EFI_SUCCESS - The function completed successfully
 --*/
@@ -1062,6 +1063,8 @@ Returns:
 CHAR8 Buff4[10];
 CHAR8 Buff5[10];
 CHAR8 Token[50];
+ CHAR8 *FormatString;
+ INTN FormatLength;
 Fp = fopen (LongFilePath (VtfInfo->CompSymName), "rb");
@@ -1070,10 +1073,47 @@ Returns:
 return EFI_INVALID_PARAMETER;
 }
+ //
+ // Generate the format string for fscanf
+ //
+ FormatLength = snprintf (
+ NULL,
+ 0,
+ "%%%us %%%us %%%us %%%us %%%us %%%us %%%us",
+ (unsigned) sizeof (Buff1) - 1,
+ (unsigned) sizeof (Buff2) - 1,
+ (unsigned) sizeof (OffsetStr) - 1,
+ (unsigned) sizeof (Buff3) - 1,
+ (unsigned) sizeof (Buff4) - 1,
+ (unsigned) sizeof (Buff5) - 1,
+ (unsigned) sizeof (Token) - 1
+ ) + 1;
+
+ FormatString = (CHAR8 *) malloc (FormatLength);
+ if (FormatString == NULL) {
+ fclose (Fp);
+
+ Error (NULL, 0, 4001, "Resource", "memory cannot be allocated!");
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ snprintf (
+ FormatString,
+ FormatLength,
+ "%%%us %%%us %%%us %%%us %%%us %%%us %%%us",
+ (unsigned) sizeof (Buff1) - 1,
+ (unsigned) sizeof (Buff2) - 1,
+ (unsigned) sizeof (OffsetStr) - 1,
+ (unsigned) sizeof (Buff3) - 1,
+ (unsigned) sizeof (Buff4) - 1,
+ (unsigned) sizeof (Buff5) - 1,
+ (unsigned) sizeof (Token) - 1
+ );
+
 while (fgets (Buff, sizeof (Buff), Fp) != NULL) {
 fscanf (
 Fp,
- "%s %s %s %s %s %s %s",
+ FormatString,
 Buff1,
 Buff2,
 OffsetStr,
@@ -1096,6 +1136,10 @@ Returns:
 memcpy ((VOID *) RelativeAddress, (VOID *) CompStartAddress, sizeof (UINT64));
+ if (FormatString != NULL) {
+ free (FormatString);
+ }
+
 if (Fp != NULL) {
 fclose (Fp);
 }
@@ -2198,6 +2242,8 @@ Returns:
 CHAR8 Section[MAX_LONG_FILE_PATH];
 CHAR8 Token[MAX_LONG_FILE_PATH];
 CHAR8 BaseToken[MAX_LONG_FILE_PATH];
+ CHAR8 *FormatString;
+ INTN FormatLength;
 UINT64 TokenAddress;
 long StartLocation;
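Review bot: The length probe `FormatLength = snprintf (NULL, 0, ...) + 1` in the hunk at -1070 is used as an allocation size without checking the result, so a negative return would give a zero-byte `malloc` followed by an out-of-bounds write in the second `snprintf`; on toolchains where `snprintf` is mapped to a pre-C99 `_snprintf` the `NULL, 0` probe returns -1 instead of the required length, which is worth confirming for the BaseTools Windows build since the patch was sent from msysgit. Every width is a compile-time `sizeof`, so the format string has a small bounded length and fits a fixed local buffer; that removes the probe, the heap allocation, the `EFI_OUT_OF_RESOURCES` path added at -1045 and the `free` added at -1096, leaving one truncation check as the only failure case, with the declaration at -1062 becoming `CHAR8 FormatString[64];` next to `INTN FormatLength;`. 64 bytes is ample for seven `%NNs` fields given the buffer sizes visible here (`[10]`, `[50]`); the sizes of `Buff1`, `Buff2`, `OffsetStr` and `Buff3` are outside the hunk, and the check below catches it if they are larger than expected. The hunk at -2276 repeats the same construction for four fields and the same rewrite applies there, returning `EFI_ABORTED` as it already does.
```c
  //
  // Generate the format string for fscanf; each %s width is the receiving
  // buffer size minus one so the terminating NUL always fits.
  //
  FormatLength = snprintf (
                   FormatString,
                   sizeof (FormatString),
                   "%%%us %%%us %%%us %%%us %%%us %%%us %%%us",
                   (unsigned) sizeof (Buff1) - 1,
                   (unsigned) sizeof (Buff2) - 1,
                   (unsigned) sizeof (OffsetStr) - 1,
                   (unsigned) sizeof (Buff3) - 1,
                   (unsigned) sizeof (Buff4) - 1,
                   (unsigned) sizeof (Buff5) - 1,
                   (unsigned) sizeof (Token) - 1
                   );
  if (FormatLength < 0 || (size_t) FormatLength >= sizeof (FormatString)) {
    fclose (Fp);
    Error (NULL, 0, 4001, "Resource", "fscanf format string cannot be generated!");
    return EFI_ABORTED;
  }

  // … unchanged: fgets/fscanf loop, now passing FormatString …
```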
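Review bot: The `if (FormatString != NULL)` guard around `free` in the hunk at -1096 is dead code: the NULL case already returned from the hunk at -1070, and `free (NULL)` is a no-op regardless, so the three lines reduce to `free (FormatString);`, which also matches the unguarded form the hunk at -2306 uses. Separately, `FormatString` is only released on this success path; the body between the allocation at -1073 and this hunk is not in the patch, so any existing early `return` in that stretch (and likewise inside the read loop between -2322 and -2383 for the second function) would now leak the buffer and should be checked before merging.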
@@ -2276,6 +2322,37 @@ Returns:
 }
 //
+ // Generate the format string for fscanf
+ //
+ FormatLength = snprintf (
+ NULL,
+ 0,
+ "%%%us | %%%us | %%%us | %%%us\n",
+ (unsigned) sizeof (Type) - 1,
+ (unsigned) sizeof (Address) - 1,
+ (unsigned) sizeof (Section) - 1,
+ (unsigned) sizeof (Token) - 1
+ ) + 1;
+
+ FormatString = (CHAR8 *) malloc (FormatLength);
+ if (FormatString == NULL) {
+ fclose (SourceFile);
+ fclose (DestFile);
+ Error (NULL, 0, 4001, "Resource", "memory cannot be allocated!");
+ return EFI_ABORTED;
+ }
+
+ snprintf (
+ FormatString,
+ FormatLength,
+ "%%%us | %%%us | %%%us | %%%us\n",
+ (unsigned) sizeof (Type) - 1,
+ (unsigned) sizeof (Address) - 1,
+ (unsigned) sizeof (Section) - 1,
+ (unsigned) sizeof (Token) - 1
+ );
+
+ //
 // Read in the file
 //
 while (feof (SourceFile) == 0) {
@@ -2283,7 +2360,7 @@ Returns:
 //
 // Read a line
 //
- if (fscanf (SourceFile, "%s | %s | %s | %s\n", Type, Address, Section, Token) == 4) {
+ if (fscanf (SourceFile, FormatString, Type, Address, Section, Token) == 4) {
 //
 // Get the token address
@@ -2306,6 +2383,7 @@ Returns:
 }
 }
+ free (FormatString);
 fclose (SourceFile);
 fclose (DestFile);
 return EFI_SUCCESS;
-- 1.9.5.msysgit.0
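Review bot: The width-limited `%s` in the hunk at -2283 turns an over-long field from an overflow into a silent split: the first `sizeof (Type) - 1` characters land in `Type`, the rest stays in the stream and is consumed by the next conversion, so `== 4` can still succeed with shifted fields, or the literal `|` fails to match and the line is skipped, with no diagnostic either way. The loop should treat a field that filled its buffer as an error, e.g. after the successful read `if (strlen (Token) == sizeof (Token) - 1) { Error (NULL, 0, 4001, "Resource", "symbol line too long"); return EFI_ABORTED; }` for each of the four buffers (an exact-fit field is rejected as well), or read each line with `fgets` and parse it with `sscanf` so a malformed line cannot desynchronise the ones after it. The `fscanf` in the hunk at -1070 has the same truncation behaviour and additionally ignores its return value, so a short or malformed line leaves whichever of the seven buffers did not get a conversion untouched; `if (fscanf (...) != 7)` should be checked there too.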