From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=68.232.153.94; helo=esa3.dell-outbound.iphmx.com; envelope-from=jim.dailey@dell.com; receiver=edk2-devel@lists.01.org Received: from esa3.dell-outbound.iphmx.com (esa3.dell-outbound.iphmx.com [68.232.153.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id EC0632035561F for ; Fri, 3 Nov 2017 04:40:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1509709129; x=1541245129; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Ddo+Irn+EDnMG0tCxGzJpNd2pI+9ztgTo2Dr5EA3Urg=; b=rUgJr7AF62wo2mJxLKCf+uU8EyeJ36mJtE92NSnyZNgDprcrLE/tC8pX fbUUMccmxFbG826GHhNEF22XmwQHBJ31MIyP6KGuuakGJGaw81wZjTQB3 XQ4theRG3LyiJD7bzgQSaiYXHZBvq6nV48+vt7D8eJ9hYwcntDqv3AdLA w=; Received: from esa5.dell-outbound2.iphmx.com ([68.232.153.203]) by esa3.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Nov 2017 06:38:48 -0500 From: Received: from ausxippc101.us.dell.com ([143.166.85.207]) by esa5.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Nov 2017 17:42:54 +0600 X-LoopCount0: from 10.166.136.217 X-IronPort-AV: E=Sophos;i="5.44,338,1505797200"; d="scan'208";a="1006542733" X-DLP: DLP_GlobalPCIDSS To: , , CC: , Thread-Topic: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool Thread-Index: AQHTVJkKbntJ8pkID0OlAr/2yVyleA== Date: Fri, 3 Nov 2017 11:43:59 +0000 Message-ID: <1a406c1260494c08bba02f685e057916@ausx13mps339.AMER.DELL.COM> References: <20171103045759.26508-1-jian.j.wang@intel.com> <20171103045759.26508-3-jian.j.wang@intel.com> <734D49CCEBEEF84792F5B80ED585239D5BAB201A@SHSMSX104.ccr.corp.intel.com> In-Reply-To: <734D49CCEBEEF84792F5B80ED585239D5BAB201A@SHSMSX104.ccr.corp.intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titusconfig: No Restrictions 04051212 x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvIiwiaWQiOiJiN2YzMmEwYi1jMzI1LTQ3MGItYWMyMC00ZDU1MTBkODkxNzIiLCJwcm9wcyI6W3sibiI6IkNsYXNzaWZpY2F0aW9uIiwidmFscyI6W3sidmFsdWUiOiJObyBSZXN0cmljdGlvbnMifV19LHsibiI6IlN1YmxhYmVscyIsInZhbHMiOltdfSx7Im4iOiJFeHRlcm5hbENvcnJlc3BvbmRlbmNlIiwidmFscyI6W119XX0sIlN1YmplY3RMYWJlbHMiOltdLCJUTUNWZXJzaW9uIjoiMTYuMi4xMS4wIiwiVHJ1c3RlZExhYmVsSGFzaCI6ImFaWUJCdWFvWXRPaE5weE80YlJxV2dGS1hCellSKzV3Y3p5dFRYbTM1eDQ9In0= x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.143.242.75] MIME-Version: 1.0 Subject: Re: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Nov 2017 11:40:07 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Isn't ReallocatePool is the correct function to use in these cases? For example: NewCommandLine1 =3D ReallocatePool(NewSize, StrSize(OriginalCommandLine= ), OriginalCommandLine; Regards, Jim -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ni, = Ruiyu Sent: Friday, November 3, 2017 3:23 AM To: Wang, Jian J ; edk2-devel@lists.01.org Cc: Carsey, Jaben ; Bi, Dandan Subject: Re: [edk2] [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool 2 comments below. -----Original Message----- From: Wang, Jian J=20 Sent: Friday, November 3, 2017 12:58 PM To: edk2-devel@lists.01.org Cc: Carsey, Jaben ; Ni, Ruiyu ;= Bi, Dandan Subject: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes = of memory from old "Buffer" to new allocated one. If "AllocationSize" is bigge= r than size of "Buffer", heap memory overflow occurs during copy. The solution is to allocate pool first then copy the necessary bytes to new memory. This can avoid copying extra bytes from unknown memory range. Cc: Jaben Carsey Cc: Ruiyu Ni Cc: Bi Dandan Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang --- ShellPkg/Application/Shell/Shell.c | 4 +++= - ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c | 6 +++= +-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shel= l/Shell.c index 5471930ba1..24a04ca323 100644 --- a/ShellPkg/Application/Shell/Shell.c +++ b/ShellPkg/Application/Shell/Shell.c @@ -1646,7 +1646,9 @@ ShellConvertVariables ( // // now do the replacements... // - NewCommandLine1 =3D AllocateCopyPool(NewSize, OriginalCommandLine); + NewCommandLine1 =3D AllocatePool(NewSize); + ASSERT (NewCommandLine1 !=3D NULL); [Ray] 1. Please do not use assertion because there is NULL check in the bel= ow if-statement. The rule in ShellPkg is avoid using assertion. + CopyMem (NewCommandLine1, OriginalCommandLine, StrSize (OriginalCommandL= ine)); NewCommandLine2 =3D AllocateZeroPool(NewSize); ItemTemp =3D AllocateZeroPool(ItemSize+(2*sizeof(CHAR16))); if (NewCommandLine1 =3D=3D NULL || NewCommandLine2 =3D=3D NULL || ItemTe= mp =3D=3D NULL) { diff --git a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandL= ib.c b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c index 1122c89b8b..5de62219b3 100644 --- a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c +++ b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c @@ -143,10 +143,11 @@ UpdateOptionalData( OriginalOptionDataSize +=3D (*(UINT16*)(OriginalData + sizeof(UINT32))= ); OriginalOptionDataSize -=3D OriginalSize; NewSize =3D OriginalSize - OriginalOptionDataSize + DataSize; - NewData =3D AllocateCopyPool(NewSize, OriginalData); + NewData =3D AllocatePool(NewSize); if (NewData =3D=3D NULL) { Status =3D EFI_OUT_OF_RESOURCES; } else { + CopyMem (NewData, OriginalData, OriginalSize - OriginalOptionDataSiz= e); CopyMem(NewData + OriginalSize - OriginalOptionDataSize, Data, DataS= ize); } } @@ -1120,11 +1121,12 @@ BcfgAddOpt( // Now we know how many EFI_INPUT_KEY structs we need to attach to= the end of the EFI_KEY_OPTION struct. =20 // Re-allocate with the added information. // - KeyOptionBuffer =3D AllocateCopyPool(sizeof(EFI_KEY_OPTION) + (siz= eof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount), &NewKeyOp= tion); + KeyOptionBuffer =3D AllocatePool (sizeof(EFI_KEY_OPTION) + (sizeof= (EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount)); if (KeyOptionBuffer =3D=3D NULL) { ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_MEM), gSh= ellBcfgHiiHandle, L"bcfg"); =20 ShellStatus =3D SHELL_OUT_OF_RESOURCES; } [Ray] 2. Should the above NULL check return? + CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION)); } for (LoopCounter =3D 0 ; ShellStatus =3D=3D SHELL_SUCCESS && LoopCou= nter < NewKeyOption.KeyData.Options.InputKeyCount; LoopCounter++) { // --=20 2.14.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel