To: "Yao, Jiewen", Laszlo Ersek, "edk2-devel@lists.01.org"
Cc: "Gao, Liming"
References: <20180202104753.94568-1-ruiyu.ni@intel.com>
 <87dac273-4f9c-7561-c215-ebae09cb07c6@redhat.com>
 <74D8A39837DF1E4DA445A8C0B3885C503AAB2A87@shsmsx102.ccr.corp.intel.com>
From: "Ni, Ruiyu" <ruiyu.ni@intel.com>
Message-ID: <1b109ae4-4eca-839b-a6aa-87e925509b40@Intel.com>
Date: Mon, 5 Feb 2018 16:04:53 +0800
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503AAB2A87@shsmsx102.ccr.corp.intel.com>
Subject: Re: [PATCH] MdePkg/SafeString: Directly return when length of source string is 0
List-Id: EDK II Development

On 2/5/2018 11:55 AM, Yao, Jiewen wrote:
> Thanks for catching this.
>
> The root cause of the failure is the line below:
>
> SourceLen = StrnLenS (Source, DestMax);
>
> We should only limit the Source string access within Length, not DestMax, if Length is smaller than DestMax.
>
> 0 is just one special case. Length might be 1, 2, or 3 and it triggers the same failure.
>
> So only checking 0 is not enough.
>
> Reviewed the code with Ruiyu. We think using the check below seems a better way to handle all cases.
>
> SourceLen = StrnLenS (Source, MIN(DestMax, Length));
>
> The check for 0 is not needed. Patch v2 is sent out.
>
> Thank you
> Yao Jiewen
>
>> -----Original Message-----
>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>> Sent: Friday, February 2, 2018 9:43 PM
>> To: Ni, Ruiyu ; edk2-devel@lists.01.org
>> Cc: Yao, Jiewen ; Gao, Liming
>> Subject: Re: [edk2] [PATCH] MdePkg/SafeString: Directly return when length of
>> source string is 0
>>
>> On 02/02/18 11:47, Ruiyu Ni wrote:
>>> Today's implementation of [Ascii]StrnCpyS/[Ascii]StrnCatS doesn't
>>> directly return when the length of source string is 0.
>>>
>>> When length of source string is 0, it means the Source points to
>>> memory that shouldn't be dereferenced at all.
>>> So it's not proper to call StrnLenS() in such situation.
>>> In a pool guard enabled environment, when using shell to edit an
>>> existing file which contains an empty line, the page fault is met.
>>>
>>> The patch fixes the four library functions to align to the behavior
>>> of the non-safe version: directly return when length of source string
>>> is 0.
>>>
>>> Contributed-under: TianoCore Contribution Agreement 1.1
>>> Signed-off-by: Ruiyu Ni
>>> Cc: Jiewen Yao
>>> Cc: Liming Gao
>>> Cc: Jian J Wang
>>> ---
>>> MdePkg/Library/BaseLib/SafeString.c | 18 +++++++++++++++++-
>>> 1 file changed, 17 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/MdePkg/Library/BaseLib/SafeString.c
>> b/MdePkg/Library/BaseLib/SafeString.c
>>> index 68c33e9b7b..fed818ef33 100644
>>> --- a/MdePkg/Library/BaseLib/SafeString.c
>>> +++ b/MdePkg/Library/BaseLib/SafeString.c
>>> @@ -1,7 +1,7 @@
>>> /** @file
>>> Safe String functions.
>>>
>>> - Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.
>>> + Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
>>> This program and the accompanying materials
>>> are licensed and made available under the terms and conditions of the BSD
>> License
>>> which accompanies this distribution. The full text of the license may be
>> found at
>>> @@ -317,6 +317,10 @@ StrnCpyS (
>>> {
>>> UINTN SourceLen;
>>>
>>> + if (Length == 0) {
>>> + return RETURN_SUCCESS;
>>> + }
>>> +
>>> ASSERT (((UINTN) Destination & BIT0) == 0);
>>> ASSERT (((UINTN) Source & BIT0) == 0);
>>>
>>> @@ -515,6 +519,10 @@ StrnCatS (
>>> UINTN CopyLen;
>>> UINTN SourceLen;
>>>
>>> + if (Length == 0) {
>>> + return RETURN_SUCCESS;
>>> + }
>>> +
>>> ASSERT (((UINTN) Destination & BIT0) == 0);
>>> ASSERT (((UINTN) Source & BIT0) == 0);
>>>
>>> @@ -1894,6 +1902,10 @@ AsciiStrnCpyS (
>>> {
>>> UINTN SourceLen;
>>>
>>> + if (Length == 0) {
>>> + return RETURN_SUCCESS;
>>> + }
>>> +
>>> //
>>> // 1. Neither Destination nor Source shall be a null pointer.
>>> //
>>> @@ -2082,6 +2094,10 @@ AsciiStrnCatS (
>>> UINTN CopyLen;
>>> UINTN SourceLen;
>>>
>>> + if (Length == 0) {
>>> + return RETURN_SUCCESS;
>>> + }
>>> +
>>> //
>>> // Let CopyLen denote the value DestMax - AsciiStrnLenS(Destination,
>> DestMax) upon entry to AsciiStrnCatS.
>>> //
>>>
>>
>> Reviewed-by: Laszlo Ersek
--
Thanks,
Ray
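Review bot: the Length == 0 guard in the StrnCpyS hunk covers only one value of Length; the read that faults is the scan `SourceLen = StrnLenS (Source, DestMax);` that Jiewen quotes in his reply, and it still walks up to DestMax characters of Source whenever 0 < Length < DestMax and Source has no terminator within its first Length characters. Bounding the scan with `StrnLenS (Source, MIN (DestMax, Length))` removes the over-read for every Length, including 0, so the added early return is redundant once that change is made rather than a fix in its own right.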
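Review bot: in the AsciiStrnCpyS hunk the `return RETURN_SUCCESS;` sits above the `// 1. Neither Destination nor Source shall be a null pointer.` check, so a call with a NULL Destination or Source and Length == 0 now reports success instead of a constraint violation, and a valid Destination is returned untouched rather than terminated. If an early return is kept at all it belongs after the parameter checks, and it should either write `Destination[0] = '\0'` or state in the function's header comment that Destination is not modified when Length is 0; the same ordering problem is in the StrnCpyS hunk, where the return precedes the alignment ASSERTs.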
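Review bot: in the AsciiStrnCatS hunk the early return also skips the `// Let CopyLen denote the value DestMax - AsciiStrnLenS(Destination, DestMax)` step, so a Destination with no terminator inside DestMax is no longer detected when Length == 0, and the StrnCatS hunk has the same gap. The diffstat (`1 file changed`, only SafeString.c) shows no matching update to the documentation of the four functions, so the new Length == 0 contract is undocumented; please add it to the header comments if the behaviour is kept.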
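The argument in the thread, as an added example that is not part of the thread or of edk2: a small C model of the Source scan in StrnCpyS with the three bounds under discussion (DestMax as before the patch, DestMax with the quoted Length == 0 early return, and MIN (DestMax, Length) as Jiewen's reply proposes). Instead of a pool guard page, an instrumented StrnLenS counts every read that would land past the mapped part of Source. ModelStrnLenS, ModelStrnCpyS, RunCase, OverReadsFor, CopyIsCorrect, the sample line "abc" and the 16-byte destination are all assumptions made for this example; the BaseLib functions themselves are not reproduced.

```c
/* Added example, not edk2 code: models only the Source-scan bound discussed in
 * the thread. All names below are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define MODEL_RETURN_SUCCESS           0
#define MODEL_RETURN_INVALID_PARAMETER 1
#define MODEL_RETURN_BUFFER_TOO_SMALL  2
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

typedef enum {
  BOUND_DESTMAX,        /* before the patch: StrnLenS (Source, DestMax)              */
  BOUND_DESTMAX_SKIP0,  /* patch v1 as quoted: return when Length == 0, else DestMax */
  BOUND_MIN             /* per Jiewen's reply: StrnLenS (Source, MIN (DestMax, Length)) */
} ScanBound;

/* Constructed editor line; only its first Length bytes are treated as mapped. */
static const char SampleLine[] = "abc";

/* Instrumented StrnLenS: Valid is how many bytes of Source are mapped. Where a
 * pool guard would fault, the first touch past Valid is counted and the scan stops. */
static size_t
ModelStrnLenS (const char *Source, size_t MaxSize, size_t Valid, size_t *OverRead)
{
  size_t Len = 0;
  while (Len < MaxSize) {
    if (Len >= Valid) {
      (*OverRead)++;
      return Len;
    }
    if (Source[Len] == '\0') {
      break;
    }
    Len++;
  }
  return Len;
}

/* StrnCpyS with a selectable scan bound; copies at most Length characters. */
static int
ModelStrnCpyS (char *Destination, size_t DestMax, const char *Source,
               size_t Length, size_t SourceValid, ScanBound Bound, size_t *OverRead)
{
  size_t SourceLen, ScanMax;

  if (Bound == BOUND_DESTMAX_SKIP0 && Length == 0) {
    return MODEL_RETURN_SUCCESS;           /* v1: Destination is left untouched */
  }
  if (Destination == NULL || Source == NULL || DestMax == 0) {
    return MODEL_RETURN_INVALID_PARAMETER;
  }
  ScanMax   = (Bound == BOUND_MIN) ? MIN (DestMax, Length) : DestMax;
  SourceLen = ModelStrnLenS (Source, ScanMax, SourceValid, OverRead);
  if (Length >= DestMax && SourceLen >= DestMax) {
    return MODEL_RETURN_BUFFER_TOO_SMALL;  /* no room left for the terminator */
  }
  if (SourceLen > Length) {
    SourceLen = Length;
  }
  memmove (Destination, Source, SourceLen);
  Destination[SourceLen] = '\0';
  return MODEL_RETURN_SUCCESS;
}

/* Copies a Length-byte, unterminated slice of SampleLine into an 'X'-filled buffer. */
static void
RunCase (ScanBound Bound, size_t Length, char *Dest, size_t DestMax, size_t *OverRead)
{
  *OverRead = 0;
  memset (Dest, 'X', DestMax);
  ModelStrnCpyS (Dest, DestMax, SampleLine, Length, Length, Bound, OverRead);
}

/* Reads past the end of the Length-byte source, i.e. would-be page faults. */
static size_t
OverReadsFor (ScanBound Bound, size_t Length)
{
  char Dest[16]; size_t OverRead;
  RunCase (Bound, Length, Dest, sizeof Dest, &OverRead);
  return OverRead;
}

/* 1 if Destination holds exactly the first Length bytes plus a terminator. */
static int
CopyIsCorrect (ScanBound Bound, size_t Length)
{
  char Dest[16]; size_t OverRead;
  RunCase (Bound, Length, Dest, sizeof Dest, &OverRead);
  return Dest[Length] == '\0' && memcmp (Dest, SampleLine, Length) == 0;
}

int
main (void)
{
  int Bound; size_t Length;
  for (Bound = BOUND_DESTMAX; Bound <= BOUND_MIN; Bound++) {
    for (Length = 0; Length <= 3; Length++) {
      printf ("bound=%d Length=%zu over-reads=%zu correct=%d\n", Bound, Length,
              OverReadsFor ((ScanBound)Bound, Length), CopyIsCorrect ((ScanBound)Bound, Length));
    }
  }
  return 0;
}
```

With the DestMax bound every Length from 0 to 3 produces an over-read, because the scan keeps going until it finds a terminator the source does not contain; the Length == 0 early return removes only the first of those cases and additionally hands back a Destination that was never terminated; the MIN (DestMax, Length) bound produces no over-read for any Length and still terminates Destination correctly.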