From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 861ED22135D51 for ; Wed, 7 Mar 2018 01:00:05 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 70C438182D0C; Wed, 7 Mar 2018 09:06:19 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-143.rdu2.redhat.com [10.10.120.143]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5F1191C70F; Wed, 7 Mar 2018 09:06:15 +0000 (UTC) To: marcandre.lureau@redhat.com Cc: edk2-devel@lists.01.org, Jiewen Yao , Chao Zhang , Star Zeng References: <20180306202718.4061-1-marcandre.lureau@redhat.com> From: Laszlo Ersek Message-ID: <1dbffca1-c83e-0839-45b5-62875b0cfae0@redhat.com> Date: Wed, 7 Mar 2018 10:06:14 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <20180306202718.4061-1-marcandre.lureau@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 07 Mar 2018 09:06:19 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 07 Mar 2018 09:06:19 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: Re: [PATCH 1/1] RFC: SecurityPkg: only clear HashInterface informations X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 09:00:07 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Hi Marc-André, On 03/06/18 21:27, marcandre.lureau@redhat.com wrote: > From: Marc-André Lureau > > The ZeroMem() call goes beyond the HashInterfaceHob structure, causing > HOB list corruption. Instead, just clear the HashInterface fields, as > I suppose was originally intended. > > Cc: Jiewen Yao > Cc: Chao Zhang > Cc: Star Zeng > Cc: Laszlo Ersek > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Marc-André Lureau > --- > .../HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > index dbee0f2531bc..361a4f6508a0 100644 > --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > @@ -424,7 +424,8 @@ HashLibBaseCryptoRouterPeiConstructor ( > // This is the second execution of this module, clear the hash interface > // information registered at its first execution. > // > - ZeroMem (&HashInterfaceHob->HashInterface, sizeof (*HashInterfaceHob) - sizeof (EFI_GUID)); > + ZeroMem (&HashInterfaceHob->HashInterface, sizeof (HashInterfaceHob->HashInterface)); > + HashInterfaceHob->HashInterfaceCount = 0; > } > > // > Excellent catch! :) I do have a question however, for the other reviewers on this patch, in line with your commit message saying, "clear the HashInterface fields, as *I suppose* was originally intended". I don't think the proposed update matches the original intent 100%. Namely, this is the definition of the HASH_INTERFACE_HOB type (from the same source file): > typedef struct { > // > // If gZeroGuid, SupportedHashMask is 0 for FIRST module which consumes HashLib > // or the hash algorithm bitmap of LAST module which consumes HashLib. > // HashInterfaceCount and HashInterface are all 0. > // If gEfiCallerIdGuid, HashInterfaceCount, HashInterface and SupportedHashMask > // are the hash interface information of CURRENT module which consumes HashLib. > // > EFI_GUID Identifier; > UINTN HashInterfaceCount; > HASH_INTERFACE HashInterface[HASH_COUNT]; > UINT32 SupportedHashMask; > } HASH_INTERFACE_HOB; Note that it says, if Identifier equals "gEfiCallerIdGuid", then *all three* subsequent fields carry information of the current module that consumes HashLib. Those three fields include "SupportedHashMask". Furthermore, the comment just preceding the bug / ZeroMem() call says, > // > // In PEI phase, some modules may call RegisterForShadow and will be > // shadowed and executed again after memory is discovered. > // This is the second execution of this module, clear the hash interface > // information registered at its first execution. > // And note that here we are just past the check > HashInterfaceHob = InternalGetHashInterfaceHob (&gEfiCallerIdGuid); > if (HashInterfaceHob != NULL) { in other words, the "Identifier equals gEfiCallerIdGuid" branch from the type definition applies; meaning that "SupportedHashMask" is defined too. Thus, I'd like the other reviewers to confirm whether we should clear "SupportedHashMask". >>From the original (buggy) code, I think we *should* clear SupportedHashMask as well. The "Length" argument of the original ZeroMem() call implies precisely that: sizeof (*HashInterfaceHob) - sizeof (EFI_GUID) This stands for "all fields in *HashInterfaceHob except the leading EFI_GUID Identifier field". So, the actual bug is in the "Buffer" argument of the ZeroMem() call: it is a typo. Certainly the intent must have been "start clearing from the first field right after the EFI_GUID Identifier field", namely "HashInterfaceCount": &HashInterfaceHob->HashInterfaceCount ^^^^^ Therefore I think the *first* approach to actually fixing this bug would be to simply add the "Count" suffix: > diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > index dbee0f2531bc..a869fffae3fe 100644 > --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > @@ -424,7 +424,10 @@ HashLibBaseCryptoRouterPeiConstructor ( > // This is the second execution of this module, clear the hash interface > // information registered at its first execution. > // > - ZeroMem (&HashInterfaceHob->HashInterface, sizeof (*HashInterfaceHob) - sizeof (EFI_GUID)); > + ZeroMem ( > + &HashInterfaceHob->HashInterfaceCount, > + sizeof (*HashInterfaceHob) - sizeof (EFI_GUID) > + ); > } > > // On the other hand, I don't think such a fix would be great. First of all, the HASH_INTERFACE_HOB struct definition is not wrapped in #pragma pack (1) ... #pragma pack () in other words, HASH_INTERFACE_HOB is not packed, hence there could be an unspecified amount of padding between "Identifier" and "HashInterfaceCount". That would lead to the same kind of buffer overflow, because "Length" includes the padding, but the "Buffer" argument doesn't. Second, even if there were no padding (and thus the byte count would be a perfect match for the full HOB structure), in the "Buffer" argument we take the address of the "HashInterfaceCount" field, and with the "Length" field, we still overflow that *individual* field. Although we wouldn't overflow the containing HOB structure, this is still (arguably) undefined behavior -- I seem to remember that some compilers actually blow up on this when you use the standard ISO C memcpy() or memset() functions in such contexts. So, long story short, I suggest the following fix instead: > diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > index dbee0f2531bc..84c1aaae70eb 100644 > --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c > @@ -397,6 +397,7 @@ HashLibBaseCryptoRouterPeiConstructor ( > { > EFI_STATUS Status; > HASH_INTERFACE_HOB *HashInterfaceHob; > + UINTN ClearStartOffset; > > HashInterfaceHob = InternalGetHashInterfaceHob (&gZeroGuid); > if (HashInterfaceHob == NULL) { > @@ -424,7 +425,11 @@ HashLibBaseCryptoRouterPeiConstructor ( > // This is the second execution of this module, clear the hash interface > // information registered at its first execution. > // > - ZeroMem (&HashInterfaceHob->HashInterface, sizeof (*HashInterfaceHob) - sizeof (EFI_GUID)); > + ClearStartOffset = OFFSET_OF (HASH_INTERFACE_HOB, HashInterfaceCount); > + ZeroMem ( > + (UINT8 *)HashInterfaceHob + ClearStartOffset, > + sizeof (*HashInterfaceHob) - ClearStartOffset > + ); > } > > // Thoughts? Thanks! Laszlo