From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [209.85.218.51]) by mx.groups.io with SMTP id smtpd.web12.7004.1598329246575296385 for ; Mon, 24 Aug 2020 21:20:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@broadcom.com header.s=google header.b=KW5cOVBz; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: broadcom.com, ip: 209.85.218.51, mailfrom: vladimir.olovyannikov@broadcom.com) Received: by mail-ej1-f51.google.com with SMTP id md23so13955952ejb.6 for ; Mon, 24 Aug 2020 21:20:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=from:references:in-reply-to:mime-version:thread-index:date :message-id:subject:to:cc; bh=kxVhglFuBHOmHwjs0z0ALjyOwOyXeqm9+5a8eHpz7es=; b=KW5cOVBzxLIVESVg9GssF/T3rSblB6QrmUla/OR7iKZ6ItY862o2Bm7wywCsZ5prsC Z21Fmz2oD4dlFHZ5UELxewER6uYZlDHbrjHqhnDmx6z1nwTHwQossfaBRRi4R1fHHmbA oIR/kPhTaKzF98bcrh7NaoFxXtfGwJQZUxgUw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:references:in-reply-to:mime-version :thread-index:date:message-id:subject:to:cc; bh=kxVhglFuBHOmHwjs0z0ALjyOwOyXeqm9+5a8eHpz7es=; b=QzA3jxaH6wqJyp0HQ+hxIYGz/YOUmWnfrI7oFewRma5/5bouNCUKk/Xe1eBqqJf7pS LIDFaQ2PwR1rdwrxD8/OPW9MZ6eCWZisQxYdUL9uv7q73yr9XByiz3FvkpuSa7NoYS/E cvfuJSGL9UlFpKP2evj1O41MXv0nGOqvkqR659XMaSKRgGMwRALRAIMxenZlr0EV9SER pyvc1u9wfh6TapSJrCvV9CIn3gAk50zqYIMHYRcNnKhxsqHppSFFjZuAdSE8eybH5DSs PFuK8nJwAbBgnUljjUK6cV6fMmFdgRCM7KwtHUbxiS1c3b9B6r3qwTBjbxMYAVvG/Blw NBIw== X-Gm-Message-State: AOAM5320oPDDkKME/zLBxkyOThOU4umc7hVklGNEo7qeWj+wsvZ7UKft sHvc/FoWuPPGQbW1uH0XvdfkLzycjDRT1VDWF3+ItA== X-Google-Smtp-Source: ABdhPJxqaobJL+1XZYdwbRnMNP6An+r/z4Ny3mXv80bn5ri8b/sG6oE8WDp30SZtVwnsRkGZPGnlg4wmEjJLiUpC2K4= X-Received: by 2002:a17:906:768c:: with SMTP id o12mr8331655ejm.269.1598329244805; Mon, 24 Aug 2020 21:20:44 -0700 (PDT) From: "Vladimir Olovyannikov" References: <20200702023113.10517-1-vladimir.olovyannikov@broadcom.com> <75a66368-c26d-41bd-cc88-adcf709715a2@redhat.com> In-Reply-To: <75a66368-c26d-41bd-cc88-adcf709715a2@redhat.com> MIME-Version: 1.0 X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQIPMN3OmeaVw9NKOowWv4Cnq7U8kwFqonaWAg9XyHUCJB/uGKip2ptw Date: Mon, 24 Aug 2020 21:20:44 -0700 Message-ID: <1e9f4010921552ed3826e161bbf9bc3a@mail.gmail.com> Subject: Re: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer overrun in FileHandleReadLine() To: Laszlo Ersek , devel@edk2.groups.io, zhiguang.liu@intel.com Cc: "Kinney, Michael D" , "Gao, Liming" Content-Type: text/plain; charset="UTF-8" > -----Original Message----- > From: Laszlo Ersek > Sent: Monday, August 24, 2020 9:52 AM > To: devel@edk2.groups.io; zhiguang.liu@intel.com; > vladimir.olovyannikov@broadcom.com > Cc: Kinney, Michael D ; Gao, Liming > > Subject: Re: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix > buffer overrun in FileHandleReadLine() > > On 08/24/20 18:18, Laszlo Ersek wrote: > > On 07/03/20 04:30, Zhiguang Liu wrote: > >> Reviewed-by: Zhiguang Liu > > > > Merged as commit 4535fc312b76, via > > . > > The commit message does not mention a TianoCore BZ. If there *is* an > associated TianoCore BZ, please set it to RESOLVED|FIXED now, and also > mark the above commit hash in a comment on it. > > Thanks > Laszlo Thank you Laszlo. I modified the BZ https://bugzilla.tianocore.org/show_bug.cgi?id=2783 as you suggested. Thank you, Vladimir > > > > > Thanks, > > Laszlo > > > >> > >>> -----Original Message----- > >>> From: devel@edk2.groups.io On Behalf Of > >>> Vladimir Olovyannikov via groups.io > >>> Sent: Thursday, July 2, 2020 10:31 AM > >>> To: devel@edk2.groups.io > >>> Cc: Vladimir Olovyannikov ; > >>> Kinney, Michael D ; Gao, Liming > >>> ; Liu, Zhiguang > >>> Subject: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix > >>> buffer overrun in FileHandleReadLine() > >>> > >>> If the size of the supplied buffer in FileHandleReadLine(), module > >>> UefiFileHandleLib.c, was not 0, but was not enough to fit in the > >>> line, the size is increased, and then the Buffer of the new size is > >>> zeroed. This size is always larger than the supplied buffer size, > >>> causing supplied buffer overrun. Fix the issue by using the supplied > >>> buffer size in ZeroMem(). > >>> > >>> Signed-off-by: Vladimir Olovyannikov > >>> > >>> Cc: Michael D Kinney > >>> Cc: Liming Gao > >>> Cc: Zhiguang Liu > >>> --- > >>> MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 ++++-- > >>> 1 file changed, 4 insertions(+), 2 deletions(-) > >>> > >>> diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c > >>> b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c > >>> index 28e28e5f67d5..ab34e6ccd5f4 100644 > >>> --- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c > >>> +++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c > >>> @@ -969,6 +969,7 @@ FileHandleReadLine( > >>> UINTN CharSize; > >>> > >>> UINTN CountSoFar; > >>> > >>> UINTN CrCount; > >>> > >>> + UINTN OldSize; > >>> > >>> UINT64 OriginalFilePosition; > >>> > >>> > >>> > >>> if (Handle == NULL > >>> > >>> @@ -1039,10 +1040,11 @@ FileHandleReadLine( > >>> // if we ran out of space tell when... > >>> > >>> // > >>> > >>> if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){ > >>> > >>> + OldSize = *Size; > >>> > >>> *Size = (CountSoFar+1-CrCount)*sizeof(CHAR16); > >>> > >>> if (!Truncate) { > >>> > >>> - if (Buffer != NULL && *Size != 0) { > >>> > >>> - ZeroMem(Buffer, *Size); > >>> > >>> + if (Buffer != NULL && OldSize != 0) { > >>> > >>> + ZeroMem(Buffer, OldSize); > >>> > >>> } > >>> > >>> FileHandleSetPosition(Handle, OriginalFilePosition); > >>> > >>> return (EFI_BUFFER_TOO_SMALL); > >>> > >>> -- > >>> 2.26.2.266.ge870325ee8 > >