[PATCH 0/2] Avoid consuming content beyond string boundaries

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

* [PATCH 0/2] Avoid consuming content beyond string boundaries
@ 2017-09-19 11:38 Hao Wu
  2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu
  2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu
  0 siblings, 2 replies; 6+ messages in thread
From: Hao Wu @ 2017-09-19 11:38 UTC (permalink / raw)
  To: edk2-devel
  Cc: Hao Wu, Steven Shi, Ruiyu Ni, Jaben Carsey, Michael Kinney,
	Liming Gao

The series adds checks to avoid reading content beyond string boundaries.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>


Hao Wu (2):
  ShellPkg/Shell: Avoid reading content beyond string boundary
  MdePkg/BaseLib: Avoid reading content beyond string boundary

 MdePkg/Library/BaseLib/FilePaths.c         | 4 ++--
 ShellPkg/Application/Shell/ShellProtocol.c | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

-- 
2.12.0.windows.1



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary
  2017-09-19 11:38 [PATCH 0/2] Avoid consuming content beyond string boundaries Hao Wu
@ 2017-09-19 11:38 ` Hao Wu
  2017-09-19 13:22   ` Carsey, Jaben
  2017-09-19 14:55   ` Ni, Ruiyu
  2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu
  1 sibling, 2 replies; 6+ messages in thread
From: Hao Wu @ 2017-09-19 11:38 UTC (permalink / raw)
  To: edk2-devel; +Cc: Hao Wu, Ruiyu Ni, Jaben Carsey, Steven Shi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690

Within function EfiShellGetDevicePathFromFilePath(), when the input
parameter 'Path' string is like:
"FS0:"

It is possible for the below statement:
"if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {"

to read the content 1 byte beyond the string boundary (both 'Path' and
'MapName' will be FS0: in this case).

This commit adds additional checks to avoid this.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 ShellPkg/Application/Shell/ShellProtocol.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ShellPkg/Application/Shell/ShellProtocol.c b/ShellPkg/Application/Shell/ShellProtocol.c
index 40e5e653ae..5e34b8dad1 100644
--- a/ShellPkg/Application/Shell/ShellProtocol.c
+++ b/ShellPkg/Application/Shell/ShellProtocol.c
@@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath(
   //
   // build the full device path
   //
-  if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {
+  if ((*(Path+StrLen(MapName)) != CHAR_NULL) &&
+      (*(Path+StrLen(MapName)+1) == CHAR_NULL)) {
     DevicePathForReturn = FileDevicePath(Handle, L"\\");
   } else {
     DevicePathForReturn = FileDevicePath(Handle, Path+StrLen(MapName));
-- 
2.12.0.windows.1



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary
  2017-09-19 11:38 [PATCH 0/2] Avoid consuming content beyond string boundaries Hao Wu
  2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu
@ 2017-09-19 11:38 ` Hao Wu
  2017-09-19 14:55   ` Ni, Ruiyu
  1 sibling, 1 reply; 6+ messages in thread
From: Hao Wu @ 2017-09-19 11:38 UTC (permalink / raw)
  To: edk2-devel; +Cc: Hao Wu, Ruiyu Ni, Steven Shi, Michael Kinney, Liming Gao

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=705

As mentioned in the above Bugzilla link by Steven, within the function
PathCleanUpDirectories(), when executing command:
"cd ."

under Shell, the input parameter 'Path' string will have string length
less than 2. Hence, it is possible for the below statement:
"if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {"

to read contents before the string boundary.

This commit adds additional checks to avoid this.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdePkg/Library/BaseLib/FilePaths.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Library/BaseLib/FilePaths.c b/MdePkg/Library/BaseLib/FilePaths.c
index 203045ccdc..d6f3758ecb 100644
--- a/MdePkg/Library/BaseLib/FilePaths.c
+++ b/MdePkg/Library/BaseLib/FilePaths.c
@@ -1,7 +1,7 @@
 /** @file
   Defines file-path manipulation functions.
 
-  Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -91,7 +91,7 @@ PathCleanUpDirectories(
   while ((TempString = StrStr (Path, L"\\.\\")) != NULL) {
     CopyMem (TempString, TempString + 2, StrSize (TempString + 2));
   }
-  if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {
+  if ((StrLen (Path) >= 2) && (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0)) {
     Path[StrLen (Path) - 1] = CHAR_NULL;
   }
 
-- 
2.12.0.windows.1



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary
  2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu
@ 2017-09-19 13:22   ` Carsey, Jaben
  2017-09-19 14:55   ` Ni, Ruiyu
  1 sibling, 0 replies; 6+ messages in thread
From: Carsey, Jaben @ 2017-09-19 13:22 UTC (permalink / raw)
  To: Wu, Hao A, edk2-devel@lists.01.org; +Cc: Ni, Ruiyu, Shi, Steven

Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>

> -----Original Message-----
> From: Wu, Hao A
> Sent: Tuesday, September 19, 2017 4:39 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>;
> Carsey, Jaben <jaben.carsey@intel.com>; Shi, Steven
> <steven.shi@intel.com>
> Subject: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string
> boundary
> Importance: High
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690
> 
> Within function EfiShellGetDevicePathFromFilePath(), when the input
> parameter 'Path' string is like:
> "FS0:"
> 
> It is possible for the below statement:
> "if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {"
> 
> to read the content 1 byte beyond the string boundary (both 'Path' and
> 'MapName' will be FS0: in this case).
> 
> This commit adds additional checks to avoid this.
> 
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Jaben Carsey <jaben.carsey@intel.com>
> Cc: Steven Shi <steven.shi@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  ShellPkg/Application/Shell/ShellProtocol.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/ShellPkg/Application/Shell/ShellProtocol.c
> b/ShellPkg/Application/Shell/ShellProtocol.c
> index 40e5e653ae..5e34b8dad1 100644
> --- a/ShellPkg/Application/Shell/ShellProtocol.c
> +++ b/ShellPkg/Application/Shell/ShellProtocol.c
> @@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath(
>    //
>    // build the full device path
>    //
> -  if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {
> +  if ((*(Path+StrLen(MapName)) != CHAR_NULL) &&
> +      (*(Path+StrLen(MapName)+1) == CHAR_NULL)) {
>      DevicePathForReturn = FileDevicePath(Handle, L"\\");
>    } else {
>      DevicePathForReturn = FileDevicePath(Handle, Path+StrLen(MapName));
> --
> 2.12.0.windows.1



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary
  2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu
@ 2017-09-19 14:55   ` Ni, Ruiyu
  0 siblings, 0 replies; 6+ messages in thread
From: Ni, Ruiyu @ 2017-09-19 14:55 UTC (permalink / raw)
  To: Wu, Hao A, edk2-devel@lists.01.org
  Cc: Wu, Hao A, Kinney, Michael D, Gao, Liming

Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Hao Wu
Sent: Tuesday, September 19, 2017 7:39 PM
To: edk2-devel@lists.01.org
Cc: Wu, Hao A <hao.a.wu@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <liming.gao@intel.com>
Subject: [edk2] [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=705

As mentioned in the above Bugzilla link by Steven, within the function PathCleanUpDirectories(), when executing command:
"cd ."

under Shell, the input parameter 'Path' string will have string length less than 2. Hence, it is possible for the below statement:
"if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {"

to read contents before the string boundary.

This commit adds additional checks to avoid this.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdePkg/Library/BaseLib/FilePaths.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Library/BaseLib/FilePaths.c b/MdePkg/Library/BaseLib/FilePaths.c
index 203045ccdc..d6f3758ecb 100644
--- a/MdePkg/Library/BaseLib/FilePaths.c
+++ b/MdePkg/Library/BaseLib/FilePaths.c
@@ -1,7 +1,7 @@
 /** @file
   Defines file-path manipulation functions.
 
-  Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2011 - 2017, Intel Corporation. All rights 
+ reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at @@ -91,7 +91,7 @@ PathCleanUpDirectories(
   while ((TempString = StrStr (Path, L"\\.\\")) != NULL) {
     CopyMem (TempString, TempString + 2, StrSize (TempString + 2));
   }
-  if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {
+  if ((StrLen (Path) >= 2) && (StrCmp (Path + StrLen (Path) - 2, 
+ L"\\.") == 0)) {
     Path[StrLen (Path) - 1] = CHAR_NULL;
   }
 
--
2.12.0.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary
  2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu
  2017-09-19 13:22   ` Carsey, Jaben
@ 2017-09-19 14:55   ` Ni, Ruiyu
  1 sibling, 0 replies; 6+ messages in thread
From: Ni, Ruiyu @ 2017-09-19 14:55 UTC (permalink / raw)
  To: Wu, Hao A, edk2-devel@lists.01.org; +Cc: Wu, Hao A, Carsey, Jaben

Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Hao Wu
Sent: Tuesday, September 19, 2017 7:39 PM
To: edk2-devel@lists.01.org
Cc: Wu, Hao A <hao.a.wu@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Carsey, Jaben <jaben.carsey@intel.com>
Subject: [edk2] [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690

Within function EfiShellGetDevicePathFromFilePath(), when the input parameter 'Path' string is like:
"FS0:"

It is possible for the below statement:
"if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {"

to read the content 1 byte beyond the string boundary (both 'Path' and 'MapName' will be FS0: in this case).

This commit adds additional checks to avoid this.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 ShellPkg/Application/Shell/ShellProtocol.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ShellPkg/Application/Shell/ShellProtocol.c b/ShellPkg/Application/Shell/ShellProtocol.c
index 40e5e653ae..5e34b8dad1 100644
--- a/ShellPkg/Application/Shell/ShellProtocol.c
+++ b/ShellPkg/Application/Shell/ShellProtocol.c
@@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath(
   //
   // build the full device path
   //
-  if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {
+  if ((*(Path+StrLen(MapName)) != CHAR_NULL) &&
+      (*(Path+StrLen(MapName)+1) == CHAR_NULL)) {
     DevicePathForReturn = FileDevicePath(Handle, L"\\");
   } else {
     DevicePathForReturn = FileDevicePath(Handle, Path+StrLen(MapName));
--
2.12.0.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2017-09-19 14:52 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-09-19 11:38 [PATCH 0/2] Avoid consuming content beyond string boundaries Hao Wu
2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu
2017-09-19 13:22   ` Carsey, Jaben
2017-09-19 14:55   ` Ni, Ruiyu
2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu
2017-09-19 14:55   ` Ni, Ruiyu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox