[PATCH 0/6] Resolve undefined behaviours in left shift OPs

[PATCH 0/6] Resolve undefined behaviours in left shift OPs

[Hao Wu]

The series resolves two kinds of undefined behaviours in left shift
operations:
  a. Left-shifting negative values;
  b. Left-shifting that incurs the result being out of range.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>

Hao Wu (6):
  MdePkg/PrintLib: Fix possible negative value left shift
  MdeModulePkg/PrintLib: Fix possible negative value left shift
  MdeModulePkg/Tpl: Fix negative value left shift
  MdeModulePkg/DxeNetLib: Fix negative value left shift
  MdeModulePkg/Crc32: Fix possible out of range left shift
  MdeModulePkg/AtaAtapiPassThru: Fix possible out of range left shift

 MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AhciMode.c          | 4 ++--
 MdeModulePkg/Core/Dxe/Event/Tpl.c                         | 2 +-
 MdeModulePkg/Core/RuntimeDxe/Crc32.c                      | 6 +++---
 MdeModulePkg/Library/DxeNetLib/DxeNetLib.c                | 2 +-
 MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c | 2 +-
 MdePkg/Library/BasePrintLib/PrintLibInternal.c            | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

-- 
2.12.0.windows.1

[PATCH 1/6] MdePkg/PrintLib: Fix possible negative value left shift

[Hao Wu]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=702

Within function InternalPrintLibSPrintMarker(), possible left shift of a
negative value is found in:
"(*(ArgumentString + 1) << 8)"

which involves undefined behavior.

Since '*(ArgumentString + 1)' is of type CONST CHAR8 (signed), it will be
promoted to type int (signed) during the left shift operation. If
'*(ArgumentString + 1)' is a negative value, the behavior will be
undefined.

According to the C11 spec, Section 6.5.7:
> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>   bits are filled with zeros. If E1 has an unsigned type, the value
>   of the result is E1 * 2^E2 , reduced modulo one more than the
>   maximum value representable in the result type. If E1 has a signed
>   type and nonnegative value, and E1 * 2^E2 is representable in the
>   result type, then that is the resulting value; otherwise, the
>   behavior is undefined.

This commit explicitly cast '*(ArgumentString + 1)' with UINT8 to resolve
this issue.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdePkg/Library/BasePrintLib/PrintLibInternal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c
index cec5b3bc99..28d946472f 100644
--- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c
+++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c
@@ -1165,7 +1165,7 @@ BasePrintLibSPrintMarker (
     // Copy the string into the output buffer performing the required type conversions
     //
     while (Index < Count) {
-      ArgumentCharacter = ((*ArgumentString & 0xff) | (*(ArgumentString + 1) << 8)) & ArgumentMask;
+      ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask;
 
       LengthToReturn += (1 * BytesPerOutputCharacter);
       if ((Flags & COUNT_ONLY_NO_PRINT) == 0 && Buffer != NULL) {
-- 
2.12.0.windows.1

[PATCH 2/6] MdeModulePkg/PrintLib: Fix possible negative value left shift

[Hao Wu]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=702

Within function InternalPrintLibSPrintMarker(), possible left shift of a
negative value is found in:
"(*(ArgumentString + 1) << 8)"

which involves undefined behavior.

Since '*(ArgumentString + 1)' is of type CONST CHAR8 (signed), it will be
promoted to type int (signed) during the left shift operation. If
'*(ArgumentString + 1)' is a negative value, the behavior will be
undefined.

According to the C11 spec, Section 6.5.7:
> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>   bits are filled with zeros. If E1 has an unsigned type, the value
>   of the result is E1 * 2^E2 , reduced modulo one more than the
>   maximum value representable in the result type. If E1 has a signed
>   type and nonnegative value, and E1 * 2^E2 is representable in the
>   result type, then that is the resulting value; otherwise, the
>   behavior is undefined.

This commit explicitly cast '*(ArgumentString + 1)' with UINT8 to resolve
this issue.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c
index b58db8e011..56534e56c3 100644
--- a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c
+++ b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c
@@ -2108,7 +2108,7 @@ InternalPrintLibSPrintMarker (
     // Copy the string into the output buffer performing the required type conversions
     //
     while (Index < Count) {
-      ArgumentCharacter = ((*ArgumentString & 0xff) | (*(ArgumentString + 1) << 8)) & ArgumentMask;
+      ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask;
 
       LengthToReturn += (1 * BytesPerOutputCharacter);
       if ((Flags & COUNT_ONLY_NO_PRINT) == 0 && Buffer != NULL) {
-- 
2.12.0.windows.1

[PATCH 3/6] MdeModulePkg/Tpl: Fix negative value left shift

[Hao Wu]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=695

Within function CoreRestoreTpl(), left shift a negative value -2 is used
in:
"while (((-2 << NewTpl) & gEventPending) != 0) {"

which involves undefined behavior.

According to the C11 spec, Section 6.5.7:
> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>   bits are filled with zeros. If E1 has an unsigned type, the value
>   of the result is E1 * 2^E2 , reduced modulo one more than the
>   maximum value representable in the result type. If E1 has a signed
>   type and nonnegative value, and E1 * 2^E2 is representable in the
>   result type, then that is the resulting value; otherwise, the
>   behavior is undefined.

This commit explicitly cast '-2' with UINTN to resolve this issue.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdeModulePkg/Core/Dxe/Event/Tpl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Dxe/Event/Tpl.c b/MdeModulePkg/Core/Dxe/Event/Tpl.c
index 8ad0a33701..8c50f61117 100644
--- a/MdeModulePkg/Core/Dxe/Event/Tpl.c
+++ b/MdeModulePkg/Core/Dxe/Event/Tpl.c
@@ -123,7 +123,7 @@ CoreRestoreTpl (
   //
   // Dispatch any pending events
   //
-  while (((-2 << NewTpl) & gEventPending) != 0) {
+  while (((((UINTN)-2) << NewTpl) & gEventPending) != 0) {
     gEfiCurrentTpl = (UINTN) HighBitSet64 (gEventPending);
     if (gEfiCurrentTpl < TPL_HIGH_LEVEL) {
       CoreSetInterruptState (TRUE);
-- 
2.12.0.windows.1

[PATCH 4/6] MdeModulePkg/DxeNetLib: Fix negative value left shift

[Hao Wu]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=698

Within function NetRandomInitSeed(), left shift a negative value is used
in:
"~Time.Hour << 24"

which involves undefined behavior.

Since Time.Hour is of type UINT8 (range from 0 to 23), hence ~Time.Hour
will be a negative value (of type int, signed).

According to the C11 spec, Section 6.5.7:
> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>   bits are filled with zeros. If E1 has an unsigned type, the value
>   of the result is E1 * 2^E2 , reduced modulo one more than the
>   maximum value representable in the result type. If E1 has a signed
>   type and nonnegative value, and E1 * 2^E2 is representable in the
>   result type, then that is the resulting value; otherwise, the
>   behavior is undefined.

This commit explicitly cast 'Time.Hour' with UINT32 to resolve this issue.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdeModulePkg/Library/DxeNetLib/DxeNetLib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
index 7cd7e3aca0..ca5413edcc 100644
--- a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
+++ b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
@@ -872,7 +872,7 @@ NetRandomInitSeed (
   UINT64                    MonotonicCount;
 
   gRT->GetTime (&Time, NULL);
-  Seed = (~Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
+  Seed = (~(UINT32)Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
   Seed ^= Time.Nanosecond;
   Seed ^= Time.Year << 7;
 
-- 
2.12.0.windows.1

[PATCH 5/6] MdeModulePkg/Crc32: Fix possible out of range left shift

[Hao Wu]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=697

Within function ReverseBits(), left shift operations of 1 in the
following statements:
"(1 << Index)" and "(1 << (31 - Index))"

will incur possible out of range left shift when Index is either 0 or
31, since "1 << 31" is possible to exceed the range of type 'int'
(signed).

According to the C11 spec, Section 6.5.7:
> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>   bits are filled with zeros. If E1 has an unsigned type, the value
>   of the result is E1 * 2^E2 , reduced modulo one more than the
>   maximum value representable in the result type. If E1 has a signed
>   type and nonnegative value, and E1 * 2^E2 is representable in the
>   result type, then that is the resulting value; otherwise, the
>   behavior is undefined.

This commit explicitly cast '1' with UINT32 to resolve this issue.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdeModulePkg/Core/RuntimeDxe/Crc32.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/MdeModulePkg/Core/RuntimeDxe/Crc32.c b/MdeModulePkg/Core/RuntimeDxe/Crc32.c
index a6fe77fa34..5cee66ebd1 100644
--- a/MdeModulePkg/Core/RuntimeDxe/Crc32.c
+++ b/MdeModulePkg/Core/RuntimeDxe/Crc32.c
@@ -7,7 +7,7 @@
   EFI Runtime Services Table are converted from physical address to
   virtual addresses.  This requires that the 32-bit CRC be recomputed.
 
-Copyright (c) 2006 - 2008, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -79,8 +79,8 @@ ReverseBits (
 
   NewValue = 0;
   for (Index = 0; Index < 32; Index++) {
-    if ((Value & (1 << Index)) != 0) {
-      NewValue = NewValue | (1 << (31 - Index));
+    if ((Value & (((UINT32)1) << Index)) != 0) {
+      NewValue = NewValue | (((UINT32)1) << (31 - Index));
     }
   }
 
-- 
2.12.0.windows.1

[PATCH 6/6] MdeModulePkg/AtaAtapiPassThru: Fix possible out of range left shift

[Hao Wu]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=699

Within function AhciModeInitialization(), left shift operations of 'BIT0'
in the following statements:
"if ((PortImplementBitMap & (BIT0 << Port)) != 0) {"

will incur possible out of range left shift when Port is 31, since
"1 << 31" is possible to exceed the range of type 'int' (signed).

According to the C11 spec, Section 6.5.7:
> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>   bits are filled with zeros. If E1 has an unsigned type, the value
>   of the result is E1 * 2^E2 , reduced modulo one more than the
>   maximum value representable in the result type. If E1 has a signed
>   type and nonnegative value, and E1 * 2^E2 is representable in the
>   result type, then that is the resulting value; otherwise, the
>   behavior is undefined.

This commit explicitly cast 'BIT0' with UINT32 to resolve this issue.

Cc: Steven Shi <steven.shi@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AhciMode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AhciMode.c b/MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AhciMode.c
index b954de8101..e6de5d65bc 100644
--- a/MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AhciMode.c
+++ b/MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AhciMode.c
@@ -1,7 +1,7 @@
 /** @file
   The file for AHCI mode of ATA host controller.
 
-  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -2314,7 +2314,7 @@ AhciModeInitialization (
   }
 
   for (Port = 0; Port < EFI_AHCI_MAX_PORTS; Port ++) {
-    if ((PortImplementBitMap & (BIT0 << Port)) != 0) {
+    if ((PortImplementBitMap & (((UINT32)BIT0) << Port)) != 0) {
       //
       // According to AHCI spec, MaxPortNumber should be equal or greater than the number of implemented ports.
       //
-- 
2.12.0.windows.1

Re: [PATCH 3/6] MdeModulePkg/Tpl: Fix negative value left shift

[Paolo Bonzini]

On 19/09/2017 13:43, Hao Wu wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=695
> 
> Within function CoreRestoreTpl(), left shift a negative value -2 is used
> in:
> "while (((-2 << NewTpl) & gEventPending) != 0) {"
> 
> which involves undefined behavior.
> 
> According to the C11 spec, Section 6.5.7:
>> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>>   bits are filled with zeros. If E1 has an unsigned type, the value
>>   of the result is E1 * 2^E2 , reduced modulo one more than the
>>   maximum value representable in the result type. If E1 has a signed
>>   type and nonnegative value, and E1 * 2^E2 is representable in the
>>   result type, then that is the resulting value; otherwise, the
>>   behavior is undefined.
> 
> This commit explicitly cast '-2' with UINTN to resolve this issue.
> 
> Cc: Steven Shi <steven.shi@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  MdeModulePkg/Core/Dxe/Event/Tpl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/MdeModulePkg/Core/Dxe/Event/Tpl.c b/MdeModulePkg/Core/Dxe/Event/Tpl.c
> index 8ad0a33701..8c50f61117 100644
> --- a/MdeModulePkg/Core/Dxe/Event/Tpl.c
> +++ b/MdeModulePkg/Core/Dxe/Event/Tpl.c
> @@ -123,7 +123,7 @@ CoreRestoreTpl (
>    //
>    // Dispatch any pending events
>    //
> -  while (((-2 << NewTpl) & gEventPending) != 0) {
> +  while (((((UINTN)-2) << NewTpl) & gEventPending) != 0) {
>      gEfiCurrentTpl = (UINTN) HighBitSet64 (gEventPending);
>      if (gEfiCurrentTpl < TPL_HIGH_LEVEL) {
>        CoreSetInterruptState (TRUE);
> 

Maybe:

  for (;;) {
    PendingTpl = (UINTN) HighBitSet64 (gEventPending);
    if (NewTpl >= PendingTpl) {
      break;
    }
    gEfiCurrentTpl = PendingTpl;
  }

This is much more readable, and HighBitSet64 should be efficient on most
modern processors.

Paolo

Re: [PATCH 4/6] MdeModulePkg/DxeNetLib: Fix negative value left shift

[Paolo Bonzini]

On 19/09/2017 13:43, Hao Wu wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=698
> 
> Within function NetRandomInitSeed(), left shift a negative value is used
> in:
> "~Time.Hour << 24"
> 
> which involves undefined behavior.
> 
> Since Time.Hour is of type UINT8 (range from 0 to 23), hence ~Time.Hour
> will be a negative value (of type int, signed).
> 
> According to the C11 spec, Section 6.5.7:
>> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>>   bits are filled with zeros. If E1 has an unsigned type, the value
>>   of the result is E1 * 2^E2 , reduced modulo one more than the
>>   maximum value representable in the result type. If E1 has a signed
>>   type and nonnegative value, and E1 * 2^E2 is representable in the
>>   result type, then that is the resulting value; otherwise, the
>>   behavior is undefined.
> 
> This commit explicitly cast 'Time.Hour' with UINT32 to resolve this issue.
> 
> Cc: Steven Shi <steven.shi@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  MdeModulePkg/Library/DxeNetLib/DxeNetLib.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
> index 7cd7e3aca0..ca5413edcc 100644
> --- a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
> +++ b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
> @@ -872,7 +872,7 @@ NetRandomInitSeed (
>    UINT64                    MonotonicCount;
>  
>    gRT->GetTime (&Time, NULL);
> -  Seed = (~Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
> +  Seed = (~(UINT32)Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
>    Seed ^= Time.Nanosecond;
>    Seed ^= Time.Year << 7;
Is there any reason why Seed must be XORed with 0xFF000000 (that's what
the ~ does)?  Would it make sense to either write it explicitly as a
XOR, or perhaps the ~ can be removed altogether?

Paolo

Re: [PATCH 5/6] MdeModulePkg/Crc32: Fix possible out of range left shift

[Paolo Bonzini]

On 19/09/2017 13:43, Hao Wu wrote:
>    NewValue = 0;
>    for (Index = 0; Index < 32; Index++) {
> -    if ((Value & (1 << Index)) != 0) {
> -      NewValue = NewValue | (1 << (31 - Index));
> +    if ((Value & (((UINT32)1) << Index)) != 0) {
> +      NewValue = NewValue | (((UINT32)1) << (31 - Index));
>      }


Why not just "1u" instead of the cast?

Paolo

Re: [PATCH 5/6] MdeModulePkg/Crc32: Fix possible out of range left shift

[Wu, Hao A]

> -----Original Message-----
> From: Paolo Bonzini [mailto:paolo.bonzini@gmail.com] On Behalf Of Paolo
> Bonzini
> Sent: Wednesday, September 20, 2017 1:06 AM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Dong, Eric; Zeng, Star
> Subject: Re: [edk2] [PATCH 5/6] MdeModulePkg/Crc32: Fix possible out of
> range left shift
> 
> On 19/09/2017 13:43, Hao Wu wrote:
> >    NewValue = 0;
> >    for (Index = 0; Index < 32; Index++) {
> > -    if ((Value & (1 << Index)) != 0) {
> > -      NewValue = NewValue | (1 << (31 - Index));
> > +    if ((Value & (((UINT32)1) << Index)) != 0) {
> > +      NewValue = NewValue | (((UINT32)1) << (31 - Index));
> >      }
> 
> 
> Why not just "1u" instead of the cast?

Thanks for the feedback. I will update the patch according to the
suggestion.

Best Regards,
Hao Wu

> 
> Paolo

Re: [PATCH 3/6] MdeModulePkg/Tpl: Fix negative value left shift

[Zeng, Star]

There is a case must be considered that gEventPending is 0, HighBitSet64 will return -1, then the code will be wrong.
The code maybe:

  while (gEventPending != 0) {
    PendingTpl = (UINTN) HighBitSet64 (gEventPending);
    if (NewTpl >= PendingTpl) {
      break;
    }
    gEfiCurrentTpl = PendingTpl;

    ...

  }


Thanks,
Star
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Paolo Bonzini
Sent: Wednesday, September 20, 2017 1:03 AM
To: Wu, Hao A <hao.a.wu@intel.com>; edk2-devel@lists.01.org
Cc: Dong, Eric <eric.dong@intel.com>; Zeng, Star <star.zeng@intel.com>
Subject: Re: [edk2] [PATCH 3/6] MdeModulePkg/Tpl: Fix negative value left shift

On 19/09/2017 13:43, Hao Wu wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=695
> 
> Within function CoreRestoreTpl(), left shift a negative value -2 is 
> used
> in:
> "while (((-2 << NewTpl) & gEventPending) != 0) {"
> 
> which involves undefined behavior.
> 
> According to the C11 spec, Section 6.5.7:
>> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
>>   bits are filled with zeros. If E1 has an unsigned type, the value
>>   of the result is E1 * 2^E2 , reduced modulo one more than the
>>   maximum value representable in the result type. If E1 has a signed
>>   type and nonnegative value, and E1 * 2^E2 is representable in the
>>   result type, then that is the resulting value; otherwise, the
>>   behavior is undefined.
> 
> This commit explicitly cast '-2' with UINTN to resolve this issue.
> 
> Cc: Steven Shi <steven.shi@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  MdeModulePkg/Core/Dxe/Event/Tpl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/MdeModulePkg/Core/Dxe/Event/Tpl.c 
> b/MdeModulePkg/Core/Dxe/Event/Tpl.c
> index 8ad0a33701..8c50f61117 100644
> --- a/MdeModulePkg/Core/Dxe/Event/Tpl.c
> +++ b/MdeModulePkg/Core/Dxe/Event/Tpl.c
> @@ -123,7 +123,7 @@ CoreRestoreTpl (
>    //
>    // Dispatch any pending events
>    //
> -  while (((-2 << NewTpl) & gEventPending) != 0) {
> +  while (((((UINTN)-2) << NewTpl) & gEventPending) != 0) {
>      gEfiCurrentTpl = (UINTN) HighBitSet64 (gEventPending);
>      if (gEfiCurrentTpl < TPL_HIGH_LEVEL) {
>        CoreSetInterruptState (TRUE);
> 

Maybe:

  for (;;) {
    PendingTpl = (UINTN) HighBitSet64 (gEventPending);
    if (NewTpl >= PendingTpl) {
      break;
    }
    gEfiCurrentTpl = PendingTpl;
  }

This is much more readable, and HighBitSet64 should be efficient on most modern processors.

Paolo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [PATCH 3/6] MdeModulePkg/Tpl: Fix negative value left shift

[Wu, Hao A]

Star and Paolo,

Thanks for the feedbacks. I will refine the patch according to your suggestions.


Best Regards,
Hao Wu


> -----Original Message-----
> From: Zeng, Star
> Sent: Thursday, September 21, 2017 10:57 AM
> To: Paolo Bonzini; Wu, Hao A; edk2-devel@lists.01.org
> Cc: Dong, Eric; Zeng, Star
> Subject: RE: [edk2] [PATCH 3/6] MdeModulePkg/Tpl: Fix negative value left
> shift
> 
> There is a case must be considered that gEventPending is 0, HighBitSet64 will
> return -1, then the code will be wrong.
> The code maybe:
> 
>   while (gEventPending != 0) {
>     PendingTpl = (UINTN) HighBitSet64 (gEventPending);
>     if (NewTpl >= PendingTpl) {
>       break;
>     }
>     gEfiCurrentTpl = PendingTpl;
> 
>     ...
> 
>   }
> 
> 
> Thanks,
> Star
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Paolo
> Bonzini
> Sent: Wednesday, September 20, 2017 1:03 AM
> To: Wu, Hao A <hao.a.wu@intel.com>; edk2-devel@lists.01.org
> Cc: Dong, Eric <eric.dong@intel.com>; Zeng, Star <star.zeng@intel.com>
> Subject: Re: [edk2] [PATCH 3/6] MdeModulePkg/Tpl: Fix negative value left
> shift
> 
> On 19/09/2017 13:43, Hao Wu wrote:
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=695
> >
> > Within function CoreRestoreTpl(), left shift a negative value -2 is
> > used
> > in:
> > "while (((-2 << NewTpl) & gEventPending) != 0) {"
> >
> > which involves undefined behavior.
> >
> > According to the C11 spec, Section 6.5.7:
> >> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
> >>   bits are filled with zeros. If E1 has an unsigned type, the value
> >>   of the result is E1 * 2^E2 , reduced modulo one more than the
> >>   maximum value representable in the result type. If E1 has a signed
> >>   type and nonnegative value, and E1 * 2^E2 is representable in the
> >>   result type, then that is the resulting value; otherwise, the
> >>   behavior is undefined.
> >
> > This commit explicitly cast '-2' with UINTN to resolve this issue.
> >
> > Cc: Steven Shi <steven.shi@intel.com>
> > Cc: Star Zeng <star.zeng@intel.com>
> > Cc: Eric Dong <eric.dong@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> > ---
> >  MdeModulePkg/Core/Dxe/Event/Tpl.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/MdeModulePkg/Core/Dxe/Event/Tpl.c
> > b/MdeModulePkg/Core/Dxe/Event/Tpl.c
> > index 8ad0a33701..8c50f61117 100644
> > --- a/MdeModulePkg/Core/Dxe/Event/Tpl.c
> > +++ b/MdeModulePkg/Core/Dxe/Event/Tpl.c
> > @@ -123,7 +123,7 @@ CoreRestoreTpl (
> >    //
> >    // Dispatch any pending events
> >    //
> > -  while (((-2 << NewTpl) & gEventPending) != 0) {
> > +  while (((((UINTN)-2) << NewTpl) & gEventPending) != 0) {
> >      gEfiCurrentTpl = (UINTN) HighBitSet64 (gEventPending);
> >      if (gEfiCurrentTpl < TPL_HIGH_LEVEL) {
> >        CoreSetInterruptState (TRUE);
> >
> 
> Maybe:
> 
>   for (;;) {
>     PendingTpl = (UINTN) HighBitSet64 (gEventPending);
>     if (NewTpl >= PendingTpl) {
>       break;
>     }
>     gEfiCurrentTpl = PendingTpl;
>   }
> 
> This is much more readable, and HighBitSet64 should be efficient on most
> modern processors.
> 
> Paolo
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel

Re: [PATCH 4/6] MdeModulePkg/DxeNetLib: Fix negative value left shift

[Wu, Jiaxin]

Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>


> -----Original Message-----
> From: Wu, Hao A
> Sent: Tuesday, September 19, 2017 7:44 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Shi, Steven <steven.shi@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Ye, Ting <ting.ye@intel.com>; Wu, Jiaxin
> <jiaxin.wu@intel.com>; Zeng, Star <star.zeng@intel.com>; Dong, Eric
> <eric.dong@intel.com>
> Subject: [PATCH 4/6] MdeModulePkg/DxeNetLib: Fix negative value left shift
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=698
> 
> Within function NetRandomInitSeed(), left shift a negative value is used
> in:
> "~Time.Hour << 24"
> 
> which involves undefined behavior.
> 
> Since Time.Hour is of type UINT8 (range from 0 to 23), hence ~Time.Hour
> will be a negative value (of type int, signed).
> 
> According to the C11 spec, Section 6.5.7:
> > 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated
> >   bits are filled with zeros. If E1 has an unsigned type, the value
> >   of the result is E1 * 2^E2 , reduced modulo one more than the
> >   maximum value representable in the result type. If E1 has a signed
> >   type and nonnegative value, and E1 * 2^E2 is representable in the
> >   result type, then that is the resulting value; otherwise, the
> >   behavior is undefined.
> 
> This commit explicitly cast 'Time.Hour' with UINT32 to resolve this issue.
> 
> Cc: Steven Shi <steven.shi@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  MdeModulePkg/Library/DxeNetLib/DxeNetLib.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
> b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
> index 7cd7e3aca0..ca5413edcc 100644
> --- a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
> +++ b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c
> @@ -872,7 +872,7 @@ NetRandomInitSeed (
>    UINT64                    MonotonicCount;
> 
>    gRT->GetTime (&Time, NULL);
> -  Seed = (~Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 |
> Time.Second);
> +  Seed = (~(UINT32)Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 |
> Time.Second);
>    Seed ^= Time.Nanosecond;
>    Seed ^= Time.Year << 7;
> 
> --
> 2.12.0.windows.1