* [PATCH v2 0/2] CryptoPkg/BaseCryptLib: Correct CRT realloc Wrapper
@ 2017-11-01 8:19 Long Qin
2017-11-01 8:19 ` [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper Long Qin
2017-11-01 8:19 ` [PATCH v2 2/2] CryptoPkg/BaseCryptLib: Fix mismatched memory allocation/free Long Qin
0 siblings, 2 replies; 4+ messages in thread
From: Long Qin @ 2017-11-01 8:19 UTC (permalink / raw)
To: edk2-devel; +Cc: jian.j.wang, ting.ye, lersek
V2 Update: Add NULL check for memory allocation failure.
There is one long-standing problem in current CRT realloc wrapper
implementation, which will cause the obvious buffer overflow issue
when re-allocating memory block.
One BZ report: https://bugzilla.tianocore.org/show_bug.cgi?id=605
This patch series is to fix this buffer overflow issue by introducing
one extra header to record the memory buffer size information.
And extra comments were also added to clarify the memory release routines
if the caller is required to free the memory block outside the function.
Long Qin (2):
CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
CryptoPkg/BaseCryptLib: Fix mismatched memory allocation/free
CryptoPkg/Include/Library/BaseCryptLib.h | 16 +++--
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 5 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c | 3 +-
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 15 ++--
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 13 ++--
.../BaseCryptLib/SysCall/BaseMemAllocation.c | 83 ++++++++++++++++++++--
6 files changed, 108 insertions(+), 27 deletions(-)
--
2.14.1.windows.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
2017-11-01 8:19 [PATCH v2 0/2] CryptoPkg/BaseCryptLib: Correct CRT realloc Wrapper Long Qin
@ 2017-11-01 8:19 ` Long Qin
2017-11-01 8:48 ` Wang, Jian J
2017-11-01 8:19 ` [PATCH v2 2/2] CryptoPkg/BaseCryptLib: Fix mismatched memory allocation/free Long Qin
1 sibling, 1 reply; 4+ messages in thread
From: Long Qin @ 2017-11-01 8:19 UTC (permalink / raw)
To: edk2-devel; +Cc: jian.j.wang, ting.ye, lersek, Qin Long
There is one long-standing problem in CRT realloc wrapper, which will
cause the obvious buffer overflow issue when re-allocating one bigger
memory block:
void *realloc (void *ptr, size_t size)
{
//
// BUG: hardcode OldSize == size! We have no any knowledge about
// memory size of original pointer ptr.
//
return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
}
This patch introduces one extra header to record the memory buffer size
information when allocating memory block from malloc routine, and re-wrap
the realloc() and free() routines to remove this BUG.
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
.../BaseCryptLib/SysCall/BaseMemAllocation.c | 83 ++++++++++++++++++++--
1 file changed, 76 insertions(+), 7 deletions(-)
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
index f390e0d449..19c071e2bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
@@ -16,6 +16,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <CrtLibSupport.h>
#include <Library/MemoryAllocationLib.h>
+//
+// Extra header to record the memory buffer size from malloc routine.
+//
+#define CRYPTMEM_HEAD_SIGNATURE SIGNATURE_32('c','m','h','d')
+typedef struct {
+ UINT32 Signature;
+ UINT32 Reserved;
+ UINTN Size;
+} CRYPTMEM_HEAD;
+
+#define CRYPTMEM_OVERHEAD sizeof(CRYPTMEM_HEAD)
+
//
// -- Memory-Allocation Routines --
//
@@ -23,27 +35,84 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
/* Allocates memory blocks */
void *malloc (size_t size)
{
- return AllocatePool ((UINTN) size);
+ CRYPTMEM_HEAD *PoolHdr;
+ UINTN NewSize;
+ VOID *Data;
+
+ //
+ // Adjust the size by the buffer header overhead
+ //
+ NewSize = (UINTN)(size) + CRYPTMEM_OVERHEAD;
+
+ Data = AllocatePool (NewSize);
+ if (Data != NULL) {
+ PoolHdr = (CRYPTMEM_HEAD *)Data;
+ //
+ // Record the memory brief information
+ //
+ PoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
+ PoolHdr->Size = size;
+
+ return (VOID *)(PoolHdr + 1);
+ } else {
+ //
+ // The buffer allocation failed.
+ //
+ return NULL;
+ }
}
/* Reallocate memory blocks */
void *realloc (void *ptr, size_t size)
{
- //
- // BUG: hardcode OldSize == size! We have no any knowledge about
- // memory size of original pointer ptr.
- //
- return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
+ CRYPTMEM_HEAD *OldPoolHdr;
+ CRYPTMEM_HEAD *NewPoolHdr;
+ UINTN OldSize;
+ UINTN NewSize;
+ VOID *Data;
+
+ NewSize = (UINTN)size + CRYPTMEM_OVERHEAD;
+ Data = AllocatePool (NewSize);
+ if (Data != NULL) {
+ NewPoolHdr = (CRYPTMEM_HEAD *)Data;
+ NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
+ NewPoolHdr->Size = size;
+ if (ptr != NULL) {
+ //
+ // Retrieve the original size from the buffer header.
+ //
+ OldPoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
+ ASSERT (OldPoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
+ OldSize = OldPoolHdr->Size;
+
+ //
+ // Duplicate the buffer content.
+ //
+ CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size));
+ FreePool ((VOID *)OldPoolHdr);
+ }
+
+ return (VOID *)(NewPoolHdr + 1);
+ } else {
+ //
+ // The buffer allocation failed.
+ //
+ return NULL;
+ }
}
/* De-allocates or frees a memory block */
void free (void *ptr)
{
+ CRYPTMEM_HEAD *PoolHdr;
+
//
// In Standard C, free() handles a null pointer argument transparently. This
// is not true of FreePool() below, so protect it.
//
if (ptr != NULL) {
- FreePool (ptr);
+ PoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
+ ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
+ FreePool (PoolHdr);
}
}
--
2.14.1.windows.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/2] CryptoPkg/BaseCryptLib: Fix mismatched memory allocation/free
2017-11-01 8:19 [PATCH v2 0/2] CryptoPkg/BaseCryptLib: Correct CRT realloc Wrapper Long Qin
2017-11-01 8:19 ` [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper Long Qin
@ 2017-11-01 8:19 ` Long Qin
1 sibling, 0 replies; 4+ messages in thread
From: Long Qin @ 2017-11-01 8:19 UTC (permalink / raw)
To: edk2-devel; +Cc: jian.j.wang, ting.ye, lersek, Qin Long
The malloc/free (instead of AllocatePool/FreePool) were used directly
in some wrapper implementations, which was designed to leverage the
light-weight memory management routines at Runtime phase.
The malloc/free and AllocatePool/FreePool usages are required to be
matched, after extra memory size info header was introduced in malloc
wrapper.
This patch corrects two memory allocation cases, which requires the
caller to free the buffer with FreePool() outside the function call.
And some comments were also added to clarify the correct memory
release functions if it's the caller's responsibility to free the
memory buffer.
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
CryptoPkg/Include/Library/BaseCryptLib.h | 16 ++++++++++------
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 5 +++--
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c | 3 ++-
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 15 +++++++++------
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 13 ++++++++-----
5 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 5f67ecb709..e2b6a95666 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2388,10 +2388,12 @@ Pkcs5HashPassword (
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
@param[out] CertLength Length of the trusted certificate in bytes.
@retval TRUE The operation is finished successfully.
@@ -2433,10 +2435,11 @@ Pkcs7FreeSigners (
@param[in] P7Data Pointer to the PKCS#7 message.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] SignerChainCerts Pointer to the certificates list chained to signer's
- certificate. It's caller's responsibility to free the buffer.
+ certificate. It's caller's responsibility to free the buffer
+ with Pkcs7FreeSigners().
@param[out] ChainLength Length of the chained certificates list buffer in bytes.
@param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
- responsibility to free the buffer.
+ responsibility to free the buffer with Pkcs7FreeSigners().
@param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
@retval TRUE The operation is finished successfully.
@@ -2472,7 +2475,8 @@ Pkcs7GetCertificatesList (
@param[in] OtherCerts Pointer to an optional additional set of certificates to
include in the PKCS#7 signedData (e.g. any intermediate
CAs in the chain).
- @param[out] SignedData Pointer to output PKCS#7 signedData.
+ @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's
+ responsibility to free the buffer with FreePool().
@param[out] SignedDataSize Size of SignedData in bytes.
@retval TRUE PKCS#7 data signing succeeded.
@@ -2540,7 +2544,7 @@ Pkcs7Verify (
@param[in] P7Data Pointer to the PKCS#7 signed data to process.
@param[in] P7Length Length of the PKCS#7 signed data in bytes.
@param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with FreePool().
@param[out] ContentSize The size of the extracted content in bytes.
@retval TRUE The P7Data was correctly formatted for processing.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
index d3b1a907aa..0f61d4b4ad 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
@@ -34,7 +34,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@param[in] OtherCerts Pointer to an optional additional set of certificates to
include in the PKCS#7 signedData (e.g. any intermediate
CAs in the chain).
- @param[out] SignedData Pointer to output PKCS#7 signedData.
+ @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's
+ responsibility to free the buffer with FreePool().
@param[out] SignedDataSize Size of SignedData in bytes.
@retval TRUE PKCS#7 data signing succeeded.
@@ -167,7 +168,7 @@ Pkcs7Sign (
// is totally 19 bytes.
//
*SignedDataSize = P7DataSize - 19;
- *SignedData = malloc (*SignedDataSize);
+ *SignedData = AllocatePool (*SignedDataSize);
if (*SignedData == NULL) {
OPENSSL_free (P7Data);
goto _Exit;
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c
index 539bb6b7d5..1ce7202d91 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c
@@ -33,7 +33,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@param[in] OtherCerts Pointer to an optional additional set of certificates to
include in the PKCS#7 signedData (e.g. any intermediate
CAs in the chain).
- @param[out] SignedData Pointer to output PKCS#7 signedData.
+ @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's
+ responsibility to free the buffer with FreePool().
@param[out] SignedDataSize Size of SignedData in bytes.
@retval FALSE This interface is not supported.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index bf67a1f569..296df028b1 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -240,10 +240,12 @@ _Exit:
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
@param[out] CertLength Length of the trusted certificate in bytes.
@retval TRUE The operation is finished successfully.
@@ -438,10 +440,11 @@ Pkcs7FreeSigners (
@param[in] P7Data Pointer to the PKCS#7 message.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] SignerChainCerts Pointer to the certificates list chained to signer's
- certificate. It's caller's responsibility to free the buffer.
+ certificate. It's caller's responsibility to free the buffer
+ with Pkcs7FreeSigners().
@param[out] ChainLength Length of the chained certificates list buffer in bytes.
@param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
- responsibility to free the buffer.
+ responsibility to free the buffer with Pkcs7FreeSigners().
@param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
@retval TRUE The operation is finished successfully.
@@ -921,7 +924,7 @@ _Exit:
@param[in] P7Data Pointer to the PKCS#7 signed data to process.
@param[in] P7Length Length of the PKCS#7 signed data in bytes.
@param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with FreePool().
@param[out] ContentSize The size of the extracted content in bytes.
@retval TRUE The P7Data was correctly formatted for processing.
@@ -996,7 +999,7 @@ Pkcs7GetAttachedContent (
OctStr = Pkcs7->d.sign->contents->d.data;
if ((OctStr->length > 0) && (OctStr->data != NULL)) {
*ContentSize = OctStr->length;
- *Content = malloc (*ContentSize);
+ *Content = AllocatePool (*ContentSize);
if (*Content == NULL) {
*ContentSize = 0;
goto _Exit;
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
index 06602ec535..d3e8ec89a7 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
@@ -25,10 +25,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
@param[out] CertLength Length of the trusted certificate in bytes.
@retval FALSE This interface is not supported.
@@ -75,10 +77,11 @@ Pkcs7FreeSigners (
@param[in] P7Data Pointer to the PKCS#7 message.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] SignerChainCerts Pointer to the certificates list chained to signer's
- certificate. It's caller's responsibility to free the buffer.
+ certificate. It's caller's responsibility to free the buffer
+ with Pkcs7FreeSigners().
@param[out] ChainLength Length of the chained certificates list buffer in bytes.
@param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
- responsibility to free the buffer.
+ responsibility to free the buffer with Pkcs7FreeSigners().
@param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
@retval TRUE The operation is finished successfully.
@@ -142,7 +145,7 @@ Pkcs7Verify (
@param[in] P7Data Pointer to the PKCS#7 signed data to process.
@param[in] P7Length Length of the PKCS#7 signed data in bytes.
@param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
- It's caller's responsibility to free the buffer.
+ It's caller's responsibility to free the buffer with FreePool().
@param[out] ContentSize The size of the extracted content in bytes.
@retval TRUE The P7Data was correctly formatted for processing.
--
2.14.1.windows.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
2017-11-01 8:19 ` [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper Long Qin
@ 2017-11-01 8:48 ` Wang, Jian J
0 siblings, 0 replies; 4+ messages in thread
From: Wang, Jian J @ 2017-11-01 8:48 UTC (permalink / raw)
To: Long, Qin, edk2-devel@lists.01.org; +Cc: Ye, Ting, lersek@redhat.com
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> -----Original Message-----
> From: Long, Qin
> Sent: Wednesday, November 01, 2017 4:19 PM
> To: edk2-devel@lists.01.org
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Ye, Ting <ting.ye@intel.com>;
> lersek@redhat.com; Long, Qin <qin.long@intel.com>
> Subject: [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in
> realloc wrapper
>
> There is one long-standing problem in CRT realloc wrapper, which will
> cause the obvious buffer overflow issue when re-allocating one bigger
> memory block:
> void *realloc (void *ptr, size_t size)
> {
> //
> // BUG: hardcode OldSize == size! We have no any knowledge about
> // memory size of original pointer ptr.
> //
> return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
> }
> This patch introduces one extra header to record the memory buffer size
> information when allocating memory block from malloc routine, and re-wrap
> the realloc() and free() routines to remove this BUG.
>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
> .../BaseCryptLib/SysCall/BaseMemAllocation.c | 83
> ++++++++++++++++++++--
> 1 file changed, 76 insertions(+), 7 deletions(-)
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> index f390e0d449..19c071e2bf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> @@ -16,6 +16,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
> #include <CrtLibSupport.h>
> #include <Library/MemoryAllocationLib.h>
>
> +//
> +// Extra header to record the memory buffer size from malloc routine.
> +//
> +#define CRYPTMEM_HEAD_SIGNATURE SIGNATURE_32('c','m','h','d')
> +typedef struct {
> + UINT32 Signature;
> + UINT32 Reserved;
> + UINTN Size;
> +} CRYPTMEM_HEAD;
> +
> +#define CRYPTMEM_OVERHEAD sizeof(CRYPTMEM_HEAD)
> +
> //
> // -- Memory-Allocation Routines --
> //
> @@ -23,27 +35,84 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
> /* Allocates memory blocks */
> void *malloc (size_t size)
> {
> - return AllocatePool ((UINTN) size);
> + CRYPTMEM_HEAD *PoolHdr;
> + UINTN NewSize;
> + VOID *Data;
> +
> + //
> + // Adjust the size by the buffer header overhead
> + //
> + NewSize = (UINTN)(size) + CRYPTMEM_OVERHEAD;
> +
> + Data = AllocatePool (NewSize);
> + if (Data != NULL) {
> + PoolHdr = (CRYPTMEM_HEAD *)Data;
> + //
> + // Record the memory brief information
> + //
> + PoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
> + PoolHdr->Size = size;
> +
> + return (VOID *)(PoolHdr + 1);
> + } else {
> + //
> + // The buffer allocation failed.
> + //
> + return NULL;
> + }
> }
>
> /* Reallocate memory blocks */
> void *realloc (void *ptr, size_t size)
> {
> - //
> - // BUG: hardcode OldSize == size! We have no any knowledge about
> - // memory size of original pointer ptr.
> - //
> - return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
> + CRYPTMEM_HEAD *OldPoolHdr;
> + CRYPTMEM_HEAD *NewPoolHdr;
> + UINTN OldSize;
> + UINTN NewSize;
> + VOID *Data;
> +
> + NewSize = (UINTN)size + CRYPTMEM_OVERHEAD;
> + Data = AllocatePool (NewSize);
> + if (Data != NULL) {
> + NewPoolHdr = (CRYPTMEM_HEAD *)Data;
> + NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
> + NewPoolHdr->Size = size;
> + if (ptr != NULL) {
> + //
> + // Retrieve the original size from the buffer header.
> + //
> + OldPoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
> + ASSERT (OldPoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
> + OldSize = OldPoolHdr->Size;
> +
> + //
> + // Duplicate the buffer content.
> + //
> + CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size));
> + FreePool ((VOID *)OldPoolHdr);
> + }
> +
> + return (VOID *)(NewPoolHdr + 1);
> + } else {
> + //
> + // The buffer allocation failed.
> + //
> + return NULL;
> + }
> }
>
> /* De-allocates or frees a memory block */
> void free (void *ptr)
> {
> + CRYPTMEM_HEAD *PoolHdr;
> +
> //
> // In Standard C, free() handles a null pointer argument transparently. This
> // is not true of FreePool() below, so protect it.
> //
> if (ptr != NULL) {
> - FreePool (ptr);
> + PoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
> + ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
> + FreePool (PoolHdr);
> }
> }
> --
> 2.14.1.windows.1
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-11-01 8:45 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-11-01 8:19 [PATCH v2 0/2] CryptoPkg/BaseCryptLib: Correct CRT realloc Wrapper Long Qin
2017-11-01 8:19 ` [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper Long Qin
2017-11-01 8:48 ` Wang, Jian J
2017-11-01 8:19 ` [PATCH v2 2/2] CryptoPkg/BaseCryptLib: Fix mismatched memory allocation/free Long Qin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox