From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.151; helo=mga17.intel.com; envelope-from=ruiyu.ni@intel.com; receiver=edk2-devel@lists.01.org Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C8673210F30AD for ; Wed, 15 Aug 2018 23:32:58 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Aug 2018 23:32:58 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,246,1531810800"; d="scan'208";a="249233140" Received: from ray-dev.ccr.corp.intel.com ([10.239.9.8]) by orsmga005.jf.intel.com with ESMTP; 15 Aug 2018 23:32:42 -0700 From: Ruiyu Ni To: edk2-devel@lists.01.org Cc: Jaben Carsey , Jian Wang Date: Thu, 16 Aug 2018 14:33:23 +0800 Message-Id: <20180816063323.177852-1-ruiyu.ni@intel.com> X-Mailer: git-send-email 2.16.1.windows.1 Subject: [PATCH] ShellPkg/edit: Fix heap access out-of-bounds X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Aug 2018 06:32:59 -0000 The issue was found when heap guard is turned on. PrintLib somehow receives a non-null terminated string in var-arg. When the PrintLib implementation reads the string it keeps reading because no null-terminator is met, which triggers the page fault set by the heap guard. The issue is caused by a bug in FileBufferPrintLine(). When "edit" opens a binary file, in FileBufferPrintLine(), the Line->Buffer may start with \x00 \x00, but the Line->Size is larger than MainEditor.ScreenSize.Column, it causes the PrintLine is set to an empty string by below call: StrnCpyS ( PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit, MainEditor.ScreenSize.Column) ); But since Limit (equals to Line->Size) is larger than MainEditor.ScreenSize.Column, below for-loop doesn't successfully set the whole PrintLine to all-empty-space. for (; Limit < MainEditor.ScreenSize.Column; Limit++) { PrintLine[Limit] = L' '; } So after the for-loop, PrintLine is still an empty string. Later in below call, the PrintLine2 is created based on PrintLine. ShellCopySearchAndReplace ( PrintLine, PrintLine2, BufLen * 2, L"%", L"^%", FALSE, FALSE ); But due to the implementation of ShellCopySearchAndReplace(), PrintLine2 is untouched and INVALID_PARAMETER is returned. Finally an uninitialized string is passed to ShellPrintEx() which causes the #PF exception. The fix is to reset Limit to StrLen(PrintLine) before for-loop. So that PrintLine can be converted from an empty string to a string containing all spaces. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni Cc: Jaben Carsey Cc: Jian Wang --- ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c index 56ccd399b0..39a5afb53f 100644 --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c @@ -500,7 +500,7 @@ FileBufferPrintLine ( PrintLine = AllocatePool (BufLen); if (PrintLine != NULL) { StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit, MainEditor.ScreenSize.Column)); - for (; Limit < MainEditor.ScreenSize.Column; Limit++) { + for (Limit = StrLen (PrintLine); Limit < MainEditor.ScreenSize.Column; Limit++) { PrintLine[Limit] = L' '; } -- 2.16.1.windows.1