From: "Krzysztof Koch"
Subject: [PATCH v1 00/11] Test against invalid pointers in acpiview
Date: Thu, 15 Aug 2019 14:11:10 +0100
Message-ID: <20190815131121.52644-1-krzysztof.koch@arm.com>

Prevent the use of invalid pointers when parsing ACPI tables in the UEFI
shell acpiview tool.

The parsing of ACPI tables is often controlled with the values read
earlier from the same table. For example, the 'Offset' or 'Count' fields
found in a structure are later used to parse the substructures. If such
fields lie outside the structure's buffer length provided, then there is
a possibility for a wild or dangling pointer.

Currently, if the ParseAcpi() function terminates early because the end
of the input table data buffer has been reached, then the pointers which
were supposed to be updated by this function are left untouched. This is
a security issue as the values pointed to by these pointers are later
used for flow control.

This patch series aims to solve this security issue by explicitly
initializing any pointers lying outside the input ACPI data buffer to
NULL and testing for NULL whenever these pointers are dereferenced.

Changes can be seen at:
https://github.com/KrzysztofKoch1/edk2/tree/612_add_pointer_validation_v1

Krzysztof Koch (11):
  ShellPkg: acpiview: Set ItemPtr to NULL for unprocessed table fields
  ShellPkg: acpiview: RSDP: Validate global pointer before use
  ShellPkg: acpiview: FADT: Validate global pointer before use
  ShellPkg: acpiview: SLIT: Validate global pointer before use
  ShellPkg: acpiview: SLIT: Validate System Locality count
  ShellPkg: acpiview: SRAT: Validate global pointers before use
  ShellPkg: acpiview: MADT: Validate global pointers before use
  ShellPkg: acpiview: PPTT: Validate global pointers before use
  ShellPkg: acpiview: IORT: Validate global pointers before use
  ShellPkg: acpiview: GTDT: Validate global pointers before use
  ShellPkg: acpiview: DBG2: Validate global pointers before use

 ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiParser.c              |  9 ++-
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c | 43 ++++++++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Fadt/FadtParser.c | 14 +++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c | 37 ++++++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c | 52 +++++++++++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 13 +++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 25 ++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Rsdp/RsdpParser.c | 12 ++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Slit/SlitParser.c | 61 ++++++++++++++++++--
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 13 +++++
 10 files changed, 272 insertions(+), 7 deletions(-)

--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
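
The pattern the cover letter describes, as an added example that is not code from this patch series or from edk2: a field parser that sets a field's pointer to NULL when the field lies outside the buffer, and a caller that tests for NULL and validates a count before using it. The type and function names, the table layout and the sample tables are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a table-driven field parser. All names here are
 * hypothetical; this is not the edk2 ACPI_PARSER definition. */
typedef struct {
    uint32_t offset;       /* field offset inside the structure */
    uint32_t length;       /* field size in bytes */
    const uint8_t **item;  /* where a pointer to the field is published */
} field_desc;

/* Publish a pointer for every field that lies inside buf[0..len). A field
 * outside the buffer gets NULL rather than keeping its previous value. */
static void parse_fields(const uint8_t *buf, uint32_t len,
                         const field_desc *f, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        /* written so that offset + length cannot wrap around */
        int fits = f[i].offset <= len && f[i].length <= len - f[i].offset;
        if (f[i].item != NULL)
            *f[i].item = fits ? buf + f[i].offset : NULL;
    }
}

static const uint8_t *g_count;  /* global pointer, reused across tables */

/* Constructed layout: 4-byte header, 16-bit little-endian count at offset 4,
 * then count * count one-byte entries. Returns the entry count or -1. */
static int64_t matrix_entries(const uint8_t *tbl, uint32_t len)
{
    const field_desc fields[] = {
        { 0, 4, NULL },
        { 4, 2, &g_count },
    };
    parse_fields(tbl, len, fields, sizeof fields / sizeof fields[0]);
    if (g_count == NULL)               /* count field was not parsed */
        return -1;
    uint32_t count = (uint32_t)g_count[0] | ((uint32_t)g_count[1] << 8);
    uint64_t need = (uint64_t)count * count;
    if (need > (uint64_t)len - 6)      /* count claims more than is present */
        return -1;
    return (int64_t)need;
}

/* Constructed sample tables: complete, truncated, and with an oversized count */
static const uint8_t full_tbl[]  = { 'T','E','S','T', 2, 0, 10, 20, 20, 10 };
static const uint8_t short_tbl[] = { 'T','E','S','T', 2 };
static const uint8_t lying_tbl[] = { 'T','E','S','T', 3, 0, 10, 20, 20, 10 };
```

Parsing `short_tbl` after `full_tbl` is the case of interest: if `parse_fields` left out-of-bounds fields untouched, `g_count` would still point into the previous table and the caller would act on its stale count.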