From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.120])
 by mx.groups.io with SMTP id smtpd.web09.2197.1572068255253113068
 for <devel@edk2.groups.io>;
 Fri, 25 Oct 2019 22:37:35 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=fVC2UNhk;
 spf=pass (domain: redhat.com, ip: 207.211.31.120, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1572068254;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=nBAiVxdgL+dCUJWJx9F8DhgMZV+qEEgR6ajo9ukR+Lk=;
	b=fVC2UNhkfwJw4EC1R0D7EwXDBb8ZUR0aUiSKMaDMsSsy9TrO97ZO7PGk6EVpMlj32xei0i
	1EKCDRKhnBfJHT6P0e5O6w6QjK7nvokarrtR65+lXm/Tzm8frAb1J+vljhx7gqTeqpD5k3
	Ly5bQwO9XITOzJ2p/MmsUlcw7iyPB20=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-383-090onGgDOVO54dBe4EvxrQ-1; Sat, 26 Oct 2019 01:37:32 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 74874107AD25;
	Sat, 26 Oct 2019 05:37:31 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-26.ams2.redhat.com [10.36.116.26])
	by smtp.corp.redhat.com (Postfix) with ESMTP id AE0625D9CA;
	Sat, 26 Oct 2019 05:37:29 +0000 (UTC)
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: David Woodhouse <dwmw2@infradead.org>,
	Jian J Wang <jian.j.wang@intel.com>,
	Jiaxin Wu <jiaxin.wu@intel.com>,
	Sivaraman Nainar <sivaramann@amiindia.co.in>,
	Xiaoyu Lu <xiaoyux.lu@intel.com>
Subject: [PATCH v2 3/8] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)
Date: Sat, 26 Oct 2019 07:37:14 +0200
Message-Id: <20191026053719.10453-4-lersek@redhat.com>
In-Reply-To: <20191026053719.10453-1-lersek@redhat.com>
References: <20191026053719.10453-1-lersek@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-MC-Unique: 090onGgDOVO54dBe4EvxrQ-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable

According to the ISO C standard, strchr() is a function. We #define it as
a macro. Unfortunately, our macro evaluates the first argument ("str")
twice. If the expression passed for "str" has side effects, the behavior
may be undefined.

In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package), which calls strchr() just like that:

  strchr((xdigits =3D xdigits_l), ch)
  strchr((xdigits =3D xdigits_u), ch)

To enable this kind of function call, turn strchr() into a function.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

Notes:
    v2:
    - new patch

 CryptoPkg/Library/Include/CrtLibSupport.h           | 2 +-
 CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/=
Include/CrtLibSupport.h
index 5806f50f7485..b90da20ff7e7 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -146,8 +146,9 @@ int            isalnum     (int);
 int            isupper     (int);
 int            tolower     (int);
 int            strcmp      (const char *, const char *);
 int            strncasecmp (const char *, const char *, size_t);
+char           *strchr     (const char *, int);
 char           *strrchr    (const char *, int);
 unsigned long  strtoul     (const char *, char **, int);
 long           strtol      (const char *, char **, int);
 char           *strerror   (int);
@@ -187,9 +188,8 @@ void           abort       (void);
 #define strlen(str)                       (size_t)(AsciiStrnLenS(str,MAX_S=
TRING_SIZE))
 #define strcpy(strDest,strSource)         AsciiStrCpyS(strDest,MAX_STRING_=
SIZE,strSource)
 #define strncpy(strDest,strSource,count)  AsciiStrnCpyS(strDest,MAX_STRING=
_SIZE,strSource,(UINTN)count)
 #define strcat(strDest,strSource)         AsciiStrCatS(strDest,MAX_STRING_=
SIZE,strSource)
-#define strchr(str,ch)                    ScanMem8((VOID *)(str),AsciiStrS=
ize(str),(UINT8)ch)
 #define strncmp(string1,string2,count)    (int)(AsciiStrnCmp(string1,strin=
g2,(UINTN)(count)))
 #define strcasecmp(str1,str2)             (int)AsciiStriCmp(str1,str2)
 #define sprintf(buf,...)                  AsciiSPrint(buf,MAX_STRING_SIZE,=
__VA_ARGS__)
 #define localtime(timer)                  NULL
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPk=
g/Library/BaseCryptLib/SysCall/CrtWrapper.c
index 71a2ef34ed2b..42235ab96ac3 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
@@ -114,8 +114,13 @@ QuickSortWorker (
 //
 // -- String Manipulation Routines --
 //
=20
+char *strchr(const char *str, int ch)
+{
+  return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch);
+}
+
 /* Scan a string for the last occurrence of a character */
 char *strrchr (const char *str, int c)
 {
   char * save;
--=20
2.19.1.3.g30247aa5d201