From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100])
 by mx.groups.io with SMTP id smtpd.web11.35134.1578903544991146850
 for <devel@edk2.groups.io>;
 Mon, 13 Jan 2020 00:19:05 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.100, mailfrom: zhiguang.liu@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga001.jf.intel.com ([10.7.209.18])
  by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jan 2020 00:19:04 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.69,428,1571727600"; 
   d="scan'208";a="304781163"
Received: from fieedk002.ccr.corp.intel.com ([10.239.158.170])
  by orsmga001.jf.intel.com with ESMTP; 13 Jan 2020 00:19:03 -0800
From: "Zhiguang Liu" <zhiguang.liu@intel.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
	Hao A Wu <hao.a.wu@intel.com>
Subject: [PATCH] MdePkg: PE loader should zero out dest buffer on allocation
Date: Mon, 13 Jan 2020 16:18:53 +0800
Message-Id: <20200113081854.9732-1-zhiguang.liu@intel.com>
X-Mailer: git-send-email 2.16.2.windows.1

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1999

When PE loader loads image to memory, the first section of image may
not locate right next to the image header, which causes some memory
space remaining uninitialized. This is a security issue.
This patch compares the ending address of image header and the beginning
address of the first section. If there is a gap, zero out this gap.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Signed-off-by: Zhiguang Liu <zhiguang.liu@intel.com>
---
 MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
index 07bb62f860..2cdfb4a082 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
@@ -1306,6 +1306,14 @@ PeCoffLoaderLoadImage (
   // Load each section of the image
   //
   Section = FirstSection;
+  //
+  // Zero out the memory space between image header and the first section
+  //
+  End  = (CHAR8 *)(ImageContext->ImageAddress + ImageContext->SizeOfHeaders);
+  Base = PeCoffLoaderImageAddress (ImageContext, Section->VirtualAddress, TeStrippedOffset);
+  if (End < Base) {
+    ZeroMem (End, Base - End);
+  }
   for (Index = 0; Index < NumberOfSections; Index++) {
     //
     // Read the section
-- 
2.16.2.windows.1