From: "Krzysztof Koch"
Subject: [PATCH v3 00/11] Test against invalid pointers in acpiview
Date: Mon, 20 Jan 2020 11:13:40 +0000
Message-ID: <20200120111351.29184-1-krzysztof.koch@arm.com>

Prevent the use of invalid pointers when parsing ACPI tables in the UEFI
shell acpiview tool. The parsing of ACPI tables is often controlled with
the values read earlier from the same table. For example, the 'Offset' or
'Count' fields found in a structure are later used to parse the
substructures.
If such fields lie outside the structure's buffer length
provided, then there is a possibility for a wild or dangling pointer.

Currently, if the ParseAcpi() function terminates early because the end
of the input table data buffer has been reached, then the pointers which
were supposed to be updated by this function are left untouched. This is
a security issue as the values pointed to by these pointers are later
used for flow control.

This patch series aims to solve this security issue by explicitly
initializing any pointers lying outside the input ACPI data buffer to
NULL and testing for NULL whenever these pointers are dereferenced.

Changes can be seen at:
https://github.com/KrzysztofKoch1/edk2/tree/612_add_pointer_validation_v3

Notes:
    v3:
    - Rebase on latest master [Krzysztof]

    v2:
    - Do not require FadtMinorRevision and X_DsdtAddress pointers to be
      valid in FADT table parser [Zhichao]

    v1:
    - Validate static pointers in acpiview parsers before use [Krzysztof]

Krzysztof Koch (11):
  ShellPkg: acpiview: Set ItemPtr to NULL for unprocessed table fields
  ShellPkg: acpiview: RSDP: Validate global pointer before use
  ShellPkg: acpiview: FADT: Validate global pointer before use
  ShellPkg: acpiview: SLIT: Validate global pointer before use
  ShellPkg: acpiview: SLIT: Validate System Locality count
  ShellPkg: acpiview: SRAT: Validate global pointers before use
  ShellPkg: acpiview: MADT: Validate global pointers before use
  ShellPkg: acpiview: PPTT: Validate global pointers before use
  ShellPkg: acpiview: IORT: Validate global pointers before use
  ShellPkg: acpiview: GTDT: Validate global pointers before use
  ShellPkg: acpiview: DBG2: Validate global pointers before use

 ShellPkg/Library/UefiShellAcpiViewCommandLib/AcpiParser.c              |  9 ++-
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c | 43 ++++++++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Fadt/FadtParser.c | 21 +++----
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c | 37 ++++++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c | 52 +++++++++++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 13 +++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 25 ++++++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Rsdp/RsdpParser.c | 12 ++++
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Slit/SlitParser.c | 61 ++++++++++++++++++--
 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 13 +++++
 10 files changed, 269 insertions(+), 17 deletions(-)

--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
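
The pattern the cover letter describes, as an added example that is not part of the original message and is not edk2 code: a table-driven parser that resets each item pointer to NULL when its field lies outside the buffer, and a consumer that tests the pointer before use. FIELD_DESC, ParseFields, ReadCount, gCountPtr and the 12-byte table layout are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified field descriptor; not edk2's real parser type. */
typedef struct {
  size_t          Offset;   /* byte offset of the field inside the table */
  size_t          Length;   /* field size in bytes */
  const uint8_t **ItemPtr;  /* optional: receives the field's address */
} FIELD_DESC;

/* Global pointer filled in by the parser, as in the per-table parsers. */
static const uint8_t *gCountPtr;

/* Constructed layout: 4-byte signature, then an 8-byte little-endian count. */
static const FIELD_DESC gFields[] = {
  { 0, 4, NULL },
  { 4, 8, &gCountPtr },
};

/* Parse every descriptor. A field that does not fit in the buffer gets its
   ItemPtr set to NULL instead of keeping a value from an earlier call.
   Returns the number of fields that were inside the buffer. */
size_t ParseFields(const uint8_t *Buf, size_t BufLen)
{
  size_t Parsed = 0;
  for (size_t i = 0; i < sizeof gFields / sizeof gFields[0]; i++) {
    const FIELD_DESC *F = &gFields[i];
    /* Overflow-safe bounds test: Offset + Length must be <= BufLen. */
    int Fits = F->Offset <= BufLen && F->Length <= BufLen - F->Offset;
    if (F->ItemPtr != NULL) {
      *F->ItemPtr = Fits ? Buf + F->Offset : NULL;
    }
    Parsed += Fits ? 1 : 0;
  }
  return Parsed;
}

/* Consumer: test the global pointer before dereferencing it.
   Returns 0 and stores the count, or -1 if the field was out of bounds. */
int ReadCount(const uint8_t *Buf, size_t BufLen, uint64_t *Count)
{
  ParseFields(Buf, BufLen);
  if (gCountPtr == NULL) {
    return -1;
  }
  *Count = 0;
  for (int i = 7; i >= 0; i--) {
    *Count = (*Count << 8) | gCountPtr[i];
  }
  return 0;
}
```

Parsing a complete table and then a truncated one shows the point: without the reset to NULL, gCountPtr would still address the first table's count when the second call returns.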