From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by mx.groups.io with SMTP id smtpd.web11.1661.1581566616018178782 for ; Wed, 12 Feb 2020 20:03:36 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: dandan.bi@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Feb 2020 20:03:35 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,434,1574150400"; d="scan'208";a="380976114" Received: from shwdeopenpsi114.ccr.corp.intel.com ([10.239.157.126]) by orsmga004.jf.intel.com with ESMTP; 12 Feb 2020 20:03:33 -0800 From: "Dandan Bi" To: devel@edk2.groups.io Cc: Liming Gao , Eric Dong , Jian J Wang Subject: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558) Date: Thu, 13 Feb 2020 12:03:02 +0800 Message-Id: <20200213040303.53336-2-dandan.bi@intel.com> X-Mailer: git-send-email 2.18.0.windows.1 In-Reply-To: <20200213040303.53336-1-dandan.bi@intel.com> References: <20200213040303.53336-1-dandan.bi@intel.com> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 Cc: Liming Gao Cc: Eric Dong Cc: Jian J Wang Signed-off-by: Dandan Bi --- MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c index 505e063d49..10a1e691a3 100644 --- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c 
@@ -1004,10 +1004,11 @@ SetStringWorker ( BlockPtr, StringTextPtr + AsciiStrSize ((CHAR8 *)StringTextPtr), TmpSize ); + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = Block; StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); break; @@ -1037,10 +1038,11 @@ SetStringWorker ( BlockPtr, StringTextPtr + StringSize, OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize ); + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = Block; StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); break; @@ -1088,10 +1090,11 @@ SetStringWorker ( ); BlockPtr += StrSize (GlobalFont->FontInfo->FontName); CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize); + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = Block; StringPackage->StringPkgHdr->Header.Length += Ext2.Length; return EFI_SUCCESS; @@ -1273,10 +1276,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize; } @@ -1404,10 +1408,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize; 
@@ -1446,10 +1451,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize; PackageListNode->PackageListHdr.PackageLength += Ucs2FontBlockSize; @@ -1507,10 +1513,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize; PackageListNode->PackageListHdr.PackageLength += FontBlockSize + Ucs2FontBlockSize; -- 2.18.0.windows.1
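Review bot: The ZeroMem call added ahead of FreePool in the first SetStringWorker hunk (@@ -1004) has no comment saying why the old block must be cleared, and the commit message carries only the Bugzilla reference and the CVE number in the subject. A one-line comment above the call stating that the old string block is wiped before being returned to the pool would keep a later cleanup from dropping it as redundant. The same applies to the @@ -1037 and @@ -1088 hunks.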
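Review bot: In the HiiNewString hunk at @@ -1273, ZeroMem uses OldBlockSize as its length, but none of the context lines shown in that hunk assign or use OldBlockSize. In the @@ -1088 SetStringWorker hunk the preceding CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize) shows the variable describing the old block; the HiiNewString hunks show no such use. Please confirm that on each of the four HiiNewString paths (@@ -1273, @@ -1404, @@ -1446, @@ -1507) OldBlockSize holds the size of the buffer currently in StringPackage->StringBlock when ZeroMem runs. A stale or larger value would write past the allocation, and a smaller one would leave the tail of the block uncleared.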
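Review bot: The pair "ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock);" in the last hunk (@@ -1507) is the seventh identical copy added to String.c by this patch. Consider a small static helper in this file that takes the block pointer and its size and performs both steps, so that a future call site cannot add the FreePool without the clear and the size argument is reviewed in one place.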