* [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference @ 2020-03-18 6:12 Xu, Wei6 2020-03-18 15:15 ` Michael D Kinney 0 siblings, 1 reply; 8+ messages in thread From: Xu, Wei6 @ 2020-03-18 6:12 UTC (permalink / raw) To: devel; +Cc: Kun Qin, Michael D Kinney, Liming Gao From: Kun Qin <kuqin@microsoft.com> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2602 Zero the allocated buffer in case GetImageInfo `continue` in the middle of a loop. This will cause unexpected GetImageInfo failure not clearing the corresponding entry and lead to GP faults when dereferencing this entry. Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Signed-off-by: Wei6 Xu <wei6.xu@intel.com> --- FmpDevicePkg/FmpDxe/Dependency.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FmpDevicePkg/FmpDxe/Dependency.c b/FmpDevicePkg/FmpDxe/Dependency.c index 8f97c42916..65c23989c6 100644 --- a/FmpDevicePkg/FmpDxe/Dependency.c +++ b/FmpDevicePkg/FmpDxe/Dependency.c @@ -550,11 +550,11 @@ EvaluateImageDependencies ( ); if (EFI_ERROR (Status)) { return EFI_ABORTED; } - mFmpImageInfoBuf = AllocatePool (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * mNumberOfFmpInstance); + mFmpImageInfoBuf = AllocateZeroPool (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * mNumberOfFmpInstance); if (mFmpImageInfoBuf == NULL) { return EFI_OUT_OF_RESOURCES; } for (Index = 0; Index < mNumberOfFmpInstance; Index ++) { -- 2.16.2.windows.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference 2020-03-18 6:12 [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Xu, Wei6 @ 2020-03-18 15:15 ` Michael D Kinney 2020-03-23 7:21 ` Guomin Jiang 0 siblings, 1 reply; 8+ messages in thread From: Michael D Kinney @ 2020-03-18 15:15 UTC (permalink / raw) To: Xu, Wei6, devel@edk2.groups.io, Kinney, Michael D; +Cc: Kun Qin, Gao, Liming Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> > -----Original Message----- > From: Xu, Wei6 <wei6.xu@intel.com> > Sent: Tuesday, March 17, 2020 11:12 PM > To: devel@edk2.groups.io > Cc: Kun Qin <kuqin@microsoft.com>; Kinney, Michael D > <michael.d.kinney@intel.com>; Gao, Liming > <liming.gao@intel.com> > Subject: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix > uninitialized pointer dereference > > From: Kun Qin <kuqin@microsoft.com> > > REF: > https://bugzilla.tianocore.org/show_bug.cgi?id=2602 > > Zero the allocated buffer in case GetImageInfo > `continue` in the middle of > a loop. This will cause unexpected GetImageInfo failure > not clearing the > corresponding entry and lead to GP faults when > dereferencing this entry. > > Cc: Michael D Kinney <michael.d.kinney@intel.com> > Cc: Liming Gao <liming.gao@intel.com> > Signed-off-by: Wei6 Xu <wei6.xu@intel.com> > --- > FmpDevicePkg/FmpDxe/Dependency.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > b/FmpDevicePkg/FmpDxe/Dependency.c > index 8f97c42916..65c23989c6 100644 > --- a/FmpDevicePkg/FmpDxe/Dependency.c > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > @@ -550,11 +550,11 @@ EvaluateImageDependencies ( > ); > if (EFI_ERROR (Status)) { > return EFI_ABORTED; > } > > - mFmpImageInfoBuf = AllocatePool > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > + mFmpImageInfoBuf = AllocateZeroPool > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > if (mFmpImageInfoBuf == NULL) { > return EFI_OUT_OF_RESOURCES; > } > > for (Index = 0; Index < mNumberOfFmpInstance; Index > ++) { > -- > 2.16.2.windows.1 ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference 2020-03-18 15:15 ` Michael D Kinney @ 2020-03-23 7:21 ` Guomin Jiang 2020-03-23 7:40 ` Kun Qin 2020-03-23 16:05 ` Michael D Kinney 0 siblings, 2 replies; 8+ messages in thread From: Guomin Jiang @ 2020-03-23 7:21 UTC (permalink / raw) To: devel@edk2.groups.io, Kinney, Michael D, Xu, Wei6; +Cc: Kun Qin, Gao, Liming Hi Xuwei, QinKun, Have you indeed encounter this issue or just think it is potential issue. I think below code will always initialize the mFmpImageInfoBuf[] and make sure it is valid. Line 585 - mFmpImageInfoBuf[Index] = AllocateZeroPool (ImageInfoSize); If the second GetImageInfo() is runned, I think it will always have correct mfmpImageInfoBuf[] address. Of course, it is ok to use AllocateZeroPool to ensure zero buffer is allocated. Thanks > -----Original Message----- > From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of > Michael D Kinney > Sent: Wednesday, March 18, 2020 11:15 PM > To: Xu, Wei6 <wei6.xu@intel.com>; devel@edk2.groups.io; Kinney, Michael > D <michael.d.kinney@intel.com> > Cc: Kun Qin <kuqin@microsoft.com>; Gao, Liming <liming.gao@intel.com> > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > pointer dereference > > Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> > > > -----Original Message----- > > From: Xu, Wei6 <wei6.xu@intel.com> > > Sent: Tuesday, March 17, 2020 11:12 PM > > To: devel@edk2.groups.io > > Cc: Kun Qin <kuqin@microsoft.com>; Kinney, Michael D > > <michael.d.kinney@intel.com>; Gao, Liming <liming.gao@intel.com> > > Subject: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > > pointer dereference > > > > From: Kun Qin <kuqin@microsoft.com> > > > > REF: > > https://bugzilla.tianocore.org/show_bug.cgi?id=2602 > > > > Zero the allocated buffer in case GetImageInfo `continue` in the > > middle of a loop. This will cause unexpected GetImageInfo failure not > > clearing the corresponding entry and lead to GP faults when > > dereferencing this entry. > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com> > > Cc: Liming Gao <liming.gao@intel.com> > > Signed-off-by: Wei6 Xu <wei6.xu@intel.com> > > --- > > FmpDevicePkg/FmpDxe/Dependency.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > > b/FmpDevicePkg/FmpDxe/Dependency.c > > index 8f97c42916..65c23989c6 100644 > > --- a/FmpDevicePkg/FmpDxe/Dependency.c > > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > > @@ -550,11 +550,11 @@ EvaluateImageDependencies ( > > ); > > if (EFI_ERROR (Status)) { > > return EFI_ABORTED; > > } > > > > - mFmpImageInfoBuf = AllocatePool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > + mFmpImageInfoBuf = AllocateZeroPool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > if (mFmpImageInfoBuf == NULL) { > > return EFI_OUT_OF_RESOURCES; > > } > > > > for (Index = 0; Index < mNumberOfFmpInstance; Index > > ++) { > > -- > > 2.16.2.windows.1 > > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference 2020-03-23 7:21 ` Guomin Jiang @ 2020-03-23 7:40 ` Kun Qin 2020-03-23 8:12 ` Guomin Jiang [not found] ` <15FEE0ADB157EE06.9780@groups.io> 2020-03-23 16:05 ` Michael D Kinney 1 sibling, 2 replies; 8+ messages in thread From: Kun Qin @ 2020-03-23 7:40 UTC (permalink / raw) To: Jiang, Guomin, devel@edk2.groups.io, Kinney, Michael D, Xu, Wei6 Cc: Gao, Liming [-- Attachment #1: Type: text/plain, Size: 4203 bytes --] Hi Guomin, Thanks for reaching out. I did encounter a GP fault because of this issue: If Line 582<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L582> is triggered when the first Fmp->GetImageInfo failed, this specific mFmpImageInfoBuf[Index] will remain to be uninitialized value (0xFAFAFAFAFAF in my case). Later on when it comes to line 632<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L632>, it will pass the null pointer check and try to dereference it, which leads to GP fault. Please let me know if you need further clarification. Thanks, Kun From: Jiang, Guomin<mailto:guomin.jiang@intel.com> Sent: Monday, March 23, 2020 12:21 AM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D<mailto:michael.d.kinney@intel.com>; Xu, Wei6<mailto:wei6.xu@intel.com> Cc: Kun Qin<mailto:Kun.Qin@microsoft.com>; Gao, Liming<mailto:liming.gao@intel.com> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Xuwei, QinKun, Have you indeed encounter this issue or just think it is potential issue. I think below code will always initialize the mFmpImageInfoBuf[] and make sure it is valid. Line 585 - mFmpImageInfoBuf[Index] = AllocateZeroPool (ImageInfoSize); If the second GetImageInfo() is runned, I think it will always have correct mfmpImageInfoBuf[] address. Of course, it is ok to use AllocateZeroPool to ensure zero buffer is allocated. Thanks > -----Original Message----- > From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of > Michael D Kinney > Sent: Wednesday, March 18, 2020 11:15 PM > To: Xu, Wei6 <wei6.xu@intel.com>; devel@edk2.groups.io; Kinney, Michael > D <michael.d.kinney@intel.com> > Cc: Kun Qin <kuqin@microsoft.com>; Gao, Liming <liming.gao@intel.com> > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > pointer dereference > > Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> > > > -----Original Message----- > > From: Xu, Wei6 <wei6.xu@intel.com> > > Sent: Tuesday, March 17, 2020 11:12 PM > > To: devel@edk2.groups.io > > Cc: Kun Qin <kuqin@microsoft.com>; Kinney, Michael D > > <michael.d.kinney@intel.com>; Gao, Liming <liming.gao@intel.com> > > Subject: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > > pointer dereference > > > > From: Kun Qin <kuqin@microsoft.com> > > > > REF: > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2602&data=02%7C01%7CKun.Qin%40microsoft.com%7C3c1042cd095b42a51b9d08d7cefad022%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637205448946602054&sdata=95z6fDC0uceCCs2MuoeCR4MXgRhAI3dVssWeddsWT5s%3D&reserved=0 > > > > Zero the allocated buffer in case GetImageInfo `continue` in the > > middle of a loop. This will cause unexpected GetImageInfo failure not > > clearing the corresponding entry and lead to GP faults when > > dereferencing this entry. > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com> > > Cc: Liming Gao <liming.gao@intel.com> > > Signed-off-by: Wei6 Xu <wei6.xu@intel.com> > > --- > > FmpDevicePkg/FmpDxe/Dependency.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > > b/FmpDevicePkg/FmpDxe/Dependency.c > > index 8f97c42916..65c23989c6 100644 > > --- a/FmpDevicePkg/FmpDxe/Dependency.c > > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > > @@ -550,11 +550,11 @@ EvaluateImageDependencies ( > > ); > > if (EFI_ERROR (Status)) { > > return EFI_ABORTED; > > } > > > > - mFmpImageInfoBuf = AllocatePool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > + mFmpImageInfoBuf = AllocateZeroPool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > if (mFmpImageInfoBuf == NULL) { > > return EFI_OUT_OF_RESOURCES; > > } > > > > for (Index = 0; Index < mNumberOfFmpInstance; Index > > ++) { > > -- > > 2.16.2.windows.1 > > > [-- Attachment #2: Type: text/html, Size: 7833 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference 2020-03-23 7:40 ` Kun Qin @ 2020-03-23 8:12 ` Guomin Jiang [not found] ` <15FEE0ADB157EE06.9780@groups.io> 1 sibling, 0 replies; 8+ messages in thread From: Guomin Jiang @ 2020-03-23 8:12 UTC (permalink / raw) To: Kun Qin, devel@edk2.groups.io, Kinney, Michael D, Xu, Wei6; +Cc: Gao, Liming [-- Attachment #1: Type: text/plain, Size: 5164 bytes --] Hi Kun, It is clear and i have no confusion. Reviewed-by: Guomin Jiang <guomin.jiang@intel.com> Thanks guomin From: Kun Qin [mailto:Kun.Qin@microsoft.com] Sent: Monday, March 23, 2020 3:40 PM To: Jiang, Guomin <guomin.jiang@intel.com>; devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>; Xu, Wei6 <wei6.xu@intel.com> Cc: Gao, Liming <liming.gao@intel.com> Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Guomin, Thanks for reaching out. I did encounter a GP fault because of this issue: If Line 582<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L582> is triggered when the first Fmp->GetImageInfo failed, this specific mFmpImageInfoBuf[Index] will remain to be uninitialized value (0xFAFAFAFAFAF in my case). Later on when it comes to line 632<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L632>, it will pass the null pointer check and try to dereference it, which leads to GP fault. Please let me know if you need further clarification. Thanks, Kun From: Jiang, Guomin<mailto:guomin.jiang@intel.com> Sent: Monday, March 23, 2020 12:21 AM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D<mailto:michael.d.kinney@intel.com>; Xu, Wei6<mailto:wei6.xu@intel.com> Cc: Kun Qin<mailto:Kun.Qin@microsoft.com>; Gao, Liming<mailto:liming.gao@intel.com> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Xuwei, QinKun, Have you indeed encounter this issue or just think it is potential issue. I think below code will always initialize the mFmpImageInfoBuf[] and make sure it is valid. Line 585 - mFmpImageInfoBuf[Index] = AllocateZeroPool (ImageInfoSize); If the second GetImageInfo() is runned, I think it will always have correct mfmpImageInfoBuf[] address. Of course, it is ok to use AllocateZeroPool to ensure zero buffer is allocated. Thanks > -----Original Message----- > From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> [mailto:devel@edk2.groups.io] On Behalf Of > Michael D Kinney > Sent: Wednesday, March 18, 2020 11:15 PM > To: Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael > D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > Cc: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > pointer dereference > > Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > > > -----Original Message----- > > From: Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> > > Sent: Tuesday, March 17, 2020 11:12 PM > > To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> > > Cc: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>>; Kinney, Michael D > > <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> > > Subject: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > > pointer dereference > > > > From: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>> > > > > REF: > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2602&data=02%7C01%7CKun.Qin%40microsoft.com%7C3c1042cd095b42a51b9d08d7cefad022%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637205448946602054&sdata=95z6fDC0uceCCs2MuoeCR4MXgRhAI3dVssWeddsWT5s%3D&reserved=0 > > > > Zero the allocated buffer in case GetImageInfo `continue` in the > > middle of a loop. This will cause unexpected GetImageInfo failure not > > clearing the corresponding entry and lead to GP faults when > > dereferencing this entry. > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > > Cc: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>> > > Signed-off-by: Wei6 Xu <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> > > --- > > FmpDevicePkg/FmpDxe/Dependency.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > > b/FmpDevicePkg/FmpDxe/Dependency.c > > index 8f97c42916..65c23989c6 100644 > > --- a/FmpDevicePkg/FmpDxe/Dependency.c > > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > > @@ -550,11 +550,11 @@ EvaluateImageDependencies ( > > ); > > if (EFI_ERROR (Status)) { > > return EFI_ABORTED; > > } > > > > - mFmpImageInfoBuf = AllocatePool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > + mFmpImageInfoBuf = AllocateZeroPool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > if (mFmpImageInfoBuf == NULL) { > > return EFI_OUT_OF_RESOURCES; > > } > > > > for (Index = 0; Index < mNumberOfFmpInstance; Index > > ++) { > > -- > > 2.16.2.windows.1 > > > [-- Attachment #2: Type: text/html, Size: 10283 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <15FEE0ADB157EE06.9780@groups.io>]
* Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference [not found] ` <15FEE0ADB157EE06.9780@groups.io> @ 2020-05-06 1:35 ` Guomin Jiang 2020-05-06 3:17 ` Xu, Wei6 0 siblings, 1 reply; 8+ messages in thread From: Guomin Jiang @ 2020-05-06 1:35 UTC (permalink / raw) To: devel@edk2.groups.io, Jiang, Guomin, Kun Qin, Kinney, Michael D, Xu, Wei6 Cc: Gao, Liming [-- Attachment #1: Type: text/plain, Size: 5846 bytes --] I can't search the patch in master, anyone can pull the patch if it haven't been pull. Best Regards guomin From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin Jiang Sent: Monday, March 23, 2020 4:13 PM To: Kun Qin <Kun.Qin@microsoft.com>; devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>; Xu, Wei6 <wei6.xu@intel.com> Cc: Gao, Liming <liming.gao@intel.com> Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Kun, It is clear and i have no confusion. Reviewed-by: Guomin Jiang <guomin.jiang@intel.com<mailto:guomin.jiang@intel.com>> Thanks guomin From: Kun Qin [mailto:Kun.Qin@microsoft.com] Sent: Monday, March 23, 2020 3:40 PM To: Jiang, Guomin <guomin.jiang@intel.com<mailto:guomin.jiang@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> Cc: Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Guomin, Thanks for reaching out. I did encounter a GP fault because of this issue: If Line 582<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L582> is triggered when the first Fmp->GetImageInfo failed, this specific mFmpImageInfoBuf[Index] will remain to be uninitialized value (0xFAFAFAFAFAF in my case). Later on when it comes to line 632<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L632>, it will pass the null pointer check and try to dereference it, which leads to GP fault. Please let me know if you need further clarification. Thanks, Kun From: Jiang, Guomin<mailto:guomin.jiang@intel.com> Sent: Monday, March 23, 2020 12:21 AM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D<mailto:michael.d.kinney@intel.com>; Xu, Wei6<mailto:wei6.xu@intel.com> Cc: Kun Qin<mailto:Kun.Qin@microsoft.com>; Gao, Liming<mailto:liming.gao@intel.com> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Xuwei, QinKun, Have you indeed encounter this issue or just think it is potential issue. I think below code will always initialize the mFmpImageInfoBuf[] and make sure it is valid. Line 585 - mFmpImageInfoBuf[Index] = AllocateZeroPool (ImageInfoSize); If the second GetImageInfo() is runned, I think it will always have correct mfmpImageInfoBuf[] address. Of course, it is ok to use AllocateZeroPool to ensure zero buffer is allocated. Thanks > -----Original Message----- > From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> [mailto:devel@edk2.groups.io] On Behalf Of > Michael D Kinney > Sent: Wednesday, March 18, 2020 11:15 PM > To: Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael > D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > Cc: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > pointer dereference > > Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > > > -----Original Message----- > > From: Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> > > Sent: Tuesday, March 17, 2020 11:12 PM > > To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> > > Cc: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>>; Kinney, Michael D > > <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> > > Subject: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > > pointer dereference > > > > From: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>> > > > > REF: > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2602&data=02%7C01%7CKun.Qin%40microsoft.com%7C3c1042cd095b42a51b9d08d7cefad022%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637205448946602054&sdata=95z6fDC0uceCCs2MuoeCR4MXgRhAI3dVssWeddsWT5s%3D&reserved=0 > > > > Zero the allocated buffer in case GetImageInfo `continue` in the > > middle of a loop. This will cause unexpected GetImageInfo failure not > > clearing the corresponding entry and lead to GP faults when > > dereferencing this entry. > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > > Cc: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>> > > Signed-off-by: Wei6 Xu <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> > > --- > > FmpDevicePkg/FmpDxe/Dependency.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > > b/FmpDevicePkg/FmpDxe/Dependency.c > > index 8f97c42916..65c23989c6 100644 > > --- a/FmpDevicePkg/FmpDxe/Dependency.c > > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > > @@ -550,11 +550,11 @@ EvaluateImageDependencies ( > > ); > > if (EFI_ERROR (Status)) { > > return EFI_ABORTED; > > } > > > > - mFmpImageInfoBuf = AllocatePool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > + mFmpImageInfoBuf = AllocateZeroPool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > if (mFmpImageInfoBuf == NULL) { > > return EFI_OUT_OF_RESOURCES; > > } > > > > for (Index = 0; Index < mNumberOfFmpInstance; Index > > ++) { > > -- > > 2.16.2.windows.1 > > > [-- Attachment #2: Type: text/html, Size: 12241 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference 2020-05-06 1:35 ` Guomin Jiang @ 2020-05-06 3:17 ` Xu, Wei6 0 siblings, 0 replies; 8+ messages in thread From: Xu, Wei6 @ 2020-05-06 3:17 UTC (permalink / raw) To: Jiang, Guomin, devel@edk2.groups.io, Kun Qin, Kinney, Michael D Cc: Gao, Liming [-- Attachment #1: Type: text/plain, Size: 6518 bytes --] Hi Guomin, The patch was just pushed. Thanks a lot. BR, Wei From: Jiang, Guomin <guomin.jiang@intel.com> Sent: Wednesday, May 6, 2020 9:36 AM To: devel@edk2.groups.io; Jiang, Guomin <guomin.jiang@intel.com>; Kun Qin <Kun.Qin@microsoft.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Xu, Wei6 <wei6.xu@intel.com> Cc: Gao, Liming <liming.gao@intel.com> Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference I can't search the patch in master, anyone can pull the patch if it haven't been pull. Best Regards guomin From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Guomin Jiang Sent: Monday, March 23, 2020 4:13 PM To: Kun Qin <Kun.Qin@microsoft.com<mailto:Kun.Qin@microsoft.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> Cc: Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Kun, It is clear and i have no confusion. Reviewed-by: Guomin Jiang <guomin.jiang@intel.com<mailto:guomin.jiang@intel.com>> Thanks guomin From: Kun Qin [mailto:Kun.Qin@microsoft.com] Sent: Monday, March 23, 2020 3:40 PM To: Jiang, Guomin <guomin.jiang@intel.com<mailto:guomin.jiang@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> Cc: Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Guomin, Thanks for reaching out. I did encounter a GP fault because of this issue: If Line 582<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L582> is triggered when the first Fmp->GetImageInfo failed, this specific mFmpImageInfoBuf[Index] will remain to be uninitialized value (0xFAFAFAFAFAF in my case). Later on when it comes to line 632<https://github.com/tianocore/edk2/blob/4c0f6e349d32cf27a7104ddd3e729d6ebc88ea70/FmpDevicePkg/FmpDxe/Dependency.c#L632>, it will pass the null pointer check and try to dereference it, which leads to GP fault. Please let me know if you need further clarification. Thanks, Kun From: Jiang, Guomin<mailto:guomin.jiang@intel.com> Sent: Monday, March 23, 2020 12:21 AM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D<mailto:michael.d.kinney@intel.com>; Xu, Wei6<mailto:wei6.xu@intel.com> Cc: Kun Qin<mailto:Kun.Qin@microsoft.com>; Gao, Liming<mailto:liming.gao@intel.com> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Hi Xuwei, QinKun, Have you indeed encounter this issue or just think it is potential issue. I think below code will always initialize the mFmpImageInfoBuf[] and make sure it is valid. Line 585 - mFmpImageInfoBuf[Index] = AllocateZeroPool (ImageInfoSize); If the second GetImageInfo() is runned, I think it will always have correct mfmpImageInfoBuf[] address. Of course, it is ok to use AllocateZeroPool to ensure zero buffer is allocated. Thanks > -----Original Message----- > From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> [mailto:devel@edk2.groups.io] On Behalf Of > Michael D Kinney > Sent: Wednesday, March 18, 2020 11:15 PM > To: Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael > D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > Cc: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > pointer dereference > > Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > > > -----Original Message----- > > From: Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> > > Sent: Tuesday, March 17, 2020 11:12 PM > > To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> > > Cc: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>>; Kinney, Michael D > > <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>> > > Subject: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized > > pointer dereference > > > > From: Kun Qin <kuqin@microsoft.com<mailto:kuqin@microsoft.com>> > > > > REF: > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2602&data=02%7C01%7CKun.Qin%40microsoft.com%7C3c1042cd095b42a51b9d08d7cefad022%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637205448946602054&sdata=95z6fDC0uceCCs2MuoeCR4MXgRhAI3dVssWeddsWT5s%3D&reserved=0 > > > > Zero the allocated buffer in case GetImageInfo `continue` in the > > middle of a loop. This will cause unexpected GetImageInfo failure not > > clearing the corresponding entry and lead to GP faults when > > dereferencing this entry. > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> > > Cc: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>> > > Signed-off-by: Wei6 Xu <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> > > --- > > FmpDevicePkg/FmpDxe/Dependency.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > > b/FmpDevicePkg/FmpDxe/Dependency.c > > index 8f97c42916..65c23989c6 100644 > > --- a/FmpDevicePkg/FmpDxe/Dependency.c > > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > > @@ -550,11 +550,11 @@ EvaluateImageDependencies ( > > ); > > if (EFI_ERROR (Status)) { > > return EFI_ABORTED; > > } > > > > - mFmpImageInfoBuf = AllocatePool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > + mFmpImageInfoBuf = AllocateZeroPool > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > mNumberOfFmpInstance); > > if (mFmpImageInfoBuf == NULL) { > > return EFI_OUT_OF_RESOURCES; > > } > > > > for (Index = 0; Index < mNumberOfFmpInstance; Index > > ++) { > > -- > > 2.16.2.windows.1 > > > [-- Attachment #2: Type: text/html, Size: 14824 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference 2020-03-23 7:21 ` Guomin Jiang 2020-03-23 7:40 ` Kun Qin @ 2020-03-23 16:05 ` Michael D Kinney 1 sibling, 0 replies; 8+ messages in thread From: Michael D Kinney @ 2020-03-23 16:05 UTC (permalink / raw) To: Jiang, Guomin, devel@edk2.groups.io, Xu, Wei6, Sean Brogan, Kinney, Michael D Cc: Kun Qin, Gao, Liming The BZ report indicates that an invalid point access was observed. Perhaps Sean can add the details in the BZ for which line of code generated in invalid access. https://bugzilla.tianocore.org/show_bug.cgi?id=2602 Mike > -----Original Message----- > From: Jiang, Guomin <guomin.jiang@intel.com> > Sent: Monday, March 23, 2020 12:21 AM > To: devel@edk2.groups.io; Kinney, Michael D > <michael.d.kinney@intel.com>; Xu, Wei6 > <wei6.xu@intel.com> > Cc: Kun Qin <kuqin@microsoft.com>; Gao, Liming > <liming.gao@intel.com> > Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: > Fix uninitialized pointer dereference > > Hi Xuwei, QinKun, > > Have you indeed encounter this issue or just think it > is potential issue. > > I think below code will always initialize the > mFmpImageInfoBuf[] and make sure it is valid. > Line 585 - mFmpImageInfoBuf[Index] = AllocateZeroPool > (ImageInfoSize); > > If the second GetImageInfo() is runned, I think it will > always have correct mfmpImageInfoBuf[] address. > > Of course, it is ok to use AllocateZeroPool to ensure > zero buffer is allocated. > > Thanks > > > -----Original Message----- > > From: devel@edk2.groups.io > [mailto:devel@edk2.groups.io] On Behalf Of > > Michael D Kinney > > Sent: Wednesday, March 18, 2020 11:15 PM > > To: Xu, Wei6 <wei6.xu@intel.com>; > devel@edk2.groups.io; Kinney, Michael > > D <michael.d.kinney@intel.com> > > Cc: Kun Qin <kuqin@microsoft.com>; Gao, Liming > <liming.gao@intel.com> > > Subject: Re: [edk2-devel] [PATCH] > FmpDevicePkg/FmpDxe: Fix uninitialized > > pointer dereference > > > > Reviewed-by: Michael D Kinney > <michael.d.kinney@intel.com> > > > > > -----Original Message----- > > > From: Xu, Wei6 <wei6.xu@intel.com> > > > Sent: Tuesday, March 17, 2020 11:12 PM > > > To: devel@edk2.groups.io > > > Cc: Kun Qin <kuqin@microsoft.com>; Kinney, Michael > D > > > <michael.d.kinney@intel.com>; Gao, Liming > <liming.gao@intel.com> > > > Subject: [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: > Fix uninitialized > > > pointer dereference > > > > > > From: Kun Qin <kuqin@microsoft.com> > > > > > > REF: > > > https://bugzilla.tianocore.org/show_bug.cgi?id=2602 > > > > > > Zero the allocated buffer in case GetImageInfo > `continue` in the > > > middle of a loop. This will cause unexpected > GetImageInfo failure not > > > clearing the corresponding entry and lead to GP > faults when > > > dereferencing this entry. > > > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com> > > > Cc: Liming Gao <liming.gao@intel.com> > > > Signed-off-by: Wei6 Xu <wei6.xu@intel.com> > > > --- > > > FmpDevicePkg/FmpDxe/Dependency.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > > > b/FmpDevicePkg/FmpDxe/Dependency.c > > > index 8f97c42916..65c23989c6 100644 > > > --- a/FmpDevicePkg/FmpDxe/Dependency.c > > > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > > > @@ -550,11 +550,11 @@ EvaluateImageDependencies ( > > > ); > > > if (EFI_ERROR (Status)) { > > > return EFI_ABORTED; > > > } > > > > > > - mFmpImageInfoBuf = AllocatePool > > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > > mNumberOfFmpInstance); > > > + mFmpImageInfoBuf = AllocateZeroPool > > > (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * > > mNumberOfFmpInstance); > > > if (mFmpImageInfoBuf == NULL) { > > > return EFI_OUT_OF_RESOURCES; > > > } > > > > > > for (Index = 0; Index < mNumberOfFmpInstance; > Index > > > ++) { > > > -- > > > 2.16.2.windows.1 > > > > > > ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-05-06 3:17 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-18 6:12 [edk2-devel] [PATCH] FmpDevicePkg/FmpDxe: Fix uninitialized pointer dereference Xu, Wei6
2020-03-18 15:15 ` Michael D Kinney
2020-03-23 7:21 ` Guomin Jiang
2020-03-23 7:40 ` Kun Qin
2020-03-23 8:12 ` Guomin Jiang
[not found] ` <15FEE0ADB157EE06.9780@groups.io>
2020-05-06 1:35 ` Guomin Jiang
2020-05-06 3:17 ` Xu, Wei6
2020-03-23 16:05 ` Michael D Kinney
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox