From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Vladimir Olovyannikov"
To: devel@edk2.groups.io
Cc: Vladimir Olovyannikov, Michael D Kinney, Liming Gao, Zhiguang Liu
Subject: [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer overrun in FileHandleReadLine()
Date: Wed, 1 Jul 2020 19:31:13 -0700
Message-Id: <20200702023113.10517-1-vladimir.olovyannikov@broadcom.com>
X-Mailer: git-send-email 2.26.2.266.ge870325ee8
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

If the size of the supplied buffer in FileHandleReadLine(), module UefiFileHandleLib.c, was not 0, but was not enough to fit in the line, the size is increased, and then the Buffer of the new size is zeroed. This size is always larger than the supplied buffer size, causing supplied buffer overrun. Fix the issue by using the supplied buffer size in ZeroMem().

Signed-off-by: Vladimir Olovyannikov
Cc: Michael D Kinney
Cc: Liming Gao
Cc: Zhiguang Liu
--- MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c b/MdePkg/= Library/UefiFileHandleLib/UefiFileHandleLib.c index 28e28e5f67d5..ab34e6ccd5f4 100644 --- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c +++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c @@ -969,6 +969,7 @@ FileHandleReadLine( UINTN CharSize;=0D UINTN CountSoFar;=0D UINTN CrCount;=0D + UINTN OldSize;=0D UINT64 OriginalFilePosition;=0D =0D if (Handle =3D=3D NULL=0D 
@@ -1039,10 +1040,11 @@ FileHandleReadLine( // if we ran out of space tell when...=0D //=0D if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){=0D + OldSize =3D *Size;=0D *Size =3D (CountSoFar+1-CrCount)*sizeof(CHAR16);=0D if (!Truncate) {=0D - if (Buffer !=3D NULL && *Size !=3D 0) {=0D - ZeroMem(Buffer, *Size);=0D + if (Buffer !=3D NULL && OldSize !=3D 0) {=0D + ZeroMem(Buffer, OldSize);=0D }=0D FileHandleSetPosition(Handle, OriginalFilePosition);=0D return (EFI_BUFFER_TOO_SMALL);=0D --=20 2.26.2.266.ge870325ee8
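Review bot: In the second hunk, `*Size` is raised to the required length before the `if (!Truncate)` test, so any code on the `Truncate` path that still uses `*Size` as a bound on `Buffer` sees the enlarged value, just as the old `ZeroMem(Buffer, *Size)` did. That path is outside the visible context and should be checked, with `OldSize` used there as well if it writes to `Buffer`. It would also help to add a short comment at `OldSize = *Size;` stating that it holds the caller's buffer size in bytes and is the only safe bound for `Buffer` from that point on, and to give it a name that says so (for example `CallerSize`, a suggested name).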