From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wr1-f65.google.com (mail-wr1-f65.google.com [209.85.221.65])
 by mx.groups.io with SMTP id smtpd.web10.3545.1593657102453736750
 for <devel@edk2.groups.io>;
 Wed, 01 Jul 2020 19:31:43 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@broadcom.com header.s=google header.b=a4iHGcBu;
 spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: broadcom.com, ip: 209.85.221.65, mailfrom: vladimir.olovyannikov@broadcom.com)
Received: by mail-wr1-f65.google.com with SMTP id b6so26164033wrs.11
        for <devel@edk2.groups.io>; Wed, 01 Jul 2020 19:31:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=broadcom.com; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=Il7n0NEXrXKSyQZ56S0fBfwNeWLWgy2luUXE5blFsfE=;
        b=a4iHGcBuBM8/4im5VLK5GIKNEWti8S4/ri8a+vt9OKKuT5u7GN5qqWp9olgru0UN66
         hWclSPj/TbUYeCCjG/kASV1uSWe8Mu8nfi7RGsae6imIdVgAiZU6eWWTlBwBiJrK6m0W
         O56p7XHD8FirwhkEfVxRolkmgbvFCbJdgfof8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=Il7n0NEXrXKSyQZ56S0fBfwNeWLWgy2luUXE5blFsfE=;
        b=DNZed7NiuVvEKMcrlsOxqp89xf5A8olLcRMw73XkHY/cDVm5dTpLexyQ1aZUaixH95
         aOl/YIJz9JEM1pJPDvsF/+eu6BWpJsB/RyySHpBN+r0whDnIzzPxiYSw8nCcCnYJ7AjV
         tMEmZcrDxFFFQEpR8wFhB18BFWHNA1wc5RfqtA9xeYSzLCtkUshsXfDeW+iH3nOjYzpW
         4rWdzrD1d7LAqlgqnOYCbxomIqz7wy8bhtuEcPhSe2p7zkv+sIuQCmZlM4JFkGl8aI9R
         WiLdJL28xrgEEr1srm/PqNkHssuDEVtmwFuJlqTdGIpTJCSKdG1aTGK26RHj0Ywgn3ic
         Azeg==
X-Gm-Message-State: AOAM531lmN/FXFqpyWxzD5E3kFgEVJB/l5kNK1BCYckjWjj5F0cFmJ7p
	SibWtBBFv9fpFqzLuZaWlWo+X91efuD2JQ36raVSey5QfH9prlN0nZZ1H/JLFdJXFu3HhmvTELF
	f4SGgeJyJtgeE1k7NDeHlakaG9tzPzno3fsaO+6TAYjnr3CBu+WidZ45OGb+W4fMdUmhUh+Q+gp
	8Zu/TsYD+d
X-Google-Smtp-Source: ABdhPJw7sty40AFHtNlkplIAnZ65F9ZW4HWsafilkCItSaOfbQexv7VHlnyTecmIryy8m0LZgEHwyQ==
X-Received: by 2002:adf:c382:: with SMTP id p2mr28833528wrf.283.1593657100546;
        Wed, 01 Jul 2020 19:31:40 -0700 (PDT)
Return-Path: <vladimir.olovyannikov@broadcom.com>
Received: from LBRMN-LNXUB114.ric.broadcom.net ([192.19.228.250])
        by smtp.gmail.com with ESMTPSA id a22sm8614006wmb.4.2020.07.01.19.31.38
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 01 Jul 2020 19:31:39 -0700 (PDT)
From: "Vladimir Olovyannikov" <vladimir.olovyannikov@broadcom.com>
To: devel@edk2.groups.io
Cc: Vladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>,
	Michael D Kinney <michael.d.kinney@intel.com>,
	Liming Gao <liming.gao@intel.com>,
	Zhiguang Liu <zhiguang.liu@intel.com>
Subject: [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer overrun in FileHandleReadLine()
Date: Wed,  1 Jul 2020 19:31:13 -0700
Message-Id: <20200702023113.10517-1-vladimir.olovyannikov@broadcom.com>
X-Mailer: git-send-email 2.26.2.266.ge870325ee8
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

If the size of the supplied buffer in FileHandleReadLine(), module
UefiFileHandleLib.c, was not 0, but was not enough to fit in
the line, the size is increased, and then the Buffer of the new
size is zeroed. This size is always larger than the supplied buffer size,
causing supplied buffer overrun. Fix the issue by using the
supplied buffer size in ZeroMem().

Signed-off-by: Vladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
---
 MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c b/MdePkg/=
Library/UefiFileHandleLib/UefiFileHandleLib.c
index 28e28e5f67d5..ab34e6ccd5f4 100644
--- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
+++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
@@ -969,6 +969,7 @@ FileHandleReadLine(
   UINTN       CharSize;=0D
   UINTN       CountSoFar;=0D
   UINTN       CrCount;=0D
+  UINTN       OldSize;=0D
   UINT64      OriginalFilePosition;=0D
 =0D
   if (Handle =3D=3D NULL=0D
@@ -1039,10 +1040,11 @@ FileHandleReadLine(
   // if we ran out of space tell when...=0D
   //=0D
   if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){=0D
+    OldSize =3D *Size;=0D
     *Size =3D (CountSoFar+1-CrCount)*sizeof(CHAR16);=0D
     if (!Truncate) {=0D
-      if (Buffer !=3D NULL && *Size !=3D 0) {=0D
-        ZeroMem(Buffer, *Size);=0D
+      if (Buffer !=3D NULL && OldSize !=3D 0) {=0D
+        ZeroMem(Buffer, OldSize);=0D
       }=0D
       FileHandleSetPosition(Handle, OriginalFilePosition);=0D
       return (EFI_BUFFER_TOO_SMALL);=0D
--=20
2.26.2.266.ge870325ee8