From: "Heinrich Schuchardt" <xypron.glpk@gmx.de>
To: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>,
Eric Jin <eric.jin@intel.com>,
G Edhaya Chandran <Edhaya.Chandran@arm.com>,
EDK II Development <devel@edk2.groups.io>
Cc: Grant Likely <grant.likely@arm.com>,
Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: [PATCH 1/1] uefi-sct/SctPkg: NULL deref in DevicePathToText test
Date: Thu, 29 Oct 2020 21:01:42 +0100
Message-ID: <20201029200142.10743-1-xypron.glpk@gmx.de>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3029

Function DevicePathToTextConvertDeviceNodeToTextCoverageTest() tests if
DeviceNodeToText() correctly converts a Relative Offset Range node. After
calling SctConvertTextToDeviceNode() it tries to set the field Reserved
of the returned device node to 0.

If the tested firmware does not return the expected text
SctConvertTextToDeviceNode() may return NULL or a device node that is
shorter than expected. In both cases it is not possible to access the
field Reserved.

So we must check both that the returned node is not NULL and that it has
the expected size.

Due to the missing check a NULL dereference was observed when running the
SCT on U-Boot.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
.../BlackBoxTest/DevicePathToTextBBTestCoverage.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c
index ee91bdfb..784d4748 100644
--- a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c
+++ b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c
@@ -1198,8 +1198,12 @@ DevicePathToTextConvertDeviceNodeToTextCoverageTest (
((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode1)->EndingOffset = 0x1234;
Text = DevicePathToText->ConvertDeviceNodeToText (pDeviceNode1, FALSE, FALSE);
pDeviceNode2 = SctConvertTextToDeviceNode(Text);
- ((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode2)->Reserved = 0;
-
+ SctPrint(L"pDeviceNode2 = %p\n", pDeviceNode2);
+ if (pDeviceNode2 &&
+ ((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode2)->Length ==
+ sizeof(MEDIA_OFFSET_DEVICE_PATH)) {
+ ((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode2)->Reserved = 0;
+ }
if ((pDeviceNode2 != NULL) && (SctCompareMem (pDeviceNode2, pDeviceNode1, SctDevicePathNodeLength(pDeviceNode1)) == 0)) {
AssertionType = EFI_TEST_ASSERTION_PASSED;
} else {
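Review bot: the new length check guards only the Reserved write; the unchanged comparison just below it still passes SctDevicePathNodeLength(pDeviceNode1) to SctCompareMem, so when pDeviceNode2 is shorter than expected (the second case the commit message describes) the compare can still read beyond the returned node. Consider moving the compare inside the guarded block, or setting the failed assertion up front when the length does not match. The added SctPrint(L"pDeviceNode2 = %p\n", pDeviceNode2) at the top of the hunk looks like leftover debug output and is not mentioned in the commit message; it could be dropped. The length test also reads ->Length directly while the context line uses SctDevicePathNodeLength(); calling the helper on pDeviceNode2 would keep the two checks consistent.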
--
2.28.0