From: "Heinrich Schuchardt"
To: Samer El-Haj-Mahmoud, Eric Jin, G Edhaya Chandran, EDK II Development
Cc: Grant Likely, Heinrich Schuchardt
Subject: [PATCH 1/1] uefi-sct/SctPkg: NULL deref in DevicePathToText test
Date: Thu, 29 Oct 2020 21:01:42 +0100
Message-Id: <20201029200142.10743-1-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.28.0

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3029

Function DevicePathToTextConvertDeviceNodeToTextCoverageTest() tests if
DeviceNodeToText() correctly converts a Relative Offset Range node. After
calling SctConvertTextToDeviceNode() it tries to set the field Reserved of
the returned device node to 0.
If the tested firmware does not return the expected text
SctConvertTextToDeviceNode() may return NULL or a device node that is
shorter than expected. In both cases it is not possible to access the
field Reserved. So we must check both that the returned node is not NULL
and that it has the expected size.

Due to the missing check a NULL dereference was observed when running
the SCT on U-Boot.

Signed-off-by: Heinrich Schuchardt
---
 .../BlackBoxTest/DevicePathToTextBBTestCoverage.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c
index ee91bdfb..784d4748 100644
--- a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c
+++ b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/DevicePathToText/BlackBoxTest/DevicePathToTextBBTestCoverage.c
@@ -1198,8 +1198,12 @@ DevicePathToTextConvertDeviceNodeToTextCoverageTest (
   ((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode1)->EndingOffset = 0x1234;
   Text = DevicePathToText->ConvertDeviceNodeToText (pDeviceNode1, FALSE, FALSE);
   pDeviceNode2 = SctConvertTextToDeviceNode(Text);
-  ((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode2)->Reserved = 0;
-
+  SctPrint(L"pDeviceNode2 = %p\n", pDeviceNode2);
+  if (pDeviceNode2 &&
+      ((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode2)->Length ==
+      sizeof(MEDIA_OFFSET_DEVICE_PATH)) {
+    ((MEDIA_OFFSET_DEVICE_PATH *)pDeviceNode2)->Reserved = 0;
+  }
   if ((pDeviceNode2 != NULL) && (SctCompareMem (pDeviceNode2, pDeviceNode1, SctDevicePathNodeLength(pDeviceNode1)) == 0)) {
     AssertionType = EFI_TEST_ASSERTION_PASSED;
   } else {
-- 
2.28.0
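Review bot: the new guard only protects the write to Reserved; the comparison that follows it still calls SctCompareMem with SctDevicePathNodeLength(pDeviceNode1) as the length whenever pDeviceNode2 is non-NULL, so a node that came back shorter than expected is read past its end before the assertion is marked failed. Consider folding the length check into that condition, e.g. `if ((pDeviceNode2 != NULL) && (SctDevicePathNodeLength(pDeviceNode2) == SctDevicePathNodeLength(pDeviceNode1)) && (SctCompareMem (pDeviceNode2, pDeviceNode1, SctDevicePathNodeLength(pDeviceNode1)) == 0))`, so a mismatched node fails cleanly without being compared over the larger size. Two smaller points on the same lines: the check reads `->Length` through the MEDIA_OFFSET_DEVICE_PATH cast, while the line below obtains the same quantity with SctDevicePathNodeLength(); using the helper for pDeviceNode2 as well keeps the two in step and does not depend on how the struct exposes the two-byte Length field of the generic node header. And `SctPrint(L"pDeviceNode2 = %p\n", pDeviceNode2);` reads like a debugging aid left in; drop it or move it under the failure branch so a passing run does not log a pointer.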
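The failure mode the commit message describes (a text-to-node conversion that hands back NULL, or a node shorter than the struct the test is about to write through) is easy to reproduce outside the SCT. The example below is added here and is not SctPkg code: the struct and function names (DP_HEADER, OFFSET_RANGE_NODE, node_length, clear_reserved_checked, nodes_equal) are hypothetical, but the layout follows the UEFI device path node format, where every node starts with a 4-byte header whose Length is a little-endian two-byte array and a Relative Offset Range node is Media type 0x04, sub-type 0x08. It goes one step beyond the patch by also bounding the byte-wise comparison by the encoded node length, so a truncated node is rejected rather than over-read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not SctPkg code. Minimal stand-ins for the UEFI device
 * path node layout: a 4-byte generic header whose Length is a little-endian
 * two-byte array, followed by the Relative Offset Range payload. The struct
 * names are hypothetical; the field layout matches the UEFI spec.
 */
typedef struct {
    uint8_t Type;
    uint8_t SubType;
    uint8_t Length[2];
} DP_HEADER;

typedef struct {
    DP_HEADER Header;
    uint32_t  Reserved;
    uint64_t  StartingOffset;
    uint64_t  EndingOffset;
} OFFSET_RANGE_NODE;          /* 24 bytes, no padding on common ABIs */

#define MEDIA_DEVICE_PATH              0x04
#define MEDIA_RELATIVE_OFFSET_RANGE_DP 0x08

/* Node length as encoded by whoever produced the node: read the two
 * header bytes rather than trusting sizeof() of a struct we cast to. */
uint16_t node_length(const void *node)
{
    const DP_HEADER *h = node;
    return (uint16_t)(h->Length[0] | (h->Length[1] << 8));
}

/* Clear Reserved only when the node exists, is of the expected
 * type/sub-type and has exactly the length of the struct we write
 * through. Returns false when the node cannot safely be treated as
 * an OFFSET_RANGE_NODE (NULL, wrong kind, or truncated). */
bool clear_reserved_checked(void *node)
{
    if (node == NULL)
        return false;
    const DP_HEADER *h = node;
    if (h->Type != MEDIA_DEVICE_PATH || h->SubType != MEDIA_RELATIVE_OFFSET_RANGE_DP)
        return false;
    if (node_length(node) != sizeof(OFFSET_RANGE_NODE))
        return false;
    ((OFFSET_RANGE_NODE *)node)->Reserved = 0;
    return true;
}

/* Byte-wise compare that never reads past the shorter node: the
 * encoded lengths must agree before memcmp is meaningful. */
bool nodes_equal(const void *a, const void *b)
{
    if (a == NULL || b == NULL)
        return false;
    uint16_t la = node_length(a);
    if (la != node_length(b))
        return false;
    return memcmp(a, b, la) == 0;
}

/* Constructed sample input: a well-formed Relative Offset Range node
 * with the same 0x1234 EndingOffset the SCT test uses. */
void make_offset_node(OFFSET_RANGE_NODE *n, uint32_t reserved)
{
    memset(n, 0, sizeof *n);
    n->Header.Type      = MEDIA_DEVICE_PATH;
    n->Header.SubType   = MEDIA_RELATIVE_OFFSET_RANGE_DP;
    n->Header.Length[0] = (uint8_t)sizeof *n;   /* 24 */
    n->Header.Length[1] = 0;
    n->Reserved         = reserved;
    n->EndingOffset     = 0x1234;
}

/* Walk the three outcomes the commit message describes. Returns the
 * number of checks that behaved unexpectedly (0 means all good). */
int run_round_trip_checks(void)
{
    int bad = 0;
    OFFSET_RANGE_NODE expected, got;
    make_offset_node(&expected, 0);
    make_offset_node(&got, 0xDEADBEEF);   /* parser left junk in Reserved */

    /* 1. Good round trip: Reserved is cleared and the nodes compare equal. */
    bad += !clear_reserved_checked(&got);
    bad += !nodes_equal(&expected, &got);

    /* 2. Text-to-node failed: NULL must not be dereferenced. */
    bad += clear_reserved_checked(NULL);
    bad += nodes_equal(&expected, NULL);

    /* 3. Parser returned a 4-byte node with the right type/sub-type but a
     *    short length: neither the write nor the compare may touch
     *    bytes 4..23, which do not exist. */
    uint8_t truncated[4] = { MEDIA_DEVICE_PATH, MEDIA_RELATIVE_OFFSET_RANGE_DP, 4, 0 };
    bad += clear_reserved_checked(truncated);
    bad += nodes_equal(&expected, truncated);
    return bad;
}

int main(void)
{
    int bad = run_round_trip_checks();
    printf("%s (%d unexpected)\n", bad ? "FAIL" : "PASS", bad);
    return bad ? 1 : 0;
}
```

The length used for both the write and the compare comes from the node's own header bytes, not from sizeof() of the struct the caller chose to cast to; that is the property that keeps a short node from being over-read in either place.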