X-Received: by 2002:a05:600c:198d:b0:3c9:a5e8:add6 with SMTP id t13-20020a05600c198d00b003c9a5e8add6mr6409461wmq.110.1666651408791; Mon, 24 Oct 2022 15:43:28 -0700 (PDT) Return-Path: Received: from PC-PEDRO-ARCH.lan ([2001:8a0:7280:5801:9441:3dce:686c:bfc7]) by smtp.gmail.com with ESMTPSA id l6-20020a1c7906000000b003b497138093sm874953wme.47.2022.10.24.15.43.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Oct 2022 15:43:26 -0700 (PDT) From: "Pedro Falcato" To: devel@edk2.groups.io Cc: Pedro Falcato , Vitaly Cheptsov , =?UTF-8?q?Marvin=20H=C3=A4user?= , Michael D Kinney , Liming Gao , Zhiguang Liu Subject: [PATCH v2 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString Date: Mon, 24 Oct 2022 23:43:24 +0100 Message-Id: <20221024224324.26540-1-pedro.falcato@gmail.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe, which was able to catch these (mostly harmless) issues. Signed-off-by: Pedro Falcato Cc: Vitaly Cheptsov Cc: Marvin Häuser Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu --- MdePkg/Library/BaseLib/SafeString.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c index f338a32a3a41..77a2585ad56d 100644 --- a/MdePkg/Library/BaseLib/SafeString.c +++ b/MdePkg/Library/BaseLib/SafeString.c @@ -863,6 +863,9 @@ StrHexToUintnS ( OUT UINTN *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; ASSERT (((UINTN)String & BIT0) == 0); // @@ -893,11 +896,12 @@ StrHexToUintnS ( // Ignore leading Zeros after the spaces // while (*String == L'0') { + FoundLeadingZero = TRUE; String++; } if (CharToUpper (*String) == L'X') { - if (*(String - 1) != L'0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } 
@@ -992,6 +996,9 @@ StrHexToUint64S ( OUT UINT64 *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; ASSERT (((UINTN)String & BIT0) == 0); // @@ -1022,11 +1029,12 @@ StrHexToUint64S ( // Ignore leading Zeros after the spaces // while (*String == L'0') { + FoundLeadingZero = TRUE; String++; } if (CharToUpper (*String) == L'X') { - if (*(String - 1) != L'0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } @@ -2393,6 +2401,9 @@ AsciiStrHexToUintnS ( OUT UINTN *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; // // 1. Neither String nor Data shall be a null pointer. // @@ -2421,11 +2432,12 @@ AsciiStrHexToUintnS ( // Ignore leading Zeros after the spaces // while (*String == '0') { + FoundLeadingZero = TRUE; String++; } if (AsciiCharToUpper (*String) == 'X') { - if (*(String - 1) != '0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } @@ -2517,6 +2529,9 @@ AsciiStrHexToUint64S ( OUT UINT64 *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; // // 1. Neither String nor Data shall be a null pointer. // @@ -2545,11 +2560,12 @@ AsciiStrHexToUint64S ( // Ignore leading Zeros after the spaces // while (*String == '0') { + FoundLeadingZero = TRUE; String++; } if (AsciiCharToUpper (*String) == 'X') { - if (*(String - 1) != '0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } -- 2.38.1
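Review bot: in the `@@ -893,11 +896,12 @@ StrHexToUintnS` hunk, the removed condition `if (*(String - 1) != L'0')` is the out-of-bounds read the subject line refers to: when the zero-skipping loop did not run, `String` still points at the first non-space character, and if that is the first element of the caller's buffer the look-back dereferences one CHAR16 before it. `!FoundLeadingZero` gives the same result in every reachable case (after the `while (*String == L'0')` loop, the preceding element can only be L'0' if the loop ran at least once) without touching memory before `String`. Two small requests: add a one-line comment above the check, e.g. `// Use the flag: String may point at the start of the buffer, so *(String - 1) is not safe`, so a later cleanup does not reintroduce the look-back; and have the commit message name the trigger (an input whose first non-space character is 'x'/'X' with no preceding '0'), since "mostly harmless" does not tell a reader what the read before the buffer was.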
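Review bot: in the `@@ -863,6 +866,9 @@ StrHexToUintnS` hunk and its three counterparts, `FoundLeadingZero` is declared and then assigned `FALSE` in a separate statement rather than initialised in the declaration, which follows the EDK II convention; in the two Ascii variants the assignment lands before the `// 1. Neither String nor Data shall be a null pointer.` comment block, which is consistent with the surrounding structure. The flag is only meaningful between the zero-skipping loop and the `X` check, so a short comment at the declaration (e.g. `// TRUE once at least one leading '0' has been skipped`) would document why it exists.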
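Review bot: the same two-line change is replicated in the `StrHexToUint64S`, `AsciiStrHexToUintnS` and `AsciiStrHexToUint64S` hunks, and the four `!FoundLeadingZero` conditions match in the visible lines, but nothing in the patch exercises the fixed path. A regression case in MdePkg's BaseLib unit tests that passes a string whose first character is 'X' (no leading zero, no leading spaces) to each of the four functions and checks for `RETURN_SUCCESS` with `*Data == 0` would lock in the behaviour the patch preserves; under an ASAN build, that input is exactly what made the old look-back read one element before the buffer.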