From: Pedro Falcato
To: devel@edk2.groups.io
Cc: Pedro Falcato, Vitaly Cheptsov, Marvin Häuser, Michael D Kinney, Liming Gao, Zhiguang Liu, Jiewen Yao
Subject: [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
Date: Thu, 3 Nov 2022 01:11:49 +0000
Message-Id: <20221103011149.659815-1-pedro.falcato@gmail.com>
X-Mailer: git-send-email 2.38.1

There was an OOB access in *StrHexTo* functions, when passed strings like "XDEADBEEF". OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe, which was able to catch these (mostly harmless) issues.

Cc: Vitaly Cheptsov
Cc: Marvin Häuser
Cc: Michael D Kinney
Cc: Liming Gao
Cc: Zhiguang Liu
Signed-off-by: Pedro Falcato
Acked-by: Michael D Kinney
Reviewed-by: Jiewen Yao
---
 MdePkg/Library/BaseLib/SafeString.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c
index f338a32a3a41..b75b33381732 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -863,6 +863,9 @@ StrHexToUintnS ( OUT UINTN *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; ASSERT (((UINTN)String & BIT0) == 0); //
@@ -892,12 +895,14 @@ StrHexToUintnS ( // // Ignore leading Zeros after the spaces // + + FoundLeadingZero = *String == L'0'; while (*String == L'0') { String++; } if (CharToUpper (*String) == L'X') { - if (*(String - 1) != L'0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } @@ -992,6 +997,9 @@ StrHexToUint64S ( OUT UINT64 *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; ASSERT (((UINTN)String & BIT0) == 0); // @@ -1021,12 +1029,13 @@ StrHexToUint64S ( // // Ignore leading Zeros after the spaces // + FoundLeadingZero = *String == L'0'; while (*String == L'0') { String++; } if (CharToUpper (*String) == L'X') { - if (*(String - 1) != L'0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } @@ -2393,6 +2402,9 @@ AsciiStrHexToUintnS ( OUT UINTN *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; // // 1. Neither String nor Data shall be a null pointer. // @@ -2420,12 +2432,13 @@ AsciiStrHexToUintnS ( // // Ignore leading Zeros after the spaces // + FoundLeadingZero = *String == '0'; while (*String == '0') { String++; } if (AsciiCharToUpper (*String) == 'X') { - if (*(String - 1) != '0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } @@ -2517,6 +2530,9 @@ AsciiStrHexToUint64S ( OUT UINT64 *Data ) { + BOOLEAN FoundLeadingZero; + + FoundLeadingZero = FALSE; // // 1. Neither String nor Data shall be a null pointer. // @@ -2544,12 +2560,13 @@ AsciiStrHexToUint64S ( // // Ignore leading Zeros after the spaces // + FoundLeadingZero = *String == '0'; while (*String == '0') { String++; } if (AsciiCharToUpper (*String) == 'X') { - if (*(String - 1) != '0') { + if (!FoundLeadingZero) { *Data = 0; return RETURN_SUCCESS; } -- 2.38.1
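Review bot: In the @@ -892,12 +895,14 @@ StrHexToUintnS hunk the new assignment is preceded by an extra empty `+` line that the matching hunks in StrHexToUint64S, AsciiStrHexToUintnS and AsciiStrHexToUint64S do not add (this hunk grows by two lines, the other three by one), so the four otherwise identical functions end up with different spacing; drop the blank line so they stay in lockstep. While there, `FoundLeadingZero = (*String == L'0');` with the comparison parenthesised reads more clearly than the bare assignment, and the same applies to the three sibling hunks.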
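Review bot: The `if (!FoundLeadingZero)` check in the @@ -1021,12 +1029,13 @@ StrHexToUint64S hunk (and in its three siblings) has no comment saying why the flag replaced `*(String - 1) != L'0'`: the old expression dereferenced the element before `String` whenever the first non-space character was an 'X', which for an input such as the "XDEADBEEF" named in the commit message is one element before the caller's buffer, whereas the flag records the same fact (was the first non-space character a '0') without reading outside the string. A one-line comment above the check would stop a later cleanup from "simplifying" it back to the pointer read.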
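Review bot: No regression test accompanies the final @@ -2544,12 +2560,13 @@ AsciiStrHexToUint64S hunk or the series as a whole. The commit message already names the input that ASAN flagged ("XDEADBEEF"), so a unit test that feeds that string and its "0x"-prefixed counterpart to each of the four fixed functions and checks the returned status and `*Data` would pin down both the fix and the unchanged parsing behaviour, and under a sanitizer build would catch this class of one-element read before the buffer if it reappears.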