From: Andrew Fish <afish@apple.com>
Date: Thu, 25 Aug 2016 09:20:24 -0700
To: "Carsey, Jaben"
Cc: edk2-devel, "Ni, Ruiyu"
Message-id: <4779EDDB-FD2C-47FD-A447-EC4D7EBBB09A@apple.com>
Subject: Re: I found a fun bug in the Shell today. Looks like we have been getting lucky?
> On Aug 25, 2016, at 9:17 AM, Carsey, Jaben wrote:
>
> Doh! Thanks! I didn't realize that was the bug. I will have to finally learn that server's name one of these days...
>

No worries, I thought the URL would be more obvious; I should have labeled it.

Thanks,

Andrew Fish

>> -----Original Message-----
>> From: afish@apple.com [mailto:afish@apple.com]
>> Sent: Thursday, August 25, 2016 9:08 AM
>> To: Carsey, Jaben
>> Cc: edk2-devel; Ni, Ruiyu
>> Subject: Re: [edk2] I found a fun bug in the Shell today. Looks like we have
>> been getting lucky?
>> Importance: High
>>
>>
>>> On Aug 25, 2016, at 9:05 AM, Carsey, Jaben wrote:
>>>
>>> Andrew,
>>>
>>> Can you file a Bugzilla issue so we can track this issue properly?
>>>
>>
>> Jaben,
>>
>> I attached the URL at the end of the original mail:
>> https://tianocore.acgmultimedia.com/show_bug.cgi?id=105
>>
>> Thanks,
>>
>> Andrew Fish
>>
>>> -Jaben
>>>
>>>> -----Original Message-----
>>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
>>>> Andrew Fish
>>>> Sent: Wednesday, August 24, 2016 6:26 PM
>>>> To: edk2-devel
>>>> Subject: Re: [edk2] I found a fun bug in the Shell today. Looks like we have
>>>> been getting lucky?
>>>> Importance: High
>>>>
>>>>
>>>>> On Aug 24, 2016, at 5:59 PM, Andrew Fish wrote:
>>>>>
>>>>> I was tracking down a data corruption issue when paging was enabled on an
>>>>> edk2 shell command. The crash was in a custom ConSplitter overwriting a DXE
>>>>> Core data structure. The buffer overflow seemed to be caused by the
>>>>> Console getting confused on the location of the end of the screen. I set a
>>>>> watchpoint on gST->ConOut->Mode->CursorRow and found the shell was
>>>>> the one corrupting the Mode data.
>>>>>
>>>>> UEFI Spec: The following data values in the SIMPLE_TEXT_OUTPUT_MODE
>>>>> interface are read-only and are changed by using the appropriate interface
>>>>> functions:
>>>>>
>>>>> (master)>git grep "OurConOut.Mode"
>>>>> Application/Shell/ConsoleLogger.c:72:    (*ConsoleInfo)->OurConOut.Mode = gST->ConOut->Mode;
>>>>> Application/Shell/ConsoleLogger.c:647://  ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorRow = 0;
>>>>> Application/Shell/ConsoleLogger.c:648://  ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
>>>>> Application/Shell/ConsoleLogger.c:704:    if (ConsoleInfo->OurConOut.Mode->CursorColumn > 0) {
>>>>> Application/Shell/ConsoleLogger.c:705:      ConsoleInfo->OurConOut.Mode->CursorColumn--;
>>>>> Application/Shell/ConsoleLogger.c:734:    ConsoleInfo->OurConOut.Mode->CursorRow++;
>>>>> Application/Shell/ConsoleLogger.c:741:    ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
>>>>> Application/Shell/ConsoleLogger.c:747:    ConsoleInfo->OurConOut.Mode->CursorColumn++;
>>>>> Application/Shell/ConsoleLogger.c:751:    if ((INTN)ConsoleInfo->ColsPerScreen == ConsoleInfo->OurConOut.Mode->CursorColumn + 1) {
>>>>> Application/Shell/ConsoleLogger.c:781:    ConsoleInfo->OurConOut.Mode->CursorRow++;
>>>>> Application/Shell/ConsoleLogger.c:782:    ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
>>>>> Application/Shell/ConsoleLogger.c:976:    ConsoleInfo->OurConOut.Mode = ConsoleInfo->OldConOut->Mode;
>>>>>
>>>>>
>>>>> I'm not exactly sure what this code is trying to do, as the console should
>>>>> update the Mode structure directly? Maybe the intent was to have a copy of
>>>>> gST->ConOut->Mode and keep it in sync? It seems like this should cause
>>>>> more issues, but maybe the edk2 ConSplitter is not broken by this behavior
>>>>> and we are getting lucky?
>>>>>
>>>>
>>>> I forgot to mention that setting the Mode->CursorRow in the console code
>>>> back to the last row if it was larger looks like it hides this bug in the shell.
>>>>
>>>> Thanks,
>>>>
>>>> Andrew Fish
>>>>
>>>>
>>>>> Thanks,
>>>>>
>>>>> Andrew Fish
>>>>>
>>>>> https://tianocore.acgmultimedia.com/show_bug.cgi?id=105
>>>>> _______________________________________________
>>>>> edk2-devel mailing list
>>>>> edk2-devel@lists.01.org
>>>>> https://lists.01.org/mailman/listinfo/edk2-devel
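As an added illustration (not code from this thread or from EDK2), a simplified C model of the aliasing Andrew describes: a logger whose Mode pointer aliases the console's own SIMPLE_TEXT_OUTPUT_MODE writes cursor rows past the end of a 25-row screen straight into the console's read-only data, while a logger that keeps a private copy leaves the console untouched; the row clamp models the console-side workaround mentioned above. The struct layouts, the Console and Logger types, and all function names are assumptions for this model, not EDK2 APIs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified stand-in for EFI_SIMPLE_TEXT_OUTPUT_MODE (assumption: only the
 * two cursor fields the shell's ConsoleLogger touches; not the EDK2 header). */
typedef struct { int32_t CursorColumn; int32_t CursorRow; } TextOutputMode;

/* Minimal console: owns its Mode (what gST->ConOut->Mode points at) and the
 * screen size that its screen-buffer arithmetic depends on. */
typedef struct { TextOutputMode Storage; TextOutputMode *Mode; int32_t Rows, Cols; } Console;

/* Shell-side logger state mirroring the OurConOut.Mode pointer in ConsoleLogger.c. */
typedef struct { TextOutputMode *Mode; TextOutputMode Copy; } Logger;

/* Buggy wiring (the ConsoleLogger.c:72 pattern): the logger's Mode aliases the
 * console's read-only Mode, so every increment below lands in the console. */
void logger_init_aliased(Logger *L, Console *C) { L->Mode = C->Mode; }

/* Safe wiring: snapshot the console Mode and track position in private storage. */
void logger_init_copy(Logger *L, Console *C) { L->Copy = *C->Mode; L->Mode = &L->Copy; }

/* Logger advancing its cursor over n newlines, as ConsoleLogger.c:734/741 do. */
void logger_newlines(Logger *L, int n) {
    for (int i = 0; i < n; i++) { L->Mode->CursorRow++; L->Mode->CursorColumn = 0; }
}

/* Console-side invariant: a cursor at or past Rows/Cols means the console's
 * notion of the end of the screen was corrupted from outside. */
bool console_cursor_on_screen(const Console *C) {
    return C->Mode->CursorRow >= 0 && C->Mode->CursorRow < C->Rows &&
           C->Mode->CursorColumn >= 0 && C->Mode->CursorColumn < C->Cols;
}

/* Workaround from the thread: the console pulls an oversized row back to the last row. */
void console_clamp_row(Console *C) {
    if (C->Mode->CursorRow >= C->Rows) C->Mode->CursorRow = C->Rows - 1;
}

/* Drive a 25x80 console through a logger emitting `newlines` line breaks and
 * return the console's own CursorRow afterwards (stays 0 when the logger uses a copy). */
int32_t console_row_after_logging(bool aliased, int newlines, bool clamp) {
    Console C = { .Storage = {0, 0}, .Rows = 25, .Cols = 80 };
    C.Mode = &C.Storage;
    Logger L;
    if (aliased) logger_init_aliased(&L, &C); else logger_init_copy(&L, &C);
    logger_newlines(&L, newlines);
    if (clamp) console_clamp_row(&C);
    return C.Mode->CursorRow;
}
```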