From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 411B521A16EEF for ; Fri, 19 May 2017 00:31:26 -0700 (PDT) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 May 2017 00:31:25 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.38,363,1491289200"; d="scan'208";a="1171576166" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by fmsmga002.fm.intel.com with ESMTP; 19 May 2017 00:31:25 -0700 Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 19 May 2017 00:31:25 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.246]) by SHSMSX151.ccr.corp.intel.com ([169.254.3.224]) with mapi id 14.03.0319.002; Fri, 19 May 2017 15:31:15 +0800 From: "Fan, Jeff" To: "Ni, Ruiyu" , "edk2-devel@lists.01.org" CC: "Shi, Steven" , "Zeng, Star" Thread-Topic: [PATCH v2] MdeModulePkg/BDS: Fix a buffer overflow bug Thread-Index: AQHS0HEn0emsOEVZh0KKnV1AR80CqKH7QsBw Date: Fri, 19 May 2017 07:31:14 +0000 Message-ID: <542CF652F8836A4AB8DBFAAD40ED192A4C5E52A4@shsmsx102.ccr.corp.intel.com> References: <20170519072538.34664-1-ruiyu.ni@intel.com> In-Reply-To: <20170519072538.34664-1-ruiyu.ni@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYjhmZjRlMDQtZjM5Ni00YWIxLTgxNTYtZmI4M2MzNmVjNjg5IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE1LjkuNi42IiwiVHJ1c3RlZExhYmVsSGFzaCI6ImdreFwvdWJUa1wvbWZncWhraXVYUUpjc1lYeFZPNFprSGdVaUFIYVdVZHF1OD0ifQ== x-ctpclassification: CTP_IC x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2] MdeModulePkg/BDS: Fix a buffer overflow bug X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 07:31:26 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jeff Fan -----Original Message----- From: Ni, Ruiyu=20 Sent: Friday, May 19, 2017 3:26 PM To: edk2-devel@lists.01.org Cc: Shi, Steven; Zeng, Star; Fan, Jeff Subject: [PATCH v2] MdeModulePkg/BDS: Fix a buffer overflow bug KeyOption points to a buffer holding the content of Key####. So its size is smaller than EFI_BOOT_MANAGER_KEY_OPTION. Old code to assign value to KeyOption->OptionNumber modifies the memory out= side of the KeyOption buffer. The patch fixes this bug. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ruiyu Ni Cc: Steven Shi Cc: Star Zeng Cc: Jeff Fan --- MdeModulePkg/Library/UefiBootManagerLib/BmHotkey.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmHotkey.c b/MdeModule= Pkg/Library/UefiBootManagerLib/BmHotkey.c index 0f2e677c8a..efad073880 100644 --- a/MdeModulePkg/Library/UefiBootManagerLib/BmHotkey.c +++ b/MdeModulePkg/Library/UefiBootManagerLib/BmHotkey.c @@ -42,7 +42,7 @@ VOID *mBmTxtInExRegistration =3D= NULL; **/ UINTN BmSizeOfKeyOption ( - EFI_BOOT_MANAGER_KEY_OPTION *KeyOption + IN CONST EFI_BOOT_MANAGER_KEY_OPTION *KeyOption ) { return OFFSET_OF (EFI_BOOT_MANAGER_KEY_OPTION, Keys) @@ -61,8 +61,8 @@ B= mSizeOfKeyOption ( **/ BOOLEAN BmIsKeyOptionValid ( - IN EFI_BOOT_MANAGER_KEY_OPTION *KeyOption, - IN UINTN KeyOptionSize + IN CONST EFI_BOOT_MANAGER_KEY_OPTION *KeyOption, + IN UINTN KeyOptionSize ) { UINT16 OptionName[BM_OPTION_NAME_LEN]; @@ -158,16 +158,15 @@ BmCollectKeyOptions ( { UINTN Index; BM_COLLECT_KEY_OPTIONS_PARAM *Param; - EFI_BOOT_MANAGER_KEY_OPTION *KeyOption; + VOID *KeyOption; UINT16 OptionNumber; UINTN KeyOptionSize; =20 Param =3D (BM_COLLECT_KEY_OPTIONS_PARAM *) Context; =20 if (BmIsKeyOptionVariable (Name, Guid, &OptionNumber)) { - GetEfiGlobalVariable2 (Name, (VOID**) &KeyOption, &KeyOptionSize); + GetEfiGlobalVariable2 (Name, &KeyOption, &KeyOptionSize); ASSERT (KeyOption !=3D NULL); - KeyOption->OptionNumber =3D OptionNumber; if (BmIsKeyOptionValid (KeyOption, KeyOptionSize)) { Param->KeyOptions =3D ReallocatePool ( Param->KeyOptionCount * sizeof (EFI_BOOT_MANAG= ER_KEY_OPTION), @@ -179,12 +178,13 @@ BmCollectKeyOptions ( // Insert the key option in order // for (Index =3D 0; Index < Param->KeyOptionCount; Index++) { - if (KeyOption->OptionNumber < Param->KeyOptions[Index].OptionNumbe= r) { + if (OptionNumber < Param->KeyOptions[Index].OptionNumber) { break; } } CopyMem (&Param->KeyOptions[Index + 1], &Param->KeyOptions[Index], (= Param->KeyOptionCount - Index) * sizeof (EFI_BOOT_MANAGER_KEY_OPTION)); - CopyMem (&Param->KeyOptions[Index], KeyOption, BmSizeOfKeyOption (Ke= yOption)); + CopyMem (&Param->KeyOptions[Index], KeyOption, KeyOptionSize); + Param->KeyOptions[Index].OptionNumber =3D OptionNumber; Param->KeyOptionCount++; } FreePool (KeyOption); -- 2.12.2.windows.2