From: Philippe Mathieu-Daudé
To: Pete Batard, devel@edk2.groups.io
Cc: ard.biesheuvel@linaro.org, leif.lindholm@linaro.org
Subject: Re: [edk2-platforms][PATCH 1/1] Platform/RPi: Prevent buffer over-read when the command line is empty
Date: Mon, 4 Nov 2019 17:27:08 +0100
Message-ID: <6a212357-4938-8950-4681-08523910c60f@redhat.com>
In-Reply-To: <20191104160617.11036-1-pete@akeo.ie>

On 11/4/19 5:06 PM, Pete Batard wrote:
> From: Andrei Warkentin
>
> It is possible for the command line to be empty
> (Cmd->TagHead.TagValueSize = 0), in which case the code should not
> attempt to read the value at CommandLine[-1].

Oops...

Reviewed-by: Philippe Mathieu-Daude

> Signed-off-by: Pete Batard
> ---
>  Platform/RaspberryPi/Drivers/RpiFirmwareDxe/RpiFirmwareDxe.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/Platform/RaspberryPi/Drivers/RpiFirmwareDxe/RpiFirmwareDxe.c= b/Platform/RaspberryPi/Drivers/RpiFirmwareDxe/RpiFirmwareDxe.c > index 5a9d4c3f1787..9b4aa068857c 100644 > --- a/Platform/RaspberryPi/Drivers/RpiFirmwareDxe/RpiFirmwareDxe.c > +++ b/Platform/RaspberryPi/Drivers/RpiFirmwareDxe/RpiFirmwareDxe.c > @@ -927,7 +927,8 @@ RpiFirmwareGetCommmandLine ( > =20 > CopyMem (CommandLine, Cmd->CommandLine, Cmd->TagHead.TagValueSize); > =20 > - if (CommandLine[Cmd->TagHead.TagValueSize - 1] !=3D '\0') { > + if (Cmd->TagHead.TagValueSize =3D=3D 0 || > + CommandLine[Cmd->TagHead.TagValueSize - 1] !=3D '\0') { > // > // Add a NUL terminator if required. > // >=20
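Review bot: The added Cmd->TagHead.TagValueSize == 0 test in the if condition sends an empty command line into the terminator branch, and the lines shown here do not bound TagValueSize against the destination buffer before the CopyMem, nor reserve the extra byte that the NUL needs. If a size check exists above this hunk, confirm that it rejects a buffer smaller than TagValueSize + 1 bytes, including the case where TagValueSize is zero; otherwise add one before the copy. The operand order (zero test first, then the CommandLine[Cmd->TagHead.TagValueSize - 1] read) is what keeps the index from wrapping, so it should stay in that order. The existing comment only says "if required"; a short note that an empty tag yields an empty, NUL-terminated string would make the intent of the new operand clear.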