* [PATCH 0/2] Avoid consuming content beyond string boundaries @ 2017-09-19 11:38 Hao Wu 2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu 2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu 0 siblings, 2 replies; 6+ messages in thread From: Hao Wu @ 2017-09-19 11:38 UTC (permalink / raw) To: edk2-devel Cc: Hao Wu, Steven Shi, Ruiyu Ni, Jaben Carsey, Michael Kinney, Liming Gao The series adds checks to avoid reading content beyond string boundaries. Cc: Steven Shi <steven.shi@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Jaben Carsey <jaben.carsey@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Hao Wu (2): ShellPkg/Shell: Avoid reading content beyond string boundary MdePkg/BaseLib: Avoid reading content beyond string boundary MdePkg/Library/BaseLib/FilePaths.c | 4 ++-- ShellPkg/Application/Shell/ShellProtocol.c | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) -- 2.12.0.windows.1 ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary 2017-09-19 11:38 [PATCH 0/2] Avoid consuming content beyond string boundaries Hao Wu @ 2017-09-19 11:38 ` Hao Wu 2017-09-19 13:22 ` Carsey, Jaben 2017-09-19 14:55 ` Ni, Ruiyu 2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu 1 sibling, 2 replies; 6+ messages in thread From: Hao Wu @ 2017-09-19 11:38 UTC (permalink / raw) To: edk2-devel; +Cc: Hao Wu, Ruiyu Ni, Jaben Carsey, Steven Shi REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690 Within function EfiShellGetDevicePathFromFilePath(), when the input parameter 'Path' string is like: "FS0:" It is possible for the below statement: "if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {" to read the content 1 byte beyond the string boundary (both 'Path' and 'MapName' will be FS0: in this case). This commit adds additional checks to avoid this. Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Jaben Carsey <jaben.carsey@intel.com> Cc: Steven Shi <steven.shi@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> --- ShellPkg/Application/Shell/ShellProtocol.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ShellPkg/Application/Shell/ShellProtocol.c b/ShellPkg/Application/Shell/ShellProtocol.c index 40e5e653ae..5e34b8dad1 100644 --- a/ShellPkg/Application/Shell/ShellProtocol.c +++ b/ShellPkg/Application/Shell/ShellProtocol.c @@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath( // // build the full device path // - if (*(Path+StrLen(MapName)+1) == CHAR_NULL) { + if ((*(Path+StrLen(MapName)) != CHAR_NULL) && + (*(Path+StrLen(MapName)+1) == CHAR_NULL)) { DevicePathForReturn = FileDevicePath(Handle, L"\\"); } else { DevicePathForReturn = FileDevicePath(Handle, Path+StrLen(MapName)); -- 2.12.0.windows.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary 2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu @ 2017-09-19 13:22 ` Carsey, Jaben 2017-09-19 14:55 ` Ni, Ruiyu 1 sibling, 0 replies; 6+ messages in thread From: Carsey, Jaben @ 2017-09-19 13:22 UTC (permalink / raw) To: Wu, Hao A, edk2-devel@lists.01.org; +Cc: Ni, Ruiyu, Shi, Steven Reviewed-by: Jaben Carsey <jaben.carsey@intel.com> > -----Original Message----- > From: Wu, Hao A > Sent: Tuesday, September 19, 2017 4:39 AM > To: edk2-devel@lists.01.org > Cc: Wu, Hao A <hao.a.wu@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; > Carsey, Jaben <jaben.carsey@intel.com>; Shi, Steven > <steven.shi@intel.com> > Subject: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string > boundary > Importance: High > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690 > > Within function EfiShellGetDevicePathFromFilePath(), when the input > parameter 'Path' string is like: > "FS0:" > > It is possible for the below statement: > "if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {" > > to read the content 1 byte beyond the string boundary (both 'Path' and > 'MapName' will be FS0: in this case). > > This commit adds additional checks to avoid this. > > Cc: Ruiyu Ni <ruiyu.ni@intel.com> > Cc: Jaben Carsey <jaben.carsey@intel.com> > Cc: Steven Shi <steven.shi@intel.com> > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Hao Wu <hao.a.wu@intel.com> > --- > ShellPkg/Application/Shell/ShellProtocol.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/ShellPkg/Application/Shell/ShellProtocol.c > b/ShellPkg/Application/Shell/ShellProtocol.c > index 40e5e653ae..5e34b8dad1 100644 > --- a/ShellPkg/Application/Shell/ShellProtocol.c > +++ b/ShellPkg/Application/Shell/ShellProtocol.c > @@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath( > // > // build the full device path > // > - if (*(Path+StrLen(MapName)+1) == CHAR_NULL) { > + if ((*(Path+StrLen(MapName)) != CHAR_NULL) && > + (*(Path+StrLen(MapName)+1) == CHAR_NULL)) { > DevicePathForReturn = FileDevicePath(Handle, L"\\"); > } else { > DevicePathForReturn = FileDevicePath(Handle, Path+StrLen(MapName)); > -- > 2.12.0.windows.1 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary 2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu 2017-09-19 13:22 ` Carsey, Jaben @ 2017-09-19 14:55 ` Ni, Ruiyu 1 sibling, 0 replies; 6+ messages in thread From: Ni, Ruiyu @ 2017-09-19 14:55 UTC (permalink / raw) To: Wu, Hao A, edk2-devel@lists.01.org; +Cc: Wu, Hao A, Carsey, Jaben Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com> -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Hao Wu Sent: Tuesday, September 19, 2017 7:39 PM To: edk2-devel@lists.01.org Cc: Wu, Hao A <hao.a.wu@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Carsey, Jaben <jaben.carsey@intel.com> Subject: [edk2] [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690 Within function EfiShellGetDevicePathFromFilePath(), when the input parameter 'Path' string is like: "FS0:" It is possible for the below statement: "if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {" to read the content 1 byte beyond the string boundary (both 'Path' and 'MapName' will be FS0: in this case). This commit adds additional checks to avoid this. Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Jaben Carsey <jaben.carsey@intel.com> Cc: Steven Shi <steven.shi@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> --- ShellPkg/Application/Shell/ShellProtocol.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ShellPkg/Application/Shell/ShellProtocol.c b/ShellPkg/Application/Shell/ShellProtocol.c index 40e5e653ae..5e34b8dad1 100644 --- a/ShellPkg/Application/Shell/ShellProtocol.c +++ b/ShellPkg/Application/Shell/ShellProtocol.c @@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath( // // build the full device path // - if (*(Path+StrLen(MapName)+1) == CHAR_NULL) { + if ((*(Path+StrLen(MapName)) != CHAR_NULL) && + (*(Path+StrLen(MapName)+1) == CHAR_NULL)) { DevicePathForReturn = FileDevicePath(Handle, L"\\"); } else { DevicePathForReturn = FileDevicePath(Handle, Path+StrLen(MapName)); -- 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary 2017-09-19 11:38 [PATCH 0/2] Avoid consuming content beyond string boundaries Hao Wu 2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu @ 2017-09-19 11:38 ` Hao Wu 2017-09-19 14:55 ` Ni, Ruiyu 1 sibling, 1 reply; 6+ messages in thread From: Hao Wu @ 2017-09-19 11:38 UTC (permalink / raw) To: edk2-devel; +Cc: Hao Wu, Ruiyu Ni, Steven Shi, Michael Kinney, Liming Gao REF: https://bugzilla.tianocore.org/show_bug.cgi?id=705 As mentioned in the above Bugzilla link by Steven, within the function PathCleanUpDirectories(), when executing command: "cd ." under Shell, the input parameter 'Path' string will have string length less than 2. Hence, it is possible for the below statement: "if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {" to read contents before the string boundary. This commit adds additional checks to avoid this. Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Steven Shi <steven.shi@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> --- MdePkg/Library/BaseLib/FilePaths.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/BaseLib/FilePaths.c b/MdePkg/Library/BaseLib/FilePaths.c index 203045ccdc..d6f3758ecb 100644 --- a/MdePkg/Library/BaseLib/FilePaths.c +++ b/MdePkg/Library/BaseLib/FilePaths.c @@ -1,7 +1,7 @@ /** @file Defines file-path manipulation functions. - Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -91,7 +91,7 @@ PathCleanUpDirectories( while ((TempString = StrStr (Path, L"\\.\\")) != NULL) { CopyMem (TempString, TempString + 2, StrSize (TempString + 2)); } - if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) { + if ((StrLen (Path) >= 2) && (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0)) { Path[StrLen (Path) - 1] = CHAR_NULL; } -- 2.12.0.windows.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary 2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu @ 2017-09-19 14:55 ` Ni, Ruiyu 0 siblings, 0 replies; 6+ messages in thread From: Ni, Ruiyu @ 2017-09-19 14:55 UTC (permalink / raw) To: Wu, Hao A, edk2-devel@lists.01.org Cc: Wu, Hao A, Kinney, Michael D, Gao, Liming Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com> -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Hao Wu Sent: Tuesday, September 19, 2017 7:39 PM To: edk2-devel@lists.01.org Cc: Wu, Hao A <hao.a.wu@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <liming.gao@intel.com> Subject: [edk2] [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary REF: https://bugzilla.tianocore.org/show_bug.cgi?id=705 As mentioned in the above Bugzilla link by Steven, within the function PathCleanUpDirectories(), when executing command: "cd ." under Shell, the input parameter 'Path' string will have string length less than 2. Hence, it is possible for the below statement: "if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {" to read contents before the string boundary. This commit adds additional checks to avoid this. Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Steven Shi <steven.shi@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> --- MdePkg/Library/BaseLib/FilePaths.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/BaseLib/FilePaths.c b/MdePkg/Library/BaseLib/FilePaths.c index 203045ccdc..d6f3758ecb 100644 --- a/MdePkg/Library/BaseLib/FilePaths.c +++ b/MdePkg/Library/BaseLib/FilePaths.c @@ -1,7 +1,7 @@ /** @file Defines file-path manipulation functions. - Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2011 - 2017, Intel Corporation. All rights + reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -91,7 +91,7 @@ PathCleanUpDirectories( while ((TempString = StrStr (Path, L"\\.\\")) != NULL) { CopyMem (TempString, TempString + 2, StrSize (TempString + 2)); } - if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) { + if ((StrLen (Path) >= 2) && (StrCmp (Path + StrLen (Path) - 2, + L"\\.") == 0)) { Path[StrLen (Path) - 1] = CHAR_NULL; } -- 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-09-19 14:52 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-09-19 11:38 [PATCH 0/2] Avoid consuming content beyond string boundaries Hao Wu 2017-09-19 11:38 ` [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary Hao Wu 2017-09-19 13:22 ` Carsey, Jaben 2017-09-19 14:55 ` Ni, Ruiyu 2017-09-19 11:38 ` [PATCH 2/2] MdePkg/BaseLib: " Hao Wu 2017-09-19 14:55 ` Ni, Ruiyu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox