From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ruiyu.ni@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.93; helo=mga11.intel.com; envelope-from=ruiyu.ni@intel.com;
 receiver=edk2-devel@lists.01.org 
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id DA214202E6182
 for <edk2-devel@lists.01.org>; Fri,  3 Nov 2017 01:19:34 -0700 (PDT)
Received: from orsmga004.jf.intel.com ([10.7.209.38])
 by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 03 Nov 2017 01:23:29 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.44,337,1505804400"; d="scan'208";a="145502527"
Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204])
 by orsmga004.jf.intel.com with ESMTP; 03 Nov 2017 01:23:28 -0700
Received: from fmsmsx111.amr.corp.intel.com (10.18.116.5) by
 FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Fri, 3 Nov 2017 01:23:07 -0700
Received: from shsmsx102.ccr.corp.intel.com (10.239.4.154) by
 fmsmsx111.amr.corp.intel.com (10.18.116.5) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Fri, 3 Nov 2017 01:23:06 -0700
Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.152]) by
 shsmsx102.ccr.corp.intel.com ([169.254.2.175]) with mapi id 14.03.0319.002;
 Fri, 3 Nov 2017 16:22:57 +0800
From: "Ni, Ruiyu" <ruiyu.ni@intel.com>
To: "Wang, Jian J" <jian.j.wang@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: "Carsey, Jaben" <jaben.carsey@intel.com>, "Bi, Dandan"
 <dandan.bi@intel.com>
Thread-Topic: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
Thread-Index: AQHTVGBY/k4Ifk3HFkmxO/4jnsz+XaMCTnzA
Date: Fri, 3 Nov 2017 08:22:57 +0000
Message-ID: <734D49CCEBEEF84792F5B80ED585239D5BAB201A@SHSMSX104.ccr.corp.intel.com>
References: <20171103045759.26508-1-jian.j.wang@intel.com>
 <20171103045759.26508-3-jian.j.wang@intel.com>
In-Reply-To: <20171103045759.26508-3-jian.j.wang@intel.com>
Accept-Language: en-US, zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYzQ5NDM1YWYtNTQyMi00YTgzLWFlOWYtMGU2MWQzM2Q5MDFmIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjIuNS4xOCIsIlRydXN0ZWRMYWJlbEhhc2giOiJuOUhTYUZxWkc0aW04SlVFc2dQRFFmZitvalVVbmhuOU52RVVQZThLK0VZMzVqaUoxaGlFUXoyQW1CRzRXb1JyIn0=
x-ctpclassification: CTP_IC
dlp-product: dlpe-windows
dlp-version: 11.0.0.116
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2017 08:19:35 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

2 comments below.

-----Original Message-----
From: Wang, Jian J=20
Sent: Friday, November 3, 2017 12:58 PM
To: edk2-devel@lists.01.org
Cc: Carsey, Jaben <jaben.carsey@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>;=
 Bi, Dandan <dandan.bi@intel.com>
Subject: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool

AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes =
of
memory from old "Buffer" to new allocated one. If "AllocationSize" is bigge=
r
than size of "Buffer", heap memory overflow occurs during copy.

The solution is to allocate pool first then copy the necessary bytes to new
memory. This can avoid copying extra bytes from unknown memory range.

Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
 ShellPkg/Application/Shell/Shell.c                                 | 4 +++=
-
 ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c | 6 +++=
+--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shel=
l/Shell.c
index 5471930ba1..24a04ca323 100644
--- a/ShellPkg/Application/Shell/Shell.c
+++ b/ShellPkg/Application/Shell/Shell.c
@@ -1646,7 +1646,9 @@ ShellConvertVariables (
   //
   // now do the replacements...
   //
-  NewCommandLine1 =3D AllocateCopyPool(NewSize, OriginalCommandLine);
+  NewCommandLine1 =3D AllocatePool(NewSize);
+  ASSERT (NewCommandLine1 !=3D NULL);
[Ray] 1. Please do not use assertion because there is NULL check in the bel=
ow if-statement.
    The rule in ShellPkg is avoid using assertion.

+  CopyMem (NewCommandLine1, OriginalCommandLine, StrSize (OriginalCommandL=
ine));
   NewCommandLine2 =3D AllocateZeroPool(NewSize);
   ItemTemp        =3D AllocateZeroPool(ItemSize+(2*sizeof(CHAR16)));
   if (NewCommandLine1 =3D=3D NULL || NewCommandLine2 =3D=3D NULL || ItemTe=
mp =3D=3D NULL) {
diff --git a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandL=
ib.c b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c
index 1122c89b8b..5de62219b3 100644
--- a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c
+++ b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c
@@ -143,10 +143,11 @@ UpdateOptionalData(
     OriginalOptionDataSize +=3D (*(UINT16*)(OriginalData + sizeof(UINT32))=
);
     OriginalOptionDataSize -=3D OriginalSize;
     NewSize =3D OriginalSize - OriginalOptionDataSize + DataSize;
-    NewData =3D AllocateCopyPool(NewSize, OriginalData);
+    NewData =3D AllocatePool(NewSize);
     if (NewData =3D=3D NULL) {
       Status =3D EFI_OUT_OF_RESOURCES;
     } else {
+      CopyMem (NewData, OriginalData, OriginalSize - OriginalOptionDataSiz=
e);
       CopyMem(NewData + OriginalSize - OriginalOptionDataSize, Data, DataS=
ize);
     }
   }
@@ -1120,11 +1121,12 @@ BcfgAddOpt(
         // Now we know how many EFI_INPUT_KEY structs we need to attach to=
 the end of the EFI_KEY_OPTION struct. =20
         // Re-allocate with the added information.
         //
-        KeyOptionBuffer =3D AllocateCopyPool(sizeof(EFI_KEY_OPTION) + (siz=
eof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount), &NewKeyOp=
tion);
+        KeyOptionBuffer =3D AllocatePool (sizeof(EFI_KEY_OPTION) + (sizeof=
(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount));
         if (KeyOptionBuffer =3D=3D NULL) {
           ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_MEM), gSh=
ellBcfgHiiHandle, L"bcfg"); =20
           ShellStatus =3D SHELL_OUT_OF_RESOURCES;
         }
[Ray] 2. Should the above NULL check return?
+        CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION));
       }
       for (LoopCounter =3D 0 ; ShellStatus =3D=3D SHELL_SUCCESS && LoopCou=
nter < NewKeyOption.KeyData.Options.InputKeyCount; LoopCounter++) {
         //
--=20
2.14.1.windows.1