From: "Ni, Ruiyu"
To: "Wang, Jian J", "edk2-devel@lists.01.org"
CC: "Carsey, Jaben", "Bi, Dandan"
Date: Tue, 7 Nov 2017 05:35:46 +0000
Subject: Re: [PATCH v2 2/3] ShellPkg: Fix misuses of AllocateCopyPool

Reviewed-by: Ruiyu Ni

Thanks/Ray

> -----Original Message-----
> From: Wang, Jian J
> Sent: Tuesday, November 7, 2017 1:11 PM
> To: edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Ni, Ruiyu; Bi, Dandan
> Subject: [PATCH v2 2/3] ShellPkg: Fix misuses of AllocateCopyPool
>
> > v2:
> > a. Use ReallocatePool instead of allocating then copying wherever applicable
>
> AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of
> memory from old "Buffer" to new allocated one. If "AllocationSize" is bigger
> than size of "Buffer", heap memory overflow occurs during copy.
>
> One solution is to allocate pool first then copy the necessary bytes to new
> memory. Another is using ReallocatePool instead if old buffer will be freed
> on spot.
>
> Cc: Jaben Carsey
> Cc: Ruiyu Ni
> Cc: Bi Dandan
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang > --- > ShellPkg/Application/Shell/Shell.c | 4 += ++- > ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c | 7 > +++++-- > 2 files changed, 8 insertions(+), 3 deletions(-) >=20 > diff --git a/ShellPkg/Application/Shell/Shell.c > b/ShellPkg/Application/Shell/Shell.c > index 5471930ba1..656206fdce 100644 > --- a/ShellPkg/Application/Shell/Shell.c > +++ b/ShellPkg/Application/Shell/Shell.c > @@ -1646,7 +1646,7 @@ ShellConvertVariables ( > // > // now do the replacements... > // > - NewCommandLine1 =3D AllocateCopyPool(NewSize, OriginalCommandLine); > + NewCommandLine1 =3D AllocateZeroPool (NewSize); > NewCommandLine2 =3D AllocateZeroPool(NewSize); > ItemTemp =3D AllocateZeroPool(ItemSize+(2*sizeof(CHAR16))); > if (NewCommandLine1 =3D=3D NULL || NewCommandLine2 =3D=3D NULL || > ItemTemp =3D=3D NULL) { > @@ -1655,6 +1655,8 @@ ShellConvertVariables ( > SHELL_FREE_NON_NULL(ItemTemp); > return (NULL); > } > + CopyMem (NewCommandLine1, OriginalCommandLine, StrSize > (OriginalCommandLine)); > + > for (MasterEnvList =3D EfiShellGetEnv(NULL) > ; MasterEnvList !=3D NULL && *MasterEnvList !=3D CHAR_NULL > ; MasterEnvList +=3D StrLen(MasterEnvList) + 1 > diff --git > a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > index 1122c89b8b..ee3db63358 100644 > --- > a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > +++ > b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c 
> @@ -143,10 +143,11 @@ UpdateOptionalData( > OriginalOptionDataSize +=3D (*(UINT16*)(OriginalData + sizeof(UINT32= ))); > OriginalOptionDataSize -=3D OriginalSize; > NewSize =3D OriginalSize - OriginalOptionDataSize + DataSize; > - NewData =3D AllocateCopyPool(NewSize, OriginalData); > + NewData =3D AllocatePool(NewSize); > if (NewData =3D=3D NULL) { > Status =3D EFI_OUT_OF_RESOURCES; > } else { > + CopyMem (NewData, OriginalData, OriginalSize - OriginalOptionDataS= ize); > CopyMem(NewData + OriginalSize - OriginalOptionDataSize, Data, > DataSize); > } > } > @@ -1120,11 +1121,13 @@ BcfgAddOpt( > // Now we know how many EFI_INPUT_KEY structs we need to attach = to > the end of the EFI_KEY_OPTION struct. > // Re-allocate with the added information. > // > - KeyOptionBuffer =3D AllocateCopyPool(sizeof(EFI_KEY_OPTION) + > (sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount), > &NewKeyOption); > + KeyOptionBuffer =3D AllocatePool (sizeof(EFI_KEY_OPTION) + > (sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount)); > if (KeyOptionBuffer =3D=3D NULL) { > ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_MEM), > gShellBcfgHiiHandle, L"bcfg"); > ShellStatus =3D SHELL_OUT_OF_RESOURCES; > + return ShellStatus; > } > + CopyMem (KeyOptionBuffer, &NewKeyOption, > sizeof(EFI_KEY_OPTION)); > } > for (LoopCounter =3D 0 ; ShellStatus =3D=3D SHELL_SUCCESS && LoopC= ounter < > NewKeyOption.KeyData.Options.InputKeyCount; LoopCounter++) { > // > -- > 2.14.1.windows.1
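
Review bot: In the Shell.c hunk for ShellConvertVariables, the added CopyMem (NewCommandLine1, OriginalCommandLine, StrSize (OriginalCommandLine)) has no visible check that StrSize (OriginalCommandLine) fits in the NewSize bytes just allocated; the guarantee rests entirely on how NewSize was computed above this context. Consider ASSERT (StrSize (OriginalCommandLine) <= NewSize) before the copy, or StrCpyS (NewCommandLine1, NewSize / sizeof (CHAR16), OriginalCommandLine), so a later change to the size calculation cannot trade the source over-read removed here for a destination overflow. Minor style point: the changed line uses AllocateZeroPool (NewSize) with a space while the two neighbouring allocations keep the unspaced form.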
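
Review bot: In the UpdateOptionalData hunk, the copy length OriginalSize - OriginalOptionDataSize is built from a UINT16 read out of OriginalData and is used without any visible bound check against OriginalSize, both in NewSize and in the new CopyMem (NewData, OriginalData, ...). If these are unsigned sizes, a malformed length field makes the subtraction wrap, and the allocation size and the copy length go wrong together. Suggest computing the prefix length once into a local, rejecting the option when it exceeds OriginalSize, and using that local in NewSize and in both CopyMem calls instead of repeating the expression three times.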
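
Review bot: In the BcfgAddOpt hunk, the added return ShellStatus; in the allocation-failure branch leaves the function from the middle, while the following loop is already gated on ShellStatus == SHELL_SUCCESS, which suggests the function normally falls through to a common exit. If that exit frees anything allocated earlier, the early return skips it. Placing the new CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION)) in an else branch of the NULL check would guard the copy without adding a second exit path. It is also worth a comment that only sizeof(EFI_KEY_OPTION) bytes are initialised and the EFI_INPUT_KEY tail is left for the loop to fill, since AllocatePool does not zero it.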
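
The allocate-then-copy fix described in the commit message, as an added example that is not part of the patch or of EDK II: a portable C model of rebuilding a load option with new optional data, where the number of bytes read from the old buffer is derived from validated length fields rather than from the new allocation size. It assumes the EFI_LOAD_OPTION layout from the UEFI specification (UINT32 attributes, UINT16 path-list length, NUL-terminated UTF-16 description, path list, optional data); malloc stands in for AllocatePool, and the function names and sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: Attributes=1, FilePathListLength=4, Description=L"A",
   a 4-byte end-of-path node, then 2 bytes of old optional data (16 bytes). */
static const uint8_t SAMPLE_OPTION[16] = {
    0x01, 0x00, 0x00, 0x00,  0x04, 0x00,  0x41, 0x00, 0x00, 0x00,
    0x7F, 0xFF, 0x04, 0x00,  0xAA, 0xBB };

/* Bytes covered by header + description + path list, or 0 if any of them
   would run past orig_size (length fields are untrusted input). */
static size_t load_option_prefix_len(const uint8_t *orig, size_t orig_size) {
    size_t off = sizeof(uint32_t) + sizeof(uint16_t);
    size_t path_len;
    if (orig_size < off) return 0;
    path_len = (size_t)orig[4] | ((size_t)orig[5] << 8);  /* little-endian */
    do {                                  /* find the UTF-16 NUL terminator */
        if (orig_size - off < 2) return 0;
        off += 2;
    } while (orig[off - 2] != 0 || orig[off - 1] != 0);
    if (orig_size - off < path_len) return 0;
    return off + path_len;
}

/* Hypothetical helper: returns prefix + new optional data in a fresh buffer.
   Only `prefix` bytes are read from orig, however large the result is. */
static uint8_t *replace_optional_data(const uint8_t *orig, size_t orig_size,
                                      const uint8_t *data, size_t data_size,
                                      size_t *new_size) {
    size_t prefix = load_option_prefix_len(orig, orig_size);
    uint8_t *out;
    if (prefix == 0 || data_size > SIZE_MAX - prefix) return NULL;
    out = malloc(prefix + data_size);
    if (out == NULL) return NULL;
    memcpy(out, orig, prefix);
    if (data_size != 0) memcpy(out + prefix, data, data_size);
    *new_size = prefix + data_size;
    return out;
}

int main(void) {
    const uint8_t data[5] = { 1, 2, 3, 4, 5 };
    size_t n = 0;
    uint8_t *out = replace_optional_data(SAMPLE_OPTION, 16, data, 5, &n);
    int ok = out != NULL && n == 19 && memcmp(out + 14, data, 5) == 0;
    free(out);
    return ok ? 0 : 1;
}
```

The result here is 19 bytes against a 16-byte original, which is the case where a copy sized by the new allocation would read past the end of the source.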