Subject: Re: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer overrun in FileHandleReadLine()
From: "Laszlo Ersek"
To: devel@edk2.groups.io, zhiguang.liu@intel.com, "vladimir.olovyannikov@broadcom.com"
Cc: "Kinney, Michael D", "Gao, Liming"
References: <20200702023113.10517-1-vladimir.olovyannikov@broadcom.com>
Message-ID: <75a66368-c26d-41bd-cc88-adcf709715a2@redhat.com>
Date: Mon, 24 Aug 2020 18:52:09 +0200

On 08/24/20 18:18, Laszlo Ersek wrote:
> On 07/03/20 04:30, Zhiguang Liu wrote:
>> Reviewed-by: Zhiguang Liu
>
> Merged as commit 4535fc312b76, via
> .

The commit message does not mention a TianoCore BZ. If there *is* an
associated TianoCore BZ, please set it to RESOLVED|FIXED now, and also
mark the above commit hash in a comment on it.

Thanks
Laszlo

>
> Thanks,
> Laszlo
>
>>
>>> -----Original Message-----
>>> From: devel@edk2.groups.io On Behalf Of Vladimir
>>> Olovyannikov via groups.io
>>> Sent: Thursday, July 2, 2020 10:31 AM
>>> To: devel@edk2.groups.io
>>> Cc: Vladimir Olovyannikov ; Kinney,
>>> Michael D ; Gao, Liming
>>> ; Liu, Zhiguang
>>> Subject: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer
>>> overrun in FileHandleReadLine()
>>>
>>> If the size of the supplied buffer in FileHandleReadLine(), module
>>> UefiFileHandleLib.c, was not 0, but was not enough to fit in
>>> the line, the size is increased, and then the Buffer of the new
>>> size is zeroed. This size is always larger than the supplied buffer size,
>>> causing supplied buffer overrun. Fix the issue by using the
>>> supplied buffer size in ZeroMem().
>>> >>> Signed-off-by: Vladimir Olovyannikov >>> >>> Cc: Michael D Kinney >>> Cc: Liming Gao >>> Cc: Zhiguang Liu >>> --- >>> MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 ++++-- >>> 1 file changed, 4 insertions(+), 2 deletions(-) >>> >>> diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c >>> b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c >>> index 28e28e5f67d5..ab34e6ccd5f4 100644 >>> --- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c >>> +++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c >>> @@ -969,6 +969,7 @@ FileHandleReadLine( >>> UINTN CharSize; >>> >>> UINTN CountSoFar; >>> >>> UINTN CrCount; >>> >>> + UINTN OldSize; >>> >>> UINT64 OriginalFilePosition; >>> >>> >>> >>> if (Handle == NULL >>> >>> @@ -1039,10 +1040,11 @@ FileHandleReadLine( >>> // if we ran out of space tell when... >>> >>> // >>> >>> if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){ >>> >>> + OldSize = *Size; >>> >>> *Size = (CountSoFar+1-CrCount)*sizeof(CHAR16); >>> >>> if (!Truncate) { >>> >>> - if (Buffer != NULL && *Size != 0) { >>> >>> - ZeroMem(Buffer, *Size); >>> >>> + if (Buffer != NULL && OldSize != 0) { >>> >>> + ZeroMem(Buffer, OldSize); >>> >>> } >>> >>> FileHandleSetPosition(Handle, OriginalFilePosition); >>> >>> return (EFI_BUFFER_TOO_SMALL); >>> >>> -- >>> 2.26.2.266.ge870325ee8 >
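Review bot: the OldSize temporary added in the first hunk (and assigned in the second) can be avoided entirely by moving the `if (!Truncate) { ... ZeroMem(Buffer, *Size); }` block ahead of the `*Size = (CountSoFar+1-CrCount)*sizeof(CHAR16);` line, since at that point *Size still holds the caller-supplied size; the behaviour is the same and the diff shrinks to a reorder. The substance of the second hunk is right either way: once *Size has been raised to the length the line needs, it no longer describes the caller's Buffer, so `ZeroMem(Buffer, OldSize)` with the `OldSize != 0` guard is the correct bound before returning EFI_BUFFER_TOO_SMALL.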
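The overrun the commit message describes, as an added example that is not part of this thread or of the edk2 source: a constructed stand-in for the "buffer too small" branch of FileHandleReadLine(), where the zeroing length can be switched between the buggy value (the updated *Size) and the fixed value (the old size), and a canary pattern past the caller's buffer shows which one writes out of bounds. ReportTooSmall, CallerBufferIntact, the EFI constants and the sizes used are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t CHAR16;                 /* UEFI wide character */
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5           /* status the original returns */

/* Constructed stand-in (not the edk2 function) for the too-small branch of
   FileHandleReadLine(): LineChars is the length of the line just read,
   Buffer/*Size the caller's buffer. Fixed=0 reproduces the bug (zero with
   the updated *Size); Fixed=1 is the patched behaviour (zero OldSize). */
static int ReportTooSmall(size_t LineChars, CHAR16 *Buffer, size_t *Size,
                          int Fixed)
{
    size_t Needed = (LineChars + 1) * sizeof(CHAR16);   /* room for NUL */
    if (Needed <= *Size) {
        return EFI_SUCCESS;               /* the real code copies here */
    }
    size_t OldSize = *Size;
    *Size = Needed;                       /* tell the caller what it needs */
    size_t ZeroLen = Fixed ? OldSize : *Size;
    if (Buffer != NULL && ZeroLen != 0) {
        memset(Buffer, 0, ZeroLen);       /* ZeroMem() in the original */
    }
    return EFI_BUFFER_TOO_SMALL;
}

/* Returns 1 if bytes past the caller-supplied size were left untouched,
   0 if ReportTooSmall() wrote beyond them, -1 on an unexpected status.
   The caller's buffer is the first CALLER_CHARS elements of a larger
   region filled with 0xAB, so an overrun lands in the pattern rather
   than in unrelated memory. */
#define CALLER_CHARS 4
#define REGION_CHARS 32
static int CallerBufferIntact(int Fixed)
{
    CHAR16 Region[REGION_CHARS];
    memset(Region, 0xAB, sizeof(Region));
    size_t Size = CALLER_CHARS * sizeof(CHAR16);        /* 8 bytes */
    size_t LineChars = 20;                              /* needs 42 bytes */
    int Status = ReportTooSmall(LineChars, Region, &Size, Fixed);
    if (Status != EFI_BUFFER_TOO_SMALL ||
        Size != (LineChars + 1) * sizeof(CHAR16)) {
        return -1;
    }
    for (size_t i = CALLER_CHARS; i < REGION_CHARS; i++) {
        if (Region[i] != 0xABAB) {
            return 0;                     /* canary clobbered: overrun */
        }
    }
    return 1;
}
```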