From: "Vitaly Cheptsov" <cheptsov@ispras.ru>
To: "Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"Andrew Fish" <afish@apple.com>,
"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
"Bret Barkelew" <bret.barkelew@microsoft.com>,
"Brian J . Johnson" <brian.johnson@hpe.com>,
"Chiu, Chasel" <chasel.chiu@intel.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
"Laszlo Ersek" <lersek@redhat.com>,
"Leif Lindholm" <leif@nuviainc.com>,
"Gao, Liming" <liming.gao@intel.com>,
"Marvin Häuser" <mhaeuser@outlook.de>,
"Zimmer, Vincent" <vincent.zimmer@intel.com>,
"Gao, Zhichao" <zhichao.gao@intel.com>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Date: Thu, 14 May 2020 20:39:04 +0300 [thread overview]
Message-ID: <B28C8285-E178-417F-A2ED-2465E3ACB1BD@ispras.ru> (raw)
In-Reply-To: <MN2PR11MB4461CC95E8C6660BFFA3106FD2BC0@MN2PR11MB4461.namprd11.prod.outlook.com>
Mike,
Firstly, NULL checks and odd-address checks are essentially different things:
— NULL address is basically «no object», «optional argument» (e.g. failed allocation).
— Odd address is memory corruption, as there is no way to craft such address anyhow else.
For this reason the implementation is allowed to treat them differently.
Secondly, as I said in my cover letter, there is no behaviour change here for RELEASE builds. Behaviour changes unrelated to the bugfix will have to go to a separate patch. I agree that we may want to reconsider the interface in the future, but that’s for a separate bugzilla and patch. Not discussing it currently is important to avoid diverting from the primary problem. I could create a bugzilla, so as not to forget about it, soon after the stable tag.
Best wishes,
Vitaly
> On 14 May 2020, at 19:38, Kinney, Michael D <michael.d.kinney@intel.com> wrote:
>
> Why preserve the ASSERT()s for Unicode strings
> that are not aligned on a 16-bit boundary?
>
> This is essentially the same as an invalid pointer value,
> just like NULL. If a NULL pointer returns an error code,
> shouldn't an invalid pointer value?
>
> Thanks,
>
> Mike
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On
>> Behalf Of Vitaly Cheptsov
>> Sent: Thursday, May 14, 2020 2:26 AM
>> To: devel@edk2.groups.io
>> Cc: Andrew Fish <afish@apple.com>; Ard Biesheuvel
>> <ard.biesheuvel@linaro.org>; Bret Barkelew
>> <bret.barkelew@microsoft.com>; Brian J . Johnson
>> <brian.johnson@hpe.com>; Chiu, Chasel
>> <chasel.chiu@intel.com>; Justen, Jordan L
>> <jordan.l.justen@intel.com>; Laszlo Ersek
>> <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>;
>> Gao, Liming <liming.gao@intel.com>; Marvin Häuser
>> <mhaeuser@outlook.de>; Kinney, Michael D
>> <michael.d.kinney@intel.com>; Zimmer, Vincent
>> <vincent.zimmer@intel.com>; Gao, Zhichao
>> <zhichao.gao@intel.com>
>> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
>> SafeString performing assertions on runtime checks
>>
>> REF:
>> https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>>
>>
>>
>>
>>
>> Runtime checks returned via status return code should not work as
>> assertions to permit parsing not trusted data with SafeString
>> interfaces.
>>
>>
>>
>>
>>
>> CC: Andrew Fish <afish@apple.com>
>>
>>
>> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>>
>>
>> CC: Bret Barkelew <bret.barkelew@microsoft.com>
>>
>>
>> CC: Brian J. Johnson <brian.johnson@hpe.com>
>>
>>
>> CC: Chasel Chiu <chasel.chiu@intel.com>
>>
>>
>> CC: Jordan Justen <jordan.l.justen@intel.com>
>>
>>
>> CC: Laszlo Ersek <lersek@redhat.com>
>>
>>
>> CC: Leif Lindholm <leif@nuviainc.com>
>>
>>
>> CC: Liming Gao <liming.gao@intel.com>
>>
>>
>> CC: Marvin Häuser <mhaeuser@outlook.de>
>>
>>
>> CC: Mike Kinney <michael.d.kinney@intel.com>
>>
>>
>> CC: Vincent Zimmer <vincent.zimmer@intel.com>
>>
>>
>> CC: Zhichao Gao <zhichao.gao@intel.com>
>>
>>
>> Signed-off-by: Vitaly Cheptsov <vit9696@protonmail.com>
>>
>>
>> ---
>>
>>
>> MdePkg/Include/Library/BaseLib.h | 120 ++------------------
>> MdePkg/Library/BaseLib/SafeString.c | 80 -------------
>> 2 files changed, 7 insertions(+), 193 deletions(-)
>>
>>
>>
>>
>>
>> diff --git a/MdePkg/Include/Library/BaseLib.h
>> b/MdePkg/Include/Library/BaseLib.h
>>
>>
>> index ecadff8b23..62dc3151bc 100644
>>
>>
>> --- a/MdePkg/Include/Library/BaseLib.h
>>
>>
>> +++ b/MdePkg/Include/Library/BaseLib.h
>>
>>
>> @@ -189,7 +189,6 @@ StrnSizeS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
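Review bot: after this hunk the documented contract of StrCpyS is mixed without saying so: the alignment lines ("If Destination is not aligned on a 16-bit boundary, then ASSERT().") stay, while the line "If an error would be returned, then the function will also ASSERT()." goes, so misalignment still traps in DEBUG builds but every other constraint violation is reported only through the return status. Since the motivation is parsing untrusted data, consider adding one sentence such as "All other constraint violations are reported via the return status and do not ASSERT()." so a reader does not have to infer the new behaviour from an absent line. The same comment applies to each of the following doc-comment hunks in this file.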
>> @@ -225,7 +224,6 @@ StrCpyS (
>>
>>
>>
>>
>>
>> If Length > 0 and Destination is not aligned on a
>> 16-bit boundary, then ASSERT().
>>
>>
>> If Length > 0 and Source is not aligned on a 16-bit
>> boundary, then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -263,7 +261,6 @@ StrnCpyS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -303,7 +300,6 @@ StrCatS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -350,12 +346,7 @@ StrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -406,12 +397,7 @@ StrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -467,12 +453,7 @@ StrDecimalToUint64S (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -528,12 +509,7 @@ StrHexToUintnS (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -622,8 +598,6 @@ AsciiStrnSizeS (
>>
>>
>>
>>
>>
>> This function is similar as strcpy_s defined in C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -656,8 +630,6 @@ AsciiStrCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strncpy_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -692,8 +664,6 @@ AsciiStrnCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strcat_s defined in C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -730,8 +700,6 @@ AsciiStrCatS (
>>
>>
>>
>>
>>
>> This function is similar as strncat_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -777,12 +745,6 @@ AsciiStrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -1506,16 +1450,8 @@ StrHexToUint64 (
>>
>>
>> "::" can be used to compress one or more groups of X
>> when X contains only 0.
>>
>>
>> The "::" can only appear once in the String.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -1567,15 +1503,10 @@ StrToIpv6Address (
>>
>>
>> When /P is in the String, the function stops at the
>> first character that is not
>>
>>
>> a valid decimal digit character after P is
>> converted.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
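Review bot: this hunk leaves a dangling sentence in the StrToIpv4Address comment. The two context lines "If PcdMaximumUnicodeStringLength is not zero, and String contains more than" / "PcdMaximumUnicodeStringLength Unicode characters, not including the" are kept, but their continuation "- Null-terminator, then ASSERT()." is deleted, so the sentence now ends mid-clause. Either remove the two context lines as well, as the StrToIpv6Address hunk above does for its three-line version of the same sentence, or replace the last line with the behaviour that now applies.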
>> @@ -1640,8 +1571,6 @@ StrToIpv4Address (
>>
>>
>> oo Data4[48:55]
>>
>>
>> pp Data4[56:63]
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Guid is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> @param String Pointer to a Null-
>> terminated Unicode string.
>>
>>
>> @@ -1676,17 +1605,6 @@ StrToGuid (
>>
>>
>>
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Buffer is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Length is not multiple of 2, then ASSERT().
>>
>>
>> -
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero and
>> Length is greater than
>>
>>
>> - PcdMaximumUnicodeStringLength, then ASSERT().
>>
>>
>> -
>>
>>
>> - If MaxBufferSize is less than (Length / 2), then
>> ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated Unicode string.
>>
>>
>> @param Length The number of
>> Unicode characters to decode.
>>
>>
>> @param Buffer Pointer to the
>> converted bytes array.
>>
>>
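Review bot: this hunk deletes the documentation of five constraint violations for the Unicode hex-to-bytes decoder (the block after StrToGuid: NULL String, NULL Buffer, Length not a multiple of 2, Length above PcdMaximumUnicodeStringLength, MaxBufferSize below Length / 2) without stating what happens in those cases now. Since the behaviour is a status return, either keep the conditions and name the status each one yields, or make sure the @retval list (outside this hunk) covers every one of them; otherwise a caller cannot tell from the header whether an odd Length is rejected or silently truncated.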
>> @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
>>
>>
>> the upper 8 bits, then ASSERT().
>>
>>
>>
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
>>
>>
>> bits of each Unicode character. The function
>> terminates the Ascii string
>>
>>
>> Destination by appending a Null-terminator character
>> at the end.
>>
>>
>>
>>
>>
>> - The caller is responsible to make sure Destination
>> points to a buffer with size
>>
>>
>> - equal or greater than ((StrLen (Source) + 1) *
>> sizeof (CHAR8)) in bytes.
>>
>>
>> + The caller is responsible to make sure Destination
>> points to a buffer with
>>
>>
>> + size not smaller than ((MIN(StrLen(Source), Length)
>> + 1) * sizeof (CHAR8))
>>
>>
>> + in bytes.
>>
>>
>>
>>
>>
>> If any Unicode characters in Source contain non-zero
>> value in the upper 8
>>
>>
>> bits, then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> - If an error is returned, then the Destination is
>> unmodified.
>>
>>
>> + If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> + unmodified.
>>
>>
>>
>>
>>
>> @param Source The pointer to a Null-
>> terminated Unicode string.
>>
>>
>> @param Length The maximum number of
>> Unicode characters to
>>
>>
>> convert.
>>
>>
>> @param Destination The pointer to a Null-
>> terminated Ascii string.
>>
>>
>> - @param DestMax The maximum number of
>> Destination Ascii
>>
>>
>> - char, including
>> terminating null char.
>>
>>
>> + @param DestMax The maximum number of
>> Destination Ascii char,
>>
>>
>> + including terminating
>> null char.
>>
>>
>> @param DestinationLength The number of Unicode
>> characters converted.
>>
>>
>>
>>
>>
>> @retval RETURN_SUCCESS String is
>> converted.
>>
>>
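Review bot: the reworded buffer-size requirement ("size not smaller than ((MIN(StrLen(Source), Length) + 1) * sizeof (CHAR8))"), the addition of DestinationLength to the "unmodified" sentence and the re-wrapping of the DestMax @param lines are unrelated to removing assertions. They bring the BaseLib.h comment of the Length-bounded Unicode-to-ASCII function in line with the wording already present in SafeString.c (visible as unchanged context in the SafeString.c hunk after UnicodeStrToAsciiStrS), which is a sensible fix, but it should be called out in the commit message or split into its own patch so reviewers of the assertion change are not surprised by it.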
>> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
>>
>>
>> "::" can be used to compress one or more groups of X
>> when X contains only 0.
>>
>>
>> The "::" can only appear once in the String.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
>>
>>
>> When /P is in the String, the function stops at the
>> first character that is not
>>
>>
>> a valid decimal digit character after P is
>> converted.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
>>
>>
>> oo Data4[48:55]
>>
>>
>> pp Data4[56:63]
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Guid is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Guid Pointer to the
>> converted GUID.
>>
>>
>>
>>
>>
>> @@ -2541,17 +2448,6 @@ AsciiStrToGuid (
>>
>>
>> decoding stops after Length of characters and
>> outputs Buffer containing
>>
>>
>> (Length / 2) bytes.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Buffer is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Length is not multiple of 2, then ASSERT().
>>
>>
>> -
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero and
>> Length is greater than
>>
>>
>> - PcdMaximumAsciiStringLength, then ASSERT().
>>
>>
>> -
>>
>>
>> - If MaxBufferSize is less than (Length / 2), then
>> ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Length The number of ASCII
>> characters to decode.
>>
>>
>> @param Buffer Pointer to the
>> converted bytes array.
>>
>>
>> @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
>>
>>
>> equal or greater than ((AsciiStrLen (Source) + 1) *
>> sizeof (CHAR16)) in bytes.
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
>>
>>
>> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
>> (CHAR8)) in bytes.
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> unmodified.
>>
>>
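Review bot: the context line "((MIN(AsciiStrLen(Source), Length) + 1) * sizeof (CHAR8)) in bytes." in the AsciiStrnToUnicodeStrS comment sizes a CHAR16 destination with sizeof (CHAR8); the preceding AsciiStrToUnicodeStrS hunk correctly says sizeof (CHAR16). This is pre-existing and outside the scope of this patch, but the same wrong line appears as context in the SafeString.c hunk for the same function, and an under-sized Destination is exactly the class of bug the Safe String functions exist to prevent, so it deserves a follow-up patch.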
>> diff --git a/MdePkg/Library/BaseLib/SafeString.c
>> b/MdePkg/Library/BaseLib/SafeString.c
>>
>>
>> index 7dc03d2caa..1db42abb05 100644
>>
>>
>> --- a/MdePkg/Library/BaseLib/SafeString.c
>>
>>
>> +++ b/MdePkg/Library/BaseLib/SafeString.c
>>
>>
>> @@ -14,7 +14,6 @@
>>
>>
>>
>>
>>
>> #define SAFE_STRING_CONSTRAINT_CHECK(Expression,
>> Status) \
>>
>>
>> do { \
>>
>>
>> - ASSERT (Expression); \
>>
>>
>> if (!(Expression)) { \
>>
>>
>> return Status; \
>>
>>
>> } \
>>
>>
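Review bot: with "ASSERT (Expression);" gone from SAFE_STRING_CONSTRAINT_CHECK, a failed constraint is signalled only through Status in DEBUG builds as well as RELEASE builds, so every Safe String call site must now check the returned RETURN_STATUS; a short comment above the macro stating that would make the new contract visible where the check is implemented rather than only in the header prose. Note also that the explicit alignment ASSERT()s elsewhere in this file are not touched by this hunk, so they remain the one class of invalid pointer that still traps, matching the header comments this patch keeps.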
>> @@ -197,7 +196,6 @@ StrnSizeS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -279,7 +277,6 @@ StrCpyS (
>>
>>
>>
>>
>>
>> If Length > 0 and Destination is not aligned on a
>> 16-bit boundary, then ASSERT().
>>
>>
>> If Length > 0 and Source is not aligned on a 16-bit
>> boundary, then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -372,7 +369,6 @@ StrnCpyS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -473,7 +469,6 @@ StrCatS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -590,12 +585,7 @@ StrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -705,12 +695,7 @@ StrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -825,12 +810,7 @@ StrDecimalToUint64S (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -956,12 +936,7 @@ StrHexToUintnS (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -1856,8 +1831,6 @@ AsciiStrCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strncpy_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strcat_s defined in C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -2040,8 +2011,6 @@ AsciiStrCatS (
>>
>>
>>
>>
>>
>> This function is similar as strncat_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -2154,12 +2123,6 @@ AsciiStrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
>>
>>
>> the upper 8 bits, then ASSERT().
>>
>>
>>
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
>>
>>
>> If any Unicode characters in Source contain non-zero
>> value in the upper 8
>>
>>
>> bits, then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> unmodified.
>>
>>
>> @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
>>
>>
>> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
>> (CHAR8)) in bytes.
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> unmodified.
>>
>>
>> @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
>>
>>
>> "::" can be used to compress one or more groups of X
>> when X contains only 0.
>>
>>
>> The "::" can only appear once in the String.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
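Review bot: the SafeString.c part of the patch carries doc-comment hunks only for the ASCII parsers (this one and the three following it, after AsciiStrnToUnicodeStrS, AsciiStrToIpv6Address, AsciiStrToIpv4Address and AsciiStrToGuid), whereas BaseLib.h also updates the comments of StrToIpv6Address, StrToIpv4Address, StrToGuid and the Unicode hex-to-bytes decoder. Please confirm the SafeString.c comment blocks of those four Unicode functions do not still carry the "If String is NULL, then ASSERT()." lines; if they do, header and implementation now disagree.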
>> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
>>
>>
>> When /P is in the String, the function stops at the
>> first character that is not
>>
>>
>> a valid decimal digit character after P is
>> converted.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
>>
>>
>> oo Data4[48:55]
>>
>>
>> pp Data4[56:63]
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Guid is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Guid Pointer to the
>> converted GUID.
>>
>>
>>
>>
>>
>> @@ -3550,17 +3481,6 @@ AsciiStrToGuid (
>>
>>
>> decoding stops after Length of characters and
>> outputs Buffer containing
>>
>>
>> (Length / 2) bytes.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Buffer is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Length is not multiple of 2, then ASSERT().
>>
>>
>> -
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero and
>> Length is greater than
>>
>>
>> - PcdMaximumAsciiStringLength, then ASSERT().
>>
>>
>> -
>>
>>
>> - If MaxBufferSize is less than (Length / 2), then
>> ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Length The number of ASCII
>> characters to decode.
>>
>>
>> @param Buffer Pointer to the
>> converted bytes array.
>>
>>
>> --
>>
>>
>> 2.24.2 (Apple Git-127)
>>
>>
>>
>>
>>
>>
>>
>
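As an added illustration of what the SAFE_STRING_CONSTRAINT_CHECK hunk in the quoted patch changes: the block below is a host-buildable model written for this page, not code from the patch or from edk2's BaseLib. The RETURN_STATUS typedef, the status values and the AsciiStrnCpyS-style function are stand-ins for the edk2 definitions. It shows that once the ASSERT is gone, untrusted input that violates a constraint is rejected through the return value instead of halting a DEBUG build, which is why every call site has to check that value.

```c
/* Added example, not edk2 code: a host-buildable model of the
   SAFE_STRING_CONSTRAINT_CHECK macro before and after the patch, used by a
   minimal AsciiStrnCpyS-style copy.  RETURN_STATUS and the status values
   below are local stand-ins for the edk2 definitions. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uintptr_t RETURN_STATUS;           /* stand-in for edk2 RETURN_STATUS */
#define RETURN_SUCCESS            0        /* constructed values for the model */
#define RETURN_INVALID_PARAMETER  2
#define RETURN_BUFFER_TOO_SMALL   5

/* Before the patch: a failed constraint ASSERT()s in DEBUG builds, so
   untrusted input that violates a constraint halts the firmware instead of
   being rejected.  Kept for comparison only; not used by the model below. */
#define OLD_SAFE_STRING_CONSTRAINT_CHECK(Expression, Status)  \
  do {                                                       \
    assert (Expression);                                     \
    if (!(Expression)) {                                     \
      return Status;                                         \
    }                                                        \
  } while (0)

/* After the patch: the violation is reported only through the status. */
#define SAFE_STRING_CONSTRAINT_CHECK(Expression, Status)  \
  do {                                                   \
    if (!(Expression)) {                                 \
      return Status;                                     \
    }                                                    \
  } while (0)

/* Length of S scanning at most Max characters: untrusted Source may lack a
   NUL terminator, so an unbounded strlen would read past the buffer. */
static size_t
BoundedLen (const char *S, size_t Max)
{
  size_t  N = 0;
  while (N < Max && S[N] != '\0') { N++; }
  return N;
}

/* Minimal model of AsciiStrnCpyS: copies at most Length characters of Source
   into Destination, always NUL-terminates, and leaves Destination untouched
   when an error is returned.  The real function's overlap check is omitted. */
RETURN_STATUS
ModelAsciiStrnCpyS (char *Destination, size_t DestMax, const char *Source, size_t Length)
{
  size_t  SourceLen;

  SAFE_STRING_CONSTRAINT_CHECK (Destination != NULL, RETURN_INVALID_PARAMETER);
  SAFE_STRING_CONSTRAINT_CHECK (Source != NULL, RETURN_INVALID_PARAMETER);
  SAFE_STRING_CONSTRAINT_CHECK (DestMax != 0, RETURN_INVALID_PARAMETER);

  SourceLen = BoundedLen (Source, Length);
  /* Need room for SourceLen characters plus the terminator. */
  SAFE_STRING_CONSTRAINT_CHECK (DestMax > SourceLen, RETURN_BUFFER_TOO_SMALL);

  memcpy (Destination, Source, SourceLen);
  Destination[SourceLen] = '\0';
  return RETURN_SUCCESS;
}

/* Caller pattern the patch relies on: the status is the only failure signal,
   so it must be checked.  Returns 1 if every constructed case behaves as the
   patched contract says, 0 otherwise. */
int
ModelSelfTest (void)
{
  char  Buf[8] = "keep";
  /* Constructed untrusted input: 10 bytes with no terminator inside them. */
  static const char  Untrusted[10] = { '0','1','2','3','4','5','6','7','8','9' };

  if (ModelAsciiStrnCpyS (Buf, sizeof Buf, Untrusted, sizeof Untrusted) != RETURN_BUFFER_TOO_SMALL) return 0;
  if (strcmp (Buf, "keep") != 0) return 0;          /* Destination untouched on error */
  if (ModelAsciiStrnCpyS (Buf, sizeof Buf, NULL, 3) != RETURN_INVALID_PARAMETER) return 0;
  if (ModelAsciiStrnCpyS (Buf, sizeof Buf, Untrusted, 4) != RETURN_SUCCESS) return 0;
  if (strcmp (Buf, "0123") != 0) return 0;          /* bounded by Length, NUL added */
  return 1;
}

int
main (void)
{
  int  Ok = ModelSelfTest ();
  printf ("model self-test: %s\n", Ok ? "pass" : "FAIL");
  return Ok ? 0 : 1;
}
```

Build with any C compiler and run; the old macro is only present for contrast, since a function built on it would abort the process on the NULL-Source case instead of returning RETURN_INVALID_PARAMETER.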
Thread overview: 15+ messages
2020-05-14 9:25 [PATCH V6 0/1] Disable safe string constraint assertions Vitaly Cheptsov
2020-05-14 9:25 ` [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks Vitaly Cheptsov
2020-05-14 13:35 ` Laszlo Ersek
2020-05-14 16:38 ` [edk2-devel] " Michael D Kinney
2020-05-14 17:39 ` Vitaly Cheptsov [this message]
2020-05-14 17:58 ` Michael D Kinney
2020-05-14 18:59 ` Vitaly Cheptsov
2020-05-14 19:45 ` Ard Biesheuvel
2020-05-14 21:07 ` Michael D Kinney
2020-05-14 21:15 ` [EXTERNAL] " Bret Barkelew
2020-05-14 22:14 ` Michael D Kinney
2020-05-15 9:28 ` Marvin Häuser
2020-05-15 9:30 ` [EXTERNAL] " Vitaly Cheptsov
2020-05-15 15:26 ` Bret Barkelew
2020-05-14 11:33 ` [edk2-devel] [PATCH V6 0/1] Disable safe string constraint assertions Ard Biesheuvel