Sender: afish@apple.com
From: Andrew Fish
In-reply-to: <095E0E05-A876-48C3-B87D-FA5874921821@apple.com>
Date: Wed, 24 Aug 2016 18:26:23 -0700
References: <095E0E05-A876-48C3-B87D-FA5874921821@apple.com>
To: edk2-devel
Subject: Re: I found a fun bug in the Shell today. Looks like we have been getting lucky?
List-Id: EDK II Development

> On Aug 24, 2016, at 5:59 PM, Andrew Fish wrote:
>
> I was tracking down a data corruption issue when paging was enabled on an edk2 shell command. The crash was in a custom ConSplitter overwriting a DXE Core data structure. The buffer overflow seemed to be caused by the Console getting confused on the location of the end of the screen. I set a watchpoint on gST->ConOut->Mode->CursorRow and found the shell was the one corrupting the Mode data.
>
> UEFI Spec: The following data values in the SIMPLE_TEXT_OUTPUT_MODE interface are read-only and are changed by using the appropriate interface functions:
>
> (master)>git grep "OurConOut.Mode"
> Application/Shell/ConsoleLogger.c:72: (*ConsoleInfo)->OurConOut.Mode = gST->ConOut->Mode;
> Application/Shell/ConsoleLogger.c:647: // ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorRow = 0;
> Application/Shell/ConsoleLogger.c:648: // ShellInfoObject.ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
> Application/Shell/ConsoleLogger.c:704: if (ConsoleInfo->OurConOut.Mode->CursorColumn > 0) {
> Application/Shell/ConsoleLogger.c:705: ConsoleInfo->OurConOut.Mode->CursorColumn--;
> Application/Shell/ConsoleLogger.c:734: ConsoleInfo->OurConOut.Mode->CursorRow++;
> Application/Shell/ConsoleLogger.c:741: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
> Application/Shell/ConsoleLogger.c:747: ConsoleInfo->OurConOut.Mode->CursorColumn++;
> Application/Shell/ConsoleLogger.c:751: if ((INTN)ConsoleInfo->ColsPerScreen == ConsoleInfo->OurConOut.Mode->CursorColumn + 1) {
> Application/Shell/ConsoleLogger.c:781: ConsoleInfo->OurConOut.Mode->CursorRow++;
> Application/Shell/ConsoleLogger.c:782: ConsoleInfo->OurConOut.Mode->CursorColumn = 0;
> Application/Shell/ConsoleLogger.c:976: ConsoleInfo->OurConOut.Mode = ConsoleInfo->OldConOut->Mode;
>
>
> I'm not exactly sure what this code is trying to do, as the console should update the Mode structure directly? Maybe the intent was to have a copy of gST->ConOut->Mode and keep it in sync? It seems like this should cause more issues, but maybe the edk2 ConSplitter is not broken by this behavior and we are getting lucky?
>

I forgot to mention that setting Mode->CursorRow in the console code back to the last row if it was larger looks like it hides this bug in the shell.

Thanks,

Andrew Fish

> Thanks,
>
> Andrew Fish
>
> https://tianocore.acgmultimedia.com/show_bug.cgi?id=105
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
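The aliasing pattern the thread is about, modelled as an added example. This is not edk2 or ConsoleLogger code: the CONSOLE and LOGGER types, the toy screen buffer with guard bytes standing in for the DXE Core data that got overwritten, the "advance the row twice" behaviour of the aliasing logger, and the ClampRow switch that models the console-side workaround mentioned in the reply are all assumptions made for this illustration. A shell-side layer that takes a pointer to the console's Mode and bumps CursorRow/CursorColumn itself is compared with one that keeps its own struct copy and only reads the live Mode, which is what the spec text quoted above requires.

```c
/* Added illustration, not edk2 code. Models a logger layer that aliases the
   console's SIMPLE_TEXT_OUTPUT_MODE and writes the "read-only" cursor fields,
   versus one that keeps a private copy and leaves the live Mode alone. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROWS       25
#define COLS       80
#define GUARD_ROWS 2     /* bytes after the screen: stand-in for unrelated DXE Core data (assumed) */
#define GUARD_FILL 'G'

/* Stand-in for the cursor fields of EFI_SIMPLE_TEXT_OUTPUT_MODE. Per the UEFI
   spec these are read-only to callers; only the protocol functions change them. */
typedef struct { int32_t CursorColumn; int32_t CursorRow; } TEXT_OUTPUT_MODE;

typedef struct {
    TEXT_OUTPUT_MODE  ModeData;
    TEXT_OUTPUT_MODE *Mode;                          /* plays gST->ConOut->Mode */
    char              Screen[(ROWS + GUARD_ROWS) * COLS];
    bool              ClampRow;                      /* workaround from the reply: pull CursorRow back */
} CONSOLE;

static void ConsoleInit(CONSOLE *c, bool clampRow) {
    memset(c, 0, sizeof *c);
    memset(c->Screen, ' ', ROWS * COLS);
    memset(c->Screen + ROWS * COLS, GUARD_FILL, GUARD_ROWS * COLS);
    c->Mode = &c->ModeData;
    c->ClampRow = clampRow;
}

static bool ConsoleGuardIntact(const CONSOLE *c) {
    for (size_t i = ROWS * COLS; i < sizeof c->Screen; i++)
        if (c->Screen[i] != GUARD_FILL) return false;
    return true;
}

/* The protocol way to move the cursor: validated, so it cannot leave the screen.
   false plays the role of EFI_UNSUPPORTED. */
static bool ConsoleSetCursorPosition(CONSOLE *c, int32_t col, int32_t row) {
    if (col < 0 || col >= COLS || row < 0 || row >= ROWS) return false;
    c->Mode->CursorColumn = col;
    c->Mode->CursorRow = row;
    return true;
}

static void ConsoleNewLine(CONSOLE *c) {
    TEXT_OUTPUT_MODE *m = c->Mode;
    m->CursorColumn = 0;
    if (m->CursorRow >= ROWS - 1) {                  /* scroll: the row index is not reduced */
        memmove(c->Screen, c->Screen + COLS, (ROWS - 1) * COLS);
        memset(c->Screen + (ROWS - 1) * COLS, ' ', COLS);
    } else {
        m->CursorRow++;
    }
}

/* OutputString trusts Mode because, by the spec, nobody else may write it. */
static void ConsoleOutputString(CONSOLE *c, const char *s) {
    for (; *s; s++) {
        TEXT_OUTPUT_MODE *m = c->Mode;
        if (c->ClampRow && m->CursorRow > ROWS - 1) m->CursorRow = ROWS - 1;
        if (*s == '\n') { ConsoleNewLine(c); continue; }
        size_t idx = (size_t)m->CursorRow * COLS + (size_t)m->CursorColumn;
        if (idx < sizeof c->Screen) c->Screen[idx] = *s;   /* keeps the model itself defined */
        if (++m->CursorColumn >= COLS) ConsoleNewLine(c);
    }
}

typedef enum { LOGGER_ALIAS, LOGGER_PRIVATE_COPY } LOGGER_KIND;

typedef struct {
    LOGGER_KIND       Kind;
    CONSOLE          *Con;
    TEXT_OUTPUT_MODE *Alias;   /* LOGGER_ALIAS: "OurConOut.Mode = gST->ConOut->Mode" style pointer */
    TEXT_OUTPUT_MODE  Copy;    /* LOGGER_PRIVATE_COPY: a value the console never sees */
} LOGGER;

static void LoggerInit(LOGGER *l, LOGGER_KIND kind, CONSOLE *con) {
    memset(l, 0, sizeof *l);
    l->Kind = kind; l->Con = con; l->Alias = con->Mode; l->Copy = *con->Mode;
}

/* Emit text, then do page-break bookkeeping per newline. The aliasing variant
   does that bookkeeping in the console's live Mode, so every newline advances
   the row twice and the console's own scroll never pulls it back below ROWS. */
static void LoggerPrint(LOGGER *l, const char *s) {
    ConsoleOutputString(l->Con, s);
    for (const char *p = s; *p; p++) {
        if (*p != '\n') continue;
        TEXT_OUTPUT_MODE *m = (l->Kind == LOGGER_ALIAS) ? l->Alias : &l->Copy;
        m->CursorRow++;
        m->CursorColumn = 0;
    }
}

/* Prints short lines until the guard bytes are overwritten or a cap is hit.
   Returns the 1-based line on which corruption appeared, or 0 if none. */
static int RunLogger(LOGGER_KIND kind, bool clampRow) {
    CONSOLE con; LOGGER log;
    ConsoleInit(&con, clampRow);
    LoggerInit(&log, kind, &con);
    for (int line = 1; line <= 40; line++) {
        LoggerPrint(&log, "line\n");
        if (!ConsoleGuardIntact(&con)) return line;
    }
    return 0;
}

int main(void) {
    printf("aliasing logger, no clamp:   corrupt at line %d\n", RunLogger(LOGGER_ALIAS, false));
    printf("aliasing logger, clamp row:  corrupt at line %d\n", RunLogger(LOGGER_ALIAS, true));
    printf("private-copy logger:         corrupt at line %d\n", RunLogger(LOGGER_PRIVATE_COPY, false));
    return 0;
}
```

In this model the aliasing logger pushes CursorRow to ROWS after thirteen newlines and the fourteenth line lands in the guard bytes; clamping the row on the console side hides that, as the reply observes, without fixing the writer; the private-copy logger never corrupts anything, and when it does need to move the real cursor it has to go through ConsoleSetCursorPosition, which refuses rows outside the screen.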