From: "Sean Rhodes"
Date: Mon, 15 Jan 2024 09:11:52 +0000
Subject: Re: [edk2-devel] [PATCH] UefiPayloadPkg: CbParseLib: Fix integer overflow
To: "Guo, Gua"
Cc: "Tan, Lean Sheng", "Rudolph, Patrick", "devel@edk2.groups.io", "Lu, James", "Ni, Ray", "Dong, Guo"

Reviewed-by: Sean Rhodes <sean@starlabs.systems>

On Fri, 12 Jan 2024 at 11:43, Guo, Gua <gua.guo@intel.com> wrote:
Reviewed-by: Gua Guo <gua.guo@intel.com>

From: Lean Sheng Tan <sheng.tan@9elements.com>
Sent: Friday, January 12, 2024 7:33:00 PM
To: Rudolph, Patrick <patrick.rudolph@9elements.com>
Cc: devel@edk2.groups.io <devel@edk2.groups.io>; Rhodes, Sean <sean@starlabs.systems>; Guo, Gua <gua.guo@intel.com>; Lu, James <james.lu@intel.com>; Ni, Ray <ray.ni@intel.com>; Dong, Guo <guo.dong@intel.com>
Subject: Re: [PATCH] UefiPayloadPkg: CbParseLib: Fix integer overflow

Hi Gua or Sean,
Would you mind to help review this?
Thanks!

Best Regards,
Lean Sheng Tan

9elements GmbH, Kortumstraße 19-21, 44787 Bochum, Germany
Email: sheng.tan@9elements.com
Phone: +49 234 68 94 188
Mobile: +49 176 76 113842

Registered office: Bochum
Commercial register: Amtsgericht Bochum, HRB 17519
Management: Sebastian German, Eray Bazaar


On Mon, 8 Jan 2024 at 08:00, Patrick Rudolph <patrick.rudolph@9elements.com> wrote:
The IMD entry uses the 32bit start field as relative offset
to root. On Ia32X64 this works fine as UINTN is also 32 bit and
negative relative offsets are properly calculated due to an
integer overflow.

On X64 this doesn't work as UINTN is 64 bit and the offset
is no longer subtracted, but it's added to the root. Fix that
by sign extending the start field to 64 bit.

Test: Booting UefiPayloadPkg still works on Ia32X64 and now also
      works on X64.

Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
---
 UefiPayloadPkg/Library/CbParseLib/CbParseLib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/UefiPayloadPkg/Library/CbParseLib/CbParseLib.c b/UefiPayloadPk= g/Library/CbParseLib/CbParseLib.c
index 8a353f77f6..9e149532a7 100644
--- a/UefiPayloadPkg/Library/CbParseLib/CbParseLib.c
+++ b/UefiPayloadPkg/Library/CbParseLib/CbParseLib.c
@@ -282,7 +282,7 @@ FindCbMemTable (
=C2=A0 =C2=A0for (Idx =3D 0; Idx < Root->num_entries; Idx++) {
=C2=A0 =C2=A0 =C2=A0if (Entries[Idx].id =3D=3D TableId) {
=C2=A0 =C2=A0 =C2=A0 =C2=A0if (IsImdEntry) {
-=C2=A0 =C2=A0 =C2=A0 =C2=A0 *MemTable =3D (VOID *)((UINTN)Entries[Idx].sta= rt + (UINTN)Root);
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 *MemTable =3D (VOID *)((INTN)(INT32)Entries[Id= x].start + (UINTN)Root);
=C2=A0 =C2=A0 =C2=A0 =C2=A0} else {
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*MemTable =3D (VOID *)(UINTN)Entries[Idx]= .start;
=C2=A0 =C2=A0 =C2=A0 =C2=A0}
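Review bot: the new line in the IsImdEntry branch adds an INTN to a UINTN, so its correctness rests on the implicit conversion of the sign-extended offset back to UINTN. Writing it as (UINTN)Root + (UINTN)(INTN)(INT32)Entries[Idx].start makes that explicit. A one-line comment stating that for IMD entries start is a signed 32-bit offset relative to Root would also help, because the else branch directly below treats the same field as an unsigned absolute address and the double cast is easy to "simplify" away later. Separately, the computed pointer is stored to *MemTable with no check visible in this hunk that it stays inside the region Root belongs to; a range check before the assignment would keep a malformed entry from yielding an arbitrary address.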
--
2.43.0
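The width dependence described in the commit message, as an added example that is not part of the original thread or of EDK II. It is plain C with fixed-width types standing in for UINTN/INTN; the root address, the offset and the resolve_checked() range check with its caller-supplied bounds are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix expression where UINTN is 32 bits: the sum wraps modulo 2^32,
 * so an offset such as 0xFFFFF000 behaves as -4096. */
static uint32_t resolve_zero_ext32(uint32_t root, uint32_t start) {
    return (uint32_t)(start + root);
}

/* Pre-fix expression where UINTN is 64 bits: start is zero-extended,
 * nothing wraps, and the result lands almost 4 GiB above root. */
static uint64_t resolve_zero_ext64(uint64_t root, uint32_t start) {
    return (uint64_t)start + root;
}

/* Post-fix expression: reinterpret start as signed 32-bit, widen, then add.
 * (The uint32_t -> int32_t conversion assumes two's complement.) */
static uint64_t resolve_sign_ext64(uint64_t root, uint32_t start) {
    return (uint64_t)(int64_t)(int32_t)start + root;
}

/* Hypothetical hardening: accept the entry only if it resolves inside a
 * caller-supplied window [lo, hi). The bounds are an assumption here. */
static bool resolve_checked(uint64_t root, uint32_t start,
                            uint64_t lo, uint64_t hi, uint64_t *out) {
    uint64_t addr = resolve_sign_ext64(root, start);
    if (addr < lo || addr >= hi) {
        return false;
    }
    *out = addr;
    return true;
}

int main(void) {
    const uint64_t root = 0x7FF00000u;   /* constructed sample root address */
    const uint32_t start = 0xFFFFF000u;  /* constructed offset, -4096 as INT32 */
    uint64_t addr = 0;

    printf("32-bit UINTN, pre-fix : 0x%llx\n",
           (unsigned long long)resolve_zero_ext32((uint32_t)root, start));
    printf("64-bit UINTN, pre-fix : 0x%llx\n",
           (unsigned long long)resolve_zero_ext64(root, start));
    printf("64-bit UINTN, post-fix: 0x%llx\n",
           (unsigned long long)resolve_sign_ext64(root, start));
    printf("range check accepts   : %d\n",
           resolve_checked(root, start, 0x7FE00000u, root, &addr));
    return 0;
}
```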
