From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jaben.carsey@intel.com>
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 9B3F31A1E4C
 for <edk2-devel@lists.01.org>; Thu, 25 Aug 2016 09:18:03 -0700 (PDT)
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
 by orsmga102.jf.intel.com with ESMTP; 25 Aug 2016 09:17:59 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.28,576,1464678000"; d="scan'208";a="1031235779"
Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206])
 by fmsmga001.fm.intel.com with ESMTP; 25 Aug 2016 09:18:00 -0700
Received: from fmsmsx102.amr.corp.intel.com (10.18.124.200) by
 FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Thu, 25 Aug 2016 09:17:59 -0700
Received: from fmsmsx103.amr.corp.intel.com ([169.254.2.39]) by
 FMSMSX102.amr.corp.intel.com ([10.18.124.200]) with mapi id 14.03.0248.002;
 Thu, 25 Aug 2016 09:17:58 -0700
From: "Carsey, Jaben" <jaben.carsey@intel.com>
To: "afish@apple.com" <afish@apple.com>
CC: edk2-devel <edk2-devel@lists.01.org>, "Ni, Ruiyu" <ruiyu.ni@intel.com>,
 "Carsey, Jaben" <jaben.carsey@intel.com>
Thread-Topic: [edk2] I found a fun bug in the Shell today. Looks like we
 have been getting lucky?
Thread-Index: AQHR/mwAbkxI5FMecUSc/Dw5klGU/qBZV+KAgACAPlCAAHYpAP//jT2Q
Date: Thu, 25 Aug 2016 16:17:58 +0000
Message-ID: <CB6E33457884FA40993F35157061515C54A2D4D4@FMSMSX103.amr.corp.intel.com>
References: <095E0E05-A876-48C3-B87D-FA5874921821@apple.com>
 <B883F72C-4CCC-4867-A2AA-5D1D13E958AE@apple.com>
 <CB6E33457884FA40993F35157061515C54A2D473@FMSMSX103.amr.corp.intel.com>
 <0B832F72-ABF8-4E9E-A123-604A579CA9E0@apple.com>
In-Reply-To: <0B832F72-ABF8-4E9E-A123-604A579CA9E0@apple.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMGJhOTg0NmYtNWU1NS00YjE3LTlhZTQtZDhjYjI1MWUzY2ZlIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE1LjkuNi42IiwiVHJ1c3RlZExhYmVsSGFzaCI6IlFNc09zU0lldmtUdFQrT3N3M0lnV1RZWWljOWpVMjRYVHVjR011YWhyenc9In0=
x-ctpclassification: CTP_IC
x-originating-ip: [10.1.200.106]
MIME-Version: 1.0
Subject: Re: I found a fun bug in the Shell today. Looks like we have been getting lucky?
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 16:18:03 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Doh!  Thanks!  I didn't realize that was the bug.  I will have to finally l=
earn that servers name one of these days...

> -----Original Message-----
> From: afish@apple.com [mailto:afish@apple.com]
> Sent: Thursday, August 25, 2016 9:08 AM
> To: Carsey, Jaben <jaben.carsey@intel.com>
> Cc: edk2-devel <edk2-devel@lists.01.org>; Ni, Ruiyu <ruiyu.ni@intel.com>
> Subject: Re: [edk2] I found a fun bug in the Shell today. Looks like we h=
ave
> been getting lucky?
> Importance: High
>=20
>=20
> > On Aug 25, 2016, at 9:05 AM, Carsey, Jaben <jaben.carsey@intel.com>
> wrote:
> >
> > Andrew,
> >
> > Can you file a Bugzilla issue so we can track this issue properly?
> >
>=20
> Jaben,
>=20
> I attached the URL at the end of the original mail:
> https://tianocore.acgmultimedia.com/show_bug.cgi?id=3D105
>=20
> Thanks,
>=20
> Andrew Fish
>=20
> > -Jaben
> >
> >> -----Original Message-----
> >> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> >> Andrew Fish
> >> Sent: Wednesday, August 24, 2016 6:26 PM
> >> To: edk2-devel <edk2-devel@lists.01.org>
> >> Subject: Re: [edk2] I found a fun bug in the Shell today. Looks like w=
e
> have
> >> been getting lucky?
> >> Importance: High
> >>
> >>
> >>> On Aug 24, 2016, at 5:59 PM, Andrew Fish <afish@apple.com> wrote:
> >>>
> >>> I was tracking down a data corruption issue when paging was enabled o=
n
> an
> >> edk2 shell command. The crash was in a custom ConSpliter over writing =
a
> DXE
> >> Core data structure. The buffer overflow seemed to be caused by the
> >> Console getting confused on the location of the end of the screen. I s=
et a
> >> watchpoint on gST->ConOut->Mode->CursorRow and found the shell was
> >> the one corrupting the Mode data.
> >>>
> >>> UEFI Spec: The following data values in the
> SIMPLE_TEXT_OUTPUT_MODE
> >> interface are read-only and are changed by using the appropriate
> interface
> >> functions:
> >>>
> >>> (master)>git grep "OurConOut.Mode"
> >>> Application/Shell/ConsoleLogger.c:72:  (*ConsoleInfo)-
> >OurConOut.Mode
> >> =3D gST->ConOut->Mode;
> >>> Application/Shell/ConsoleLogger.c:647://    ShellInfoObject.ConsoleIn=
fo-
> >>> OurConOut.Mode->CursorRow    =3D 0;
> >>> Application/Shell/ConsoleLogger.c:648://    ShellInfoObject.ConsoleIn=
fo-
> >>> OurConOut.Mode->CursorColumn =3D 0;
> >>> Application/Shell/ConsoleLogger.c:704:      if (ConsoleInfo-
> >>> OurConOut.Mode->CursorColumn > 0) {
> >>> Application/Shell/ConsoleLogger.c:705:        ConsoleInfo-
> >>> OurConOut.Mode->CursorColumn--;
> >>> Application/Shell/ConsoleLogger.c:734:      ConsoleInfo-
> >OurConOut.Mode-
> >>> CursorRow++;
> >>> Application/Shell/ConsoleLogger.c:741:      ConsoleInfo-
> >OurConOut.Mode-
> >>> CursorColumn =3D 0;
> >>> Application/Shell/ConsoleLogger.c:747:      ConsoleInfo-
> >OurConOut.Mode-
> >>> CursorColumn++;
> >>> Application/Shell/ConsoleLogger.c:751:      if ((INTN)ConsoleInfo-
> >>> ColsPerScreen =3D=3D ConsoleInfo->OurConOut.Mode->CursorColumn + 1) {
> >>> Application/Shell/ConsoleLogger.c:781:        ConsoleInfo-
> >>> OurConOut.Mode->CursorRow++;
> >>> Application/Shell/ConsoleLogger.c:782:        ConsoleInfo-
> >>> OurConOut.Mode->CursorColumn =3D 0;
> >>> Application/Shell/ConsoleLogger.c:976:    ConsoleInfo-
> >OurConOut.Mode =3D
> >> ConsoleInfo->OldConOut->Mode;
> >>>
> >>>
> >>> I'm not exactly sure what this code is trying to do as the console sh=
ould
> >> update Mode structure directly? Maybe the intent was to have a copy of
> >> gST->ConOut->Mode and keep it in sync? It seems like this should cause
> >> more issues, but maybe the edk2 ConSplitter is not broken by this
> behavior
> >> and we are getting lucky?
> >>>
> >>
> >> I forgot to mention that setting the Mode->CursorRow in the console
> code
> >> back to the last row if was larger looks like it hides this bug in the=
 shell.
> >>
> >> Thanks,
> >>
> >> Andrew Fish
> >>
> >>
> >>> Thanks,
> >>>
> >>> Andrew Fish
> >>>
> >>> https://tianocore.acgmultimedia.com/show_bug.cgi?id=3D105
> >>> _______________________________________________
> >>> edk2-devel mailing list
> >>> edk2-devel@lists.01.org
> >>> https://lists.01.org/mailman/listinfo/edk2-devel
> >>
> >> _______________________________________________
> >> edk2-devel mailing list
> >> edk2-devel@lists.01.org
> >> https://lists.01.org/mailman/listinfo/edk2-devel