From: "Carsey, Jaben"
To: "Wang, Jian J", "edk2-devel@lists.01.org"
CC: "Ni, Ruiyu", "Bi, Dandan"
Date: Wed, 8 Nov 2017 15:50:17 +0000
Subject: Re: [PATCH v3 2/3] ShellPkg: Fix misuses of AllocateCopyPool

Why not use the StrCpy_s function to copy strings? CopyMem and StrSize feels odd to me.

> -----Original Message-----
> From: Wang, Jian J
> Sent: Tuesday, November 07, 2017 6:12 PM
> To: edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Ni, Ruiyu; Bi, Dandan
> Subject: [PATCH v3 2/3] ShellPkg: Fix misuses of AllocateCopyPool
> Importance: High
>
> > v3:
> > No update
>
> > v2:
> > a. Use ReallocatePool instead of allocating then copying wherever
> applicable
>
> AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of
> memory from old "Buffer" to new allocated one. If "AllocationSize" is bigger
> than size of "Buffer", heap memory overflow occurs during copy.
>
> One solution is to allocate pool first then copy the necessary bytes to new
> memory. Another is using ReallocatePool instead if old buffer will be freed
> on spot.
>
> Cc: Jaben Carsey
> Cc: Ruiyu Ni
> Cc: Bi Dandan
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang
> ---
> ShellPkg/Application/Shell/Shell.c | 4 +++-
> ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c | 7 +++++--
> 2 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/ShellPkg/Application/Shell/Shell.c > b/ShellPkg/Application/Shell/Shell.c > index 5471930ba1..656206fdce 100644 > --- a/ShellPkg/Application/Shell/Shell.c > +++ b/ShellPkg/Application/Shell/Shell.c > @@ -1646,7 +1646,7 @@ ShellConvertVariables ( > // > // now do the replacements... > // > - NewCommandLine1 =3D AllocateCopyPool(NewSize, OriginalCommandLine); > + NewCommandLine1 =3D AllocateZeroPool (NewSize); > NewCommandLine2 =3D AllocateZeroPool(NewSize); > ItemTemp =3D AllocateZeroPool(ItemSize+(2*sizeof(CHAR16))); > if (NewCommandLine1 =3D=3D NULL || NewCommandLine2 =3D=3D NULL || > ItemTemp =3D=3D NULL) {
> @@ -1655,6 +1655,8 @@ ShellConvertVariables ( > SHELL_FREE_NON_NULL(ItemTemp); > return (NULL); > } > + CopyMem (NewCommandLine1, OriginalCommandLine, StrSize > (OriginalCommandLine)); > + > for (MasterEnvList =3D EfiShellGetEnv(NULL) > ; MasterEnvList !=3D NULL && *MasterEnvList !=3D CHAR_NULL > ; MasterEnvList +=3D StrLen(MasterEnvList) + 1 > diff --git > a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > index 1122c89b8b..ee3db63358 100644 > --- > a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > +++ > b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > @@ -143,10 +143,11 @@ UpdateOptionalData( > OriginalOptionDataSize +=3D (*(UINT16*)(OriginalData + sizeof(UINT32= ))); > OriginalOptionDataSize -=3D OriginalSize; > NewSize =3D OriginalSize - OriginalOptionDataSize + DataSize; > - NewData =3D AllocateCopyPool(NewSize, OriginalData); > + NewData =3D AllocatePool(NewSize); > if (NewData =3D=3D NULL) { > Status =3D EFI_OUT_OF_RESOURCES; > } else { > + CopyMem (NewData, OriginalData, OriginalSize - > OriginalOptionDataSize); > CopyMem(NewData + OriginalSize - OriginalOptionDataSize, Data, > DataSize); > } > } 
> @@ -1120,11 +1121,13 @@ BcfgAddOpt( > // Now we know how many EFI_INPUT_KEY structs we need to attach = to > the end of the EFI_KEY_OPTION struct. > // Re-allocate with the added information. > // > - KeyOptionBuffer =3D AllocateCopyPool(sizeof(EFI_KEY_OPTION) + > (sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount), > &NewKeyOption); > + KeyOptionBuffer =3D AllocatePool (sizeof(EFI_KEY_OPTION) + > (sizeof(EFI_INPUT_KEY) * > NewKeyOption.KeyData.Options.InputKeyCount)); > if (KeyOptionBuffer =3D=3D NULL) { > ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_MEM), > gShellBcfgHiiHandle, L"bcfg"); > ShellStatus =3D SHELL_OUT_OF_RESOURCES; > + return ShellStatus; > } > + CopyMem (KeyOptionBuffer, &NewKeyOption, > sizeof(EFI_KEY_OPTION)); > } > for (LoopCounter =3D 0 ; ShellStatus =3D=3D SHELL_SUCCESS && LoopC= ounter < > NewKeyOption.KeyData.Options.InputKeyCount; LoopCounter++) { > // > -- > 2.14.1.windows.1
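
Review bot: In the second Shell.c hunk (ShellConvertVariables, @@ -1655), the added CopyMem takes its length from the source, StrSize (OriginalCommandLine), and nothing in the visible lines checks that this fits in the NewSize bytes allocated for NewCommandLine1 in the previous hunk. Add a check or ASSERT that StrSize (OriginalCommandLine) <= NewSize before the copy, or use a destination-bounded copy such as StrCpyS (NewCommandLine1, NewSize / sizeof (CHAR16), OriginalCommandLine), which is the direction the reply above asks about.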
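
Review bot: In the UpdateOptionalData hunk (@@ -143), the added CopyMem reads OriginalSize - OriginalOptionDataSize bytes from OriginalData, and that length comes from a UINT16 read out of OriginalData itself followed by the OriginalOptionDataSize -= OriginalSize adjustment in the context lines, with no check that the result stays within OriginalSize or NewSize. Validate the computed prefix length against both before allocating, and hold it in one local so the NewSize computation and both CopyMem calls use the same value.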
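
Review bot: In the BcfgAddOpt hunk (@@ -1120), the added return ShellStatus; exits from inside a nested block, while the loop immediately after it is already gated on ShellStatus == SHELL_SUCCESS, so the surrounding code is written to fall through on failure. Put the new CopyMem in an else branch of the KeyOptionBuffer NULL check instead of returning early, so the out-of-memory path still reaches the function's normal exit.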
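
The misuse the commit message describes and its allocate-then-copy fix, modeled in portable C as an added example (not code from the patch or from EDK II). `alloc_copy_pool_model`, `grow_string` and `str_size16` are hypothetical stand-ins built on malloc/calloc, the fit check in `grow_string` is an assumption beyond what the patch does, and the command string is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t CHAR16;              /* stand-in for the UEFI type */

/* Bytes in a NUL-terminated CHAR16 string, terminator included
   (the same contract as the StrSize call in the patch). */
size_t str_size16(const CHAR16 *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return (n + 1) * sizeof(CHAR16);
}

/* Model of AllocateCopyPool(AllocationSize, Buffer): it reads
   AllocationSize bytes from Buffer no matter how large Buffer is, so it is
   only safe when AllocationSize <= the real size of Buffer. */
void *alloc_copy_pool_model(size_t alloc_size, const void *buf) {
    void *p = malloc(alloc_size);
    if (p != NULL) memcpy(p, buf, alloc_size);
    return p;
}

/* Growing a string safely: allocate new_size zeroed bytes, then copy only
   the bytes the source really holds. Returns NULL when the source would
   not fit (hypothetical extra check) or when allocation fails. */
CHAR16 *grow_string(const CHAR16 *src, size_t new_size) {
    size_t src_size = str_size16(src);
    if (src_size > new_size) return NULL;
    CHAR16 *dst = calloc(1, new_size);
    if (dst != NULL) memcpy(dst, src, src_size);
    return dst;
}

/* Constructed sample command line: 6 characters + terminator = 14 bytes. */
const CHAR16 kCmd[] = { 'l', 's', ' ', '%', 'p', '%', 0 };

int main(void) {
    /* alloc_copy_pool_model(64, kCmd) would read 50 bytes past kCmd. */
    CHAR16 *grown = grow_string(kCmd, 64);
    CHAR16 *same = alloc_copy_pool_model(sizeof kCmd, kCmd); /* exact size */
    printf("source=%zu bytes, grown ok=%d, too small=%d\n", str_size16(kCmd),
           grown != NULL, grow_string(kCmd, 4) != NULL);
    free(grown);
    free(same);
    return 0;
}
```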