From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"mikuback@linux.microsoft.com" <mikuback@linux.microsoft.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: "Feng, Bob C" <bob.c.feng@intel.com>,
"Gao, Liming" <gaoliming@byosoft.com.cn>,
Sean Brogan <sean.brogan@microsoft.com>,
"Chen, Christine" <yuwei.chen@intel.com>
Subject: Re: [edk2-devel] [PATCH v1 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites
Date: Thu, 24 Nov 2022 01:32:46 +0000 [thread overview]
Message-ID: <CO1PR11MB49298D9C0EA2B9043A7AA761D20F9@CO1PR11MB4929.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20221109173246.174-4-mikuback@linux.microsoft.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael Kubacki
> Sent: Wednesday, November 9, 2022 9:33 AM
> To: devel@edk2.groups.io
> Cc: Feng, Bob C <bob.c.feng@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Sean Brogan <sean.brogan@microsoft.com>; Chen, Christine <yuwei.chen@intel.com>
> Subject: [edk2-devel] [PATCH v1 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites
>
> From: Michael Kubacki <michael.kubacki@microsoft.com>
>
> While more portable methods exist to handle these cases, this change
> does not attempt to do more than fix the immediate problem and
> follow the conventions already established in this code.
>
> `snprintf()` is introduced as the minimum improvement apart from
> making the buffers larger.
>
> Fixes the following CodeQL alerts:
>
> 1. Failure on line 2339 in
> BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c
>
> - Type: Potentially overrunning write
> - Severity: Critical
> - Problem: This 'call to sprintf' operation requires 17 bytes but
> the destination is only 16 bytes.
>
> 2. Failure on line 2341 in
> BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c
>
> - Type: Potentially overrunning write
> - Severity: Critical
> - Problem: This 'call to sprintf' operation requires 17 bytes but
> the destination is only 16 bytes.
>
> 3. Failure on line 1309 in
> BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c
>
> - Type: Potentially overrunning write
> - Severity: Critical
> - Problem: This 'call to sprintf' operation requires 25 bytes but
> the destination is only 20 bytes.
>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
> BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c | 10 +++++-----
> BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c | 4 ++--
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c b/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c
> index 8e41239f4751..33d9cac4c7de 100644
> --- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c
> +++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c
> @@ -2331,14 +2331,14 @@ TokNode *p;
> set_nameErrSet = bufErrSet; /* MR23 */
> }
> else { /* wild card */
> - static char buf[sizeof("zzerr")+10];
> - static char bufErrSet[sizeof("zzerr")+10];
> + static char buf[sizeof("zzerr")+11];
> + static char bufErrSet[sizeof("zzerr")+11];
> int n = DefErrSet( &b, 0, NULL );
> int nErrSet = DefErrSetWithSuffix(0, &bErrSet, 1, NULL, "_set");
> - if ( GenCC ) sprintf(buf, "err%d", n);
> - else sprintf(buf, "zzerr%d", n);
> + if ( GenCC ) snprintf(buf, 11, "err%d", n);
> + else snprintf(buf, 11, "zzerr%d", n);
> if ( GenCC ) sprintf(bufErrSet, "err%d", nErrSet);
> - else sprintf(bufErrSet, "zzerr%d", nErrSet);
> + else snprintf(bufErrSet, 11, "zzerr%d", nErrSet);
> set_name = buf;
> set_nameErrSet = bufErrSet;
> }
> diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c b/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c
> index 051ee4ec5d28..488b4b90461c 100644
> --- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c
> +++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c
> @@ -1295,7 +1295,7 @@ int token;
> #endif
> {
> int j;
> - static char imag_name[20];
> + static char imag_name[25];
>
> /* look in all lexclasses for the token */
> if ( TokenString(token) != NULL ) return TokenString(token);
> @@ -1306,7 +1306,7 @@ int token;
> }
>
> if (1) {
> - sprintf(imag_name,"UnknownToken#%d",token); /* MR13 */
> + snprintf(imag_name, 25, "UnknownToken#%d", token); /* MR13 */
> return imag_name; /* MR13 */
> }
>
> --
> 2.28.0.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#96149): https://edk2.groups.io/g/devel/message/96149
> Mute This Topic: https://groups.io/mt/94918087/1643496
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [michael.d.kinney@intel.com]
> -=-=-=-=-=-=
>
next prev parent reply other threads:[~2022-11-24 1:33 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-09 17:32 [PATCH v1 00/12] Enable New CodeQL Queries Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 01/12] MdeModulePkg/SmbiosDxe: Fix pointer and buffer overflow CodeQL alerts Michael Kubacki
2022-11-24 1:28 ` [edk2-devel] " Michael D Kinney
2022-11-24 1:46 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 02/12] BaseTools/PatchCheck.py: Add PCCTS to tab exemption list Michael Kubacki
2022-11-24 1:30 ` Michael D Kinney
2022-11-09 17:32 ` [PATCH v1 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites Michael Kubacki
2022-11-24 1:32 ` Michael D Kinney [this message]
2022-11-09 17:32 ` [PATCH v1 04/12] CryptoPkg: Fix conditionally uninitialized variable Michael Kubacki
2022-11-24 1:37 ` [edk2-devel] " Michael D Kinney
2022-11-24 1:47 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 05/12] MdeModulePkg: Fix conditionally uninitialized variables Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 06/12] MdePkg: " Michael Kubacki
2022-11-24 1:53 ` Michael D Kinney
2022-11-24 1:59 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 07/12] NetworkPkg: " Michael Kubacki
2022-11-24 1:59 ` Michael D Kinney
2022-11-09 17:32 ` [PATCH v1 08/12] PcAtChipsetPkg: " Michael Kubacki
2022-11-24 2:00 ` Michael D Kinney
2022-11-24 5:01 ` Ni, Ray
2022-11-09 17:32 ` [PATCH v1 09/12] ShellPkg: " Michael Kubacki
2022-11-24 2:19 ` Gao, Zhichao
2022-11-24 2:36 ` [edk2-devel] " Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 10/12] UefiCpuPkg: " Michael Kubacki
2022-11-24 2:04 ` [edk2-devel] " Michael D Kinney
2022-11-24 2:14 ` Michael Kubacki
2022-11-24 2:31 ` Michael D Kinney
2022-11-24 5:12 ` Ni, Ray
2022-11-28 22:50 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 11/12] .github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries Michael Kubacki
2022-11-24 2:05 ` [edk2-devel] " Michael D Kinney
2022-11-09 17:32 ` [PATCH v1 12/12] .github/codeql/edk2.qls: Enable CWE 120, 787, and 805 queries Michael Kubacki
2022-11-24 2:06 ` Michael D Kinney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CO1PR11MB49298D9C0EA2B9043A7AA761D20F9@CO1PR11MB4929.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox