* [PATCH V6 0/1] Disable safe string constraint assertions
@ 2020-05-14 9:25 Vitaly Cheptsov
2020-05-14 9:25 ` [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks Vitaly Cheptsov
2020-05-14 11:33 ` [edk2-devel] [PATCH V6 0/1] Disable safe string constraint assertions Ard Biesheuvel
0 siblings, 2 replies; 15+ messages in thread
From: Vitaly Cheptsov @ 2020-05-14 9:25 UTC (permalink / raw)
To: devel
Cc: Andrew Fish, Ard Biesheuvel, Bret Barkelew, Brian J . Johnson,
Chasel Chiu, Jordan Justen, Laszlo Ersek, Leif Lindholm,
Liming Gao, Marvin Häuser, Mike Kinney, Vincent Zimmer,
Zhichao Gao
CC: Andrew Fish <afish@apple.com>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
CC: Bret Barkelew <bret.barkelew@microsoft.com>
CC: Brian J. Johnson <brian.johnson@hpe.com>
CC: Chasel Chiu <chasel.chiu@intel.com>
CC: Jordan Justen <jordan.l.justen@intel.com>
CC: Laszlo Ersek <lersek@redhat.com>
CC: Leif Lindholm <leif@nuviainc.com>
CC: Liming Gao <liming.gao@intel.com>
CC: Marvin Häuser <mhaeuser@outlook.de>
CC: Mike Kinney <michael.d.kinney@intel.com>
CC: Vincent Zimmer <vincent.zimmer@intel.com>
CC: Zhichao Gao <zhichao.gao@intel.com>
Current implementation of SafeString does not let one parse untrusted
data with its interfaces as they ASSERT on failing runtime checks and
require one to effectively reimplement the function on the caller side.
All the former proposals made it clear that the attempts to introduce
a solution preserving this behaviour require a lot of changes
throughout the codebase including platform code (e.g. introducing
constraint assertions and updating all DebugLib implementations)
or require all sorts of hacks.
Since the original code has roughly no benefit except in some very
special cases and the effort required to preserve it is very high,
I propose to remove it as agreed on with several other parties.
Please note, that this patch does not change the behaviour of the
functions in RELEASE builds. I.e. they will still check for NULL
and return RETURN_INVALID_PARAMETER. In the future we may (or may
not) want them to simply ASSERT in this case. Regardless this should
be done in a separate BZ entry and a separate commit. For this reason
I ask everyone not to touch this subject.
Due to the amount of discussion this has already undergone after
almost a year I kindly request everyone to reduce the communication
to the minimum and abstain from proposing another approach.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2054
Requesting to merge this into edk2-stable202005.
Vitaly Cheptsov (1):
MdePkg: Fix SafeString performing assertions on runtime checks
MdePkg/Include/Library/BaseLib.h | 120 ++------------------
MdePkg/Library/BaseLib/SafeString.c | 80 -------------
2 files changed, 7 insertions(+), 193 deletions(-)
--
2.24.2 (Apple Git-127)
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 9:25 [PATCH V6 0/1] Disable safe string constraint assertions Vitaly Cheptsov
@ 2020-05-14 9:25 ` Vitaly Cheptsov
2020-05-14 13:35 ` Laszlo Ersek
2020-05-14 16:38 ` [edk2-devel] " Michael D Kinney
2020-05-14 11:33 ` [edk2-devel] [PATCH V6 0/1] Disable safe string constraint assertions Ard Biesheuvel
1 sibling, 2 replies; 15+ messages in thread
From: Vitaly Cheptsov @ 2020-05-14 9:25 UTC (permalink / raw)
To: devel
Cc: Andrew Fish, Ard Biesheuvel, Bret Barkelew, Brian J . Johnson,
Chasel Chiu, Jordan Justen, Laszlo Ersek, Leif Lindholm,
Liming Gao, Marvin Häuser, Mike Kinney, Vincent Zimmer,
Zhichao Gao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2054
Runtime checks returned via status return code should not work as
assertions to permit parsing not trusted data with SafeString
interfaces.
CC: Andrew Fish <afish@apple.com>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
CC: Bret Barkelew <bret.barkelew@microsoft.com>
CC: Brian J. Johnson <brian.johnson@hpe.com>
CC: Chasel Chiu <chasel.chiu@intel.com>
CC: Jordan Justen <jordan.l.justen@intel.com>
CC: Laszlo Ersek <lersek@redhat.com>
CC: Leif Lindholm <leif@nuviainc.com>
CC: Liming Gao <liming.gao@intel.com>
CC: Marvin Häuser <mhaeuser@outlook.de>
CC: Mike Kinney <michael.d.kinney@intel.com>
CC: Vincent Zimmer <vincent.zimmer@intel.com>
CC: Zhichao Gao <zhichao.gao@intel.com>
Signed-off-by: Vitaly Cheptsov <vit9696@protonmail.com>
---
MdePkg/Include/Library/BaseLib.h | 120 ++------------------
MdePkg/Library/BaseLib/SafeString.c | 80 -------------
2 files changed, 7 insertions(+), 193 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
index ecadff8b23..62dc3151bc 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -189,7 +189,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit boundary, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -225,7 +224,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a 16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -263,7 +261,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit boundary, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -303,7 +300,6 @@ StrCatS (
If Destination is not aligned on a 16-bit boundary, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -350,12 +346,7 @@ StrnCatS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
@@ -406,12 +397,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
@@ -467,12 +453,7 @@ StrDecimalToUint64S (
the first character that is a not a valid hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
@@ -528,12 +509,7 @@ StrHexToUintnS (
the first character that is a not a valid hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
@@ -622,8 +598,6 @@ AsciiStrnSizeS (
This function is similar as strcpy_s defined in C11.
- If an error would be returned, then the function will also ASSERT().
-
If an error is returned, then the Destination is unmodified.
@param Destination A pointer to a Null-terminated Ascii string.
@@ -656,8 +630,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in C11.
- If an error would be returned, then the function will also ASSERT().
-
If an error is returned, then the Destination is unmodified.
@param Destination A pointer to a Null-terminated Ascii string.
@@ -692,8 +664,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in C11.
- If an error would be returned, then the function will also ASSERT().
-
If an error is returned, then the Destination is unmodified.
@param Destination A pointer to a Null-terminated Ascii string.
@@ -730,8 +700,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in C11.
- If an error would be returned, then the function will also ASSERT().
-
If an error is returned, then the Destination is unmodified.
@param Destination A pointer to a Null-terminated Ascii string.
@@ -777,12 +745,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINTN, then
@@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINT64, then
@@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINTN, then
@@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINT64, then
@@ -1506,16 +1450,8 @@ StrHexToUint64 (
"::" can be used to compress one or more groups of X when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
-
If EndPointer is not NULL and Address is translated from String, a pointer
to the character that stopped the scan is stored at the location pointed to
by EndPointer.
@@ -1567,15 +1503,10 @@ StrToIpv6Address (
When /P is in the String, the function stops at the first character that is not
a valid decimal digit character after P is converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary, then ASSERT().
If PcdMaximumUnicodeStringLength is not zero, and String contains more than
PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If EndPointer is not NULL and Address is translated from String, a pointer
to the character that stopped the scan is stored at the location pointed to
@@ -1640,8 +1571,6 @@ StrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
@param String Pointer to a Null-terminated Unicode string.
@@ -1676,17 +1605,6 @@ StrToGuid (
If String is not aligned in a 16-bit boundary, then ASSERT().
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumUnicodeStringLength is not zero and Length is greater than
- PcdMaximumUnicodeStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then ASSERT().
-
@param String Pointer to a Null-terminated Unicode string.
@param Length The number of Unicode characters to decode.
@param Buffer Pointer to the converted bytes array.
@@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
bits of each Unicode character. The function terminates the Ascii string
Destination by appending a Null-terminator character at the end.
- The caller is responsible to make sure Destination points to a buffer with size
- equal or greater than ((StrLen (Source) + 1) * sizeof (CHAR8)) in bytes.
+ The caller is responsible to make sure Destination points to a buffer with
+ size not smaller than ((MIN(StrLen(Source), Length) + 1) * sizeof (CHAR8))
+ in bytes.
If any Unicode characters in Source contain non-zero value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
- If an error is returned, then the Destination is unmodified.
+ If an error is returned, then Destination and DestinationLength are
+ unmodified.
@param Source The pointer to a Null-terminated Unicode string.
@param Length The maximum number of Unicode characters to
convert.
@param Destination The pointer to a Null-terminated Ascii string.
- @param DestMax The maximum number of Destination Ascii
- char, including terminating null char.
+ @param DestMax The maximum number of Destination Ascii char,
+ including terminating null char.
@param DestinationLength The number of Unicode characters converted.
@retval RETURN_SUCCESS String is converted.
@@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
"::" can be used to compress one or more groups of X when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is translated from String, a pointer
to the character that stopped the scan is stored at the location pointed to
by EndPointer.
@@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at the first character that is not
a valid decimal digit character after P is converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is translated from String, a pointer
to the character that stopped the scan is stored at the location pointed to
by EndPointer.
@@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a Null-terminated ASCII string.
@param Guid Pointer to the converted GUID.
@@ -2541,17 +2448,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then ASSERT().
-
@param String Pointer to a Null-terminated ASCII string.
@param Length The number of ASCII characters to decode.
@param Buffer Pointer to the converted bytes array.
@@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
equal or greater than ((AsciiStrLen (Source) + 1) * sizeof (CHAR16)) in bytes.
If Destination is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof (CHAR8)) in bytes.
If Destination is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then Destination and DestinationLength are
unmodified.
diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c
index 7dc03d2caa..1db42abb05 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -14,7 +14,6 @@
#define SAFE_STRING_CONSTRAINT_CHECK(Expression, Status) \
do { \
- ASSERT (Expression); \
if (!(Expression)) { \
return Status; \
} \
@@ -197,7 +196,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit boundary, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -279,7 +277,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a 16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -372,7 +369,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit boundary, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -473,7 +469,6 @@ StrCatS (
If Destination is not aligned on a 16-bit boundary, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -590,12 +585,7 @@ StrnCatS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
@@ -705,12 +695,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
@@ -825,12 +810,7 @@ StrDecimalToUint64S (
the first character that is a not a valid hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
@@ -956,12 +936,7 @@ StrHexToUintnS (
the first character that is a not a valid hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary, then ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and String contains more than
- PcdMaximumUnicodeStringLength Unicode characters, not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
@@ -1856,8 +1831,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in C11.
- If an error would be returned, then the function will also ASSERT().
-
If an error is returned, then the Destination is unmodified.
@param Destination A pointer to a Null-terminated Ascii string.
@@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in C11.
- If an error would be returned, then the function will also ASSERT().
-
If an error is returned, then the Destination is unmodified.
@param Destination A pointer to a Null-terminated Ascii string.
@@ -2040,8 +2011,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in C11.
- If an error would be returned, then the function will also ASSERT().
-
If an error is returned, then the Destination is unmodified.
@param Destination A pointer to a Null-terminated Ascii string.
@@ -2154,12 +2123,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINTN, then
@@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first character that is a not a
valid decimal character or a Null-terminator, whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINT64, then
@@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINTN, then
@@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the range defined by UINT64, then
@@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then the Destination is unmodified.
@@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
If any Unicode characters in Source contain non-zero value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then Destination and DestinationLength are
unmodified.
@@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof (CHAR8)) in bytes.
If Destination is not aligned on a 16-bit boundary, then ASSERT().
- If an error would be returned, then the function will also ASSERT().
If an error is returned, then Destination and DestinationLength are
unmodified.
@@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
"::" can be used to compress one or more groups of X when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is translated from String, a pointer
to the character that stopped the scan is stored at the location pointed to
by EndPointer.
@@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at the first character that is not
a valid decimal digit character after P is converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is translated from String, a pointer
to the character that stopped the scan is stored at the location pointed to
by EndPointer.
@@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a Null-terminated ASCII string.
@param Guid Pointer to the converted GUID.
@@ -3550,17 +3481,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then ASSERT().
-
@param String Pointer to a Null-terminated ASCII string.
@param Length The number of ASCII characters to decode.
@param Buffer Pointer to the converted bytes array.
--
2.24.2 (Apple Git-127)
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [edk2-devel] [PATCH V6 0/1] Disable safe string constraint assertions
2020-05-14 9:25 [PATCH V6 0/1] Disable safe string constraint assertions Vitaly Cheptsov
2020-05-14 9:25 ` [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks Vitaly Cheptsov
@ 2020-05-14 11:33 ` Ard Biesheuvel
1 sibling, 0 replies; 15+ messages in thread
From: Ard Biesheuvel @ 2020-05-14 11:33 UTC (permalink / raw)
To: devel, cheptsov
Cc: Andrew Fish, Ard Biesheuvel, Bret Barkelew, Brian J . Johnson,
Chasel Chiu, Jordan Justen, Laszlo Ersek, Leif Lindholm,
Liming Gao, Marvin Häuser, Mike Kinney, Vincent Zimmer,
Zhichao Gao
On 5/14/20 11:25 AM, Vitaly Cheptsov via groups.io wrote:
> CC: Andrew Fish <afish@apple.com>
> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> CC: Bret Barkelew <bret.barkelew@microsoft.com>
> CC: Brian J. Johnson <brian.johnson@hpe.com>
> CC: Chasel Chiu <chasel.chiu@intel.com>
> CC: Jordan Justen <jordan.l.justen@intel.com>
> CC: Laszlo Ersek <lersek@redhat.com>
> CC: Leif Lindholm <leif@nuviainc.com>
> CC: Liming Gao <liming.gao@intel.com>
> CC: Marvin Häuser <mhaeuser@outlook.de>
> CC: Mike Kinney <michael.d.kinney@intel.com>
> CC: Vincent Zimmer <vincent.zimmer@intel.com>
> CC: Zhichao Gao <zhichao.gao@intel.com>
>
> Current implementation of SafeString does not let one parse untrusted
> data with its interfaces as they ASSERT on failing runtime checks and
> require one to effectively reimplement the function on the caller side.
>
> All the former proposals made it clear that the attempts to introduce
> a solution preserving this behaviour require a lot of changes
> throughout the codebase including platform code (e.g. introducing
> constraint assertions and updating all DebugLib implementations)
> or require all sorts of hacks.
>
> Since the original code has roughly no benefit except in some very
> special cases and the effort required to preserve it is very high,
> I propose to remove it as agreed on with several other parties.
>
> Please note, that this patch does not change the behaviour of the
> functions in RELEASE builds. I.e. they will still check for NULL
> and return RETURN_INVALID_PARAMETER. In the future we may (or may
> not) want them to simply ASSERT in this case. Regardless this should
> be done in a separate BZ entry and a separate commit. For this reason
> I ask everyone not to touch this subject.
>
> Due to the amount of discussion this has already undergone after
> almost a year I kindly request everyone to reduce the communication
> to the minimum and abstain from proposing another approach.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>
> Requesting to merge this into edk2-stable202005.
>
> Vitaly Cheptsov (1):
> MdePkg: Fix SafeString performing assertions on runtime checks
>
> MdePkg/Include/Library/BaseLib.h | 120 ++------------------
> MdePkg/Library/BaseLib/SafeString.c | 80 -------------
> 2 files changed, 7 insertions(+), 193 deletions(-)
>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 9:25 ` [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks Vitaly Cheptsov
@ 2020-05-14 13:35 ` Laszlo Ersek
2020-05-14 16:38 ` [edk2-devel] " Michael D Kinney
1 sibling, 0 replies; 15+ messages in thread
From: Laszlo Ersek @ 2020-05-14 13:35 UTC (permalink / raw)
To: Vitaly Cheptsov, devel
Cc: Andrew Fish, Ard Biesheuvel, Bret Barkelew, Brian J . Johnson,
Chasel Chiu, Jordan Justen, Leif Lindholm, Liming Gao,
Marvin Häuser, Mike Kinney, Vincent Zimmer, Zhichao Gao
On 05/14/20 11:25, Vitaly Cheptsov wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>
> Runtime checks returned via status return code should not work as
> assertions to permit parsing not trusted data with SafeString
> interfaces.
>
> CC: Andrew Fish <afish@apple.com>
> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> CC: Bret Barkelew <bret.barkelew@microsoft.com>
> CC: Brian J. Johnson <brian.johnson@hpe.com>
> CC: Chasel Chiu <chasel.chiu@intel.com>
> CC: Jordan Justen <jordan.l.justen@intel.com>
> CC: Laszlo Ersek <lersek@redhat.com>
> CC: Leif Lindholm <leif@nuviainc.com>
> CC: Liming Gao <liming.gao@intel.com>
> CC: Marvin Häuser <mhaeuser@outlook.de>
> CC: Mike Kinney <michael.d.kinney@intel.com>
> CC: Vincent Zimmer <vincent.zimmer@intel.com>
> CC: Zhichao Gao <zhichao.gao@intel.com>
> Signed-off-by: Vitaly Cheptsov <vit9696@protonmail.com>
> ---
> MdePkg/Include/Library/BaseLib.h | 120 ++------------------
> MdePkg/Library/BaseLib/SafeString.c | 80 -------------
> 2 files changed, 7 insertions(+), 193 deletions(-)
This patch is a lot harder to review than it initially seems, for two
reasons:
- The existent comment blocks on the functions are absolutely huge.
- The comment blocks are duplicated between the lib class header and the
implementation.
Therefore, I reviewed this patch as follows: displayed the lib class
header diff to the left with 40 lines of context, displayed the
implementation diff to the right (with 40 lines of context again), and
compared those. I also made an effor to check whether the code behavior
would be in sync with the updated comments.
I'm not going to quote any context from the patch, because the context
is too small for helping me convey my points; I'll just list my remarks.
(1) The comment update on AsciiStrCpyS() only covers the header, the
implementation's comment was missed.
(2) Ditto for StrToIpv6Address().
(3) Ditto for StrToIpv4Address().
(4) Even in the lib class header, the leading comment on
StrToIpv4Address() is not updated correctly. The third ASSERT()
paragraph that's being removed (referencing
PcdMaximumUnicodeStringLength) is not fully removed; only its last line
is removed.
(5) The comment update on StrToGuid() only covers the header, the
implementation's comment was missed.
(6) Ditto for StrHexToBytes().
(7) Regarding the UnicodeStrnToAsciiStrS() function, the comment updates
between lib class header and implementation are inconsistent. Namely,
the header file also received such comment updates that:
(7aa) are semantic fixes (not related to whether we assert a particular
condition or not), such as "MIN", and near "DestinationLength",
(7b) are indentation / wrapping updates (near DestMax").
While these comment updates may be valid too, they should be split to
separate patches.
(8) The comment update on AsciiStrToUnicodeStrS() only covers the
header, the implementation's comment was missed.
Thanks
Laszlo
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 9:25 ` [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks Vitaly Cheptsov
2020-05-14 13:35 ` Laszlo Ersek
@ 2020-05-14 16:38 ` Michael D Kinney
2020-05-14 17:39 ` Vitaly Cheptsov
1 sibling, 1 reply; 15+ messages in thread
From: Michael D Kinney @ 2020-05-14 16:38 UTC (permalink / raw)
To: devel@edk2.groups.io, cheptsov@ispras.ru, Kinney, Michael D
Cc: Andrew Fish, Ard Biesheuvel, Bret Barkelew, Brian J . Johnson,
Chiu, Chasel, Justen, Jordan L, Laszlo Ersek, Leif Lindholm,
Gao, Liming, Marvin Häuser, Zimmer, Vincent, Gao, Zhichao
Why preserve the ASSERT()s for an a Unicode strings
that are not aligned in a 16-bit boundary?
This is essentially the same as an invalid pointer value
just like NULL. If NULL pointer returns an error code,
shouldn't and invalid pointer value?
Thanks,
Mike
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On
> Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 2:26 AM
> To: devel@edk2.groups.io
> Cc: Andrew Fish <afish@apple.com>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org>; Bret Barkelew
> <bret.barkelew@microsoft.com>; Brian J . Johnson
> <brian.johnson@hpe.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Laszlo Ersek
> <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>;
> Gao, Liming <liming.gao@intel.com>; Marvin Häuser
> <mhaeuser@outlook.de>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Gao, Zhichao
> <zhichao.gao@intel.com>
> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> REF:
> https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>
>
>
>
>
> Runtime checks returned via status return code should
> not work as
>
>
> assertions to permit parsing not trusted data with
> SafeString
>
>
> interfaces.
>
>
>
>
>
> CC: Andrew Fish <afish@apple.com>
>
>
> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>
>
> CC: Bret Barkelew <bret.barkelew@microsoft.com>
>
>
> CC: Brian J. Johnson <brian.johnson@hpe.com>
>
>
> CC: Chasel Chiu <chasel.chiu@intel.com>
>
>
> CC: Jordan Justen <jordan.l.justen@intel.com>
>
>
> CC: Laszlo Ersek <lersek@redhat.com>
>
>
> CC: Leif Lindholm <leif@nuviainc.com>
>
>
> CC: Liming Gao <liming.gao@intel.com>
>
>
> CC: Marvin Häuser <mhaeuser@outlook.de>
>
>
> CC: Mike Kinney <michael.d.kinney@intel.com>
>
>
> CC: Vincent Zimmer <vincent.zimmer@intel.com>
>
>
> CC: Zhichao Gao <zhichao.gao@intel.com>
>
>
> Signed-off-by: Vitaly Cheptsov <vit9696@protonmail.com>
>
>
> ---
>
>
> MdePkg/Include/Library/BaseLib.h | 120 ++----------
> --------
>
>
> MdePkg/Library/BaseLib/SafeString.c | 80 ------------
> -
>
>
> 2 files changed, 7 insertions(+), 193 deletions(-)
>
>
>
>
>
> diff --git a/MdePkg/Include/Library/BaseLib.h
> b/MdePkg/Include/Library/BaseLib.h
>
>
> index ecadff8b23..62dc3151bc 100644
>
>
> --- a/MdePkg/Include/Library/BaseLib.h
>
>
> +++ b/MdePkg/Include/Library/BaseLib.h
>
>
> @@ -189,7 +189,6 @@ StrnSizeS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -225,7 +224,6 @@ StrCpyS (
>
>
>
>
>
> If Length > 0 and Destination is not aligned on a
> 16-bit boundary, then ASSERT().
>
>
> If Length > 0 and Source is not aligned on a 16-bit
> boundary, then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -263,7 +261,6 @@ StrnCpyS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -303,7 +300,6 @@ StrCatS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -350,12 +346,7 @@ StrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -406,12 +397,7 @@ StrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -467,12 +453,7 @@ StrDecimalToUint64S (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -528,12 +509,7 @@ StrHexToUintnS (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -622,8 +598,6 @@ AsciiStrnSizeS (
>
>
>
>
>
> This function is similar as strcpy_s defined in C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -656,8 +630,6 @@ AsciiStrCpyS (
>
>
>
>
>
> This function is similar as strncpy_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -692,8 +664,6 @@ AsciiStrnCpyS (
>
>
>
>
>
> This function is similar as strcat_s defined in C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -730,8 +700,6 @@ AsciiStrCatS (
>
>
>
>
>
> This function is similar as strncat_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -777,12 +745,6 @@ AsciiStrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -1506,16 +1450,8 @@ StrHexToUint64 (
>
>
> "::" can be used to compress one or more groups of X
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
>
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is translated
> from String, a pointer
>
>
> to the character that stopped the scan is stored at
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -1567,15 +1503,10 @@ StrToIpv6Address (
>
>
> When /P is in the String, the function stops at the
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
>
>
>
> If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If EndPointer is not NULL and Address is translated
> from String, a pointer
>
>
> to the character that stopped the scan is stored at
> the location pointed to
>
>
> @@ -1640,8 +1571,6 @@ StrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
>
>
>
> @param String Pointer to a Null-
> terminated Unicode string.
>
>
> @@ -1676,17 +1605,6 @@ StrToGuid (
>
>
>
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumUnicodeStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumUnicodeStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a Null-
> terminated Unicode string.
>
>
> @param Length The number of
> Unicode characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
>
>
> the upper 8 bits, then ASSERT().
>
>
>
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
>
>
> bits of each Unicode character. The function
> terminates the Ascii string
>
>
> Destination by appending a Null-terminator character
> at the end.
>
>
>
>
>
> - The caller is responsible to make sure Destination
> points to a buffer with size
>
>
> - equal or greater than ((StrLen (Source) + 1) *
> sizeof (CHAR8)) in bytes.
>
>
> + The caller is responsible to make sure Destination
> points to a buffer with
>
>
> + size not smaller than ((MIN(StrLen(Source), Length)
> + 1) * sizeof (CHAR8))
>
>
> + in bytes.
>
>
>
>
>
> If any Unicode characters in Source contain non-zero
> value in the upper 8
>
>
> bits, then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> - If an error is returned, then the Destination is
> unmodified.
>
>
> + If an error is returned, then Destination and
> DestinationLength are
>
>
> + unmodified.
>
>
>
>
>
> @param Source The pointer to a Null-
> terminated Unicode string.
>
>
> @param Length The maximum number of
> Unicode characters to
>
>
> convert.
>
>
> @param Destination The pointer to a Null-
> terminated Ascii string.
>
>
> - @param DestMax The maximum number of
> Destination Ascii
>
>
> - char, including
> terminating null char.
>
>
> + @param DestMax The maximum number of
> Destination Ascii char,
>
>
> + including terminating
> null char.
>
>
> @param DestinationLength The number of Unicode
> characters converted.
>
>
>
>
>
> @retval RETURN_SUCCESS String is
> converted.
>
>
> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
>
>
> "::" can be used to compress one or more groups of X
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is translated
> from String, a pointer
>
>
> to the character that stopped the scan is stored at
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
>
>
> When /P is in the String, the function stops at the
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is translated
> from String, a pointer
>
>
> to the character that stopped the scan is stored at
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> -
>
>
> @param String Pointer to a Null-
> terminated ASCII string.
>
>
> @param Guid Pointer to the
> converted GUID.
>
>
>
>
>
> @@ -2541,17 +2448,6 @@ AsciiStrToGuid (
>
>
> decoding stops after Length of characters and
> outputs Buffer containing
>
>
> (Length / 2) bytes.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumAsciiStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumAsciiStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a Null-
> terminated ASCII string.
>
>
> @param Length The number of ASCII
> characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
>
>
> equal or greater than ((AsciiStrLen (Source) + 1) *
> sizeof (CHAR16)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
>
>
> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> (CHAR8)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> diff --git a/MdePkg/Library/BaseLib/SafeString.c
> b/MdePkg/Library/BaseLib/SafeString.c
>
>
> index 7dc03d2caa..1db42abb05 100644
>
>
> --- a/MdePkg/Library/BaseLib/SafeString.c
>
>
> +++ b/MdePkg/Library/BaseLib/SafeString.c
>
>
> @@ -14,7 +14,6 @@
>
>
>
>
>
> #define SAFE_STRING_CONSTRAINT_CHECK(Expression,
> Status) \
>
>
> do { \
>
>
> - ASSERT (Expression); \
>
>
> if (!(Expression)) { \
>
>
> return Status; \
>
>
> } \
>
>
> @@ -197,7 +196,6 @@ StrnSizeS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -279,7 +277,6 @@ StrCpyS (
>
>
>
>
>
> If Length > 0 and Destination is not aligned on a
> 16-bit boundary, then ASSERT().
>
>
> If Length > 0 and Source is not aligned on a 16-bit
> boundary, then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -372,7 +369,6 @@ StrnCpyS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -473,7 +469,6 @@ StrCatS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -590,12 +585,7 @@ StrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -705,12 +695,7 @@ StrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -825,12 +810,7 @@ StrDecimalToUint64S (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -956,12 +936,7 @@ StrHexToUintnS (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary, then
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -1856,8 +1831,6 @@ AsciiStrCpyS (
>
>
>
>
>
> This function is similar as strncpy_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
>
>
>
>
>
> This function is similar as strcat_s defined in C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -2040,8 +2011,6 @@ AsciiStrCatS (
>
>
>
>
>
> This function is similar as strncat_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -2154,12 +2123,6 @@ AsciiStrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
>
>
> the upper 8 bits, then ASSERT().
>
>
>
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
>
>
> If any Unicode characters in Source contain non-zero
> value in the upper 8
>
>
> bits, then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary, then
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
>
>
> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> (CHAR8)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit boundary,
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
>
>
> "::" can be used to compress one or more groups of X
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is translated
> from String, a pointer
>
>
> to the character that stopped the scan is stored at
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
>
>
> When /P is in the String, the function stops at the
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is translated
> from String, a pointer
>
>
> to the character that stopped the scan is stored at
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> -
>
>
> @param String Pointer to a Null-
> terminated ASCII string.
>
>
> @param Guid Pointer to the
> converted GUID.
>
>
>
>
>
> @@ -3550,17 +3481,6 @@ AsciiStrToGuid (
>
>
> decoding stops after Length of characters and
> outputs Buffer containing
>
>
> (Length / 2) bytes.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumAsciiStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumAsciiStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a Null-
> terminated ASCII string.
>
>
> @param Length The number of ASCII
> characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> --
>
>
> 2.24.2 (Apple Git-127)
>
>
>
>
>
>
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 16:38 ` [edk2-devel] " Michael D Kinney
@ 2020-05-14 17:39 ` Vitaly Cheptsov
2020-05-14 17:58 ` Michael D Kinney
0 siblings, 1 reply; 15+ messages in thread
From: Vitaly Cheptsov @ 2020-05-14 17:39 UTC (permalink / raw)
To: Kinney, Michael D
Cc: devel@edk2.groups.io, Andrew Fish, Ard Biesheuvel, Bret Barkelew,
Brian J . Johnson, Chiu, Chasel, Justen, Jordan L, Laszlo Ersek,
Leif Lindholm, Gao, Liming, Marvin Häuser, Zimmer, Vincent,
Gao, Zhichao
[-- Attachment #1: Type: text/plain, Size: 37496 bytes --]
Mike,
Firstly, NULL check and odd-address checks are essentially different things:
— NULL address is basically «no object», «optional argument» (e.g. failed allocation).
— Odd address is memory corruption, as there is no way to craft such address anyhow else.
For this reason the implementation is allowed to treat them differently.
Secondly, as I said in my cover letter there is no behaviour change here for RELEASE builds. Behaviour changes unrelated to the bugfix will have to go to a separate patch. I agree that we may want to reconsider the interface in the future, but that’s for a separate bugzilla and patch. Not discussing it currently is important to avoid diverting from the primary problem. Could create a bugzilla not to forget about it soon after the stable tag.
Best wishes,
Vitaly
> 14 мая 2020 г., в 19:38, Kinney, Michael D <michael.d.kinney@intel.com> написал(а):
>
> Why preserve the ASSERT()s for an a Unicode strings
> that are not aligned in a 16-bit boundary?
>
> This is essentially the same as an invalid pointer value
> just like NULL. If NULL pointer returns an error code,
> shouldn't and invalid pointer value?
>
> Thanks,
>
> Mike
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On
>> Behalf Of Vitaly Cheptsov
>> Sent: Thursday, May 14, 2020 2:26 AM
>> To: devel@edk2.groups.io
>> Cc: Andrew Fish <afish@apple.com>; Ard Biesheuvel
>> <ard.biesheuvel@linaro.org>; Bret Barkelew
>> <bret.barkelew@microsoft.com>; Brian J . Johnson
>> <brian.johnson@hpe.com>; Chiu, Chasel
>> <chasel.chiu@intel.com>; Justen, Jordan L
>> <jordan.l.justen@intel.com>; Laszlo Ersek
>> <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>;
>> Gao, Liming <liming.gao@intel.com>; Marvin Häuser
>> <mhaeuser@outlook.de>; Kinney, Michael D
>> <michael.d.kinney@intel.com>; Zimmer, Vincent
>> <vincent.zimmer@intel.com>; Gao, Zhichao
>> <zhichao.gao@intel.com>
>> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
>> SafeString performing assertions on runtime checks
>>
>> REF:
>> https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>>
>>
>>
>>
>>
>> Runtime checks returned via status return code should
>> not work as
>>
>>
>> assertions to permit parsing not trusted data with
>> SafeString
>>
>>
>> interfaces.
>>
>>
>>
>>
>>
>> CC: Andrew Fish <afish@apple.com>
>>
>>
>> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>>
>>
>> CC: Bret Barkelew <bret.barkelew@microsoft.com>
>>
>>
>> CC: Brian J. Johnson <brian.johnson@hpe.com>
>>
>>
>> CC: Chasel Chiu <chasel.chiu@intel.com>
>>
>>
>> CC: Jordan Justen <jordan.l.justen@intel.com>
>>
>>
>> CC: Laszlo Ersek <lersek@redhat.com>
>>
>>
>> CC: Leif Lindholm <leif@nuviainc.com>
>>
>>
>> CC: Liming Gao <liming.gao@intel.com>
>>
>>
>> CC: Marvin Häuser <mhaeuser@outlook.de>
>>
>>
>> CC: Mike Kinney <michael.d.kinney@intel.com>
>>
>>
>> CC: Vincent Zimmer <vincent.zimmer@intel.com>
>>
>>
>> CC: Zhichao Gao <zhichao.gao@intel.com>
>>
>>
>> Signed-off-by: Vitaly Cheptsov <vit9696@protonmail.com>
>>
>>
>> ---
>>
>>
>> MdePkg/Include/Library/BaseLib.h | 120 ++----------
>> --------
>>
>>
>> MdePkg/Library/BaseLib/SafeString.c | 80 ------------
>> -
>>
>>
>> 2 files changed, 7 insertions(+), 193 deletions(-)
>>
>>
>>
>>
>>
>> diff --git a/MdePkg/Include/Library/BaseLib.h
>> b/MdePkg/Include/Library/BaseLib.h
>>
>>
>> index ecadff8b23..62dc3151bc 100644
>>
>>
>> --- a/MdePkg/Include/Library/BaseLib.h
>>
>>
>> +++ b/MdePkg/Include/Library/BaseLib.h
>>
>>
>> @@ -189,7 +189,6 @@ StrnSizeS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -225,7 +224,6 @@ StrCpyS (
>>
>>
>>
>>
>>
>> If Length > 0 and Destination is not aligned on a
>> 16-bit boundary, then ASSERT().
>>
>>
>> If Length > 0 and Source is not aligned on a 16-bit
>> boundary, then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -263,7 +261,6 @@ StrnCpyS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -303,7 +300,6 @@ StrCatS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -350,12 +346,7 @@ StrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -406,12 +397,7 @@ StrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -467,12 +453,7 @@ StrDecimalToUint64S (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -528,12 +509,7 @@ StrHexToUintnS (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -622,8 +598,6 @@ AsciiStrnSizeS (
>>
>>
>>
>>
>>
>> This function is similar as strcpy_s defined in C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -656,8 +630,6 @@ AsciiStrCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strncpy_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -692,8 +664,6 @@ AsciiStrnCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strcat_s defined in C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -730,8 +700,6 @@ AsciiStrCatS (
>>
>>
>>
>>
>>
>> This function is similar as strncat_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -777,12 +745,6 @@ AsciiStrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -1506,16 +1450,8 @@ StrHexToUint64 (
>>
>>
>> "::" can be used to compress one or more groups of X
>> when X contains only 0.
>>
>>
>> The "::" can only appear once in the String.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -1567,15 +1503,10 @@ StrToIpv6Address (
>>
>>
>> When /P is in the String, the function stops at the
>> first character that is not
>>
>>
>> a valid decimal digit character after P is
>> converted.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> @@ -1640,8 +1571,6 @@ StrToIpv4Address (
>>
>>
>> oo Data4[48:55]
>>
>>
>> pp Data4[56:63]
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Guid is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> @param String Pointer to a Null-
>> terminated Unicode string.
>>
>>
>> @@ -1676,17 +1605,6 @@ StrToGuid (
>>
>>
>>
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Buffer is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Length is not multiple of 2, then ASSERT().
>>
>>
>> -
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero and
>> Length is greater than
>>
>>
>> - PcdMaximumUnicodeStringLength, then ASSERT().
>>
>>
>> -
>>
>>
>> - If MaxBufferSize is less than (Length / 2), then
>> ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated Unicode string.
>>
>>
>> @param Length The number of
>> Unicode characters to decode.
>>
>>
>> @param Buffer Pointer to the
>> converted bytes array.
>>
>>
>> @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
>>
>>
>> the upper 8 bits, then ASSERT().
>>
>>
>>
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
>>
>>
>> bits of each Unicode character. The function
>> terminates the Ascii string
>>
>>
>> Destination by appending a Null-terminator character
>> at the end.
>>
>>
>>
>>
>>
>> - The caller is responsible to make sure Destination
>> points to a buffer with size
>>
>>
>> - equal or greater than ((StrLen (Source) + 1) *
>> sizeof (CHAR8)) in bytes.
>>
>>
>> + The caller is responsible to make sure Destination
>> points to a buffer with
>>
>>
>> + size not smaller than ((MIN(StrLen(Source), Length)
>> + 1) * sizeof (CHAR8))
>>
>>
>> + in bytes.
>>
>>
>>
>>
>>
>> If any Unicode characters in Source contain non-zero
>> value in the upper 8
>>
>>
>> bits, then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> - If an error is returned, then the Destination is
>> unmodified.
>>
>>
>> + If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> + unmodified.
>>
>>
>>
>>
>>
>> @param Source The pointer to a Null-
>> terminated Unicode string.
>>
>>
>> @param Length The maximum number of
>> Unicode characters to
>>
>>
>> convert.
>>
>>
>> @param Destination The pointer to a Null-
>> terminated Ascii string.
>>
>>
>> - @param DestMax The maximum number of
>> Destination Ascii
>>
>>
>> - char, including
>> terminating null char.
>>
>>
>> + @param DestMax The maximum number of
>> Destination Ascii char,
>>
>>
>> + including terminating
>> null char.
>>
>>
>> @param DestinationLength The number of Unicode
>> characters converted.
>>
>>
>>
>>
>>
>> @retval RETURN_SUCCESS String is
>> converted.
>>
>>
>> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
>>
>>
>> "::" can be used to compress one or more groups of X
>> when X contains only 0.
>>
>>
>> The "::" can only appear once in the String.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
>>
>>
>> When /P is in the String, the function stops at the
>> first character that is not
>>
>>
>> a valid decimal digit character after P is
>> converted.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
>>
>>
>> oo Data4[48:55]
>>
>>
>> pp Data4[56:63]
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Guid is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Guid Pointer to the
>> converted GUID.
>>
>>
>>
>>
>>
>> @@ -2541,17 +2448,6 @@ AsciiStrToGuid (
>>
>>
>> decoding stops after Length of characters and
>> outputs Buffer containing
>>
>>
>> (Length / 2) bytes.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Buffer is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Length is not multiple of 2, then ASSERT().
>>
>>
>> -
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero and
>> Length is greater than
>>
>>
>> - PcdMaximumAsciiStringLength, then ASSERT().
>>
>>
>> -
>>
>>
>> - If MaxBufferSize is less than (Length / 2), then
>> ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Length The number of ASCII
>> characters to decode.
>>
>>
>> @param Buffer Pointer to the
>> converted bytes array.
>>
>>
>> @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
>>
>>
>> equal or greater than ((AsciiStrLen (Source) + 1) *
>> sizeof (CHAR16)) in bytes.
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
>>
>>
>> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
>> (CHAR8)) in bytes.
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> unmodified.
>>
>>
>> diff --git a/MdePkg/Library/BaseLib/SafeString.c
>> b/MdePkg/Library/BaseLib/SafeString.c
>>
>>
>> index 7dc03d2caa..1db42abb05 100644
>>
>>
>> --- a/MdePkg/Library/BaseLib/SafeString.c
>>
>>
>> +++ b/MdePkg/Library/BaseLib/SafeString.c
>>
>>
>> @@ -14,7 +14,6 @@
>>
>>
>>
>>
>>
>> #define SAFE_STRING_CONSTRAINT_CHECK(Expression,
>> Status) \
>>
>>
>> do { \
>>
>>
>> - ASSERT (Expression); \
>>
>>
>> if (!(Expression)) { \
>>
>>
>> return Status; \
>>
>>
>> } \
>>
>>
>> @@ -197,7 +196,6 @@ StrnSizeS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -279,7 +277,6 @@ StrCpyS (
>>
>>
>>
>>
>>
>> If Length > 0 and Destination is not aligned on a
>> 16-bit boundary, then ASSERT().
>>
>>
>> If Length > 0 and Source is not aligned on a 16-bit
>> boundary, then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -372,7 +369,6 @@ StrnCpyS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -473,7 +469,6 @@ StrCatS (
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -590,12 +585,7 @@ StrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -705,12 +695,7 @@ StrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> @@ -825,12 +810,7 @@ StrDecimalToUint64S (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -956,12 +936,7 @@ StrHexToUintnS (
>>
>>
>> the first character that is a not a valid
>> hexadecimal character or NULL,
>>
>>
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> If String is not aligned in a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If PcdMaximumUnicodeStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumUnicodeStringLength Unicode characters,
>> not including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>>
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> @@ -1856,8 +1831,6 @@ AsciiStrCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strncpy_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
>>
>>
>>
>>
>>
>> This function is similar as strcat_s defined in C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -2040,8 +2011,6 @@ AsciiStrCatS (
>>
>>
>>
>>
>>
>> This function is similar as strncat_s defined in
>> C11.
>>
>>
>>
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>> -
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @param Destination A pointer to a
>> Null-terminated Ascii string.
>>
>>
>> @@ -2154,12 +2123,6 @@ AsciiStrnCatS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
>>
>>
>> be ignored. Then, the function stops at the first
>> character that is a not a
>>
>>
>> valid decimal character or a Null-terminator,
>> whichever one comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid decimal digits in the above
>> format, then 0 is stored
>>
>>
>> at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINTN, then
>>
>>
>> @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
>>
>>
>> character that is a not a valid hexadecimal
>> character or Null-terminator,
>>
>>
>> whichever on comes first.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Data is NULL, then ASSERT().
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero, and
>> String contains more than
>>
>>
>> - PcdMaximumAsciiStringLength Ascii characters, not
>> including the
>>
>>
>> - Null-terminator, then ASSERT().
>>
>>
>> -
>>
>>
>> If String has no valid hexadecimal digits in the
>> above format, then 0 is
>>
>>
>> stored at the location pointed to by Data.
>>
>>
>> If the number represented by String exceeds the
>> range defined by UINT64, then
>>
>>
>> @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
>>
>>
>> the upper 8 bits, then ASSERT().
>>
>>
>>
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then the Destination is
>> unmodified.
>>
>>
>>
>>
>>
>> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
>>
>>
>> If any Unicode characters in Source contain non-zero
>> value in the upper 8
>>
>>
>> bits, then ASSERT().
>>
>>
>> If Source is not aligned on a 16-bit boundary, then
>> ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> unmodified.
>>
>>
>> @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
>>
>>
>> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
>> (CHAR8)) in bytes.
>>
>>
>>
>>
>>
>> If Destination is not aligned on a 16-bit boundary,
>> then ASSERT().
>>
>>
>> - If an error would be returned, then the function
>> will also ASSERT().
>>
>>
>>
>>
>>
>> If an error is returned, then Destination and
>> DestinationLength are
>>
>>
>> unmodified.
>>
>>
>> @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
>>
>>
>> "::" can be used to compress one or more groups of X
>> when X contains only 0.
>>
>>
>> The "::" can only appear once in the String.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
>>
>>
>> When /P is in the String, the function stops at the
>> first character that is not
>>
>>
>> a valid decimal digit character after P is
>> converted.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Address is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> If EndPointer is not NULL and Address is translated
>> from String, a pointer
>>
>>
>> to the character that stopped the scan is stored at
>> the location pointed to
>>
>>
>> by EndPointer.
>>
>>
>> @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
>>
>>
>> oo Data4[48:55]
>>
>>
>> pp Data4[56:63]
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> - If Guid is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Guid Pointer to the
>> converted GUID.
>>
>>
>>
>>
>>
>> @@ -3550,17 +3481,6 @@ AsciiStrToGuid (
>>
>>
>> decoding stops after Length of characters and
>> outputs Buffer containing
>>
>>
>> (Length / 2) bytes.
>>
>>
>>
>>
>>
>> - If String is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Buffer is NULL, then ASSERT().
>>
>>
>> -
>>
>>
>> - If Length is not multiple of 2, then ASSERT().
>>
>>
>> -
>>
>>
>> - If PcdMaximumAsciiStringLength is not zero and
>> Length is greater than
>>
>>
>> - PcdMaximumAsciiStringLength, then ASSERT().
>>
>>
>> -
>>
>>
>> - If MaxBufferSize is less than (Length / 2), then
>> ASSERT().
>>
>>
>> -
>>
>>
>> @param String Pointer to a Null-
>> terminated ASCII string.
>>
>>
>> @param Length The number of ASCII
>> characters to decode.
>>
>>
>> @param Buffer Pointer to the
>> converted bytes array.
>>
>>
>> --
>>
>>
>> 2.24.2 (Apple Git-127)
>>
>>
>>
>>
>>
>>
>>
>
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 17:39 ` Vitaly Cheptsov
@ 2020-05-14 17:58 ` Michael D Kinney
2020-05-14 18:59 ` Vitaly Cheptsov
0 siblings, 1 reply; 15+ messages in thread
From: Michael D Kinney @ 2020-05-14 17:58 UTC (permalink / raw)
To: devel@edk2.groups.io, cheptsov@ispras.ru, Kinney, Michael D
Cc: Andrew Fish, Ard Biesheuvel, Bret Barkelew, Brian J . Johnson,
Chiu, Chasel, Justen, Jordan L, Laszlo Ersek, Leif Lindholm,
Gao, Liming, Marvin Häuser, Zimmer, Vincent, Gao, Zhichao
Vitaly,
Why do you think there is no way to craft an odd address
without memory corruption.
UINT8 ByteArray[100];
CHAR16 *String
String = (CHAR16 *)(&Array[3]);
The reason I raised the question of these other ASSERT()s
is that I thought the use case was using these safe string
APIs from a UEFI App, and the UEFI App always wants to evaluate
the return status to know if the operation was completed or
not. In build that removes all ASSERT()s, an odd address
will generate an exception on some CPU archs. Wouldn’t it
be better for the UEFI App that is already designed to handle
error return status to get an error code instead of an
exception?
Mike
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On
> Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 10:39 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com>
> Cc: devel@edk2.groups.io; Andrew Fish
> <afish@apple.com>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org>; Bret Barkelew
> <bret.barkelew@microsoft.com>; Brian J . Johnson
> <brian.johnson@hpe.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Laszlo Ersek
> <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>;
> Gao, Liming <liming.gao@intel.com>; Marvin Häuser
> <mhaeuser@outlook.de>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Gao, Zhichao
> <zhichao.gao@intel.com>
> Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> Mike,
>
> Firstly, NULL check and odd-address checks are
> essentially different things:
> — NULL address is basically «no object», «optional
> argument» (e.g. failed allocation).
> — Odd address is memory corruption, as there is no way
> to craft such address anyhow else.
> For this reason the implementation is allowed to treat
> them differently.
>
> Secondly, as I said in my cover letter there is no
> behaviour change here for RELEASE builds. Behaviour
> changes unrelated to the bugfix will have to go to a
> separate patch. I agree that we may want to reconsider
> the interface in the future, but that’s for a separate
> bugzilla and patch. Not discussing it currently is
> important to avoid diverting from the primary problem.
> Could create a bugzilla not to forget about it soon
> after the stable tag.
>
> Best wishes,
> Vitaly
>
> > 14 мая 2020 г., в 19:38, Kinney, Michael D
> <michael.d.kinney@intel.com> написал(а):
> >
> > Why preserve the ASSERT()s for an a Unicode strings
> > that are not aligned in a 16-bit boundary?
> >
> > This is essentially the same as an invalid pointer
> value
> > just like NULL. If NULL pointer returns an error
> code,
> > shouldn't and invalid pointer value?
> >
> > Thanks,
> >
> > Mike
> >
> >> -----Original Message-----
> >> From: devel@edk2.groups.io <devel@edk2.groups.io> On
> >> Behalf Of Vitaly Cheptsov
> >> Sent: Thursday, May 14, 2020 2:26 AM
> >> To: devel@edk2.groups.io
> >> Cc: Andrew Fish <afish@apple.com>; Ard Biesheuvel
> >> <ard.biesheuvel@linaro.org>; Bret Barkelew
> >> <bret.barkelew@microsoft.com>; Brian J . Johnson
> >> <brian.johnson@hpe.com>; Chiu, Chasel
> >> <chasel.chiu@intel.com>; Justen, Jordan L
> >> <jordan.l.justen@intel.com>; Laszlo Ersek
> >> <lersek@redhat.com>; Leif Lindholm
> <leif@nuviainc.com>;
> >> Gao, Liming <liming.gao@intel.com>; Marvin Häuser
> >> <mhaeuser@outlook.de>; Kinney, Michael D
> >> <michael.d.kinney@intel.com>; Zimmer, Vincent
> >> <vincent.zimmer@intel.com>; Gao, Zhichao
> >> <zhichao.gao@intel.com>
> >> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> >> SafeString performing assertions on runtime checks
> >>
> >> REF:
> >> https://bugzilla.tianocore.org/show_bug.cgi?id=2054
> >>
> >>
> >>
> >>
> >>
> >> Runtime checks returned via status return code
> should
> >> not work as
> >>
> >>
> >> assertions to permit parsing not trusted data with
> >> SafeString
> >>
> >>
> >> interfaces.
> >>
> >>
> >>
> >>
> >>
> >> CC: Andrew Fish <afish@apple.com>
> >>
> >>
> >> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> >>
> >>
> >> CC: Bret Barkelew <bret.barkelew@microsoft.com>
> >>
> >>
> >> CC: Brian J. Johnson <brian.johnson@hpe.com>
> >>
> >>
> >> CC: Chasel Chiu <chasel.chiu@intel.com>
> >>
> >>
> >> CC: Jordan Justen <jordan.l.justen@intel.com>
> >>
> >>
> >> CC: Laszlo Ersek <lersek@redhat.com>
> >>
> >>
> >> CC: Leif Lindholm <leif@nuviainc.com>
> >>
> >>
> >> CC: Liming Gao <liming.gao@intel.com>
> >>
> >>
> >> CC: Marvin Häuser <mhaeuser@outlook.de>
> >>
> >>
> >> CC: Mike Kinney <michael.d.kinney@intel.com>
> >>
> >>
> >> CC: Vincent Zimmer <vincent.zimmer@intel.com>
> >>
> >>
> >> CC: Zhichao Gao <zhichao.gao@intel.com>
> >>
> >>
> >> Signed-off-by: Vitaly Cheptsov
> <vit9696@protonmail.com>
> >>
> >>
> >> ---
> >>
> >>
> >> MdePkg/Include/Library/BaseLib.h | 120 ++--------
> --
> >> --------
> >>
> >>
> >> MdePkg/Library/BaseLib/SafeString.c | 80 ----------
> --
> >> -
> >>
> >>
> >> 2 files changed, 7 insertions(+), 193 deletions(-)
> >>
> >>
> >>
> >>
> >>
> >> diff --git a/MdePkg/Include/Library/BaseLib.h
> >> b/MdePkg/Include/Library/BaseLib.h
> >>
> >>
> >> index ecadff8b23..62dc3151bc 100644
> >>
> >>
> >> --- a/MdePkg/Include/Library/BaseLib.h
> >>
> >>
> >> +++ b/MdePkg/Include/Library/BaseLib.h
> >>
> >>
> >> @@ -189,7 +189,6 @@ StrnSizeS (
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -225,7 +224,6 @@ StrCpyS (
> >>
> >>
> >>
> >>
> >>
> >> If Length > 0 and Destination is not aligned on a
> >> 16-bit boundary, then ASSERT().
> >>
> >>
> >> If Length > 0 and Source is not aligned on a 16-
> bit
> >> boundary, then ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -263,7 +261,6 @@ StrnCpyS (
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -303,7 +300,6 @@ StrCatS (
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -350,12 +346,7 @@ StrnCatS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> @@ -406,12 +397,7 @@ StrDecimalToUintnS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> @@ -467,12 +453,7 @@ StrDecimalToUint64S (
> >>
> >>
> >> the first character that is a not a valid
> >> hexadecimal character or NULL,
> >>
> >>
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> @@ -528,12 +509,7 @@ StrHexToUintnS (
> >>
> >>
> >> the first character that is a not a valid
> >> hexadecimal character or NULL,
> >>
> >>
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> @@ -622,8 +598,6 @@ AsciiStrnSizeS (
> >>
> >>
> >>
> >>
> >>
> >> This function is similar as strcpy_s defined in
> C11.
> >>
> >>
> >>
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Destination A pointer to a
> >> Null-terminated Ascii string.
> >>
> >>
> >> @@ -656,8 +630,6 @@ AsciiStrCpyS (
> >>
> >>
> >>
> >>
> >>
> >> This function is similar as strncpy_s defined in
> >> C11.
> >>
> >>
> >>
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Destination A pointer to a
> >> Null-terminated Ascii string.
> >>
> >>
> >> @@ -692,8 +664,6 @@ AsciiStrnCpyS (
> >>
> >>
> >>
> >>
> >>
> >> This function is similar as strcat_s defined in
> C11.
> >>
> >>
> >>
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Destination A pointer to a
> >> Null-terminated Ascii string.
> >>
> >>
> >> @@ -730,8 +700,6 @@ AsciiStrCatS (
> >>
> >>
> >>
> >>
> >>
> >> This function is similar as strncat_s defined in
> >> C11.
> >>
> >>
> >>
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Destination A pointer to a
> >> Null-terminated Ascii string.
> >>
> >>
> >> @@ -777,12 +745,6 @@ AsciiStrnCatS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINTN, then
> >>
> >>
> >> @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINT64, then
> >>
> >>
> >> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
> >>
> >>
> >> character that is a not a valid hexadecimal
> >> character or Null-terminator,
> >>
> >>
> >> whichever on comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINTN, then
> >>
> >>
> >> @@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
> >>
> >>
> >> character that is a not a valid hexadecimal
> >> character or Null-terminator,
> >>
> >>
> >> whichever on comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINT64, then
> >>
> >>
> >> @@ -1506,16 +1450,8 @@ StrHexToUint64 (
> >>
> >>
> >> "::" can be used to compress one or more groups of
> X
> >> when X contains only 0.
> >>
> >>
> >> The "::" can only appear once in the String.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Address is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If EndPointer is not NULL and Address is
> translated
> >> from String, a pointer
> >>
> >>
> >> to the character that stopped the scan is stored
> at
> >> the location pointed to
> >>
> >>
> >> by EndPointer.
> >>
> >>
> >> @@ -1567,15 +1503,10 @@ StrToIpv6Address (
> >>
> >>
> >> When /P is in the String, the function stops at
> the
> >> first character that is not
> >>
> >>
> >> a valid decimal digit character after P is
> >> converted.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Address is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If EndPointer is not NULL and Address is
> translated
> >> from String, a pointer
> >>
> >>
> >> to the character that stopped the scan is stored
> at
> >> the location pointed to
> >>
> >>
> >> @@ -1640,8 +1571,6 @@ StrToIpv4Address (
> >>
> >>
> >> oo Data4[48:55]
> >>
> >>
> >> pp Data4[56:63]
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Guid is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> @param String Pointer to a
> Null-
> >> terminated Unicode string.
> >>
> >>
> >> @@ -1676,17 +1605,6 @@ StrToGuid (
> >>
> >>
> >>
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Buffer is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Length is not multiple of 2, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero and
> >> Length is greater than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If MaxBufferSize is less than (Length / 2), then
> >> ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> @param String Pointer to a
> Null-
> >> terminated Unicode string.
> >>
> >>
> >> @param Length The number of
> >> Unicode characters to decode.
> >>
> >>
> >> @param Buffer Pointer to the
> >> converted bytes array.
> >>
> >>
> >> @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
> >>
> >>
> >> the upper 8 bits, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
> >>
> >>
> >> bits of each Unicode character. The function
> >> terminates the Ascii string
> >>
> >>
> >> Destination by appending a Null-terminator
> character
> >> at the end.
> >>
> >>
> >>
> >>
> >>
> >> - The caller is responsible to make sure
> Destination
> >> points to a buffer with size
> >>
> >>
> >> - equal or greater than ((StrLen (Source) + 1) *
> >> sizeof (CHAR8)) in bytes.
> >>
> >>
> >> + The caller is responsible to make sure
> Destination
> >> points to a buffer with
> >>
> >>
> >> + size not smaller than ((MIN(StrLen(Source),
> Length)
> >> + 1) * sizeof (CHAR8))
> >>
> >>
> >> + in bytes.
> >>
> >>
> >>
> >>
> >>
> >> If any Unicode characters in Source contain non-
> zero
> >> value in the upper 8
> >>
> >>
> >> bits, then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> - If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >> + If an error is returned, then Destination and
> >> DestinationLength are
> >>
> >>
> >> + unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Source The pointer to a Null-
> >> terminated Unicode string.
> >>
> >>
> >> @param Length The maximum number of
> >> Unicode characters to
> >>
> >>
> >> convert.
> >>
> >>
> >> @param Destination The pointer to a Null-
> >> terminated Ascii string.
> >>
> >>
> >> - @param DestMax The maximum number of
> >> Destination Ascii
> >>
> >>
> >> - char, including
> >> terminating null char.
> >>
> >>
> >> + @param DestMax The maximum number of
> >> Destination Ascii char,
> >>
> >>
> >> + including terminating
> >> null char.
> >>
> >>
> >> @param DestinationLength The number of Unicode
> >> characters converted.
> >>
> >>
> >>
> >>
> >>
> >> @retval RETURN_SUCCESS String is
> >> converted.
> >>
> >>
> >> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
> >>
> >>
> >> "::" can be used to compress one or more groups of
> X
> >> when X contains only 0.
> >>
> >>
> >> The "::" can only appear once in the String.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Address is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If EndPointer is not NULL and Address is
> translated
> >> from String, a pointer
> >>
> >>
> >> to the character that stopped the scan is stored
> at
> >> the location pointed to
> >>
> >>
> >> by EndPointer.
> >>
> >>
> >> @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
> >>
> >>
> >> When /P is in the String, the function stops at
> the
> >> first character that is not
> >>
> >>
> >> a valid decimal digit character after P is
> >> converted.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Address is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If EndPointer is not NULL and Address is
> translated
> >> from String, a pointer
> >>
> >>
> >> to the character that stopped the scan is stored
> at
> >> the location pointed to
> >>
> >>
> >> by EndPointer.
> >>
> >>
> >> @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
> >>
> >>
> >> oo Data4[48:55]
> >>
> >>
> >> pp Data4[56:63]
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Guid is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> @param String Pointer to a
> Null-
> >> terminated ASCII string.
> >>
> >>
> >> @param Guid Pointer to the
> >> converted GUID.
> >>
> >>
> >>
> >>
> >>
> >> @@ -2541,17 +2448,6 @@ AsciiStrToGuid (
> >>
> >>
> >> decoding stops after Length of characters and
> >> outputs Buffer containing
> >>
> >>
> >> (Length / 2) bytes.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Buffer is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Length is not multiple of 2, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero and
> >> Length is greater than
> >>
> >>
> >> - PcdMaximumAsciiStringLength, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If MaxBufferSize is less than (Length / 2), then
> >> ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> @param String Pointer to a
> Null-
> >> terminated ASCII string.
> >>
> >>
> >> @param Length The number of
> ASCII
> >> characters to decode.
> >>
> >>
> >> @param Buffer Pointer to the
> >> converted bytes array.
> >>
> >>
> >> @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
> >>
> >>
> >> equal or greater than ((AsciiStrLen (Source) + 1)
> *
> >> sizeof (CHAR16)) in bytes.
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
> >>
> >>
> >> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> >> (CHAR8)) in bytes.
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then Destination and
> >> DestinationLength are
> >>
> >>
> >> unmodified.
> >>
> >>
> >> diff --git a/MdePkg/Library/BaseLib/SafeString.c
> >> b/MdePkg/Library/BaseLib/SafeString.c
> >>
> >>
> >> index 7dc03d2caa..1db42abb05 100644
> >>
> >>
> >> --- a/MdePkg/Library/BaseLib/SafeString.c
> >>
> >>
> >> +++ b/MdePkg/Library/BaseLib/SafeString.c
> >>
> >>
> >> @@ -14,7 +14,6 @@
> >>
> >>
> >>
> >>
> >>
> >> #define SAFE_STRING_CONSTRAINT_CHECK(Expression,
> >> Status) \
> >>
> >>
> >> do { \
> >>
> >>
> >> - ASSERT (Expression); \
> >>
> >>
> >> if (!(Expression)) { \
> >>
> >>
> >> return Status; \
> >>
> >>
> >> } \
> >>
> >>
> >> @@ -197,7 +196,6 @@ StrnSizeS (
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -279,7 +277,6 @@ StrCpyS (
> >>
> >>
> >>
> >>
> >>
> >> If Length > 0 and Destination is not aligned on a
> >> 16-bit boundary, then ASSERT().
> >>
> >>
> >> If Length > 0 and Source is not aligned on a 16-
> bit
> >> boundary, then ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -372,7 +369,6 @@ StrnCpyS (
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -473,7 +469,6 @@ StrCatS (
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -590,12 +585,7 @@ StrnCatS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> @@ -705,12 +695,7 @@ StrDecimalToUintnS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> @@ -825,12 +810,7 @@ StrDecimalToUint64S (
> >>
> >>
> >> the first character that is a not a valid
> >> hexadecimal character or NULL,
> >>
> >>
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> @@ -956,12 +936,7 @@ StrHexToUintnS (
> >>
> >>
> >> the first character that is a not a valid
> >> hexadecimal character or NULL,
> >>
> >>
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> If String is not aligned in a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If PcdMaximumUnicodeStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumUnicodeStringLength Unicode characters,
> >> not including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> @@ -1856,8 +1831,6 @@ AsciiStrCpyS (
> >>
> >>
> >>
> >>
> >>
> >> This function is similar as strncpy_s defined in
> >> C11.
> >>
> >>
> >>
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Destination A pointer to a
> >> Null-terminated Ascii string.
> >>
> >>
> >> @@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
> >>
> >>
> >>
> >>
> >>
> >> This function is similar as strcat_s defined in
> C11.
> >>
> >>
> >>
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Destination A pointer to a
> >> Null-terminated Ascii string.
> >>
> >>
> >> @@ -2040,8 +2011,6 @@ AsciiStrCatS (
> >>
> >>
> >>
> >>
> >>
> >> This function is similar as strncat_s defined in
> >> C11.
> >>
> >>
> >>
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @param Destination A pointer to a
> >> Null-terminated Ascii string.
> >>
> >>
> >> @@ -2154,12 +2123,6 @@ AsciiStrnCatS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINTN, then
> >>
> >>
> >> @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
> >>
> >>
> >> be ignored. Then, the function stops at the first
> >> character that is a not a
> >>
> >>
> >> valid decimal character or a Null-terminator,
> >> whichever one comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid decimal digits in the above
> >> format, then 0 is stored
> >>
> >>
> >> at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINT64, then
> >>
> >>
> >> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
> >>
> >>
> >> character that is a not a valid hexadecimal
> >> character or Null-terminator,
> >>
> >>
> >> whichever on comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINTN, then
> >>
> >>
> >> @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
> >>
> >>
> >> character that is a not a valid hexadecimal
> >> character or Null-terminator,
> >>
> >>
> >> whichever on comes first.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Data is NULL, then ASSERT().
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero, and
> >> String contains more than
> >>
> >>
> >> - PcdMaximumAsciiStringLength Ascii characters, not
> >> including the
> >>
> >>
> >> - Null-terminator, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If String has no valid hexadecimal digits in the
> >> above format, then 0 is
> >>
> >>
> >> stored at the location pointed to by Data.
> >>
> >>
> >> If the number represented by String exceeds the
> >> range defined by UINT64, then
> >>
> >>
> >> @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
> >>
> >>
> >> the upper 8 bits, then ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then the Destination is
> >> unmodified.
> >>
> >>
> >>
> >>
> >>
> >> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
> >>
> >>
> >> If any Unicode characters in Source contain non-
> zero
> >> value in the upper 8
> >>
> >>
> >> bits, then ASSERT().
> >>
> >>
> >> If Source is not aligned on a 16-bit boundary,
> then
> >> ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then Destination and
> >> DestinationLength are
> >>
> >>
> >> unmodified.
> >>
> >>
> >> @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
> >>
> >>
> >> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> >> (CHAR8)) in bytes.
> >>
> >>
> >>
> >>
> >>
> >> If Destination is not aligned on a 16-bit
> boundary,
> >> then ASSERT().
> >>
> >>
> >> - If an error would be returned, then the function
> >> will also ASSERT().
> >>
> >>
> >>
> >>
> >>
> >> If an error is returned, then Destination and
> >> DestinationLength are
> >>
> >>
> >> unmodified.
> >>
> >>
> >> @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
> >>
> >>
> >> "::" can be used to compress one or more groups of
> X
> >> when X contains only 0.
> >>
> >>
> >> The "::" can only appear once in the String.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Address is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If EndPointer is not NULL and Address is
> translated
> >> from String, a pointer
> >>
> >>
> >> to the character that stopped the scan is stored
> at
> >> the location pointed to
> >>
> >>
> >> by EndPointer.
> >>
> >>
> >> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
> >>
> >>
> >> When /P is in the String, the function stops at
> the
> >> first character that is not
> >>
> >>
> >> a valid decimal digit character after P is
> >> converted.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Address is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> If EndPointer is not NULL and Address is
> translated
> >> from String, a pointer
> >>
> >>
> >> to the character that stopped the scan is stored
> at
> >> the location pointed to
> >>
> >>
> >> by EndPointer.
> >>
> >>
> >> @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
> >>
> >>
> >> oo Data4[48:55]
> >>
> >>
> >> pp Data4[56:63]
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> - If Guid is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> @param String Pointer to a
> Null-
> >> terminated ASCII string.
> >>
> >>
> >> @param Guid Pointer to the
> >> converted GUID.
> >>
> >>
> >>
> >>
> >>
> >> @@ -3550,17 +3481,6 @@ AsciiStrToGuid (
> >>
> >>
> >> decoding stops after Length of characters and
> >> outputs Buffer containing
> >>
> >>
> >> (Length / 2) bytes.
> >>
> >>
> >>
> >>
> >>
> >> - If String is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Buffer is NULL, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If Length is not multiple of 2, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If PcdMaximumAsciiStringLength is not zero and
> >> Length is greater than
> >>
> >>
> >> - PcdMaximumAsciiStringLength, then ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> - If MaxBufferSize is less than (Length / 2), then
> >> ASSERT().
> >>
> >>
> >> -
> >>
> >>
> >> @param String Pointer to a
> Null-
> >> terminated ASCII string.
> >>
> >>
> >> @param Length The number of
> ASCII
> >> characters to decode.
> >>
> >>
> >> @param Buffer Pointer to the
> >> converted bytes array.
> >>
> >>
> >> --
> >>
> >>
> >> 2.24.2 (Apple Git-127)
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
>
>
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 17:58 ` Michael D Kinney
@ 2020-05-14 18:59 ` Vitaly Cheptsov
2020-05-14 19:45 ` Ard Biesheuvel
2020-05-14 21:07 ` Michael D Kinney
0 siblings, 2 replies; 15+ messages in thread
From: Vitaly Cheptsov @ 2020-05-14 18:59 UTC (permalink / raw)
To: Kinney, Michael D
Cc: devel@edk2.groups.io, Andrew Fish, Ard Biesheuvel, Bret Barkelew,
Brian J . Johnson, Chiu, Chasel, Justen, Jordan L, Laszlo Ersek,
Leif Lindholm, Gao, Liming, Marvin Häuser, Zimmer, Vincent,
Gao, Zhichao
[-- Attachment #1.1: Type: text/plain, Size: 44758 bytes --]
Mike,
The code you posted may inflict undefined behaviour is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot be even represented in the first place.
Yet, once again it is out of the scope of the current problem.
Best wishes,
Vitaly
> 14 мая 2020 г., в 20:58, Kinney, Michael D <michael.d.kinney@intel.com> написал(а):
>
> Vitaly,
>
> Why do you think there is no way to craft an odd address
> without memory corruption.
>
> UINT8 ByteArray[100];
> CHAR16 *String
>
> String = (CHAR16 *)(&Array[3]);
>
> The reason I raised the question of these other ASSERT()s
> is that I thought the use case was using these safe string
> APIs from a UEFI App, and the UEFI App always wants to evaluate
> the return status to know if the operation was completed or
> not. In build that removes all ASSERT()s, an odd address
> will generate an exception on some CPU archs. Wouldn’t it
> be better for the UEFI App that is already designed to handle
> error return status to get an error code instead of an
> exception?
>
> Mike
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On
>> Behalf Of Vitaly Cheptsov
>> Sent: Thursday, May 14, 2020 10:39 AM
>> To: Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
>> Cc: devel@edk2.groups.io <mailto:devel@edk2.groups.io>; Andrew Fish
>> <afish@apple.com <mailto:afish@apple.com>>; Ard Biesheuvel
>> <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
>> <bret.barkelew@microsoft.com <mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
>> <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>; Chiu, Chasel
>> <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>; Justen, Jordan L
>> <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
>> <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com <mailto:leif@nuviainc.com>>;
>> Gao, Liming <liming.gao@intel.com <mailto:liming.gao@intel.com>>; Marvin Häuser
>> <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
>> <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
>> <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
>> Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
>> SafeString performing assertions on runtime checks
>>
>> Mike,
>>
>> Firstly, NULL check and odd-address checks are
>> essentially different things:
>> — NULL address is basically «no object», «optional
>> argument» (e.g. failed allocation).
>> — Odd address is memory corruption, as there is no way
>> to craft such address anyhow else.
>> For this reason the implementation is allowed to treat
>> them differently.
>>
>> Secondly, as I said in my cover letter there is no
>> behaviour change here for RELEASE builds. Behaviour
>> changes unrelated to the bugfix will have to go to a
>> separate patch. I agree that we may want to reconsider
>> the interface in the future, but that’s for a separate
>> bugzilla and patch. Not discussing it currently is
>> important to avoid diverting from the primary problem.
>> Could create a bugzilla not to forget about it soon
>> after the stable tag.
>>
>> Best wishes,
>> Vitaly
>>
>>> 14 мая 2020 г., в 19:38, Kinney, Michael D
>> <michael.d.kinney@intel.com> написал(а):
>>>
>>> Why preserve the ASSERT()s for an a Unicode strings
>>> that are not aligned in a 16-bit boundary?
>>>
>>> This is essentially the same as an invalid pointer
>> value
>>> just like NULL. If NULL pointer returns an error
>> code,
>>> shouldn't and invalid pointer value?
>>>
>>> Thanks,
>>>
>>> Mike
>>>
>>>> -----Original Message-----
>>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On
>>>> Behalf Of Vitaly Cheptsov
>>>> Sent: Thursday, May 14, 2020 2:26 AM
>>>> To: devel@edk2.groups.io
>>>> Cc: Andrew Fish <afish@apple.com>; Ard Biesheuvel
>>>> <ard.biesheuvel@linaro.org>; Bret Barkelew
>>>> <bret.barkelew@microsoft.com>; Brian J . Johnson
>>>> <brian.johnson@hpe.com>; Chiu, Chasel
>>>> <chasel.chiu@intel.com>; Justen, Jordan L
>>>> <jordan.l.justen@intel.com>; Laszlo Ersek
>>>> <lersek@redhat.com>; Leif Lindholm
>> <leif@nuviainc.com>;
>>>> Gao, Liming <liming.gao@intel.com>; Marvin Häuser
>>>> <mhaeuser@outlook.de>; Kinney, Michael D
>>>> <michael.d.kinney@intel.com>; Zimmer, Vincent
>>>> <vincent.zimmer@intel.com>; Gao, Zhichao
>>>> <zhichao.gao@intel.com>
>>>> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
>>>> SafeString performing assertions on runtime checks
>>>>
>>>> REF:
>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Runtime checks returned via status return code
>> should
>>>> not work as
>>>>
>>>>
>>>> assertions to permit parsing not trusted data with
>>>> SafeString
>>>>
>>>>
>>>> interfaces.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> CC: Andrew Fish <afish@apple.com>
>>>>
>>>>
>>>> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>>>>
>>>>
>>>> CC: Bret Barkelew <bret.barkelew@microsoft.com>
>>>>
>>>>
>>>> CC: Brian J. Johnson <brian.johnson@hpe.com>
>>>>
>>>>
>>>> CC: Chasel Chiu <chasel.chiu@intel.com>
>>>>
>>>>
>>>> CC: Jordan Justen <jordan.l.justen@intel.com>
>>>>
>>>>
>>>> CC: Laszlo Ersek <lersek@redhat.com>
>>>>
>>>>
>>>> CC: Leif Lindholm <leif@nuviainc.com>
>>>>
>>>>
>>>> CC: Liming Gao <liming.gao@intel.com>
>>>>
>>>>
>>>> CC: Marvin Häuser <mhaeuser@outlook.de>
>>>>
>>>>
>>>> CC: Mike Kinney <michael.d.kinney@intel.com>
>>>>
>>>>
>>>> CC: Vincent Zimmer <vincent.zimmer@intel.com>
>>>>
>>>>
>>>> CC: Zhichao Gao <zhichao.gao@intel.com>
>>>>
>>>>
>>>> Signed-off-by: Vitaly Cheptsov
>> <vit9696@protonmail.com>
>>>>
>>>>
>>>> ---
>>>>
>>>>
>>>> MdePkg/Include/Library/BaseLib.h | 120 ++--------
>> --
>>>> --------
>>>>
>>>>
>>>> MdePkg/Library/BaseLib/SafeString.c | 80 ----------
>> --
>>>> -
>>>>
>>>>
>>>> 2 files changed, 7 insertions(+), 193 deletions(-)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> diff --git a/MdePkg/Include/Library/BaseLib.h
>>>> b/MdePkg/Include/Library/BaseLib.h
>>>>
>>>>
>>>> index ecadff8b23..62dc3151bc 100644
>>>>
>>>>
>>>> --- a/MdePkg/Include/Library/BaseLib.h
>>>>
>>>>
>>>> +++ b/MdePkg/Include/Library/BaseLib.h
>>>>
>>>>
>>>> @@ -189,7 +189,6 @@ StrnSizeS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -225,7 +224,6 @@ StrCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Length > 0 and Destination is not aligned on a
>>>> 16-bit boundary, then ASSERT().
>>>>
>>>>
>>>> If Length > 0 and Source is not aligned on a 16-
>> bit
>>>> boundary, then ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -263,7 +261,6 @@ StrnCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -303,7 +300,6 @@ StrCatS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -350,12 +346,7 @@ StrnCatS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -406,12 +397,7 @@ StrDecimalToUintnS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -467,12 +453,7 @@ StrDecimalToUint64S (
>>>>
>>>>
>>>> the first character that is a not a valid
>>>> hexadecimal character or NULL,
>>>>
>>>>
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -528,12 +509,7 @@ StrHexToUintnS (
>>>>
>>>>
>>>> the first character that is a not a valid
>>>> hexadecimal character or NULL,
>>>>
>>>>
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -622,8 +598,6 @@ AsciiStrnSizeS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> This function is similar as strcpy_s defined in
>> C11.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Destination A pointer to a
>>>> Null-terminated Ascii string.
>>>>
>>>>
>>>> @@ -656,8 +630,6 @@ AsciiStrCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> This function is similar as strncpy_s defined in
>>>> C11.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Destination A pointer to a
>>>> Null-terminated Ascii string.
>>>>
>>>>
>>>> @@ -692,8 +664,6 @@ AsciiStrnCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> This function is similar as strcat_s defined in
>> C11.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Destination A pointer to a
>>>> Null-terminated Ascii string.
>>>>
>>>>
>>>> @@ -730,8 +700,6 @@ AsciiStrCatS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> This function is similar as strncat_s defined in
>>>> C11.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Destination A pointer to a
>>>> Null-terminated Ascii string.
>>>>
>>>>
>>>> @@ -777,12 +745,6 @@ AsciiStrnCatS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINTN, then
>>>>
>>>>
>>>> @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINT64, then
>>>>
>>>>
>>>> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
>>>>
>>>>
>>>> character that is a not a valid hexadecimal
>>>> character or Null-terminator,
>>>>
>>>>
>>>> whichever on comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINTN, then
>>>>
>>>>
>>>> @@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
>>>>
>>>>
>>>> character that is a not a valid hexadecimal
>>>> character or Null-terminator,
>>>>
>>>>
>>>> whichever on comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINT64, then
>>>>
>>>>
>>>> @@ -1506,16 +1450,8 @@ StrHexToUint64 (
>>>>
>>>>
>>>> "::" can be used to compress one or more groups of
>> X
>>>> when X contains only 0.
>>>>
>>>>
>>>> The "::" can only appear once in the String.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Address is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If EndPointer is not NULL and Address is
>> translated
>>>> from String, a pointer
>>>>
>>>>
>>>> to the character that stopped the scan is stored
>> at
>>>> the location pointed to
>>>>
>>>>
>>>> by EndPointer.
>>>>
>>>>
>>>> @@ -1567,15 +1503,10 @@ StrToIpv6Address (
>>>>
>>>>
>>>> When /P is in the String, the function stops at
>> the
>>>> first character that is not
>>>>
>>>>
>>>> a valid decimal digit character after P is
>>>> converted.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Address is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If EndPointer is not NULL and Address is
>> translated
>>>> from String, a pointer
>>>>
>>>>
>>>> to the character that stopped the scan is stored
>> at
>>>> the location pointed to
>>>>
>>>>
>>>> @@ -1640,8 +1571,6 @@ StrToIpv4Address (
>>>>
>>>>
>>>> oo Data4[48:55]
>>>>
>>>>
>>>> pp Data4[56:63]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Guid is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param String Pointer to a
>> Null-
>>>> terminated Unicode string.
>>>>
>>>>
>>>> @@ -1676,17 +1605,6 @@ StrToGuid (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Buffer is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Length is not multiple of 2, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero and
>>>> Length is greater than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If MaxBufferSize is less than (Length / 2), then
>>>> ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> @param String Pointer to a
>> Null-
>>>> terminated Unicode string.
>>>>
>>>>
>>>> @param Length The number of
>>>> Unicode characters to decode.
>>>>
>>>>
>>>> @param Buffer Pointer to the
>>>> converted bytes array.
>>>>
>>>>
>>>> @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
>>>>
>>>>
>>>> the upper 8 bits, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
>>>>
>>>>
>>>> bits of each Unicode character. The function
>>>> terminates the Ascii string
>>>>
>>>>
>>>> Destination by appending a Null-terminator
>> character
>>>> at the end.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - The caller is responsible to make sure
>> Destination
>>>> points to a buffer with size
>>>>
>>>>
>>>> - equal or greater than ((StrLen (Source) + 1) *
>>>> sizeof (CHAR8)) in bytes.
>>>>
>>>>
>>>> + The caller is responsible to make sure
>> Destination
>>>> points to a buffer with
>>>>
>>>>
>>>> + size not smaller than ((MIN(StrLen(Source),
>> Length)
>>>> + 1) * sizeof (CHAR8))
>>>>
>>>>
>>>> + in bytes.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If any Unicode characters in Source contain non-
>> zero
>>>> value in the upper 8
>>>>
>>>>
>>>> bits, then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>> + If an error is returned, then Destination and
>>>> DestinationLength are
>>>>
>>>>
>>>> + unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Source The pointer to a Null-
>>>> terminated Unicode string.
>>>>
>>>>
>>>> @param Length The maximum number of
>>>> Unicode characters to
>>>>
>>>>
>>>> convert.
>>>>
>>>>
>>>> @param Destination The pointer to a Null-
>>>> terminated Ascii string.
>>>>
>>>>
>>>> - @param DestMax The maximum number of
>>>> Destination Ascii
>>>>
>>>>
>>>> - char, including
>>>> terminating null char.
>>>>
>>>>
>>>> + @param DestMax The maximum number of
>>>> Destination Ascii char,
>>>>
>>>>
>>>> + including terminating
>>>> null char.
>>>>
>>>>
>>>> @param DestinationLength The number of Unicode
>>>> characters converted.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @retval RETURN_SUCCESS String is
>>>> converted.
>>>>
>>>>
>>>> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
>>>>
>>>>
>>>> "::" can be used to compress one or more groups of
>> X
>>>> when X contains only 0.
>>>>
>>>>
>>>> The "::" can only appear once in the String.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Address is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If EndPointer is not NULL and Address is
>> translated
>>>> from String, a pointer
>>>>
>>>>
>>>> to the character that stopped the scan is stored
>> at
>>>> the location pointed to
>>>>
>>>>
>>>> by EndPointer.
>>>>
>>>>
>>>> @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
>>>>
>>>>
>>>> When /P is in the String, the function stops at
>> the
>>>> first character that is not
>>>>
>>>>
>>>> a valid decimal digit character after P is
>>>> converted.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Address is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If EndPointer is not NULL and Address is
>> translated
>>>> from String, a pointer
>>>>
>>>>
>>>> to the character that stopped the scan is stored
>> at
>>>> the location pointed to
>>>>
>>>>
>>>> by EndPointer.
>>>>
>>>>
>>>> @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
>>>>
>>>>
>>>> oo Data4[48:55]
>>>>
>>>>
>>>> pp Data4[56:63]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Guid is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> @param String Pointer to a
>> Null-
>>>> terminated ASCII string.
>>>>
>>>>
>>>> @param Guid Pointer to the
>>>> converted GUID.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -2541,17 +2448,6 @@ AsciiStrToGuid (
>>>>
>>>>
>>>> decoding stops after Length of characters and
>>>> outputs Buffer containing
>>>>
>>>>
>>>> (Length / 2) bytes.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Buffer is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Length is not multiple of 2, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero and
>>>> Length is greater than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If MaxBufferSize is less than (Length / 2), then
>>>> ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> @param String Pointer to a
>> Null-
>>>> terminated ASCII string.
>>>>
>>>>
>>>> @param Length The number of
>> ASCII
>>>> characters to decode.
>>>>
>>>>
>>>> @param Buffer Pointer to the
>>>> converted bytes array.
>>>>
>>>>
>>>> @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
>>>>
>>>>
>>>> equal or greater than ((AsciiStrLen (Source) + 1)
>> *
>>>> sizeof (CHAR16)) in bytes.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
>>>>
>>>>
>>>> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
>>>> (CHAR8)) in bytes.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then Destination and
>>>> DestinationLength are
>>>>
>>>>
>>>> unmodified.
>>>>
>>>>
>>>> diff --git a/MdePkg/Library/BaseLib/SafeString.c
>>>> b/MdePkg/Library/BaseLib/SafeString.c
>>>>
>>>>
>>>> index 7dc03d2caa..1db42abb05 100644
>>>>
>>>>
>>>> --- a/MdePkg/Library/BaseLib/SafeString.c
>>>>
>>>>
>>>> +++ b/MdePkg/Library/BaseLib/SafeString.c
>>>>
>>>>
>>>> @@ -14,7 +14,6 @@
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> #define SAFE_STRING_CONSTRAINT_CHECK(Expression,
>>>> Status) \
>>>>
>>>>
>>>> do { \
>>>>
>>>>
>>>> - ASSERT (Expression); \
>>>>
>>>>
>>>> if (!(Expression)) { \
>>>>
>>>>
>>>> return Status; \
>>>>
>>>>
>>>> } \
>>>>
>>>>
>>>> @@ -197,7 +196,6 @@ StrnSizeS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -279,7 +277,6 @@ StrCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Length > 0 and Destination is not aligned on a
>>>> 16-bit boundary, then ASSERT().
>>>>
>>>>
>>>> If Length > 0 and Source is not aligned on a 16-
>> bit
>>>> boundary, then ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -372,7 +369,6 @@ StrnCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -473,7 +469,6 @@ StrCatS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -590,12 +585,7 @@ StrnCatS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -705,12 +695,7 @@ StrDecimalToUintnS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -825,12 +810,7 @@ StrDecimalToUint64S (
>>>>
>>>>
>>>> the first character that is a not a valid
>>>> hexadecimal character or NULL,
>>>>
>>>>
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -956,12 +936,7 @@ StrHexToUintnS (
>>>>
>>>>
>>>> the first character that is a not a valid
>>>> hexadecimal character or NULL,
>>>>
>>>>
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> If String is not aligned in a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumUnicodeStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumUnicodeStringLength Unicode characters,
>>>> not including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> @@ -1856,8 +1831,6 @@ AsciiStrCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> This function is similar as strncpy_s defined in
>>>> C11.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Destination A pointer to a
>>>> Null-terminated Ascii string.
>>>>
>>>>
>>>> @@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> This function is similar as strcat_s defined in
>> C11.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Destination A pointer to a
>>>> Null-terminated Ascii string.
>>>>
>>>>
>>>> @@ -2040,8 +2011,6 @@ AsciiStrCatS (
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> This function is similar as strncat_s defined in
>>>> C11.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @param Destination A pointer to a
>>>> Null-terminated Ascii string.
>>>>
>>>>
>>>> @@ -2154,12 +2123,6 @@ AsciiStrnCatS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINTN, then
>>>>
>>>>
>>>> @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
>>>>
>>>>
>>>> be ignored. Then, the function stops at the first
>>>> character that is a not a
>>>>
>>>>
>>>> valid decimal character or a Null-terminator,
>>>> whichever one comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid decimal digits in the above
>>>> format, then 0 is stored
>>>>
>>>>
>>>> at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINT64, then
>>>>
>>>>
>>>> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
>>>>
>>>>
>>>> character that is a not a valid hexadecimal
>>>> character or Null-terminator,
>>>>
>>>>
>>>> whichever on comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINTN, then
>>>>
>>>>
>>>> @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
>>>>
>>>>
>>>> character that is a not a valid hexadecimal
>>>> character or Null-terminator,
>>>>
>>>>
>>>> whichever on comes first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Data is NULL, then ASSERT().
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero, and
>>>> String contains more than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength Ascii characters, not
>>>> including the
>>>>
>>>>
>>>> - Null-terminator, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If String has no valid hexadecimal digits in the
>>>> above format, then 0 is
>>>>
>>>>
>>>> stored at the location pointed to by Data.
>>>>
>>>>
>>>> If the number represented by String exceeds the
>>>> range defined by UINT64, then
>>>>
>>>>
>>>> @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
>>>>
>>>>
>>>> the upper 8 bits, then ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then the Destination is
>>>> unmodified.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
>>>>
>>>>
>>>> If any Unicode characters in Source contain non-
>> zero
>>>> value in the upper 8
>>>>
>>>>
>>>> bits, then ASSERT().
>>>>
>>>>
>>>> If Source is not aligned on a 16-bit boundary,
>> then
>>>> ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then Destination and
>>>> DestinationLength are
>>>>
>>>>
>>>> unmodified.
>>>>
>>>>
>>>> @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
>>>>
>>>>
>>>> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
>>>> (CHAR8)) in bytes.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If Destination is not aligned on a 16-bit
>> boundary,
>>>> then ASSERT().
>>>>
>>>>
>>>> - If an error would be returned, then the function
>>>> will also ASSERT().
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If an error is returned, then Destination and
>>>> DestinationLength are
>>>>
>>>>
>>>> unmodified.
>>>>
>>>>
>>>> @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
>>>>
>>>>
>>>> "::" can be used to compress one or more groups of
>> X
>>>> when X contains only 0.
>>>>
>>>>
>>>> The "::" can only appear once in the String.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Address is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If EndPointer is not NULL and Address is
>> translated
>>>> from String, a pointer
>>>>
>>>>
>>>> to the character that stopped the scan is stored
>> at
>>>> the location pointed to
>>>>
>>>>
>>>> by EndPointer.
>>>>
>>>>
>>>> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
>>>>
>>>>
>>>> When /P is in the String, the function stops at
>> the
>>>> first character that is not
>>>>
>>>>
>>>> a valid decimal digit character after P is
>>>> converted.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Address is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> If EndPointer is not NULL and Address is
>> translated
>>>> from String, a pointer
>>>>
>>>>
>>>> to the character that stopped the scan is stored
>> at
>>>> the location pointed to
>>>>
>>>>
>>>> by EndPointer.
>>>>
>>>>
>>>> @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
>>>>
>>>>
>>>> oo Data4[48:55]
>>>>
>>>>
>>>> pp Data4[56:63]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> - If Guid is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> @param String Pointer to a
>> Null-
>>>> terminated ASCII string.
>>>>
>>>>
>>>> @param Guid Pointer to the
>>>> converted GUID.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> @@ -3550,17 +3481,6 @@ AsciiStrToGuid (
>>>>
>>>>
>>>> decoding stops after Length of characters and
>>>> outputs Buffer containing
>>>>
>>>>
>>>> (Length / 2) bytes.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> - If String is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Buffer is NULL, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If Length is not multiple of 2, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If PcdMaximumAsciiStringLength is not zero and
>>>> Length is greater than
>>>>
>>>>
>>>> - PcdMaximumAsciiStringLength, then ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> - If MaxBufferSize is less than (Length / 2), then
>>>> ASSERT().
>>>>
>>>>
>>>> -
>>>>
>>>>
>>>> @param String Pointer to a
>> Null-
>>>> terminated ASCII string.
>>>>
>>>>
>>>> @param Length The number of
>> ASCII
>>>> characters to decode.
>>>>
>>>>
>>>> @param Buffer Pointer to the
>>>> converted bytes array.
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>> 2.24.2 (Apple Git-127)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
[-- Attachment #1.2: Type: text/html, Size: 88016 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 18:59 ` Vitaly Cheptsov
@ 2020-05-14 19:45 ` Ard Biesheuvel
2020-05-14 21:07 ` Michael D Kinney
1 sibling, 0 replies; 15+ messages in thread
From: Ard Biesheuvel @ 2020-05-14 19:45 UTC (permalink / raw)
To: devel, cheptsov, Kinney, Michael D
Cc: Andrew Fish, Bret Barkelew, Brian J . Johnson, Chiu, Chasel,
Justen, Jordan L, Laszlo Ersek, Leif Lindholm, Gao, Liming,
Marvin Häuser, Zimmer, Vincent, Gao, Zhichao
On 5/14/20 8:59 PM, Vitaly Cheptsov via groups.io wrote:
> Mike,
>
> The code you posted may inflict undefined behaviour is not valid C for
> several reasons. The compiler is free to do whatever it desires. Please
> refer to ISO/IEC 9899 for more details.
>
> If applications cast raw pointers to typed pointers without checking
> their alignment, well, god bless them :)
> My opinion is both the compiler and the hardware are welcome to do the
> worst once your third line is discovered. On a number of CPUs such
> addresses cannot be even represented in the first place.
>
> Yet, once again it is out of the scope of the current problem.
>
This has come up a couple of times in the past, and it is indeed a
serious issue with the EDK2 codebase.
For example, in BaseLib we have
UINT16
EFIAPI
WriteUnaligned16 (
OUT UINT16 *Buffer,
IN UINT16 Value
);
which does not make any sense, since a UINT16* is defined as being
aligned to 16 bits, and so the compiler is permitted to generate code
assuming that constraint is never violated.
So the correct way would be to define this prototype as
UINT16
EFIAPI
WriteUnaligned16 (
OUT VOID *Buffer,
IN UINT16 Value
);
and let the underlying implementation deal with the misalignment.
As I said, I'm sure this has come up in the past, and there may even be
a bugzilla entry for it.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 18:59 ` Vitaly Cheptsov
2020-05-14 19:45 ` Ard Biesheuvel
@ 2020-05-14 21:07 ` Michael D Kinney
2020-05-14 21:15 ` [EXTERNAL] " Bret Barkelew
1 sibling, 1 reply; 15+ messages in thread
From: Michael D Kinney @ 2020-05-14 21:07 UTC (permalink / raw)
To: devel@edk2.groups.io, cheptsov@ispras.ru, Kinney, Michael D
Cc: Andrew Fish, Ard Biesheuvel, Bret Barkelew, Brian J . Johnson,
Chiu, Chasel, Justen, Jordan L, Laszlo Ersek, Leif Lindholm,
Gao, Liming, Marvin Häuser, Zimmer, Vincent, Gao, Zhichao
[-- Attachment #1: Type: text/plain, Size: 36061 bytes --]
Hi Vitaly,
What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT() on the data contents.
//
// Convert string
//
while ((*Source != 0) && (SourceLen > 0)) {
//
// If any Unicode characters in Source contain non-zero value in the upper
// 8 bits, then ASSERT().
//
ASSERT (*Source < 0x100);
*(Destination++) = (CHAR8) *(Source++);
SourceLen--;
(*DestinationLength)++;
}
*Destination = 0;
Mike
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 11:59 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>
Cc: devel@edk2.groups.io; Andrew Fish <afish@apple.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>; Bret Barkelew <bret.barkelew@microsoft.com>; Brian J . Johnson <brian.johnson@hpe.com>; Chiu, Chasel <chasel.chiu@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>; Gao, Liming <liming.gao@intel.com>; Marvin Häuser <mhaeuser@outlook.de>; Zimmer, Vincent <vincent.zimmer@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Mike,
The code you posted may inflict undefined behaviour is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot be even represented in the first place.
Yet, once again it is out of the scope of the current problem.
Best wishes,
Vitaly
14 мая 2020 г., в 20:58, Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Vitaly,
Why do you think there is no way to craft an odd address
without memory corruption.
UINT8 ByteArray[100];
CHAR16 *String
String = (CHAR16 *)(&Array[3]);
The reason I raised the question of these other ASSERT()s
is that I thought the use case was using these safe string
APIs from a UEFI App, and the UEFI App always wants to evaluate
the return status to know if the operation was completed or
not. In build that removes all ASSERT()s, an odd address
will generate an exception on some CPU archs. Wouldn’t it
be better for the UEFI App that is already designed to handle
error return status to get an error code instead of an
exception?
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 10:39 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Andrew Fish
<afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
Mike,
Firstly, NULL check and odd-address checks are
essentially different things:
— NULL address is basically «no object», «optional
argument» (e.g. failed allocation).
— Odd address is memory corruption, as there is no way
to craft such address anyhow else.
For this reason the implementation is allowed to treat
them differently.
Secondly, as I said in my cover letter there is no
behaviour change here for RELEASE builds. Behaviour
changes unrelated to the bugfix will have to go to a
separate patch. I agree that we may want to reconsider
the interface in the future, but that’s for a separate
bugzilla and patch. Not discussing it currently is
important to avoid diverting from the primary problem.
Could create a bugzilla not to forget about it soon
after the stable tag.
Best wishes,
Vitaly
14 мая 2020 г., в 19:38, Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Why preserve the ASSERT()s for an a Unicode strings
that are not aligned in a 16-bit boundary?
This is essentially the same as an invalid pointer
value
just like NULL. If NULL pointer returns an error
code,
shouldn't and invalid pointer value?
Thanks,
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 2:26 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm
<leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
REF:
https://bugzilla.tianocore.org/show_bug.cgi?id=2054
Runtime checks returned via status return code
should
not work as
assertions to permit parsing not trusted data with
SafeString
interfaces.
CC: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>
CC: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
CC: Brian J. Johnson <brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>
CC: Chasel Chiu <chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>
CC: Jordan Justen <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>
CC: Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>>
CC: Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>
CC: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>>
CC: Marvin Häuser <mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>
CC: Mike Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
CC: Vincent Zimmer <vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>
CC: Zhichao Gao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Signed-off-by: Vitaly Cheptsov
<vit9696@protonmail.com<mailto:vit9696@protonmail.com>>
---
MdePkg/Include/Library/BaseLib.h | 120 ++--------
--
--------
MdePkg/Library/BaseLib/SafeString.c | 80 ----------
--
-
2 files changed, 7 insertions(+), 193 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h
b/MdePkg/Include/Library/BaseLib.h
index ecadff8b23..62dc3151bc 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -189,7 +189,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -225,7 +224,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -263,7 +261,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -303,7 +300,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -350,12 +346,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -406,12 +397,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -467,12 +453,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -528,12 +509,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -622,8 +598,6 @@ AsciiStrnSizeS (
This function is similar as strcpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -656,8 +630,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -692,8 +664,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -730,8 +700,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -777,12 +745,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -1506,16 +1450,8 @@ StrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -1567,15 +1503,10 @@ StrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
@@ -1640,8 +1571,6 @@ StrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
@param String Pointer to a
Null-
terminated Unicode string.
@@ -1676,17 +1605,6 @@ StrToGuid (
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumUnicodeStringLength is not zero and
Length is greater than
- PcdMaximumUnicodeStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated Unicode string.
@param Length The number of
Unicode characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
bits of each Unicode character. The function
terminates the Ascii string
Destination by appending a Null-terminator
character
at the end.
- The caller is responsible to make sure
Destination
points to a buffer with size
- equal or greater than ((StrLen (Source) + 1) *
sizeof (CHAR8)) in bytes.
+ The caller is responsible to make sure
Destination
points to a buffer with
+ size not smaller than ((MIN(StrLen(Source),
Length)
+ 1) * sizeof (CHAR8))
+ in bytes.
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
- If an error is returned, then the Destination is
unmodified.
+ If an error is returned, then Destination and
DestinationLength are
+ unmodified.
@param Source The pointer to a Null-
terminated Unicode string.
@param Length The maximum number of
Unicode characters to
convert.
@param Destination The pointer to a Null-
terminated Ascii string.
- @param DestMax The maximum number of
Destination Ascii
- char, including
terminating null char.
+ @param DestMax The maximum number of
Destination Ascii char,
+ including terminating
null char.
@param DestinationLength The number of Unicode
characters converted.
@retval RETURN_SUCCESS String is
converted.
@@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -2541,17 +2448,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
equal or greater than ((AsciiStrLen (Source) + 1)
*
sizeof (CHAR16)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
diff --git a/MdePkg/Library/BaseLib/SafeString.c
b/MdePkg/Library/BaseLib/SafeString.c
index 7dc03d2caa..1db42abb05 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -14,7 +14,6 @@
#define SAFE_STRING_CONSTRAINT_CHECK(Expression,
Status) \
do { \
- ASSERT (Expression); \
if (!(Expression)) { \
return Status; \
} \
@@ -197,7 +196,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -279,7 +277,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -372,7 +369,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -473,7 +469,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -590,12 +585,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -705,12 +695,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -825,12 +810,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -956,12 +936,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -1856,8 +1831,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2040,8 +2011,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2154,12 +2123,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -3550,17 +3481,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
--
2.24.2 (Apple Git-127)
[-- Attachment #2: Type: text/html, Size: 145942 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 21:07 ` Michael D Kinney
@ 2020-05-14 21:15 ` Bret Barkelew
2020-05-14 22:14 ` Michael D Kinney
0 siblings, 1 reply; 15+ messages in thread
From: Bret Barkelew @ 2020-05-14 21:15 UTC (permalink / raw)
To: devel@edk2.groups.io, Kinney, Michael D, cheptsov@ispras.ru
Cc: Andrew Fish, Ard Biesheuvel, Brian J . Johnson, Chiu, Chasel,
Justen, Jordan L, Laszlo Ersek, Leif Lindholm, liming.gao,
Marvin Häuser, Zimmer, Vincent, Gao, Zhichao
[-- Attachment #1.1: Type: text/plain, Size: 37696 bytes --]
Why isn’t that a failed return value?
That would be unexpected behavior in RELEASE.
Either that, or the function should take in a substitution character (e.g. ‘?’) for invalid characters.
The prototype of this function is bad if it doesn’t allow for this possibility, and an ASSERT isn’t making code any better/safer by only ASSERTing.
- Bret
From: Michael D Kinney via groups.io<mailto:michael.d.kinney=intel.com@groups.io>
Sent: Thursday, May 14, 2020 2:07 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; cheptsov@ispras.ru<mailto:cheptsov@ispras.ru>; Kinney, Michael D<mailto:michael.d.kinney@intel.com>
Cc: Andrew Fish<mailto:afish@apple.com>; Ard Biesheuvel<mailto:ard.biesheuvel@linaro.org>; Bret Barkelew<mailto:Bret.Barkelew@microsoft.com>; Brian J . Johnson<mailto:brian.johnson@hpe.com>; Chiu, Chasel<mailto:chasel.chiu@intel.com>; Justen, Jordan L<mailto:jordan.l.justen@intel.com>; Laszlo Ersek<mailto:lersek@redhat.com>; Leif Lindholm<mailto:leif@nuviainc.com>; liming.gao<mailto:liming.gao@intel.com>; Marvin Häuser<mailto:mhaeuser@outlook.de>; Zimmer, Vincent<mailto:vincent.zimmer@intel.com>; Gao, Zhichao<mailto:zhichao.gao@intel.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Hi Vitaly,
What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT() on the data contents.
//
// Convert string
//
while ((*Source != 0) && (SourceLen > 0)) {
//
// If any Unicode characters in Source contain non-zero value in the upper
// 8 bits, then ASSERT().
//
ASSERT (*Source < 0x100);
*(Destination++) = (CHAR8) *(Source++);
SourceLen--;
(*DestinationLength)++;
}
*Destination = 0;
Mike
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 11:59 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>
Cc: devel@edk2.groups.io; Andrew Fish <afish@apple.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>; Bret Barkelew <bret.barkelew@microsoft.com>; Brian J . Johnson <brian.johnson@hpe.com>; Chiu, Chasel <chasel.chiu@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>; Gao, Liming <liming.gao@intel.com>; Marvin Häuser <mhaeuser@outlook.de>; Zimmer, Vincent <vincent.zimmer@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Mike,
The code you posted may inflict undefined behaviour is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot be even represented in the first place.
Yet, once again it is out of the scope of the current problem.
Best wishes,
Vitaly
14 мая 2020 г., в 20:58, Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Vitaly,
Why do you think there is no way to craft an odd address
without memory corruption.
UINT8 ByteArray[100];
CHAR16 *String
String = (CHAR16 *)(&Array[3]);
The reason I raised the question of these other ASSERT()s
is that I thought the use case was using these safe string
APIs from a UEFI App, and the UEFI App always wants to evaluate
the return status to know if the operation was completed or
not. In build that removes all ASSERT()s, an odd address
will generate an exception on some CPU archs. Wouldn’t it
be better for the UEFI App that is already designed to handle
error return status to get an error code instead of an
exception?
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 10:39 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Andrew Fish
<afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
Mike,
Firstly, NULL check and odd-address checks are
essentially different things:
— NULL address is basically «no object», «optional
argument» (e.g. failed allocation).
— Odd address is memory corruption, as there is no way
to craft such address anyhow else.
For this reason the implementation is allowed to treat
them differently.
Secondly, as I said in my cover letter there is no
behaviour change here for RELEASE builds. Behaviour
changes unrelated to the bugfix will have to go to a
separate patch. I agree that we may want to reconsider
the interface in the future, but that’s for a separate
bugzilla and patch. Not discussing it currently is
important to avoid diverting from the primary problem.
Could create a bugzilla not to forget about it soon
after the stable tag.
Best wishes,
Vitaly
14 мая 2020 г., в 19:38, Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Why preserve the ASSERT()s for an a Unicode strings
that are not aligned in a 16-bit boundary?
This is essentially the same as an invalid pointer
value
just like NULL. If NULL pointer returns an error
code,
shouldn't and invalid pointer value?
Thanks,
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 2:26 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm
<leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
REF:
https://bugzilla.tianocore.org/show_bug.cgi?id=2054<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2054&data=02%7C01%7CBret.Barkelew%40microsoft.com%7C854c0200e7ed412219a008d7f84ad4e5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637250872617792374&sdata=obXC2njAL18GchcPz1HyiGBSNcBYk8i2Q0ZhWDwICCQ%3D&reserved=0>
Runtime checks returned via status return code
should
not work as
assertions to permit parsing not trusted data with
SafeString
interfaces.
CC: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>
CC: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
CC: Brian J. Johnson <brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>
CC: Chasel Chiu <chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>
CC: Jordan Justen <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>
CC: Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>>
CC: Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>
CC: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>>
CC: Marvin Häuser <mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>
CC: Mike Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
CC: Vincent Zimmer <vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>
CC: Zhichao Gao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Signed-off-by: Vitaly Cheptsov
<vit9696@protonmail.com<mailto:vit9696@protonmail.com>>
---
MdePkg/Include/Library/BaseLib.h | 120 ++--------
--
--------
MdePkg/Library/BaseLib/SafeString.c | 80 ----------
--
-
2 files changed, 7 insertions(+), 193 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h
b/MdePkg/Include/Library/BaseLib.h
index ecadff8b23..62dc3151bc 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -189,7 +189,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -225,7 +224,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -263,7 +261,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -303,7 +300,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -350,12 +346,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -406,12 +397,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -467,12 +453,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -528,12 +509,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -622,8 +598,6 @@ AsciiStrnSizeS (
This function is similar as strcpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -656,8 +630,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -692,8 +664,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -730,8 +700,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -777,12 +745,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -1506,16 +1450,8 @@ StrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -1567,15 +1503,10 @@ StrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
@@ -1640,8 +1571,6 @@ StrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
@param String Pointer to a
Null-
terminated Unicode string.
@@ -1676,17 +1605,6 @@ StrToGuid (
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumUnicodeStringLength is not zero and
Length is greater than
- PcdMaximumUnicodeStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated Unicode string.
@param Length The number of
Unicode characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
bits of each Unicode character. The function
terminates the Ascii string
Destination by appending a Null-terminator
character
at the end.
- The caller is responsible to make sure
Destination
points to a buffer with size
- equal or greater than ((StrLen (Source) + 1) *
sizeof (CHAR8)) in bytes.
+ The caller is responsible to make sure
Destination
points to a buffer with
+ size not smaller than ((MIN(StrLen(Source),
Length)
+ 1) * sizeof (CHAR8))
+ in bytes.
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
- If an error is returned, then the Destination is
unmodified.
+ If an error is returned, then Destination and
DestinationLength are
+ unmodified.
@param Source The pointer to a Null-
terminated Unicode string.
@param Length The maximum number of
Unicode characters to
convert.
@param Destination The pointer to a Null-
terminated Ascii string.
- @param DestMax The maximum number of
Destination Ascii
- char, including
terminating null char.
+ @param DestMax The maximum number of
Destination Ascii char,
+ including terminating
null char.
@param DestinationLength The number of Unicode
characters converted.
@retval RETURN_SUCCESS String is
converted.
@@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -2541,17 +2448,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
equal or greater than ((AsciiStrLen (Source) + 1)
*
sizeof (CHAR16)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
diff --git a/MdePkg/Library/BaseLib/SafeString.c
b/MdePkg/Library/BaseLib/SafeString.c
index 7dc03d2caa..1db42abb05 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -14,7 +14,6 @@
#define SAFE_STRING_CONSTRAINT_CHECK(Expression,
Status) \
do { \
- ASSERT (Expression); \
if (!(Expression)) { \
return Status; \
} \
@@ -197,7 +196,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -279,7 +277,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -372,7 +369,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -473,7 +469,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -590,12 +585,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -705,12 +695,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -825,12 +810,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -956,12 +936,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -1856,8 +1831,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2040,8 +2011,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2154,12 +2123,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -3550,17 +3481,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
--
2.24.2 (Apple Git-127)
[-- Attachment #1.2: Type: text/html, Size: 88929 bytes --]
[-- Attachment #2: B33B0C378E55447FA189751994867757.png --]
[-- Type: image/png, Size: 140 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 21:15 ` [EXTERNAL] " Bret Barkelew
@ 2020-05-14 22:14 ` Michael D Kinney
2020-05-15 9:28 ` Marvin Häuser
2020-05-15 9:30 ` [EXTERNAL] " Vitaly Cheptsov
0 siblings, 2 replies; 15+ messages in thread
From: Michael D Kinney @ 2020-05-14 22:14 UTC (permalink / raw)
To: devel@edk2.groups.io, bret.barkelew@microsoft.com,
cheptsov@ispras.ru, Kinney, Michael D
Cc: Andrew Fish, Ard Biesheuvel, Brian J . Johnson, Chiu, Chasel,
Justen, Jordan L, Laszlo Ersek, Leif Lindholm, Gao, Liming,
Marvin Häuser, Zimmer, Vincent, Gao, Zhichao
[-- Attachment #1: Type: text/plain, Size: 39436 bytes --]
Bret,
I agree with all your points. Which is why I am asking if we should address this in the current patch under review.
I will also point out that another way to get an off pointer address value for a CHAR16 is through use of packed structures. If a CHAR16 string is in a packaged structure and starts at an odd byte offset, then directly passing the CHAR16 string field to one of these APIs will ASSERT() or generate an exception if the ASSERT()s are removed. When using packed structures, fields that are larger than 1-byte need to either be copied to an aligned location or accessed using the Unaligned Read/Write APIs.
Mike
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret Barkelew via groups.io
Sent: Thursday, May 14, 2020 2:15 PM
To: devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>; cheptsov@ispras.ru
Cc: Andrew Fish <afish@apple.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>; Brian J . Johnson <brian.johnson@hpe.com>; Chiu, Chasel <chasel.chiu@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>; Gao, Liming <liming.gao@intel.com>; Marvin Häuser <mhaeuser@outlook.de>; Zimmer, Vincent <vincent.zimmer@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Why isn’t that a failed return value?
That would be unexpected behavior in RELEASE.
Either that, or the function should take in a substitution character (e.g. ‘?’) for invalid characters.
The prototype of this function is bad if it doesn’t allow for this possibility, and an ASSERT isn’t making code any better/safer by only ASSERTing.
- Bret
From: Michael D Kinney via groups.io<mailto:michael.d.kinney=intel.com@groups.io>
Sent: Thursday, May 14, 2020 2:07 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; cheptsov@ispras.ru<mailto:cheptsov@ispras.ru>; Kinney, Michael D<mailto:michael.d.kinney@intel.com>
Cc: Andrew Fish<mailto:afish@apple.com>; Ard Biesheuvel<mailto:ard.biesheuvel@linaro.org>; Bret Barkelew<mailto:Bret.Barkelew@microsoft.com>; Brian J . Johnson<mailto:brian.johnson@hpe.com>; Chiu, Chasel<mailto:chasel.chiu@intel.com>; Justen, Jordan L<mailto:jordan.l.justen@intel.com>; Laszlo Ersek<mailto:lersek@redhat.com>; Leif Lindholm<mailto:leif@nuviainc.com>; liming.gao<mailto:liming.gao@intel.com>; Marvin Häuser<mailto:mhaeuser@outlook.de>; Zimmer, Vincent<mailto:vincent.zimmer@intel.com>; Gao, Zhichao<mailto:zhichao.gao@intel.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Hi Vitaly,
What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT() on the data contents.
//
// Convert string
//
while ((*Source != 0) && (SourceLen > 0)) {
//
// If any Unicode characters in Source contain non-zero value in the upper
// 8 bits, then ASSERT().
//
ASSERT (*Source < 0x100);
*(Destination++) = (CHAR8) *(Source++);
SourceLen--;
(*DestinationLength)++;
}
*Destination = 0;
Mike
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 11:59 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Andrew Fish <afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel <ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson <brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel <chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser <mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Zimmer, Vincent <vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Mike,
The code you posted may inflict undefined behaviour is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot be even represented in the first place.
Yet, once again it is out of the scope of the current problem.
Best wishes,
Vitaly
14 мая 2020 г., в 20:58, Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Vitaly,
Why do you think there is no way to craft an odd address
without memory corruption.
UINT8 ByteArray[100];
CHAR16 *String
String = (CHAR16 *)(&Array[3]);
The reason I raised the question of these other ASSERT()s
is that I thought the use case was using these safe string
APIs from a UEFI App, and the UEFI App always wants to evaluate
the return status to know if the operation was completed or
not. In build that removes all ASSERT()s, an odd address
will generate an exception on some CPU archs. Wouldn’t it
be better for the UEFI App that is already designed to handle
error return status to get an error code instead of an
exception?
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 10:39 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Andrew Fish
<afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
Mike,
Firstly, NULL check and odd-address checks are
essentially different things:
— NULL address is basically «no object», «optional
argument» (e.g. failed allocation).
— Odd address is memory corruption, as there is no way
to craft such address anyhow else.
For this reason the implementation is allowed to treat
them differently.
Secondly, as I said in my cover letter there is no
behaviour change here for RELEASE builds. Behaviour
changes unrelated to the bugfix will have to go to a
separate patch. I agree that we may want to reconsider
the interface in the future, but that’s for a separate
bugzilla and patch. Not discussing it currently is
important to avoid diverting from the primary problem.
Could create a bugzilla not to forget about it soon
after the stable tag.
Best wishes,
Vitaly
14 мая 2020 г., в 19:38, Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Why preserve the ASSERT()s for an a Unicode strings
that are not aligned in a 16-bit boundary?
This is essentially the same as an invalid pointer
value
just like NULL. If NULL pointer returns an error
code,
shouldn't and invalid pointer value?
Thanks,
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 2:26 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm
<leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
REF:
https://bugzilla.tianocore.org/show_bug.cgi?id=2054<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2054&data=02%7C01%7CBret.Barkelew%40microsoft.com%7C854c0200e7ed412219a008d7f84ad4e5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637250872617792374&sdata=obXC2njAL18GchcPz1HyiGBSNcBYk8i2Q0ZhWDwICCQ%3D&reserved=0>
Runtime checks returned via status return code
should
not work as
assertions to permit parsing not trusted data with
SafeString
interfaces.
CC: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>
CC: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
CC: Brian J. Johnson <brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>
CC: Chasel Chiu <chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>
CC: Jordan Justen <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>
CC: Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>>
CC: Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>
CC: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>>
CC: Marvin Häuser <mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>
CC: Mike Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
CC: Vincent Zimmer <vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>
CC: Zhichao Gao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Signed-off-by: Vitaly Cheptsov
<vit9696@protonmail.com<mailto:vit9696@protonmail.com>>
---
MdePkg/Include/Library/BaseLib.h | 120 ++--------
--
--------
MdePkg/Library/BaseLib/SafeString.c | 80 ----------
--
-
2 files changed, 7 insertions(+), 193 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h
b/MdePkg/Include/Library/BaseLib.h
index ecadff8b23..62dc3151bc 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -189,7 +189,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -225,7 +224,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -263,7 +261,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -303,7 +300,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -350,12 +346,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -406,12 +397,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -467,12 +453,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -528,12 +509,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -622,8 +598,6 @@ AsciiStrnSizeS (
This function is similar as strcpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -656,8 +630,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -692,8 +664,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -730,8 +700,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -777,12 +745,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -1506,16 +1450,8 @@ StrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -1567,15 +1503,10 @@ StrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
@@ -1640,8 +1571,6 @@ StrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
@param String Pointer to a
Null-
terminated Unicode string.
@@ -1676,17 +1605,6 @@ StrToGuid (
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumUnicodeStringLength is not zero and
Length is greater than
- PcdMaximumUnicodeStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated Unicode string.
@param Length The number of
Unicode characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
bits of each Unicode character. The function
terminates the Ascii string
Destination by appending a Null-terminator
character
at the end.
- The caller is responsible to make sure
Destination
points to a buffer with size
- equal or greater than ((StrLen (Source) + 1) *
sizeof (CHAR8)) in bytes.
+ The caller is responsible to make sure
Destination
points to a buffer with
+ size not smaller than ((MIN(StrLen(Source),
Length)
+ 1) * sizeof (CHAR8))
+ in bytes.
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
- If an error is returned, then the Destination is
unmodified.
+ If an error is returned, then Destination and
DestinationLength are
+ unmodified.
@param Source The pointer to a Null-
terminated Unicode string.
@param Length The maximum number of
Unicode characters to
convert.
@param Destination The pointer to a Null-
terminated Ascii string.
- @param DestMax The maximum number of
Destination Ascii
- char, including
terminating null char.
+ @param DestMax The maximum number of
Destination Ascii char,
+ including terminating
null char.
@param DestinationLength The number of Unicode
characters converted.
@retval RETURN_SUCCESS String is
converted.
@@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -2541,17 +2448,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
equal or greater than ((AsciiStrLen (Source) + 1)
*
sizeof (CHAR16)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
diff --git a/MdePkg/Library/BaseLib/SafeString.c
b/MdePkg/Library/BaseLib/SafeString.c
index 7dc03d2caa..1db42abb05 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -14,7 +14,6 @@
#define SAFE_STRING_CONSTRAINT_CHECK(Expression,
Status) \
do { \
- ASSERT (Expression); \
if (!(Expression)) { \
return Status; \
} \
@@ -197,7 +196,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -279,7 +277,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -372,7 +369,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -473,7 +469,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -590,12 +585,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -705,12 +695,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -825,12 +810,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -956,12 +936,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -1856,8 +1831,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2040,8 +2011,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2154,12 +2123,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -3550,17 +3481,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
--
2.24.2 (Apple Git-127)
[-- Attachment #2: Type: text/html, Size: 131165 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 22:14 ` Michael D Kinney
@ 2020-05-15 9:28 ` Marvin Häuser
2020-05-15 9:30 ` [EXTERNAL] " Vitaly Cheptsov
1 sibling, 0 replies; 15+ messages in thread
From: Marvin Häuser @ 2020-05-15 9:28 UTC (permalink / raw)
To: devel, michael.d.kinney, bret.barkelew@microsoft.com,
cheptsov@ispras.ru
Cc: Andrew Fish, Ard Biesheuvel, Brian J . Johnson, Chiu, Chasel,
Justen, Jordan L, Laszlo Ersek, Leif Lindholm, Gao, Liming,
Zimmer, Vincent, Gao, Zhichao
Good day Mike,
You can also set a different union member to an unaligned pointer and
grab a CHAR16* member. What all those cases have in common is that they
are UB. If that is what you are trying to do, you cannot find any way at
all to get an unaligned pointer without UB. It is not just that they may
not be dereferenced, they need not be representable at all.
I'm voicing this now because as part of the reworked PE loader we
mentioned a few times that family of problems will get further attention
and it's best to find an agreement early. If we have an unaligned
pointer, it is already too late, so the inverted ASSERT condition is
insane. As such, I don't believe there is a need for a runtime error at
all, as what is checked for is "impossible" and may even not be accurate
- at that point it's a lucky heuristic. In fact, the ASSERTs should
possibly be removed entirely, but in a separate(!) patch set in a
separate BZ that also targets Read/WriteUnaligned* and similar issues as
they are found. This patch does exactly what is described, preserve
RELEASE runtime behaviour.
For your specific example, you can use -Waddress-of-packed-member to not
have to rely on ASSERTs catching it.
Please feel free to comment on this matter as time permits, but in
respect to Vitaly's several attempts to fix the original BZ, I'd like to
ask you to consider devoting your time to ensure this patch can land in
the next stable tag first and postpone the alignment discussion till
after the actual matter is resolved.
Regards,
Marvin
Am 15.05.2020 um 00:14 schrieb Michael D Kinney:
> Bret,
>
> I agree with all your points.Which is why I am asking if we should
> address this in the current patch under review.
>
> I will also point out that another way to get an off pointer address
> value for a CHAR16 is through use of packed structures.If a CHAR16
> string is in a packaged structure and starts at an odd byte offset, then
> directly passing the CHAR16 string field to one of these APIs will
> ASSERT() or generate an exception if the ASSERT()s are removed.When
> using packed structures, fields that are larger than 1-byte need to
> either be copied to an aligned location or accessed using the Unaligned
> Read/Write APIs.
>
> Mike
>
> *From:*devel@edk2.groups.io <devel@edk2.groups.io> *On Behalf Of *Bret
> Barkelew via groups.io
> *Sent:* Thursday, May 14, 2020 2:15 PM
> *To:* devel@edk2.groups.io; Kinney, Michael D
> <michael.d.kinney@intel.com>; cheptsov@ispras.ru
> *Cc:* Andrew Fish <afish@apple.com>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org>; Brian J . Johnson <brian.johnson@hpe.com>;
> Chiu, Chasel <chasel.chiu@intel.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Leif
> Lindholm <leif@nuviainc.com>; Gao, Liming <liming.gao@intel.com>; Marvin
> Häuser <mhaeuser@outlook.de>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
> *Subject:* Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> Why isn’t that a failed return value?
>
> That would be unexpected behavior in RELEASE.
>
> Either that, or the function should take in a substitution character
> (e.g. ‘?’) for invalid characters.
>
> The prototype of this function is bad if it doesn’t allow for this
> possibility, and an ASSERT isn’t making code any better/safer by only
> ASSERTing.
>
> - Bret
>
> *From: *Michael D Kinney via groups.io
> <mailto:michael.d.kinney=intel.com@groups.io>
> *Sent: *Thursday, May 14, 2020 2:07 PM
> *To: *devel@edk2.groups.io <mailto:devel@edk2.groups.io>;
> cheptsov@ispras.ru <mailto:cheptsov@ispras.ru>; Kinney, Michael D
> <mailto:michael.d.kinney@intel.com>
> *Cc: *Andrew Fish <mailto:afish@apple.com>; Ard Biesheuvel
> <mailto:ard.biesheuvel@linaro.org>; Bret Barkelew
> <mailto:Bret.Barkelew@microsoft.com>; Brian J . Johnson
> <mailto:brian.johnson@hpe.com>; Chiu, Chasel
> <mailto:chasel.chiu@intel.com>; Justen, Jordan L
> <mailto:jordan.l.justen@intel.com>; Laszlo Ersek
> <mailto:lersek@redhat.com>; Leif Lindholm <mailto:leif@nuviainc.com>;
> liming.gao <mailto:liming.gao@intel.com>; Marvin Häuser
> <mailto:mhaeuser@outlook.de>; Zimmer, Vincent
> <mailto:vincent.zimmer@intel.com>; Gao, Zhichao
> <mailto:zhichao.gao@intel.com>
> *Subject: *[EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> Hi Vitaly,
>
> What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT()
> on the data contents.
>
> //
>
> // Convert string
>
> //
>
> while ((*Source != 0) && (SourceLen > 0)) {
>
> //
>
> // If any Unicode characters in Source contain non-zero value in
> the upper
>
> // 8 bits, then ASSERT().
>
> //
>
> ASSERT (*Source < 0x100);
>
> *(Destination++) = (CHAR8) *(Source++);
>
> SourceLen--;
>
> (*DestinationLength)++;
>
> }
>
> *Destination = 0;
>
> Mike
>
> *From:* devel@edk2.groups.io <mailto:devel@edk2.groups.io>
> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> *On Behalf Of
> *Vitaly Cheptsov
> *Sent:* Thursday, May 14, 2020 11:59 AM
> *To:* Kinney, Michael D <michael.d.kinney@intel.com
> <mailto:michael.d.kinney@intel.com>>
> *Cc:* devel@edk2.groups.io <mailto:devel@edk2.groups.io>; Andrew Fish
> <afish@apple.com <mailto:afish@apple.com>>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>; Bret
> Barkelew <bret.barkelew@microsoft.com
> <mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
> <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>; Chiu, Chasel
> <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>; Justen, Jordan L
> <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>; Laszlo
> Ersek <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif Lindholm
> <leif@nuviainc.com <mailto:leif@nuviainc.com>>; Gao, Liming
> <liming.gao@intel.com <mailto:liming.gao@intel.com>>; Marvin Häuser
> <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
> <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>; Gao,
> Zhichao <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
> *Subject:* Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString
> performing assertions on runtime checks
>
> Mike,
>
> The code you posted may inflict undefined behaviour is not valid C for
> several reasons. The compiler is free to do whatever it desires. Please
> refer to ISO/IEC 9899 for more details.
>
> If applications cast raw pointers to typed pointers without checking
> their alignment, well, god bless them :)
>
> My opinion is both the compiler and the hardware are welcome to do the
> worst once your third line is discovered. On a number of CPUs such
> addresses cannot be even represented in the first place.
>
> Yet, once again it is out of the scope of the current problem.
>
> Best wishes,
>
> Vitaly
>
> 14 мая 2020 г., в 20:58, Kinney, Michael D
> <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
> написал(а):
>
> Vitaly,
>
> Why do you think there is no way to craft an odd address
> without memory corruption.
>
> UINT8 ByteArray[100];
> CHAR16 *String
>
> String = (CHAR16 *)(&Array[3]);
>
> The reason I raised the question of these other ASSERT()s
> is that I thought the use case was using these safe string
> APIs from a UEFI App, and the UEFI App always wants to evaluate
> the return status to know if the operation was completed or
> not. In build that removes all ASSERT()s, an odd address
> will generate an exception on some CPU archs. Wouldn’t it
> be better for the UEFI App that is already designed to handle
> error return status to get an error code instead of an
> exception?
>
> Mike
>
> -----Original Message-----
> From:devel@edk2.groups.io
> <mailto:devel@edk2.groups.io><devel@edk2.groups.io
> <mailto:devel@edk2.groups.io>> On
> Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 10:39 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com
> <mailto:michael.d.kinney@intel.com>>
> Cc:devel@edk2.groups.io <mailto:devel@edk2.groups.io>; Andrew Fish
> <afish@apple.com <mailto:afish@apple.com>>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>;
> Bret Barkelew
> <bret.barkelew@microsoft.com
> <mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
> <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>; Chiu, Chasel
> <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>; Justen,
> Jordan L
> <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>;
> Laszlo Ersek
> <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif Lindholm
> <leif@nuviainc.com <mailto:leif@nuviainc.com>>;
> Gao, Liming <liming.gao@intel.com
> <mailto:liming.gao@intel.com>>; Marvin Häuser
> <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
> <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>;
> Gao, Zhichao
> <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
> Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> Mike,
>
> Firstly, NULL check and odd-address checks are
> essentially different things:
> — NULL address is basically «no object», «optional
> argument» (e.g. failed allocation).
> — Odd address is memory corruption, as there is no way
> to craft such address anyhow else.
> For this reason the implementation is allowed to treat
> them differently.
>
> Secondly, as I said in my cover letter there is no
> behaviour change here for RELEASE builds. Behaviour
> changes unrelated to the bugfix will have to go to a
> separate patch. I agree that we may want to reconsider
> the interface in the future, but that’s for a separate
> bugzilla and patch. Not discussing it currently is
> important to avoid diverting from the primary problem.
> Could create a bugzilla not to forget about it soon
> after the stable tag.
>
> Best wishes,
> Vitaly
>
> 14 мая 2020 г., в 19:38, Kinney, Michael D
>
> <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
> написал(а):
>
>
> Why preserve the ASSERT()s for an a Unicode strings
> that are not aligned in a 16-bit boundary?
>
> This is essentially the same as an invalid pointer
>
> value
>
> just like NULL. If NULL pointer returns an error
>
> code,
>
> shouldn't and invalid pointer value?
>
> Thanks,
>
> Mike
>
> -----Original Message-----
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io>
> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On
> Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 2:26 AM
> To: devel@edk2.groups.io <mailto:devel@edk2.groups.io>
> Cc: Andrew Fish <afish@apple.com
> <mailto:afish@apple.com>>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org
> <mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
> <bret.barkelew@microsoft.com
> <mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
> <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>;
> Chiu, Chasel
> <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>;
> Justen, Jordan L
> <jordan.l.justen@intel.com
> <mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
> <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif
> Lindholm
>
> <leif@nuviainc.com <mailto:leif@nuviainc.com>>;
>
> Gao, Liming <liming.gao@intel.com
> <mailto:liming.gao@intel.com>>; Marvin Häuser
> <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>;
> Kinney, Michael D
> <michael.d.kinney@intel.com
> <mailto:michael.d.kinney@intel.com>>; Zimmer, Vincent
> <vincent.zimmer@intel.com
> <mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
> <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> REF:
> https://bugzilla.tianocore.org/show_bug.cgi?id=2054
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2054&data=02%7C01%7CBret.Barkelew%40microsoft.com%7C854c0200e7ed412219a008d7f84ad4e5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637250872617792374&sdata=obXC2njAL18GchcPz1HyiGBSNcBYk8i2Q0ZhWDwICCQ%3D&reserved=0>
>
>
>
>
>
> Runtime checks returned via status return code
>
> should
>
> not work as
>
>
> assertions to permit parsing not trusted data with
> SafeString
>
>
> interfaces.
>
>
>
>
>
> CC: Andrew Fish <afish@apple.com <mailto:afish@apple.com>>
>
>
> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org
> <mailto:ard.biesheuvel@linaro.org>>
>
>
> CC: Bret Barkelew <bret.barkelew@microsoft.com
> <mailto:bret.barkelew@microsoft.com>>
>
>
> CC: Brian J. Johnson <brian.johnson@hpe.com
> <mailto:brian.johnson@hpe.com>>
>
>
> CC: Chasel Chiu <chasel.chiu@intel.com
> <mailto:chasel.chiu@intel.com>>
>
>
> CC: Jordan Justen <jordan.l.justen@intel.com
> <mailto:jordan.l.justen@intel.com>>
>
>
> CC: Laszlo Ersek <lersek@redhat.com
> <mailto:lersek@redhat.com>>
>
>
> CC: Leif Lindholm <leif@nuviainc.com
> <mailto:leif@nuviainc.com>>
>
>
> CC: Liming Gao <liming.gao@intel.com
> <mailto:liming.gao@intel.com>>
>
>
> CC: Marvin Häuser <mhaeuser@outlook.de
> <mailto:mhaeuser@outlook.de>>
>
>
> CC: Mike Kinney <michael.d.kinney@intel.com
> <mailto:michael.d.kinney@intel.com>>
>
>
> CC: Vincent Zimmer <vincent.zimmer@intel.com
> <mailto:vincent.zimmer@intel.com>>
>
>
> CC: Zhichao Gao <zhichao.gao@intel.com
> <mailto:zhichao.gao@intel.com>>
>
>
> Signed-off-by: Vitaly Cheptsov
>
> <vit9696@protonmail.com <mailto:vit9696@protonmail.com>>
>
>
>
> ---
>
>
> MdePkg/Include/Library/BaseLib.h | 120 ++--------
>
> --
>
> --------
>
>
> MdePkg/Library/BaseLib/SafeString.c | 80 ----------
>
> --
>
> -
>
>
> 2 files changed, 7 insertions(+), 193 deletions(-)
>
>
>
>
>
> diff --git a/MdePkg/Include/Library/BaseLib.h
> b/MdePkg/Include/Library/BaseLib.h
>
>
> index ecadff8b23..62dc3151bc 100644
>
>
> --- a/MdePkg/Include/Library/BaseLib.h
>
>
> +++ b/MdePkg/Include/Library/BaseLib.h
>
>
> @@ -189,7 +189,6 @@ StrnSizeS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -225,7 +224,6 @@ StrCpyS (
>
>
>
>
>
> If Length > 0 and Destination is not aligned on a
> 16-bit boundary, then ASSERT().
>
>
> If Length > 0 and Source is not aligned on a 16-
>
> bit
>
> boundary, then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -263,7 +261,6 @@ StrnCpyS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -303,7 +300,6 @@ StrCatS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -350,12 +346,7 @@ StrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -406,12 +397,7 @@ StrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -467,12 +453,7 @@ StrDecimalToUint64S (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -528,12 +509,7 @@ StrHexToUintnS (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -622,8 +598,6 @@ AsciiStrnSizeS (
>
>
>
>
>
> This function is similar as strcpy_s defined in
>
> C11.
>
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -656,8 +630,6 @@ AsciiStrCpyS (
>
>
>
>
>
> This function is similar as strncpy_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -692,8 +664,6 @@ AsciiStrnCpyS (
>
>
>
>
>
> This function is similar as strcat_s defined in
>
> C11.
>
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -730,8 +700,6 @@ AsciiStrCatS (
>
>
>
>
>
> This function is similar as strncat_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -777,12 +745,6 @@ AsciiStrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -1506,16 +1450,8 @@ StrHexToUint64 (
>
>
> "::" can be used to compress one or more groups of
>
> X
>
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
>
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
>
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
>
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -1567,15 +1503,10 @@ StrToIpv6Address (
>
>
> When /P is in the String, the function stops at
>
> the
>
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
>
>
>
> If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If EndPointer is not NULL and Address is
>
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
>
> at
>
> the location pointed to
>
>
> @@ -1640,8 +1571,6 @@ StrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
>
>
>
> @param String Pointer to a
>
> Null-
>
> terminated Unicode string.
>
>
> @@ -1676,17 +1605,6 @@ StrToGuid (
>
>
>
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumUnicodeStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumUnicodeStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a
>
> Null-
>
> terminated Unicode string.
>
>
> @param Length The number of
> Unicode characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
>
>
> the upper 8 bits, then ASSERT().
>
>
>
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
>
>
> bits of each Unicode character. The function
> terminates the Ascii string
>
>
> Destination by appending a Null-terminator
>
> character
>
> at the end.
>
>
>
>
>
> - The caller is responsible to make sure
>
> Destination
>
> points to a buffer with size
>
>
> - equal or greater than ((StrLen (Source) + 1) *
> sizeof (CHAR8)) in bytes.
>
>
> + The caller is responsible to make sure
>
> Destination
>
> points to a buffer with
>
>
> + size not smaller than ((MIN(StrLen(Source),
>
> Length)
>
> + 1) * sizeof (CHAR8))
>
>
> + in bytes.
>
>
>
>
>
> If any Unicode characters in Source contain non-
>
> zero
>
> value in the upper 8
>
>
> bits, then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> - If an error is returned, then the Destination is
> unmodified.
>
>
> + If an error is returned, then Destination and
> DestinationLength are
>
>
> + unmodified.
>
>
>
>
>
> @param Source The pointer to a Null-
> terminated Unicode string.
>
>
> @param Length The maximum number of
> Unicode characters to
>
>
> convert.
>
>
> @param Destination The pointer to a Null-
> terminated Ascii string.
>
>
> - @param DestMax The maximum number of
> Destination Ascii
>
>
> - char, including
> terminating null char.
>
>
> + @param DestMax The maximum number of
> Destination Ascii char,
>
>
> + including terminating
> null char.
>
>
> @param DestinationLength The number of Unicode
> characters converted.
>
>
>
>
>
> @retval RETURN_SUCCESS String is
> converted.
>
>
> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
>
>
> "::" can be used to compress one or more groups of
>
> X
>
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
>
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
>
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
>
>
> When /P is in the String, the function stops at
>
> the
>
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
>
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
>
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> -
>
>
> @param String Pointer to a
>
> Null-
>
> terminated ASCII string.
>
>
> @param Guid Pointer to the
> converted GUID.
>
>
>
>
>
> @@ -2541,17 +2448,6 @@ AsciiStrToGuid (
>
>
> decoding stops after Length of characters and
> outputs Buffer containing
>
>
> (Length / 2) bytes.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumAsciiStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumAsciiStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a
>
> Null-
>
> terminated ASCII string.
>
>
> @param Length The number of
>
> ASCII
>
> characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
>
>
> equal or greater than ((AsciiStrLen (Source) + 1)
>
> *
>
> sizeof (CHAR16)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
>
>
> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> (CHAR8)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> diff --git a/MdePkg/Library/BaseLib/SafeString.c
> b/MdePkg/Library/BaseLib/SafeString.c
>
>
> index 7dc03d2caa..1db42abb05 100644
>
>
> --- a/MdePkg/Library/BaseLib/SafeString.c
>
>
> +++ b/MdePkg/Library/BaseLib/SafeString.c
>
>
> @@ -14,7 +14,6 @@
>
>
>
>
>
> #define SAFE_STRING_CONSTRAINT_CHECK(Expression,
> Status) \
>
>
> do { \
>
>
> - ASSERT (Expression); \
>
>
> if (!(Expression)) { \
>
>
> return Status; \
>
>
> } \
>
>
> @@ -197,7 +196,6 @@ StrnSizeS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -279,7 +277,6 @@ StrCpyS (
>
>
>
>
>
> If Length > 0 and Destination is not aligned on a
> 16-bit boundary, then ASSERT().
>
>
> If Length > 0 and Source is not aligned on a 16-
>
> bit
>
> boundary, then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -372,7 +369,6 @@ StrnCpyS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -473,7 +469,6 @@ StrCatS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -590,12 +585,7 @@ StrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -705,12 +695,7 @@ StrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -825,12 +810,7 @@ StrDecimalToUint64S (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -956,12 +936,7 @@ StrHexToUintnS (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -1856,8 +1831,6 @@ AsciiStrCpyS (
>
>
>
>
>
> This function is similar as strncpy_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
>
>
>
>
>
> This function is similar as strcat_s defined in
>
> C11.
>
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -2040,8 +2011,6 @@ AsciiStrCatS (
>
>
>
>
>
> This function is similar as strncat_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -2154,12 +2123,6 @@ AsciiStrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
>
>
> the upper 8 bits, then ASSERT().
>
>
>
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
>
>
> If any Unicode characters in Source contain non-
>
> zero
>
> value in the upper 8
>
>
> bits, then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
>
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
>
>
> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> (CHAR8)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit
>
> boundary,
>
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
>
>
> "::" can be used to compress one or more groups of
>
> X
>
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
>
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
>
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
>
>
> When /P is in the String, the function stops at
>
> the
>
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
>
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
>
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> -
>
>
> @param String Pointer to a
>
> Null-
>
> terminated ASCII string.
>
>
> @param Guid Pointer to the
> converted GUID.
>
>
>
>
>
> @@ -3550,17 +3481,6 @@ AsciiStrToGuid (
>
>
> decoding stops after Length of characters and
> outputs Buffer containing
>
>
> (Length / 2) bytes.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumAsciiStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumAsciiStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a
>
> Null-
>
> terminated ASCII string.
>
>
> @param Length The number of
>
> ASCII
>
> characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> --
>
>
> 2.24.2 (Apple Git-127)
>
>
>
>
>
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [EXTERNAL] [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-14 22:14 ` Michael D Kinney
2020-05-15 9:28 ` Marvin Häuser
@ 2020-05-15 9:30 ` Vitaly Cheptsov
2020-05-15 15:26 ` Bret Barkelew
1 sibling, 1 reply; 15+ messages in thread
From: Vitaly Cheptsov @ 2020-05-15 9:30 UTC (permalink / raw)
To: Kinney, Michael D, bret.barkelew@microsoft.com,
Marvin Häuser
Cc: devel@edk2.groups.io, Andrew Fish, Ard Biesheuvel,
Brian J . Johnson, Chiu, Chasel, Justen, Jordan L, Laszlo Ersek,
Leif Lindholm, Gao, Liming, Zimmer, Vincent, Gao, Zhichao
[-- Attachment #1.1: Type: text/plain, Size: 46033 bytes --]
Mike, Bret,
The assertion in UnicodeStrnToAsciiStrS is currently not a runtime check but a precondition. I.e. the function does not work with such sequences.
I fully agree that it is not right, and that we should actually update the documentation and change it to the following construction (0x80 instead of 0x100 for 7-bit ASCII and ‘?’ for invalid patch):
if (*Source < 0x80) {
*(Destination++) = (CHAR8) *(Source++);
} else {
*(Destination++) = ‘?';
}
However, it has to be out of the scope of this patch due to the nature of the change: function behaviour change for RELEASE instead of assertion removal for the runtime check as for all the rest. Should file a bugzilla as well.
As for alignment, I believe Marvin explained it well, and I have nothing to add there. There is no need to change the patch anyhow.
Best wishes,
Vitaly
> 15 мая 2020 г., в 01:14, Kinney, Michael D <michael.d.kinney@intel.com> написал(а):
>
> Bret,
>
> I agree with all your points. Which is why I am asking if we should address this in the current patch under review.
>
> I will also point out that another way to get an off pointer address value for a CHAR16 is through use of packed structures. If a CHAR16 string is in a packaged structure and starts at an odd byte offset, then directly passing the CHAR16 string field to one of these APIs will ASSERT() or generate an exception if the ASSERT()s are removed. When using packed structures, fields that are larger than 1-byte need to either be copied to an aligned location or accessed using the Unaligned Read/Write APIs.
>
> Mike
>
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On Behalf Of Bret Barkelew via groups.io <http://groups.io/>
> Sent: Thursday, May 14, 2020 2:15 PM
> To: devel@edk2.groups.io <mailto:devel@edk2.groups.io>; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>; cheptsov@ispras.ru <mailto:cheptsov@ispras.ru>
> Cc: Andrew Fish <afish@apple.com <mailto:afish@apple.com>>; Ard Biesheuvel <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>; Brian J . Johnson <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>; Chiu, Chasel <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>; Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com <mailto:leif@nuviainc.com>>; Gao, Liming <liming.gao@intel.com <mailto:liming.gao@intel.com>>; Marvin Häuser <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>; Zimmer, Vincent <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>; Gao, Zhichao <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
> Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> Why isn’t that a failed return value?
> That would be unexpected behavior in RELEASE.
>
> Either that, or the function should take in a substitution character (e.g. ‘?’) for invalid characters.
>
> The prototype of this function is bad if it doesn’t allow for this possibility, and an ASSERT isn’t making code any better/safer by only ASSERTing.
>
> - Bret
>
> From: Michael D Kinney via groups.io <mailto:michael.d.kinney=intel.com@groups.io>
> Sent: Thursday, May 14, 2020 2:07 PM
> To: devel@edk2.groups.io <mailto:devel@edk2.groups.io>; cheptsov@ispras.ru <mailto:cheptsov@ispras.ru>; Kinney, Michael D <mailto:michael.d.kinney@intel.com>
> Cc: Andrew Fish <mailto:afish@apple.com>; Ard Biesheuvel <mailto:ard.biesheuvel@linaro.org>; Bret Barkelew <mailto:Bret.Barkelew@microsoft.com>; Brian J . Johnson <mailto:brian.johnson@hpe.com>; Chiu, Chasel <mailto:chasel.chiu@intel.com>; Justen, Jordan L <mailto:jordan.l.justen@intel.com>; Laszlo Ersek <mailto:lersek@redhat.com>; Leif Lindholm <mailto:leif@nuviainc.com>; liming.gao <mailto:liming.gao@intel.com>; Marvin Häuser <mailto:mhaeuser@outlook.de>; Zimmer, Vincent <mailto:vincent.zimmer@intel.com>; Gao, Zhichao <mailto:zhichao.gao@intel.com>
> Subject: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> Hi Vitaly,
>
> What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT() on the data contents.
>
> //
> // Convert string
> //
> while ((*Source != 0) && (SourceLen > 0)) {
> //
> // If any Unicode characters in Source contain non-zero value in the upper
> // 8 bits, then ASSERT().
> //
> ASSERT (*Source < 0x100);
> *(Destination++) = (CHAR8) *(Source++);
> SourceLen--;
> (*DestinationLength)++;
> }
> *Destination = 0;
>
> Mike
>
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 11:59 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
> Cc: devel@edk2.groups.io <mailto:devel@edk2.groups.io>; Andrew Fish <afish@apple.com <mailto:afish@apple.com>>; Ard Biesheuvel <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew <bret.barkelew@microsoft.com <mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>; Chiu, Chasel <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>; Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com <mailto:leif@nuviainc.com>>; Gao, Liming <liming.gao@intel.com <mailto:liming.gao@intel.com>>; Marvin Häuser <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>; Zimmer, Vincent <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>; Gao, Zhichao <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
> Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> Mike,
>
> The code you posted may inflict undefined behaviour is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
>
> If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
> My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot be even represented in the first place.
>
> Yet, once again it is out of the scope of the current problem.
>
> Best wishes,
> Vitaly
>
>
>
> 14 мая 2020 г., в 20:58, Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>> написал(а):
>
> Vitaly,
>
> Why do you think there is no way to craft an odd address
> without memory corruption.
>
> UINT8 ByteArray[100];
> CHAR16 *String
>
> String = (CHAR16 *)(&Array[3]);
>
> The reason I raised the question of these other ASSERT()s
> is that I thought the use case was using these safe string
> APIs from a UEFI App, and the UEFI App always wants to evaluate
> the return status to know if the operation was completed or
> not. In build that removes all ASSERT()s, an odd address
> will generate an exception on some CPU archs. Wouldn’t it
> be better for the UEFI App that is already designed to handle
> error return status to get an error code instead of an
> exception?
>
> Mike
>
>
> -----Original Message-----
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On
> Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 10:39 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
> Cc: devel@edk2.groups.io <mailto:devel@edk2.groups.io>; Andrew Fish
> <afish@apple.com <mailto:afish@apple.com>>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
> <bret.barkelew@microsoft.com <mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
> <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>; Chiu, Chasel
> <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>; Justen, Jordan L
> <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
> <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com <mailto:leif@nuviainc.com>>;
> Gao, Liming <liming.gao@intel.com <mailto:liming.gao@intel.com>>; Marvin Häuser
> <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
> <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
> <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
> Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> Mike,
>
> Firstly, NULL check and odd-address checks are
> essentially different things:
> — NULL address is basically «no object», «optional
> argument» (e.g. failed allocation).
> — Odd address is memory corruption, as there is no way
> to craft such address anyhow else.
> For this reason the implementation is allowed to treat
> them differently.
>
> Secondly, as I said in my cover letter there is no
> behaviour change here for RELEASE builds. Behaviour
> changes unrelated to the bugfix will have to go to a
> separate patch. I agree that we may want to reconsider
> the interface in the future, but that’s for a separate
> bugzilla and patch. Not discussing it currently is
> important to avoid diverting from the primary problem.
> Could create a bugzilla not to forget about it soon
> after the stable tag.
>
> Best wishes,
> Vitaly
>
>
> 14 мая 2020 г., в 19:38, Kinney, Michael D
> <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>> написал(а):
>
>
> Why preserve the ASSERT()s for an a Unicode strings
> that are not aligned in a 16-bit boundary?
>
> This is essentially the same as an invalid pointer
> value
>
> just like NULL. If NULL pointer returns an error
> code,
>
> shouldn't and invalid pointer value?
>
> Thanks,
>
> Mike
>
>
> -----Original Message-----
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On
> Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 2:26 AM
> To: devel@edk2.groups.io <mailto:devel@edk2.groups.io>
> Cc: Andrew Fish <afish@apple.com <mailto:afish@apple.com>>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
> <bret.barkelew@microsoft.com <mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
> <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>; Chiu, Chasel
> <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>; Justen, Jordan L
> <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
> <lersek@redhat.com <mailto:lersek@redhat.com>>; Leif Lindholm
> <leif@nuviainc.com <mailto:leif@nuviainc.com>>;
>
> Gao, Liming <liming.gao@intel.com <mailto:liming.gao@intel.com>>; Marvin Häuser
> <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>; Kinney, Michael D
> <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>; Zimmer, Vincent
> <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
> <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
> SafeString performing assertions on runtime checks
>
> REF:
> https://bugzilla.tianocore.org/show_bug.cgi?id=2054 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2054&data=02%7C01%7CBret.Barkelew%40microsoft.com%7C854c0200e7ed412219a008d7f84ad4e5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637250872617792374&sdata=obXC2njAL18GchcPz1HyiGBSNcBYk8i2Q0ZhWDwICCQ%3D&reserved=0>
>
>
>
>
>
> Runtime checks returned via status return code
> should
>
> not work as
>
>
> assertions to permit parsing not trusted data with
> SafeString
>
>
> interfaces.
>
>
>
>
>
> CC: Andrew Fish <afish@apple.com <mailto:afish@apple.com>>
>
>
> CC: Ard Biesheuvel <ard.biesheuvel@linaro.org <mailto:ard.biesheuvel@linaro.org>>
>
>
> CC: Bret Barkelew <bret.barkelew@microsoft.com <mailto:bret.barkelew@microsoft.com>>
>
>
> CC: Brian J. Johnson <brian.johnson@hpe.com <mailto:brian.johnson@hpe.com>>
>
>
> CC: Chasel Chiu <chasel.chiu@intel.com <mailto:chasel.chiu@intel.com>>
>
>
> CC: Jordan Justen <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com>>
>
>
> CC: Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>>
>
>
> CC: Leif Lindholm <leif@nuviainc.com <mailto:leif@nuviainc.com>>
>
>
> CC: Liming Gao <liming.gao@intel.com <mailto:liming.gao@intel.com>>
>
>
> CC: Marvin Häuser <mhaeuser@outlook.de <mailto:mhaeuser@outlook.de>>
>
>
> CC: Mike Kinney <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
>
>
> CC: Vincent Zimmer <vincent.zimmer@intel.com <mailto:vincent.zimmer@intel.com>>
>
>
> CC: Zhichao Gao <zhichao.gao@intel.com <mailto:zhichao.gao@intel.com>>
>
>
> Signed-off-by: Vitaly Cheptsov
> <vit9696@protonmail.com <mailto:vit9696@protonmail.com>>
>
>
>
> ---
>
>
> MdePkg/Include/Library/BaseLib.h | 120 ++--------
> --
>
> --------
>
>
> MdePkg/Library/BaseLib/SafeString.c | 80 ----------
> --
>
> -
>
>
> 2 files changed, 7 insertions(+), 193 deletions(-)
>
>
>
>
>
> diff --git a/MdePkg/Include/Library/BaseLib.h
> b/MdePkg/Include/Library/BaseLib.h
>
>
> index ecadff8b23..62dc3151bc 100644
>
>
> --- a/MdePkg/Include/Library/BaseLib.h
>
>
> +++ b/MdePkg/Include/Library/BaseLib.h
>
>
> @@ -189,7 +189,6 @@ StrnSizeS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -225,7 +224,6 @@ StrCpyS (
>
>
>
>
>
> If Length > 0 and Destination is not aligned on a
> 16-bit boundary, then ASSERT().
>
>
> If Length > 0 and Source is not aligned on a 16-
> bit
>
> boundary, then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -263,7 +261,6 @@ StrnCpyS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -303,7 +300,6 @@ StrCatS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -350,12 +346,7 @@ StrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -406,12 +397,7 @@ StrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -467,12 +453,7 @@ StrDecimalToUint64S (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -528,12 +509,7 @@ StrHexToUintnS (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -622,8 +598,6 @@ AsciiStrnSizeS (
>
>
>
>
>
> This function is similar as strcpy_s defined in
> C11.
>
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -656,8 +630,6 @@ AsciiStrCpyS (
>
>
>
>
>
> This function is similar as strncpy_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -692,8 +664,6 @@ AsciiStrnCpyS (
>
>
>
>
>
> This function is similar as strcat_s defined in
> C11.
>
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -730,8 +700,6 @@ AsciiStrCatS (
>
>
>
>
>
> This function is similar as strncat_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -777,12 +745,6 @@ AsciiStrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -1506,16 +1450,8 @@ StrHexToUint64 (
>
>
> "::" can be used to compress one or more groups of
> X
>
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
>
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -1567,15 +1503,10 @@ StrToIpv6Address (
>
>
> When /P is in the String, the function stops at
> the
>
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
>
>
>
> If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If EndPointer is not NULL and Address is
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
> at
>
> the location pointed to
>
>
> @@ -1640,8 +1571,6 @@ StrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
>
>
>
> @param String Pointer to a
> Null-
>
> terminated Unicode string.
>
>
> @@ -1676,17 +1605,6 @@ StrToGuid (
>
>
>
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumUnicodeStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumUnicodeStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a
> Null-
>
> terminated Unicode string.
>
>
> @param Length The number of
> Unicode characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
>
>
> the upper 8 bits, then ASSERT().
>
>
>
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
>
>
> bits of each Unicode character. The function
> terminates the Ascii string
>
>
> Destination by appending a Null-terminator
> character
>
> at the end.
>
>
>
>
>
> - The caller is responsible to make sure
> Destination
>
> points to a buffer with size
>
>
> - equal or greater than ((StrLen (Source) + 1) *
> sizeof (CHAR8)) in bytes.
>
>
> + The caller is responsible to make sure
> Destination
>
> points to a buffer with
>
>
> + size not smaller than ((MIN(StrLen(Source),
> Length)
>
> + 1) * sizeof (CHAR8))
>
>
> + in bytes.
>
>
>
>
>
> If any Unicode characters in Source contain non-
> zero
>
> value in the upper 8
>
>
> bits, then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> - If an error is returned, then the Destination is
> unmodified.
>
>
> + If an error is returned, then Destination and
> DestinationLength are
>
>
> + unmodified.
>
>
>
>
>
> @param Source The pointer to a Null-
> terminated Unicode string.
>
>
> @param Length The maximum number of
> Unicode characters to
>
>
> convert.
>
>
> @param Destination The pointer to a Null-
> terminated Ascii string.
>
>
> - @param DestMax The maximum number of
> Destination Ascii
>
>
> - char, including
> terminating null char.
>
>
> + @param DestMax The maximum number of
> Destination Ascii char,
>
>
> + including terminating
> null char.
>
>
> @param DestinationLength The number of Unicode
> characters converted.
>
>
>
>
>
> @retval RETURN_SUCCESS String is
> converted.
>
>
> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
>
>
> "::" can be used to compress one or more groups of
> X
>
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
>
>
> When /P is in the String, the function stops at
> the
>
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> -
>
>
> @param String Pointer to a
> Null-
>
> terminated ASCII string.
>
>
> @param Guid Pointer to the
> converted GUID.
>
>
>
>
>
> @@ -2541,17 +2448,6 @@ AsciiStrToGuid (
>
>
> decoding stops after Length of characters and
> outputs Buffer containing
>
>
> (Length / 2) bytes.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumAsciiStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumAsciiStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a
> Null-
>
> terminated ASCII string.
>
>
> @param Length The number of
> ASCII
>
> characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
>
>
> equal or greater than ((AsciiStrLen (Source) + 1)
> *
>
> sizeof (CHAR16)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
>
>
> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> (CHAR8)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> diff --git a/MdePkg/Library/BaseLib/SafeString.c
> b/MdePkg/Library/BaseLib/SafeString.c
>
>
> index 7dc03d2caa..1db42abb05 100644
>
>
> --- a/MdePkg/Library/BaseLib/SafeString.c
>
>
> +++ b/MdePkg/Library/BaseLib/SafeString.c
>
>
> @@ -14,7 +14,6 @@
>
>
>
>
>
> #define SAFE_STRING_CONSTRAINT_CHECK(Expression,
> Status) \
>
>
> do { \
>
>
> - ASSERT (Expression); \
>
>
> if (!(Expression)) { \
>
>
> return Status; \
>
>
> } \
>
>
> @@ -197,7 +196,6 @@ StrnSizeS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -279,7 +277,6 @@ StrCpyS (
>
>
>
>
>
> If Length > 0 and Destination is not aligned on a
> 16-bit boundary, then ASSERT().
>
>
> If Length > 0 and Source is not aligned on a 16-
> bit
>
> boundary, then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -372,7 +369,6 @@ StrnCpyS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -473,7 +469,6 @@ StrCatS (
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -590,12 +585,7 @@ StrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -705,12 +695,7 @@ StrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> @@ -825,12 +810,7 @@ StrDecimalToUint64S (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -956,12 +936,7 @@ StrHexToUintnS (
>
>
> the first character that is a not a valid
> hexadecimal character or NULL,
>
>
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> If String is not aligned in a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If PcdMaximumUnicodeStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumUnicodeStringLength Unicode characters,
> not including the
>
>
> - Null-terminator, then ASSERT().
>
>
>
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> @@ -1856,8 +1831,6 @@ AsciiStrCpyS (
>
>
>
>
>
> This function is similar as strncpy_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
>
>
>
>
>
> This function is similar as strcat_s defined in
> C11.
>
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -2040,8 +2011,6 @@ AsciiStrCatS (
>
>
>
>
>
> This function is similar as strncat_s defined in
> C11.
>
>
>
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
> -
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @param Destination A pointer to a
> Null-terminated Ascii string.
>
>
> @@ -2154,12 +2123,6 @@ AsciiStrnCatS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
>
>
> be ignored. Then, the function stops at the first
> character that is a not a
>
>
> valid decimal character or a Null-terminator,
> whichever one comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid decimal digits in the above
> format, then 0 is stored
>
>
> at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINTN, then
>
>
> @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
>
>
> character that is a not a valid hexadecimal
> character or Null-terminator,
>
>
> whichever on comes first.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Data is NULL, then ASSERT().
>
>
> - If PcdMaximumAsciiStringLength is not zero, and
> String contains more than
>
>
> - PcdMaximumAsciiStringLength Ascii characters, not
> including the
>
>
> - Null-terminator, then ASSERT().
>
>
> -
>
>
> If String has no valid hexadecimal digits in the
> above format, then 0 is
>
>
> stored at the location pointed to by Data.
>
>
> If the number represented by String exceeds the
> range defined by UINT64, then
>
>
> @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
>
>
> the upper 8 bits, then ASSERT().
>
>
>
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then the Destination is
> unmodified.
>
>
>
>
>
> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
>
>
> If any Unicode characters in Source contain non-
> zero
>
> value in the upper 8
>
>
> bits, then ASSERT().
>
>
> If Source is not aligned on a 16-bit boundary,
> then
>
> ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
>
>
> ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
> (CHAR8)) in bytes.
>
>
>
>
>
> If Destination is not aligned on a 16-bit
> boundary,
>
> then ASSERT().
>
>
> - If an error would be returned, then the function
> will also ASSERT().
>
>
>
>
>
> If an error is returned, then Destination and
> DestinationLength are
>
>
> unmodified.
>
>
> @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
>
>
> "::" can be used to compress one or more groups of
> X
>
> when X contains only 0.
>
>
> The "::" can only appear once in the String.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
>
>
> When /P is in the String, the function stops at
> the
>
> first character that is not
>
>
> a valid decimal digit character after P is
> converted.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Address is NULL, then ASSERT().
>
>
> -
>
>
> If EndPointer is not NULL and Address is
> translated
>
> from String, a pointer
>
>
> to the character that stopped the scan is stored
> at
>
> the location pointed to
>
>
> by EndPointer.
>
>
> @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
>
>
> oo Data4[48:55]
>
>
> pp Data4[56:63]
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> - If Guid is NULL, then ASSERT().
>
>
> -
>
>
> @param String Pointer to a
> Null-
>
> terminated ASCII string.
>
>
> @param Guid Pointer to the
> converted GUID.
>
>
>
>
>
> @@ -3550,17 +3481,6 @@ AsciiStrToGuid (
>
>
> decoding stops after Length of characters and
> outputs Buffer containing
>
>
> (Length / 2) bytes.
>
>
>
>
>
> - If String is NULL, then ASSERT().
>
>
> -
>
>
> - If Buffer is NULL, then ASSERT().
>
>
> -
>
>
> - If Length is not multiple of 2, then ASSERT().
>
>
> -
>
>
> - If PcdMaximumAsciiStringLength is not zero and
> Length is greater than
>
>
> - PcdMaximumAsciiStringLength, then ASSERT().
>
>
> -
>
>
> - If MaxBufferSize is less than (Length / 2), then
> ASSERT().
>
>
> -
>
>
> @param String Pointer to a
> Null-
>
> terminated ASCII string.
>
>
> @param Length The number of
> ASCII
>
> characters to decode.
>
>
> @param Buffer Pointer to the
> converted bytes array.
>
>
> --
>
>
> 2.24.2 (Apple Git-127)
>
>
>
>
>
>
>
>
>
>
>
>
[-- Attachment #1.2: Type: text/html, Size: 136504 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [EXTERNAL] [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
2020-05-15 9:30 ` [EXTERNAL] " Vitaly Cheptsov
@ 2020-05-15 15:26 ` Bret Barkelew
0 siblings, 0 replies; 15+ messages in thread
From: Bret Barkelew @ 2020-05-15 15:26 UTC (permalink / raw)
To: Vitaly Cheptsov, Kinney, Michael D, Marvin Häuser
Cc: devel@edk2.groups.io, Andrew Fish, Ard Biesheuvel,
Brian J . Johnson, Chiu, Chasel, Justen, Jordan L, Laszlo Ersek,
Leif Lindholm, liming.gao, Zimmer, Vincent, Gao, Zhichao
[-- Attachment #1: Type: text/plain, Size: 42154 bytes --]
Agreed. This was more for discussion than a request to change. Sorry for the churn.
- Bret
________________________________
From: Vitaly Cheptsov <cheptsov@ispras.ru>
Sent: Friday, May 15, 2020 2:30:46 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>; Marvin Häuser <mhaeuser@outlook.de>
Cc: devel@edk2.groups.io <devel@edk2.groups.io>; Andrew Fish <afish@apple.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>; Brian J . Johnson <brian.johnson@hpe.com>; Chiu, Chasel <chasel.chiu@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>; liming.gao <liming.gao@intel.com>; Zimmer, Vincent <vincent.zimmer@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Mike, Bret,
The assertion in UnicodeStrnToAsciiStrS is currently not a runtime check but a precondition. I.e. the function does not work with such sequences.
I fully agree that it is not right, and that we should actually update the documentation and change it to the following construction (0x80 instead of 0x100 for 7-bit ASCII and ‘?’ for invalid patch):
if (*Source < 0x80) {
*(Destination++) = (CHAR8) *(Source++);
} else {
*(Destination++) = ‘?';
}
However, it has to be out of the scope of this patch due to the nature of the change: function behaviour change for RELEASE instead of assertion removal for the runtime check as for all the rest. Should file a bugzilla as well.
As for alignment, I believe Marvin explained it well, and I have nothing to add there. There is no need to change the patch anyhow.
Best wishes,
Vitaly
15 мая 2020 г., в 01:14, Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Bret,
I agree with all your points. Which is why I am asking if we should address this in the current patch under review.
I will also point out that another way to get an off pointer address value for a CHAR16 is through use of packed structures. If a CHAR16 string is in a packaged structure and starts at an odd byte offset, then directly passing the CHAR16 string field to one of these APIs will ASSERT() or generate an exception if the ASSERT()s are removed. When using packed structures, fields that are larger than 1-byte need to either be copied to an aligned location or accessed using the Unaligned Read/Write APIs.
Mike
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Bret Barkelew via groups.io<http://groups.io/>
Sent: Thursday, May 14, 2020 2:15 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; cheptsov@ispras.ru<mailto:cheptsov@ispras.ru>
Cc: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel <ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Brian J . Johnson <brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel <chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser <mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Zimmer, Vincent <vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Why isn’t that a failed return value?
That would be unexpected behavior in RELEASE.
Either that, or the function should take in a substitution character (e.g. ‘?’) for invalid characters.
The prototype of this function is bad if it doesn’t allow for this possibility, and an ASSERT isn’t making code any better/safer by only ASSERTing.
- Bret
From: Michael D Kinney via groups.io<mailto:michael.d.kinney=intel.com@groups.io>
Sent: Thursday, May 14, 2020 2:07 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; cheptsov@ispras.ru<mailto:cheptsov@ispras.ru>; Kinney, Michael D<mailto:michael.d.kinney@intel.com>
Cc: Andrew Fish<mailto:afish@apple.com>; Ard Biesheuvel<mailto:ard.biesheuvel@linaro.org>; Bret Barkelew<mailto:Bret.Barkelew@microsoft.com>; Brian J . Johnson<mailto:brian.johnson@hpe.com>; Chiu, Chasel<mailto:chasel.chiu@intel.com>; Justen, Jordan L<mailto:jordan.l.justen@intel.com>; Laszlo Ersek<mailto:lersek@redhat.com>; Leif Lindholm<mailto:leif@nuviainc.com>; liming.gao<mailto:liming.gao@intel.com>; Marvin Häuser<mailto:mhaeuser@outlook.de>; Zimmer, Vincent<mailto:vincent.zimmer@intel.com>; Gao, Zhichao<mailto:zhichao.gao@intel.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Hi Vitaly,
What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT() on the data contents.
//
// Convert string
//
while ((*Source != 0) && (SourceLen > 0)) {
//
// If any Unicode characters in Source contain non-zero value in the upper
// 8 bits, then ASSERT().
//
ASSERT (*Source < 0x100);
*(Destination++) = (CHAR8) *(Source++);
SourceLen--;
(*DestinationLength)++;
}
*Destination = 0;
Mike
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 11:59 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Andrew Fish <afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel <ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson <brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel <chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser <mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Zimmer, Vincent <vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Mike,
The code you posted may inflict undefined behaviour is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot be even represented in the first place.
Yet, once again it is out of the scope of the current problem.
Best wishes,
Vitaly
14 мая 2020 г., в 20:58, Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Vitaly,
Why do you think there is no way to craft an odd address
without memory corruption.
UINT8 ByteArray[100];
CHAR16 *String
String = (CHAR16 *)(&Array[3]);
The reason I raised the question of these other ASSERT()s
is that I thought the use case was using these safe string
APIs from a UEFI App, and the UEFI App always wants to evaluate
the return status to know if the operation was completed or
not. In build that removes all ASSERT()s, an odd address
will generate an exception on some CPU archs. Wouldn’t it
be better for the UEFI App that is already designed to handle
error return status to get an error code instead of an
exception?
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 10:39 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Andrew Fish
<afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
Mike,
Firstly, NULL check and odd-address checks are
essentially different things:
— NULL address is basically «no object», «optional
argument» (e.g. failed allocation).
— Odd address is memory corruption, as there is no way
to craft such address anyhow else.
For this reason the implementation is allowed to treat
them differently.
Secondly, as I said in my cover letter there is no
behaviour change here for RELEASE builds. Behaviour
changes unrelated to the bugfix will have to go to a
separate patch. I agree that we may want to reconsider
the interface in the future, but that’s for a separate
bugzilla and patch. Not discussing it currently is
important to avoid diverting from the primary problem.
Could create a bugzilla not to forget about it soon
after the stable tag.
Best wishes,
Vitaly
14 мая 2020 г., в 19:38, Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> написал(а):
Why preserve the ASSERT()s for an a Unicode strings
that are not aligned in a 16-bit boundary?
This is essentially the same as an invalid pointer
value
just like NULL. If NULL pointer returns an error
code,
shouldn't and invalid pointer value?
Thanks,
Mike
-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 2:26 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>; Ard Biesheuvel
<ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>; Bret Barkelew
<bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>; Brian J . Johnson
<brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>; Chiu, Chasel
<chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>; Justen, Jordan L
<jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Laszlo Ersek
<lersek@redhat.com<mailto:lersek@redhat.com>>; Leif Lindholm
<leif@nuviainc.com<mailto:leif@nuviainc.com>>;
Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>; Marvin Häuser
<mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>; Kinney, Michael D
<michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Zimmer, Vincent
<vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>; Gao, Zhichao
<zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
REF:
https://bugzilla.tianocore.org/show_bug.cgi?id=2054<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2054&data=02%7C01%7CBret.Barkelew%40microsoft.com%7C854c0200e7ed412219a008d7f84ad4e5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637250872617792374&sdata=obXC2njAL18GchcPz1HyiGBSNcBYk8i2Q0ZhWDwICCQ%3D&reserved=0>
Runtime checks returned via status return code
should
not work as
assertions to permit parsing not trusted data with
SafeString
interfaces.
CC: Andrew Fish <afish@apple.com<mailto:afish@apple.com>>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org<mailto:ard.biesheuvel@linaro.org>>
CC: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
CC: Brian J. Johnson <brian.johnson@hpe.com<mailto:brian.johnson@hpe.com>>
CC: Chasel Chiu <chasel.chiu@intel.com<mailto:chasel.chiu@intel.com>>
CC: Jordan Justen <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>
CC: Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>>
CC: Leif Lindholm <leif@nuviainc.com<mailto:leif@nuviainc.com>>
CC: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>>
CC: Marvin Häuser <mhaeuser@outlook.de<mailto:mhaeuser@outlook.de>>
CC: Mike Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
CC: Vincent Zimmer <vincent.zimmer@intel.com<mailto:vincent.zimmer@intel.com>>
CC: Zhichao Gao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
Signed-off-by: Vitaly Cheptsov
<vit9696@protonmail.com<mailto:vit9696@protonmail.com>>
---
MdePkg/Include/Library/BaseLib.h | 120 ++--------
--
--------
MdePkg/Library/BaseLib/SafeString.c | 80 ----------
--
-
2 files changed, 7 insertions(+), 193 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h
b/MdePkg/Include/Library/BaseLib.h
index ecadff8b23..62dc3151bc 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -189,7 +189,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -225,7 +224,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -263,7 +261,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -303,7 +300,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -350,12 +346,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -406,12 +397,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -467,12 +453,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -528,12 +509,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -622,8 +598,6 @@ AsciiStrnSizeS (
This function is similar as strcpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -656,8 +630,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -692,8 +664,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -730,8 +700,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -777,12 +745,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -1506,16 +1450,8 @@ StrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -1567,15 +1503,10 @@ StrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
@@ -1640,8 +1571,6 @@ StrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
@param String Pointer to a
Null-
terminated Unicode string.
@@ -1676,17 +1605,6 @@ StrToGuid (
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumUnicodeStringLength is not zero and
Length is greater than
- PcdMaximumUnicodeStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated Unicode string.
@param Length The number of
Unicode characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
bits of each Unicode character. The function
terminates the Ascii string
Destination by appending a Null-terminator
character
at the end.
- The caller is responsible to make sure
Destination
points to a buffer with size
- equal or greater than ((StrLen (Source) + 1) *
sizeof (CHAR8)) in bytes.
+ The caller is responsible to make sure
Destination
points to a buffer with
+ size not smaller than ((MIN(StrLen(Source),
Length)
+ 1) * sizeof (CHAR8))
+ in bytes.
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
- If an error is returned, then the Destination is
unmodified.
+ If an error is returned, then Destination and
DestinationLength are
+ unmodified.
@param Source The pointer to a Null-
terminated Unicode string.
@param Length The maximum number of
Unicode characters to
convert.
@param Destination The pointer to a Null-
terminated Ascii string.
- @param DestMax The maximum number of
Destination Ascii
- char, including
terminating null char.
+ @param DestMax The maximum number of
Destination Ascii char,
+ including terminating
null char.
@param DestinationLength The number of Unicode
characters converted.
@retval RETURN_SUCCESS String is
converted.
@@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -2541,17 +2448,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
equal or greater than ((AsciiStrLen (Source) + 1)
*
sizeof (CHAR16)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
diff --git a/MdePkg/Library/BaseLib/SafeString.c
b/MdePkg/Library/BaseLib/SafeString.c
index 7dc03d2caa..1db42abb05 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -14,7 +14,6 @@
#define SAFE_STRING_CONSTRAINT_CHECK(Expression,
Status) \
do { \
- ASSERT (Expression); \
if (!(Expression)) { \
return Status; \
} \
@@ -197,7 +196,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -279,7 +277,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -372,7 +369,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -473,7 +469,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -590,12 +585,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -705,12 +695,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -825,12 +810,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -956,12 +936,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -1856,8 +1831,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2040,8 +2011,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2154,12 +2123,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -3550,17 +3481,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
--
2.24.2 (Apple Git-127)
[-- Attachment #2: Type: text/html, Size: 137240 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2020-05-15 15:26 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-05-14 9:25 [PATCH V6 0/1] Disable safe string constraint assertions Vitaly Cheptsov
2020-05-14 9:25 ` [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks Vitaly Cheptsov
2020-05-14 13:35 ` Laszlo Ersek
2020-05-14 16:38 ` [edk2-devel] " Michael D Kinney
2020-05-14 17:39 ` Vitaly Cheptsov
2020-05-14 17:58 ` Michael D Kinney
2020-05-14 18:59 ` Vitaly Cheptsov
2020-05-14 19:45 ` Ard Biesheuvel
2020-05-14 21:07 ` Michael D Kinney
2020-05-14 21:15 ` [EXTERNAL] " Bret Barkelew
2020-05-14 22:14 ` Michael D Kinney
2020-05-15 9:28 ` Marvin Häuser
2020-05-15 9:30 ` [EXTERNAL] " Vitaly Cheptsov
2020-05-15 15:26 ` Bret Barkelew
2020-05-14 11:33 ` [edk2-devel] [PATCH V6 0/1] Disable safe string constraint assertions Ard Biesheuvel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox