From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.120; helo=mga04.intel.com; envelope-from=jian.j.wang@intel.com; receiver=edk2-devel@lists.01.org Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 2BD932034AB19 for ; Wed, 1 Nov 2017 00:24:17 -0700 (PDT) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Nov 2017 00:28:10 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.44,327,1505804400"; d="scan'208";a="1238059960" Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202]) by fmsmga002.fm.intel.com with ESMTP; 01 Nov 2017 00:28:10 -0700 Received: from fmsmsx118.amr.corp.intel.com (10.18.116.18) by fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 1 Nov 2017 00:28:10 -0700 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx118.amr.corp.intel.com (10.18.116.18) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 1 Nov 2017 00:28:09 -0700 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.213]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.159]) with mapi id 14.03.0319.002; Wed, 1 Nov 2017 15:28:07 +0800 From: "Wang, Jian J" To: "Long, Qin" , "edk2-devel@lists.01.org" CC: "Ye, Ting" , "lersek@redhat.com" Thread-Topic: [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper Thread-Index: AQHTUiP3y5ZkjOLnhUGtef/5WMhhvaL/HWGg Date: Wed, 1 Nov 2017 07:28:07 +0000 Message-ID: References: <20171031083930.12800-1-qin.long@intel.com> <20171031083930.12800-2-qin.long@intel.com> In-Reply-To: <20171031083930.12800-2-qin.long@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYTE1ZWE3MjctZmE4Zi00YjRkLTgzNjEtZDc1MWNkZTA2NTc5IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjIuNS4xOCIsIlRydXN0ZWRMYWJlbEhhc2giOiJpRDRUdnpzaFo2eGRtRmZ4NFdlaXRZQm1wU3lEVkRZbTdaSWNsQkxZZ0RUXC9LV08xekRzd2d1bzZ4UEFuSVpocCJ9 x-ctpclassification: CTP_IC dlp-product: dlpe-windows dlp-version: 11.0.0.116 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Nov 2017 07:24:18 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Qin, Thanks for fixing this issue. Please find my comments below. Besides that, the patch has been passed the boot validation. Validated-by: Jian J Wang Thanks, Jian > -----Original Message----- > From: Long, Qin > Sent: Tuesday, October 31, 2017 4:39 PM > To: edk2-devel@lists.01.org > Cc: Ye, Ting ; lersek@redhat.com; Wang, Jian J > ; Long, Qin > Subject: [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in > realloc wrapper >=20 > There is one long-standing problem in CRT realloc wrapper, which will > cause the obvious buffer overflow issue when re-allocating one bigger > memory block: > void *realloc (void *ptr, size_t size) > { > // > // BUG: hardcode OldSize =3D=3D size! We have no any knowledge abou= t > // memory size of original pointer ptr. > // > return ReallocatePool ((UINTN) size, (UINTN) size, ptr); > } > This patch introduces one extra header to record the memory buffer size > information when allocating memory block from malloc routine, and re-wrap > the realloc() and free() routines to remove this BUG. >=20 > Cc: Laszlo Ersek > Cc: Ting Ye > Cc: Jian J Wang > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Qin Long > --- > .../BaseCryptLib/SysCall/BaseMemAllocation.c | 72 ++++++++++++++++= +++- > -- > 1 file changed, 65 insertions(+), 7 deletions(-) >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > index f390e0d449..ed37a0ff39 100644 > --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > @@ -16,6 +16,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. > #include > #include >=20 > +// > +// Extra header to record the memory buffer size from malloc routine. > +// > +#define CRYPTMEM_HEAD_SIGNATURE SIGNATURE_32('c','m','h','d') > +typedef struct { > + UINT32 Signature; > + UINT32 Reserved; > + UINTN Size; > +} CRYPTMEM_HEAD; > + > +#define CRYPTMEM_OVERHEAD sizeof(CRYPTMEM_HEAD) Any consideration of the "Reserved" field, Padding? Alignment? Future exten= dibility? > + > // > // -- Memory-Allocation Routines -- > // > @@ -23,27 +35,73 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. > /* Allocates memory blocks */ > void *malloc (size_t size) > { > - return AllocatePool ((UINTN) size); > + CRYPTMEM_HEAD *PoolHdr; > + UINTN NewSize; > + VOID *Data; > + > + // > + // Adjust the size by the buffer header overhead > + // > + NewSize =3D (UINTN)(size) + CRYPTMEM_OVERHEAD; > + > + Data =3D AllocatePool (NewSize); > + if (Data !=3D NULL) { > + PoolHdr =3D (CRYPTMEM_HEAD *)Data; > + // > + // Record the memory brief information > + // > + PoolHdr->Signature =3D CRYPTMEM_HEAD_SIGNATURE; > + PoolHdr->Size =3D size; > + } > + return (VOID *)(PoolHdr + 1); > } >=20 Although it's very rare, the logic of code above doesn't consider case of D= ata =3D=3D NULL. And above code might not pass GCC build because there's a chance that PoolH= dr is not initialized. > /* Reallocate memory blocks */ > void *realloc (void *ptr, size_t size) > { > - // > - // BUG: hardcode OldSize =3D=3D size! We have no any knowledge about > - // memory size of original pointer ptr. > - // > - return ReallocatePool ((UINTN) size, (UINTN) size, ptr); > + CRYPTMEM_HEAD *OldPoolHdr; > + CRYPTMEM_HEAD *NewPoolHdr; > + UINTN OldSize; > + UINTN NewSize; > + VOID *Data; > + > + NewSize =3D (UINTN)size + CRYPTMEM_OVERHEAD; > + Data =3D AllocatePool (NewSize); > + if (Data !=3D NULL) { > + NewPoolHdr =3D (CRYPTMEM_HEAD *)Data; > + NewPoolHdr->Signature =3D CRYPTMEM_HEAD_SIGNATURE; > + NewPoolHdr->Size =3D size; > + if (ptr !=3D NULL) { > + // > + // Retrieve the original size from the buffer header. > + // > + OldPoolHdr =3D (CRYPTMEM_HEAD *)ptr - 1; > + ASSERT (OldPoolHdr->Signature =3D=3D CRYPTMEM_HEAD_SIGNATURE); > + OldSize =3D OldPoolHdr->Size; > + > + // > + // Duplicate the buffer content. > + // > + CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size)); > + FreePool ((VOID *)OldPoolHdr); > + } > + } > + > + return (VOID *)(NewPoolHdr + 1); > } >=20 1. The same as above, the code logic doesn't consider the case of Data =3D= =3D NULL. 2. ptr should be better checked against NULL before allocating new pool > /* De-allocates or frees a memory block */ > void free (void *ptr) > { > + CRYPTMEM_HEAD *PoolHdr; > + > // > // In Standard C, free() handles a null pointer argument transparently= . This > // is not true of FreePool() below, so protect it. > // > if (ptr !=3D NULL) { > - FreePool (ptr); > + PoolHdr =3D (CRYPTMEM_HEAD *)ptr - 1; > + ASSERT (PoolHdr->Signature =3D=3D CRYPTMEM_HEAD_SIGNATURE); > + FreePool (PoolHdr); > } > } > -- > 2.14.1.windows.1