From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.20; helo=mga02.intel.com; envelope-from=jian.j.wang@intel.com; receiver=edk2-devel@lists.01.org Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id D00A221C913CA for ; Wed, 1 Nov 2017 01:45:00 -0700 (PDT) Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Nov 2017 01:48:52 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.44,327,1505804400"; d="scan'208";a="1212733928" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by fmsmga001.fm.intel.com with ESMTP; 01 Nov 2017 01:48:52 -0700 Received: from fmsmsx101.amr.corp.intel.com (10.18.124.199) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 1 Nov 2017 01:48:52 -0700 Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by fmsmsx101.amr.corp.intel.com (10.18.124.199) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 1 Nov 2017 01:48:51 -0700 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.213]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.152]) with mapi id 14.03.0319.002; Wed, 1 Nov 2017 16:48:49 +0800 From: "Wang, Jian J" To: "Long, Qin" , "edk2-devel@lists.01.org" CC: "Ye, Ting" , "lersek@redhat.com" Thread-Topic: [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper Thread-Index: AQHTUuo6nKW7mxOa00iYA7/uLfiQEKL/NMiQ Date: Wed, 1 Nov 2017 08:48:49 +0000 Message-ID: References: <20171101081927.12160-1-qin.long@intel.com> <20171101081927.12160-2-qin.long@intel.com> In-Reply-To: <20171101081927.12160-2-qin.long@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNTE0YTA5ZmMtMGNjNC00N2YwLWIwMTMtOTY0YTMxMmVmMGEwIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjIuNS4xOCIsIlRydXN0ZWRMYWJlbEhhc2giOiJLK09HNUtkenJsVTFCXC84SDBqNzdOb3VcL2F0Q3JGSFNkN2xwbThjeUFPWStscmRySWkrb28zT2d2bEtjNWFWdG8ifQ== x-ctpclassification: CTP_IC dlp-product: dlpe-windows dlp-version: 11.0.0.116 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Nov 2017 08:45:01 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jian J Wang > -----Original Message----- > From: Long, Qin > Sent: Wednesday, November 01, 2017 4:19 PM > To: edk2-devel@lists.01.org > Cc: Wang, Jian J ; Ye, Ting ; > lersek@redhat.com; Long, Qin > Subject: [PATCH v2 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue= in > realloc wrapper >=20 > There is one long-standing problem in CRT realloc wrapper, which will > cause the obvious buffer overflow issue when re-allocating one bigger > memory block: > void *realloc (void *ptr, size_t size) > { > // > // BUG: hardcode OldSize =3D=3D size! We have no any knowledge abou= t > // memory size of original pointer ptr. > // > return ReallocatePool ((UINTN) size, (UINTN) size, ptr); > } > This patch introduces one extra header to record the memory buffer size > information when allocating memory block from malloc routine, and re-wrap > the realloc() and free() routines to remove this BUG. >=20 > Cc: Laszlo Ersek > Cc: Ting Ye > Cc: Jian J Wang > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Qin Long > --- > .../BaseCryptLib/SysCall/BaseMemAllocation.c | 83 > ++++++++++++++++++++-- > 1 file changed, 76 insertions(+), 7 deletions(-) >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > index f390e0d449..19c071e2bf 100644 > --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c > @@ -16,6 +16,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. > #include > #include >=20 > +// > +// Extra header to record the memory buffer size from malloc routine. > +// > +#define CRYPTMEM_HEAD_SIGNATURE SIGNATURE_32('c','m','h','d') > +typedef struct { > + UINT32 Signature; > + UINT32 Reserved; > + UINTN Size; > +} CRYPTMEM_HEAD; > + > +#define CRYPTMEM_OVERHEAD sizeof(CRYPTMEM_HEAD) > + > // > // -- Memory-Allocation Routines -- > // > @@ -23,27 +35,84 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. > /* Allocates memory blocks */ > void *malloc (size_t size) > { > - return AllocatePool ((UINTN) size); > + CRYPTMEM_HEAD *PoolHdr; > + UINTN NewSize; > + VOID *Data; > + > + // > + // Adjust the size by the buffer header overhead > + // > + NewSize =3D (UINTN)(size) + CRYPTMEM_OVERHEAD; > + > + Data =3D AllocatePool (NewSize); > + if (Data !=3D NULL) { > + PoolHdr =3D (CRYPTMEM_HEAD *)Data; > + // > + // Record the memory brief information > + // > + PoolHdr->Signature =3D CRYPTMEM_HEAD_SIGNATURE; > + PoolHdr->Size =3D size; > + > + return (VOID *)(PoolHdr + 1); > + } else { > + // > + // The buffer allocation failed. > + // > + return NULL; > + } > } >=20 > /* Reallocate memory blocks */ > void *realloc (void *ptr, size_t size) > { > - // > - // BUG: hardcode OldSize =3D=3D size! We have no any knowledge about > - // memory size of original pointer ptr. > - // > - return ReallocatePool ((UINTN) size, (UINTN) size, ptr); > + CRYPTMEM_HEAD *OldPoolHdr; > + CRYPTMEM_HEAD *NewPoolHdr; > + UINTN OldSize; > + UINTN NewSize; > + VOID *Data; > + > + NewSize =3D (UINTN)size + CRYPTMEM_OVERHEAD; > + Data =3D AllocatePool (NewSize); > + if (Data !=3D NULL) { > + NewPoolHdr =3D (CRYPTMEM_HEAD *)Data; > + NewPoolHdr->Signature =3D CRYPTMEM_HEAD_SIGNATURE; > + NewPoolHdr->Size =3D size; > + if (ptr !=3D NULL) { > + // > + // Retrieve the original size from the buffer header. > + // > + OldPoolHdr =3D (CRYPTMEM_HEAD *)ptr - 1; > + ASSERT (OldPoolHdr->Signature =3D=3D CRYPTMEM_HEAD_SIGNATURE); > + OldSize =3D OldPoolHdr->Size; > + > + // > + // Duplicate the buffer content. > + // > + CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size)); > + FreePool ((VOID *)OldPoolHdr); > + } > + > + return (VOID *)(NewPoolHdr + 1); > + } else { > + // > + // The buffer allocation failed. > + // > + return NULL; > + } > } >=20 > /* De-allocates or frees a memory block */ > void free (void *ptr) > { > + CRYPTMEM_HEAD *PoolHdr; > + > // > // In Standard C, free() handles a null pointer argument transparently= . This > // is not true of FreePool() below, so protect it. > // > if (ptr !=3D NULL) { > - FreePool (ptr); > + PoolHdr =3D (CRYPTMEM_HEAD *)ptr - 1; > + ASSERT (PoolHdr->Signature =3D=3D CRYPTMEM_HEAD_SIGNATURE); > + FreePool (PoolHdr); > } > } > -- > 2.14.1.windows.1