From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Ni, Ruiyu", edk2-devel@lists.01.org
Cc: "Carsey, Jaben", "Bi, Dandan"
Subject: Re: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
Date: Mon, 6 Nov 2017 00:35:46 +0000
References: <20171103045759.26508-1-jian.j.wang@intel.com> <20171103045759.26508-3-jian.j.wang@intel.com> <734D49CCEBEEF84792F5B80ED585239D5BAB201A@SHSMSX104.ccr.corp.intel.com>
In-Reply-To: <734D49CCEBEEF84792F5B80ED585239D5BAB201A@SHSMSX104.ccr.corp.intel.com>
List-Id: EDK II Development <edk2-devel@lists.01.org>

Ruiyu,

Thanks for the comments.

> -----Original Message-----
> From: Ni, Ruiyu
> Sent: Friday, November 03, 2017 4:23 PM
> To: Wang, Jian J; edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Bi, Dandan
> Subject: RE: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
>
> 2 comments below.
>
> -----Original Message-----
> From: Wang, Jian J
> Sent: Friday, November 3, 2017 12:58 PM
> To: edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Ni, Ruiyu; Bi, Dandan
> Subject: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
>
> AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of
> memory from the old "Buffer" to the newly allocated one. If "AllocationSize" is bigger
> than the size of "Buffer", heap memory overflow occurs during the copy.
>
> The solution is to allocate the pool first, then copy the necessary bytes to the new
> memory. This can avoid copying extra bytes from an unknown memory range.
>
> Cc: Jaben Carsey
> Cc: Ruiyu Ni
> Cc: Bi Dandan
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang
> ---
>  ShellPkg/Application/Shell/Shell.c                                 | 4 +++-
>  ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c | 6 ++++--
>  2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shell/Shell.c
> index 5471930ba1..24a04ca323 100644
> --- a/ShellPkg/Application/Shell/Shell.c
> +++ b/ShellPkg/Application/Shell/Shell.c
> @@ -1646,7 +1646,9 @@ ShellConvertVariables (
>    //
>    // now do the replacements...
>    //
> -  NewCommandLine1 = AllocateCopyPool(NewSize, OriginalCommandLine);
> +  NewCommandLine1 = AllocatePool(NewSize);
> +  ASSERT (NewCommandLine1 != NULL);
> [Ray] 1. Please do not use assertion because there is a NULL check in the below if-statement.
> The rule in ShellPkg is to avoid using assertion.
>

Got it. It'll be removed.

> +  CopyMem (NewCommandLine1, OriginalCommandLine, StrSize (OriginalCommandLine));
>    NewCommandLine2 = AllocateZeroPool(NewSize);
>    ItemTemp = AllocateZeroPool(ItemSize+(2*sizeof(CHAR16)));
>    if (NewCommandLine1 == NULL || NewCommandLine2 == NULL || ItemTemp == NULL) {
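Review bot: In the ShellConvertVariables hunk the new `CopyMem (NewCommandLine1, OriginalCommandLine, StrSize (OriginalCommandLine));` runs before the existing `if (NewCommandLine1 == NULL || NewCommandLine2 == NULL || ItemTemp == NULL)` check, so once the ASSERT is dropped as requested above (and in any build where ASSERT compiles out) an allocation failure writes through a NULL pointer. Move the CopyMem after the NULL check, for example into the code path that follows it, or test NewCommandLine1 before copying. It is also worth confirming in a comment that StrSize (OriginalCommandLine) never exceeds NewSize here: the copy length now comes from the source string, which is the point of the fix, but the destination must still be at least that large or the over-read becomes an over-write.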
> diff --git a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c
> index 1122c89b8b..5de62219b3 100644
> --- a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c
> +++ b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c
> @@ -143,10 +143,11 @@ UpdateOptionalData(
>      OriginalOptionDataSize += (*(UINT16*)(OriginalData + sizeof(UINT32)));
>      OriginalOptionDataSize -= OriginalSize;
>      NewSize = OriginalSize - OriginalOptionDataSize + DataSize;
> -    NewData = AllocateCopyPool(NewSize, OriginalData);
> +    NewData = AllocatePool(NewSize);
>      if (NewData == NULL) {
>        Status = EFI_OUT_OF_RESOURCES;
>      } else {
> +      CopyMem (NewData, OriginalData, OriginalSize - OriginalOptionDataSize);
>        CopyMem(NewData + OriginalSize - OriginalOptionDataSize, Data, DataSize);
>      }
>    }
> @@ -1120,11 +1121,12 @@ BcfgAddOpt(
>              // Now we know how many EFI_INPUT_KEY structs we need to attach to the end of the EFI_KEY_OPTION struct.
>              // Re-allocate with the added information.
>              //
> -            KeyOptionBuffer = AllocateCopyPool(sizeof(EFI_KEY_OPTION) + (sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount), &NewKeyOption);
> +            KeyOptionBuffer = AllocatePool (sizeof(EFI_KEY_OPTION) + (sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount));
>              if (KeyOptionBuffer == NULL) {
>                ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_MEM), gShellBcfgHiiHandle, L"bcfg");
>                ShellStatus = SHELL_OUT_OF_RESOURCES;
>              }
> [Ray] 2. Should the above NULL check return?

It's original code, not my change. But I think it should return if NULL is got.

> +            CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION));
>            }
>            for (LoopCounter = 0 ; ShellStatus == SHELL_SUCCESS && LoopCounter < NewKeyOption.KeyData.Options.InputKeyCount; LoopCounter++) {
>              //
> --
> 2.14.1.windows.1
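Review bot: In the UpdateOptionalData hunk the new `CopyMem (NewData, OriginalData, OriginalSize - OriginalOptionDataSize);` is correctly placed inside the `else` after the NULL check, but its length is derived from the unsigned arithmetic a few lines up (`OriginalOptionDataSize -= OriginalSize;`), which wraps whenever OriginalOptionDataSize is smaller than OriginalSize. Please confirm, with a comment or an explicit check, that `OriginalSize - OriginalOptionDataSize` is bounded by both OriginalSize (the real length of the source) and NewSize (the destination); otherwise this copy reintroduces the over-read the patch is removing, now also as a heap over-write. The same expression is the offset of the second CopyMem, so one bound protects both calls.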
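Review bot: In the BcfgAddOpt hunk the new `CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION));` sits after the `if (KeyOptionBuffer == NULL) { ... }` block rather than in an else branch, so on allocation failure it writes through a NULL pointer before the `ShellStatus == SHELL_SUCCESS` condition of the following for loop gets a chance to stop processing. Either put the CopyMem in an `else` or leave the function on the NULL path, as the second comment above suggests. Note also that AllocatePool leaves the trailing `sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount` bytes uninitialized, where the old AllocateCopyPool filled them with whatever followed NewKeyOption on the stack; if the loop below does not write every EFI_INPUT_KEY slot, AllocateZeroPool is the safer choice.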
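The misuse the commit message describes, as an added example in plain C that is not code from this thread or from EDK II: ModelAllocateCopyPool, ModelStrSize, AllocateThenCopy and ReplaceTail are hypothetical stand-ins for the EDK II pool, string and copy routines, with malloc and memcpy in place of the pool allocator. It shows why the copy length must come from the source's real size rather than from the new allocation size, and carries the allocate-then-copy pattern through both call shapes in the patch: a string copied into a larger buffer (Shell.c) and a prefix of a variable kept with new data appended (UpdateOptionalData).

```c
/* Added example, not code from this thread or from EDK II. Models the
 * AllocateCopyPool misuse described in the commit message with plain C:
 * the helpers below are hypothetical stand-ins for the EDK II pool and
 * string functions, using malloc/memcpy in place of the pool allocator. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t CHAR16;
typedef size_t   UINTN;

/* Model of AllocateCopyPool(AllocationSize, Buffer): it copies
 * AllocationSize bytes out of Buffer unconditionally. If Buffer really
 * holds fewer bytes, the memcpy reads past its end (the heap over-read the
 * patch removes). The caller, not this function, guarantees the size. */
static void *ModelAllocateCopyPool(UINTN AllocationSize, const void *Buffer) {
  void *New = malloc(AllocationSize);
  if (New != NULL) {
    memcpy(New, Buffer, AllocationSize);
  }
  return New;
}

/* Model of StrSize(): byte length of a CHAR16 string including the
 * terminating NUL, the length ShellConvertVariables now copies. */
static UINTN ModelStrSize(const CHAR16 *Str) {
  UINTN Len = 0;
  while (Str[Len] != 0) {
    Len++;
  }
  return (Len + 1) * sizeof(CHAR16);
}

/* The pattern the patch switches to: allocate NewSize first, then copy only
 * SrcSize bytes, the number the source actually holds. The copy is bounded
 * by the source (no over-read) and by the destination (no over-write), and
 * the tail that AllocateCopyPool used to fill with stray bytes is zeroed.
 * Returns NULL on any failure so one NULL check in the caller covers all. */
static void *AllocateThenCopy(UINTN NewSize, const void *Src, UINTN SrcSize) {
  if (Src == NULL || SrcSize > NewSize) {
    return NULL;
  }
  uint8_t *New = malloc(NewSize);
  if (New == NULL) {
    return NULL;
  }
  memcpy(New, Src, SrcSize);
  memset(New + SrcSize, 0, NewSize - SrcSize);
  return New;
}

/* UpdateOptionalData-style rebuild: keep the first KeepBytes of Orig and
 * append DataSize bytes of Data. The kept prefix is checked against the
 * real size of Orig before anything is read from it. */
static void *ReplaceTail(const uint8_t *Orig, UINTN OrigSize, UINTN KeepBytes,
                         const uint8_t *Data, UINTN DataSize) {
  if (Orig == NULL || Data == NULL || KeepBytes > OrigSize) {
    return NULL;                         /* prefix would over-read Orig */
  }
  uint8_t *New = malloc(KeepBytes + DataSize);
  if (New == NULL) {
    return NULL;
  }
  memcpy(New, Orig, KeepBytes);
  memcpy(New + KeepBytes, Data, DataSize);
  return New;
}

int main(void) {
  const CHAR16 Cmd[] = { 'e', 'c', 'h', 'o', 0 };   /* constructed input, 10 bytes */
  UINTN NewSize = 64;                                /* room for later expansion */

  /* Old pattern, shown only with a correctly sized request: asking for
   * NewSize (64) bytes here would read 54 bytes beyond Cmd. */
  void *Old = ModelAllocateCopyPool(ModelStrSize(Cmd), Cmd);

  /* New pattern: copy ModelStrSize(Cmd) == 10 bytes into a 64-byte block. */
  void *New = AllocateThenCopy(NewSize, Cmd, ModelStrSize(Cmd));

  int Ok = (Old != NULL && New != NULL &&
            memcmp(Old, New, ModelStrSize(Cmd)) == 0);
  free(Old);
  free(New);
  return Ok ? 0 : 1;
}
```

Building this with `-fsanitize=address` and calling ModelAllocateCopyPool with an AllocationSize larger than the source is how the original over-read shows up in a unit test; the hardened helpers return NULL instead of touching memory outside either buffer, so the caller's existing NULL check handles a bad size the same way as an out-of-memory condition.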