From: "Wang, Jian J"
To: "Jim.Dailey@dell.com", "Ni, Ruiyu", "edk2-devel@lists.01.org"
Cc: "Carsey, Jaben", "Bi, Dandan"
Subject: Re: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
Date: Mon, 6 Nov 2017 00:55:26 +0000
References: <20171103045759.26508-1-jian.j.wang@intel.com> <20171103045759.26508-3-jian.j.wang@intel.com> <734D49CCEBEEF84792F5B80ED585239D5BAB201A@SHSMSX104.ccr.corp.intel.com> <1a406c1260494c08bba02f685e057916@ausx13mps339.AMER.DELL.COM>
In-Reply-To: <1a406c1260494c08bba02f685e057916@ausx13mps339.AMER.DELL.COM>
List-Id: EDK II Development
Content-Type: text/plain; charset="us-ascii"

Jim,

ReallocatePool() will free the old buffer but AllocateCopyPool() will not. So they cannot be replaced with each other in all cases.

Thanks,
Jian

> -----Original Message-----
> From: Jim.Dailey@dell.com [mailto:Jim.Dailey@dell.com]
> Sent: Friday, November 03, 2017 7:44 PM
> To: Ni, Ruiyu; Wang, Jian J; edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Bi, Dandan
> Subject: RE: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
>
> Isn't ReallocatePool the correct function to use in these cases?
> For example:
>
> NewCommandLine1 = ReallocatePool(StrSize(OriginalCommandLine), NewSize, OriginalCommandLine);
>
> Regards,
> Jim
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ni, Ruiyu
> Sent: Friday, November 3, 2017 3:23 AM
> To: Wang, Jian J; edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Bi, Dandan
> Subject: Re: [edk2] [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
>
> 2 comments below.
>
> -----Original Message-----
> From: Wang, Jian J
> Sent: Friday, November 3, 2017 12:58 PM
> To: edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Ni, Ruiyu; Bi, Dandan
> Subject: [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool
>
> AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of
> memory from the old "Buffer" to the newly allocated one. If "AllocationSize" is
> bigger than the size of "Buffer", a heap memory overflow occurs during the copy.
>
> The solution is to allocate the pool first and then copy the necessary bytes to
> the new memory. This avoids copying extra bytes from an unknown memory range.
>
> Cc: Jaben Carsey
> Cc: Ruiyu Ni
> Cc: Bi Dandan
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang
> ---
>  ShellPkg/Application/Shell/Shell.c                                 | 4 +++-
>  ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c | 6 ++++--
>  2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shell/Shell.c
> index 5471930ba1..24a04ca323 100644
> --- a/ShellPkg/Application/Shell/Shell.c
> +++ b/ShellPkg/Application/Shell/Shell.c
> @@ -1646,7 +1646,9 @@ ShellConvertVariables ( > // > // now do the replacements... > // > - NewCommandLine1 =3D AllocateCopyPool(NewSize, OriginalCommandLine); > + NewCommandLine1 =3D AllocatePool(NewSize); > + ASSERT (NewCommandLine1 !=3D NULL); > [Ray] 1. Please do not use assertion because there is NULL check in the b= elow if- > statement. > The rule in ShellPkg is avoid using assertion. >=20 > + CopyMem (NewCommandLine1, OriginalCommandLine, StrSize > (OriginalCommandLine)); > NewCommandLine2 =3D AllocateZeroPool(NewSize); > ItemTemp =3D AllocateZeroPool(ItemSize+(2*sizeof(CHAR16))); > if (NewCommandLine1 =3D=3D NULL || NewCommandLine2 =3D=3D NULL || Item= Temp > =3D=3D NULL) { > diff --git > a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > index 1122c89b8b..5de62219b3 100644 > --- a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > +++ b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c > @@ -143,10 +143,11 @@ UpdateOptionalData( > OriginalOptionDataSize +=3D (*(UINT16*)(OriginalData + sizeof(UINT32= ))); > OriginalOptionDataSize -=3D OriginalSize; > NewSize =3D OriginalSize - OriginalOptionDataSize + DataSize; > - NewData =3D AllocateCopyPool(NewSize, OriginalData); > + NewData =3D AllocatePool(NewSize); > if (NewData =3D=3D NULL) { > Status =3D EFI_OUT_OF_RESOURCES; > } else { > + CopyMem (NewData, OriginalData, OriginalSize - OriginalOptionDataS= ize); > CopyMem(NewData + OriginalSize - OriginalOptionDataSize, Data, Dat= aSize); > } > } 
> @@ -1120,11 +1121,12 @@ BcfgAddOpt( > // Now we know how many EFI_INPUT_KEY structs we need to attach = to > the end of the EFI_KEY_OPTION struct. > // Re-allocate with the added information. > // > - KeyOptionBuffer =3D AllocateCopyPool(sizeof(EFI_KEY_OPTION) + > (sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount), > &NewKeyOption); > + KeyOptionBuffer =3D AllocatePool (sizeof(EFI_KEY_OPTION) + > (sizeof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount)); > if (KeyOptionBuffer =3D=3D NULL) { > ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_MEM), > gShellBcfgHiiHandle, L"bcfg"); > ShellStatus =3D SHELL_OUT_OF_RESOURCES; > } > [Ray] 2. Should the above NULL check return? > + CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION))= ; > } > for (LoopCounter =3D 0 ; ShellStatus =3D=3D SHELL_SUCCESS && LoopC= ounter < > NewKeyOption.KeyData.Options.InputKeyCount; LoopCounter++) { > // > -- > 2.14.1.windows.1 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
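Review bot: in the ShellConvertVariables hunk (Shell.c @@ -1646), the added `CopyMem (NewCommandLine1, OriginalCommandLine, StrSize (OriginalCommandLine));` runs before the existing `if (NewCommandLine1 == NULL || NewCommandLine2 == NULL || ItemTemp == NULL)` check, so an allocation failure becomes a write through NULL; the only guard is the added `ASSERT (NewCommandLine1 != NULL);`, which Ray has already asked to drop. Move the CopyMem below the NULL check. Separately, `AllocatePool(NewSize)` leaves the `NewSize - StrSize (OriginalCommandLine)` tail uninitialized, whereas the old call filled the whole buffer; using AllocateZeroPool here, as the next line already does for NewCommandLine2, keeps the tail deterministic.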
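Review bot: in the UpdateOptionalData hunk (UefiShellBcfgCommandLib.c @@ -143), the new copy length `OriginalSize - OriginalOptionDataSize` is unsigned UINTN arithmetic on a value that the preceding context line just changed with `OriginalOptionDataSize -= OriginalSize;`; if OriginalOptionDataSize can exceed OriginalSize at that point, the length wraps and the first `CopyMem (NewData, OriginalData, ...)` overruns NewData, the same class of bug the patch is removing. Please confirm that invariant or guard it before the copy, and hoist the prefix length into a local, since the expression now appears in NewSize and in both CopyMem calls and the three copies can drift apart.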
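Review bot: in the BcfgAddOpt hunk (UefiShellBcfgCommandLib.c @@ -1120), the added `CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION));` sits after the closing brace of `if (KeyOptionBuffer == NULL) { ... }` rather than in an else branch, so on allocation failure it writes through a NULL pointer after ShellStatus has been set to SHELL_OUT_OF_RESOURCES; this is the hazard behind Ray's second comment. The previous AllocateCopyPool form did not have it because the copy happened inside the allocator. Either put the copy in an else branch or make the error path leave the function before KeyOptionBuffer is used.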
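The two points the thread turns on, that AllocateCopyPool copies AllocationSize bytes no matter how large the source object is, and that ReallocatePool frees the old buffer while AllocatePool plus CopyMem does not, shown as an added host-side C example. This is not code from the thread or from EDK II: the *Model functions are malloc-based stand-ins for the MemoryAllocationLib calls (ReallocatePoolModel assumes zero-fill and free-on-success, as the EDK II implementation does), the UINT8/UINTN typedefs are redefined locally, the load-option bytes are constructed, and SpliceOptionalData assumes OriginalOptionDataSize is the length of the optional-data tail, which the quoted hunk does not spell out.

```c
/* Added example, not from the thread or EDK II: host-side models of the
 * MemoryAllocationLib calls under discussion. Build: cc -std=c99 file.c */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char UINT8;   /* local stand-ins for the EDK II typedefs */
typedef size_t UINTN;

/* Model of AllocateCopyPool: allocates AllocationSize bytes and copies that
 * many bytes from Buffer. Nothing ties AllocationSize to the size of the object
 * behind Buffer, so a larger AllocationSize reads past the source object. */
void *AllocateCopyPoolModel(UINTN AllocationSize, const void *Buffer) {
  void *New = malloc(AllocationSize);
  if (New != NULL) memcpy(New, Buffer, AllocationSize);
  return New;
}

/* Model of ReallocatePool (assumed to zero-fill and to free OldBuffer on
 * success, as the EDK II implementation does): OldBuffer is dead afterwards. */
void *ReallocatePoolModel(UINTN OldSize, UINTN NewSize, void *OldBuffer) {
  void *New = calloc(1, NewSize);
  if (New == NULL) return NULL;
  if (OldBuffer != NULL) {
    memcpy(New, OldBuffer, OldSize < NewSize ? OldSize : NewSize);
    free(OldBuffer);
  }
  return New;
}

/* Bytes AllocateCopyPool would read beyond a source object of SourceSize. */
UINTN CopyPoolOverread(UINTN AllocationSize, UINTN SourceSize) {
  return AllocationSize > SourceSize ? AllocationSize - SourceSize : 0;
}

/* The patch's replacement pattern: allocate NewSize, copy only SourceSize bytes,
 * zero the tail. The caller still owns Source (no free, unlike ReallocatePool). */
void *GrowCopySafe(const void *Source, UINTN SourceSize, UINTN NewSize) {
  UINT8 *New;
  if (NewSize < SourceSize) return NULL;
  New = malloc(NewSize);
  if (New == NULL) return NULL;
  memcpy(New, Source, SourceSize);
  memset(New + SourceSize, 0, NewSize - SourceSize);
  return New;
}

/* The UpdateOptionalData splice: keep the load option up to its optional-data
 * tail (assumed here to be OriginalOptionDataSize bytes long), append Data.
 * The explicit bound check keeps the unsigned prefix length from wrapping. */
UINT8 *SpliceOptionalData(const UINT8 *OriginalData, UINTN OriginalSize,
                          UINTN OriginalOptionDataSize, const UINT8 *Data,
                          UINTN DataSize, UINTN *NewSize) {
  UINTN PrefixSize;
  UINT8 *NewData;
  if (OriginalOptionDataSize > OriginalSize) return NULL;
  PrefixSize = OriginalSize - OriginalOptionDataSize;
  *NewSize = PrefixSize + DataSize;
  NewData = malloc(*NewSize);
  if (NewData == NULL) return NULL;
  memcpy(NewData, OriginalData, PrefixSize);
  memcpy(NewData + PrefixSize, Data, DataSize);
  return NewData;
}

/* Constructed 10-byte option whose last 4 bytes are optional data, replaced by
 * 2 new bytes; returns 1 when the result has the expected layout. */
int DemoSpliceMatches(void) {
  static const UINT8 Original[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
  static const UINT8 NewOpt[2] = {0xAA, 0xBB};
  static const UINT8 Expected[8] = {1, 2, 3, 4, 5, 6, 0xAA, 0xBB};
  UINTN NewSize = 0;
  UINT8 *New = SpliceOptionalData(Original, 10, 4, NewOpt, 2, &NewSize);
  int Ok = New != NULL && NewSize == 8 && memcmp(New, Expected, 8) == 0;
  free(New);
  return Ok;
}

/* Ownership difference Jian points out: after GrowCopySafe the old buffer is
 * still the caller's to free; after ReallocatePoolModel it is already gone. */
int DemoOwnership(void) {
  UINT8 *Old = malloc(4);
  UINT8 *New;
  int Ok;
  if (Old == NULL) return 0;
  memcpy(Old, "abc", 4);
  New = GrowCopySafe(Old, 4, 16);
  if (New == NULL) { free(Old); return 0; }
  Ok = memcmp(New, "abc", 4) == 0 && New[15] == 0;
  free(Old);                                /* legal: nothing freed it for us */
  New = ReallocatePoolModel(16, 32, New);   /* frees the 16-byte buffer */
  if (New == NULL) return 0;
  Ok = Ok && memcmp(New, "abc", 4) == 0 && New[31] == 0;
  free(New);
  return Ok;
}
```

AllocateCopyPoolModel is included only to make the over-read visible in the source; call CopyPoolOverread with the intended AllocationSize and the real size of the source object to see how many bytes past it the old ShellConvertVariables call would have read, rather than invoking the model with mismatched sizes. GrowCopySafe is the shape the patch adopts, and the ownership rules it leaves with the caller are exactly why it is not a drop-in for ReallocatePool.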