From: "Wang, Jian J"
To: "Ni, Ruiyu", "edk2-devel@lists.01.org"
CC: "Carsey, Jaben"
Subject: Re: [PATCH] ShellPkg/edit: Fix heap access out-of-bounds
Date: Thu, 16 Aug 2018 07:58:52 +0000
In-Reply-To: <20180816063323.177852-1-ruiyu.ni@intel.com>
List-Id: EDK II Development

Reviewed-by: Jian J Wang

> -----Original Message-----
> From: Ni, Ruiyu
> Sent: Thursday, August 16, 2018 2:33 PM
> To: edk2-devel@lists.01.org
> Cc: Carsey, Jaben; Wang, Jian J
> Subject: [PATCH] ShellPkg/edit: Fix heap access out-of-bounds
>
> The issue was found when heap guard is turned on.
> PrintLib somehow receives a non-null-terminated string in var-arg.
> When the PrintLib implementation reads the string it keeps
> reading because no null-terminator is met, which triggers the page
> fault set by the heap guard.
>
> The issue is caused by a bug in FileBufferPrintLine().
> When "edit" opens a binary file, in FileBufferPrintLine(),
> the Line->Buffer may start with \x00 \x00, but the Line->Size is
> larger than MainEditor.ScreenSize.Column, which causes PrintLine to be
> set to an empty string by the call below:
>   StrnCpyS (
>     PrintLine, BufLen/sizeof(CHAR16), Buffer,
>     MIN(Limit, MainEditor.ScreenSize.Column)
>   );
> But since Limit (equal to Line->Size) is larger than
> MainEditor.ScreenSize.Column, the for-loop below doesn't successfully
> set the whole PrintLine to all-empty-space.
>   for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
>     PrintLine[Limit] = L' ';
>   }
> So after the for-loop, PrintLine is still an empty string.
> Later in the call below, PrintLine2 is created based on PrintLine.
>   ShellCopySearchAndReplace (
>     PrintLine, PrintLine2,
>     BufLen * 2, L"%", L"^%", FALSE, FALSE
>   );
> But due to the implementation of ShellCopySearchAndReplace(),
> PrintLine2 is untouched and INVALID_PARAMETER is returned.
> Finally an uninitialized string is passed to ShellPrintEx()
> which causes the #PF exception.
>
> The fix is to reset Limit to StrLen(PrintLine) before the for-loop,
> so that PrintLine can be converted from an empty string to a
> string containing all spaces.
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ruiyu Ni > Cc: Jaben Carsey > Cc: Jian Wang > --- > ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >=20 > diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.= c > b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > index 56ccd399b0..39a5afb53f 100644 > --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > @@ -500,7 +500,7 @@ FileBufferPrintLine ( > PrintLine =3D AllocatePool (BufLen); > if (PrintLine !=3D NULL) { > StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit, > MainEditor.ScreenSize.Column)); > - for (; Limit < MainEditor.ScreenSize.Column; Limit++) { > + for (Limit =3D StrLen (PrintLine); Limit < MainEditor.ScreenSize.Col= umn; Limit++) > { > PrintLine[Limit] =3D L' '; > } >=20 > -- > 2.16.1.windows.1
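Review bot: the padding loop in this hunk overwrites the NUL that StrnCpyS placed at PrintLine[StrLen(PrintLine)], and the visible context does not show a terminator being written at PrintLine[MainEditor.ScreenSize.Column] afterwards; please confirm that store exists (and that BufLen covers Column+1 CHAR16s), otherwise a short or all-NUL line becomes an unterminated string and ShellCopySearchAndReplace/ShellPrintEx read past it, which is the same class of overread the patch is fixing. Since `Limit` is repurposed by `for (Limit = StrLen (PrintLine); ...`, a one-line comment saying that from here on Limit is the displayed length rather than Line->Size would help the next reader.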
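As an added example, not part of the patch or of the edk2 sources, the padding step described in the commit message modelled in plain C. CHAR16, StrLen and StrnCpyS are stand-ins written here; the sample line, the 8-column screen and the terminator written at PrintLine[Column] after the loop are assumptions. It runs both the old and the patched loop on a line that starts with two NUL bytes and is longer than the screen, and also on a short NUL-leading line (Limit below Column), which the old loop mishandles the same way, since StrnCpyS stops at the first NUL regardless of Limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t CHAR16;  /* UEFI CHAR16: UCS-2 code unit */
#define L16(c) ((CHAR16)(c))
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-in for edk2 StrLen on CHAR16 strings. */
static size_t StrLen16(const CHAR16 *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Stand-in for StrnCpyS: copy at most Length code units, stop at the
 * first NUL, and always NUL-terminate Destination (DestMax counts the NUL). */
static void StrnCpyS16(CHAR16 *Destination, size_t DestMax,
                       const CHAR16 *Source, size_t Length) {
    size_t i = 0;
    if (Length >= DestMax) Length = DestMax - 1;
    while (i < Length && Source[i] != 0) {
        Destination[i] = Source[i];
        i++;
    }
    Destination[i] = 0;
}

/* Models the padding step of FileBufferPrintLine for one line.
 * Buffer/Limit stand for Line->Buffer/Line->Size, Column for
 * MainEditor.ScreenSize.Column; PrintLine must hold Column+1 CHAR16s.
 * Fixed == 0 runs the pre-patch loop, Fixed == 1 the patched one.
 * Returns StrLen of the padded PrintLine (Column when padding worked). */
static size_t PadPrintLine(CHAR16 *PrintLine, size_t Column,
                           const CHAR16 *Buffer, size_t Limit, int Fixed) {
    size_t BufLen = (Column + 1) * sizeof(CHAR16);

    StrnCpyS16(PrintLine, BufLen / sizeof(CHAR16), Buffer, MIN(Limit, Column));
    if (Fixed) {
        Limit = StrLen16(PrintLine);   /* the one-line fix from the patch */
    }
    for (; Limit < Column; Limit++) {
        PrintLine[Limit] = L16(' ');
    }
    /* Assumption: the editor terminates the padded line at Column. The loop
     * above overwrites the NUL StrnCpyS placed, so this store is required. */
    PrintLine[Column] = 0;
    return StrLen16(PrintLine);
}

/* Constructed sample: a "binary" line beginning with two NUL code units
 * and longer than the 8-column screen assumed here. */
#define kColumn 8
static const CHAR16 kBinaryLine[10] = {0, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};

/* Runs the sample through both loops. Returns the patched loop's padded
 * length and stores the pre-patch loop's length in *OldLen. */
static size_t DemoBinaryLine(size_t *OldLen) {
    CHAR16 Old[kColumn + 1], New[kColorumnGuard];
    return 0;
}
```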