From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 by mx.groups.io with SMTP id smtpd.web11.1687.1581566789705674588
 for <devel@edk2.groups.io>;
 Wed, 12 Feb 2020 20:06:29 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.24, mailfrom: jian.j.wang@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
  by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Feb 2020 20:06:29 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,434,1574150400"; 
   d="scan'208";a="252146596"
Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203])
  by orsmga002.jf.intel.com with ESMTP; 12 Feb 2020 20:06:28 -0800
Received: from fmsmsx116.amr.corp.intel.com (10.18.116.20) by
 FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS)
 id 14.3.439.0; Wed, 12 Feb 2020 20:06:28 -0800
Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by
 fmsmsx116.amr.corp.intel.com (10.18.116.20) with Microsoft SMTP Server (TLS)
 id 14.3.439.0; Wed, 12 Feb 2020 20:06:28 -0800
Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.46]) by
 SHSMSX104.ccr.corp.intel.com ([169.254.5.5]) with mapi id 14.03.0439.000;
 Thu, 13 Feb 2020 12:06:26 +0800
From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Bi, Dandan" <dandan.bi@intel.com>, "devel@edk2.groups.io"
	<devel@edk2.groups.io>
CC: "Gao, Liming" <liming.gao@intel.com>, "Dong, Eric" <eric.dong@intel.com>
Subject: Re: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)
Thread-Topic: [patch 1/2] MdeModulePkg/String.c: Zero memory before free
 (CVE-2019-14558)
Thread-Index: AQHV4iKTqNweBcnkZEO/SsMN1TojPagYgZmg
Date: Thu, 13 Feb 2020 04:06:26 +0000
Message-ID: <D827630B58408649ACB04F44C510003625A0D9C3@SHSMSX107.ccr.corp.intel.com>
References: <20200213040303.53336-1-dandan.bi@intel.com>
 <20200213040303.53336-2-dandan.bi@intel.com>
In-Reply-To: <20200213040303.53336-2-dandan.bi@intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZjRkNWE0YmMtNmQxNC00YmNiLTg3NWQtMzA4ZTA3NTAwODlkIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiZkh0b05cL1JhV2NrZUNiS05EemQ1cXp0eitBM3RBejFETHJ1Nm95aWxHeDlzTXhxNjdPK0VoR29PXC93R2tnak5EIn0=
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Return-Path: jian.j.wang@intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Regards,
Jian

> -----Original Message-----
> From: Bi, Dandan <dandan.bi@intel.com>
> Sent: Thursday, February 13, 2020 12:03 PM
> To: devel@edk2.groups.io
> Cc: Gao, Liming <liming.gao@intel.com>; Dong, Eric <eric.dong@intel.com>;
> Wang, Jian J <jian.j.wang@intel.com>
> Subject: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-
> 2019-14558)
>=20
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1611
>=20
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Signed-off-by: Dandan Bi <dandan.bi@intel.com>
> ---
>  MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>=20
> diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> index 505e063d49..10a1e691a3 100644
> --- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> @@ -1004,10 +1004,11 @@ SetStringWorker (
>        BlockPtr,
>        StringTextPtr + AsciiStrSize ((CHAR8 *)StringTextPtr),
>        TmpSize
>        );
>=20
> +    ZeroMem (StringPackage->StringBlock, OldBlockSize);
>      FreePool (StringPackage->StringBlock);
>      StringPackage->StringBlock =3D Block;
>      StringPackage->StringPkgHdr->Header.Length +=3D (UINT32) (BlockSize =
-
> OldBlockSize);
>      break;
>=20
> @@ -1037,10 +1038,11 @@ SetStringWorker (
>        BlockPtr,
>        StringTextPtr + StringSize,
>        OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - Stri=
ngSize
>        );
>=20
> +    ZeroMem (StringPackage->StringBlock, OldBlockSize);
>      FreePool (StringPackage->StringBlock);
>      StringPackage->StringBlock =3D Block;
>      StringPackage->StringPkgHdr->Header.Length +=3D (UINT32) (BlockSize =
-
> OldBlockSize);
>      break;
>=20
> @@ -1088,10 +1090,11 @@ SetStringWorker (
>      );
>    BlockPtr +=3D StrSize (GlobalFont->FontInfo->FontName);
>=20
>    CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);
>=20
> +  ZeroMem (StringPackage->StringBlock, OldBlockSize);
>    FreePool (StringPackage->StringBlock);
>    StringPackage->StringBlock =3D Block;
>    StringPackage->StringPkgHdr->Header.Length +=3D Ext2.Length;
>=20
>    return EFI_SUCCESS;
> @@ -1273,10 +1276,11 @@ HiiNewString (
>=20
>        //
>        // Append a EFI_HII_SIBT_END block to the end.
>        //
>        *BlockPtr =3D EFI_HII_SIBT_END;
> +      ZeroMem (StringPackage->StringBlock, OldBlockSize);
>        FreePool (StringPackage->StringBlock);
>        StringPackage->StringBlock =3D StringBlock;
>        StringPackage->StringPkgHdr->Header.Length +=3D Ucs2BlockSize;
>        PackageListNode->PackageListHdr.PackageLength +=3D Ucs2BlockSize;
>      }
> @@ -1404,10 +1408,11 @@ HiiNewString (
>=20
>      //
>      // Append a EFI_HII_SIBT_END block to the end.
>      //
>      *BlockPtr =3D EFI_HII_SIBT_END;
> +    ZeroMem (StringPackage->StringBlock, OldBlockSize);
>      FreePool (StringPackage->StringBlock);
>      StringPackage->StringBlock =3D StringBlock;
>      StringPackage->StringPkgHdr->Header.Length +=3D Ucs2BlockSize;
>      PackageListNode->PackageListHdr.PackageLength +=3D Ucs2BlockSize;
>=20
> @@ -1446,10 +1451,11 @@ HiiNewString (
>=20
>        //
>        // Append a EFI_HII_SIBT_END block to the end.
>        //
>        *BlockPtr =3D EFI_HII_SIBT_END;
> +      ZeroMem (StringPackage->StringBlock, OldBlockSize);
>        FreePool (StringPackage->StringBlock);
>        StringPackage->StringBlock =3D StringBlock;
>        StringPackage->StringPkgHdr->Header.Length +=3D Ucs2FontBlockSize;
>        PackageListNode->PackageListHdr.PackageLength +=3D Ucs2FontBlockSi=
ze;
>=20
> @@ -1507,10 +1513,11 @@ HiiNewString (
>=20
>        //
>        // Append a EFI_HII_SIBT_END block to the end.
>        //
>        *BlockPtr =3D EFI_HII_SIBT_END;
> +      ZeroMem (StringPackage->StringBlock, OldBlockSize);
>        FreePool (StringPackage->StringBlock);
>        StringPackage->StringBlock =3D StringBlock;
>        StringPackage->StringPkgHdr->Header.Length +=3D FontBlockSize +
> Ucs2FontBlockSize;
>        PackageListNode->PackageListHdr.PackageLength +=3D FontBlockSize +
> Ucs2FontBlockSize;
>=20
> --
> 2.18.0.windows.1