From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web11.1687.1581566789705674588 for ; Wed, 12 Feb 2020 20:06:29 -0800
Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.24, mailfrom: jian.j.wang@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Feb 2020 20:06:29 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,434,1574150400"; d="scan'208";a="252146596"
Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga002.jf.intel.com with ESMTP; 12 Feb 2020 20:06:28 -0800
Received: from fmsmsx116.amr.corp.intel.com (10.18.116.20) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 12 Feb 2020 20:06:28 -0800
Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by fmsmsx116.amr.corp.intel.com (10.18.116.20) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 12 Feb 2020 20:06:28 -0800
Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.46]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.5]) with mapi id 14.03.0439.000; Thu, 13 Feb 2020 12:06:26 +0800
From: "Wang, Jian J"
To: "Bi, Dandan", "devel@edk2.groups.io"
CC: "Gao, Liming", "Dong, Eric"
Subject: Re: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)
Thread-Topic: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)
Thread-Index: AQHV4iKTqNweBcnkZEO/SsMN1TojPagYgZmg
Date: Thu, 13 Feb 2020 04:06:26 +0000
Message-ID:
References: <20200213040303.53336-1-dandan.bi@intel.com> <20200213040303.53336-2-dandan.bi@intel.com>
In-Reply-To: <20200213040303.53336-2-dandan.bi@intel.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZjRkNWE0YmMtNmQxNC00YmNiLTg3NWQtMzA4ZTA3NTAwODlkIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiZkh0b05cL1JhV2NrZUNiS05EemQ1cXp0eitBM3RBejFETHJ1Nm95aWxHeDlzTXhxNjdPK0VoR29PXC93R2tnak5EIn0=
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Return-Path: jian.j.wang@intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Jian J Wang

Regards,
Jian

> -----Original Message-----
> From: Bi, Dandan
> Sent: Thursday, February 13, 2020 12:03 PM
> To: devel@edk2.groups.io
> Cc: Gao, Liming ; Dong, Eric ; Wang, Jian J
> Subject: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
>
> Cc: Liming Gao
> Cc: Eric Dong
> Cc: Jian J Wang
> Signed-off-by: Dandan Bi
> ---
> MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c > b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c > index 505e063d49..10a1e691a3 100644 > --- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c > +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c > @@ -1004,10 +1004,11 @@ SetStringWorker ( > BlockPtr, > StringTextPtr + AsciiStrSize ((CHAR8 *)StringTextPtr), > TmpSize > ); >=20 > + ZeroMem (StringPackage->StringBlock, OldBlockSize); > FreePool (StringPackage->StringBlock); > StringPackage->StringBlock =3D Block; > StringPackage->StringPkgHdr->Header.Length +=3D (UINT32) (BlockSize = - > OldBlockSize); > break; >=20 > @@ -1037,10 +1038,11 @@ SetStringWorker ( > BlockPtr, > StringTextPtr + StringSize, > OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - Stri= ngSize > ); >=20 > + ZeroMem (StringPackage->StringBlock, OldBlockSize); > FreePool (StringPackage->StringBlock); > StringPackage->StringBlock =3D Block; > StringPackage->StringPkgHdr->Header.Length +=3D (UINT32) (BlockSize = - > OldBlockSize); > break; >=20 > @@ -1088,10 +1090,11 @@ SetStringWorker ( > ); > BlockPtr +=3D StrSize (GlobalFont->FontInfo->FontName); >=20 > CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize); >=20 > + ZeroMem (StringPackage->StringBlock, OldBlockSize); > FreePool (StringPackage->StringBlock); > StringPackage->StringBlock =3D Block; > StringPackage->StringPkgHdr->Header.Length +=3D Ext2.Length; >=20 > return EFI_SUCCESS; > @@ -1273,10 +1276,11 @@ HiiNewString ( >=20 > // > // Append a EFI_HII_SIBT_END block to the end. > // > *BlockPtr =3D EFI_HII_SIBT_END; > + ZeroMem (StringPackage->StringBlock, OldBlockSize); > FreePool (StringPackage->StringBlock); > StringPackage->StringBlock =3D StringBlock; > StringPackage->StringPkgHdr->Header.Length +=3D Ucs2BlockSize; > PackageListNode->PackageListHdr.PackageLength +=3D Ucs2BlockSize; > } 
> @@ -1404,10 +1408,11 @@ HiiNewString ( >=20 > // > // Append a EFI_HII_SIBT_END block to the end. > // > *BlockPtr =3D EFI_HII_SIBT_END; > + ZeroMem (StringPackage->StringBlock, OldBlockSize); > FreePool (StringPackage->StringBlock); > StringPackage->StringBlock =3D StringBlock; > StringPackage->StringPkgHdr->Header.Length +=3D Ucs2BlockSize; > PackageListNode->PackageListHdr.PackageLength +=3D Ucs2BlockSize; >=20 > @@ -1446,10 +1451,11 @@ HiiNewString ( >=20 > // > // Append a EFI_HII_SIBT_END block to the end. > // > *BlockPtr =3D EFI_HII_SIBT_END; > + ZeroMem (StringPackage->StringBlock, OldBlockSize); > FreePool (StringPackage->StringBlock); > StringPackage->StringBlock =3D StringBlock; > StringPackage->StringPkgHdr->Header.Length +=3D Ucs2FontBlockSize; > PackageListNode->PackageListHdr.PackageLength +=3D Ucs2FontBlockSi= ze; >=20 > @@ -1507,10 +1513,11 @@ HiiNewString ( >=20 > // > // Append a EFI_HII_SIBT_END block to the end. > // > *BlockPtr =3D EFI_HII_SIBT_END; > + ZeroMem (StringPackage->StringBlock, OldBlockSize); > FreePool (StringPackage->StringBlock); > StringPackage->StringBlock =3D StringBlock; > StringPackage->StringPkgHdr->Header.Length +=3D FontBlockSize + > Ucs2FontBlockSize; > PackageListNode->PackageListHdr.PackageLength +=3D FontBlockSize + > Ucs2FontBlockSize; >=20 > -- > 2.18.0.windows.1
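Review bot: In the three SetStringWorker hunks (around lines 1004, 1037 and 1088) the clear length passed to ZeroMem is OldBlockSize, but the quoted context never shows where OldBlockSize is assigned, so it is not visible whether it is the allocated size of StringPackage->StringBlock or only the byte count used by the package-length arithmetic in `StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);`. If it is smaller than the allocation, the tail of the old pool block is freed without being cleared; if it could ever be larger, ZeroMem writes past the buffer just before it is freed. Please confirm in each path that OldBlockSize equals the length the old block was allocated with (the third hunk's `CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);` suggests it does, but the other two paths copy sub-ranges and do not establish that) and, if not, clear using the allocation size rather than the package-length delta.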
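Review bot: The four HiiNewString hunks (around lines 1273, 1404, 1446 and 1507) plus the three SetStringWorker hunks insert the identical three-line sequence `ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock;` with no comment explaining why the old block is cleared. A small static helper in String.c that zeroes and frees a block given its size would keep the next realloc site from being added without the clear and make the pattern easy to grep for; at minimum, a one-line comment above the first ZeroMem in each function stating that the old copy of the string data must not survive in freed pool memory would let a later reader tell this apart from an accidental leftover. As a caveat for the build, EDK2's ZeroMem is an out-of-line BaseMemoryLib call rather than a memset intrinsic, so it should not be dropped as a dead store before FreePool, but that is worth re-checking on LTO-enabled toolchains where the call may be inlined.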
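Review bot: The commit message consists of the subject line and a REF link only; it does not say what the string block contents are, why a stale copy remaining in freed pool memory matters, or which FreePool sites in String.c were audited. Since the diff touches every realloc site in SetStringWorker and HiiNewString but nothing else, a sentence in the commit message describing the issue and stating that all frees of StringPackage->StringBlock in this file were covered (and that no other buffer holding the same string data is freed unzeroed) would let reviewers verify completeness from the patch itself instead of the bugzilla entry.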