From: "Wang, Jian J"
To: "Bi, Dandan", "devel@edk2.groups.io"
CC: "Gao, Liming", "Dong, Eric"
Subject: Re: [patch 2/2] MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)
Date: Thu, 13 Feb 2020 04:11:34 +0000
References: <20200213040303.53336-1-dandan.bi@intel.com> <20200213040303.53336-3-dandan.bi@intel.com>
In-Reply-To: <20200213040303.53336-3-dandan.bi@intel.com>

Please update copyright year for patch 1 and 2. With it addressed,

Reviewed-by: Jian J Wang

Regards,
Jian

> -----Original Message-----
> From: Bi, Dandan
> Sent: Thursday, February 13, 2020 12:03 PM
> To: devel@edk2.groups.io
> Cc: Gao, Liming; Dong, Eric; Wang, Jian J
> Subject: [patch 2/2] MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
>
> Cc: Liming Gao
> Cc: Eric Dong
> Cc: Jian J Wang
> Signed-off-by: Dandan Bi > --- > MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) >=20 > diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c > b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c > index 7d9486112b..1087004939 100644 > --- a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c > +++ b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c > @@ -821,10 +821,11 @@ PasswordProcess ( > // > // Old password exist, ask user for the old password > // > Status =3D ReadString (MenuOption, gPromptForPassword, StringPtr); > if (EFI_ERROR (Status)) { > + ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); > FreePool (StringPtr); > return Status; > } >=20 > // > @@ -838,11 +839,11 @@ PasswordProcess ( > // > PasswordInvalid (); > } else { > Status =3D EFI_SUCCESS; > } > - > + ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); > FreePool (StringPtr); > return Status; > } > } >=20 > @@ -854,10 +855,11 @@ PasswordProcess ( > if (EFI_ERROR (Status)) { > // > // Reset state machine for password > // > Question->PasswordCheck (gFormData, Question, NULL); > + ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); > FreePool (StringPtr); > return Status; > } >=20 > // > @@ -869,10 +871,12 @@ PasswordProcess ( > if (EFI_ERROR (Status)) { > // > // Reset state machine for password > // > Question->PasswordCheck (gFormData, Question, NULL); > + ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); > + ZeroMem (TempString, (Maximum + 1) * sizeof (CHAR16)); > FreePool (StringPtr); > FreePool (TempString); > return Status; > } >=20 > -- > 2.18.0.windows.1
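
Review bot: In the first hunk (@@ -821), the wipe length (Maximum + 1) * sizeof (CHAR16) is written out by hand in the new ZeroMem call, and the same expression is repeated in every ZeroMem this patch adds. The allocation of StringPtr is outside the visible context, so nothing in the diff ties the wipe length to the allocated size. Suggest computing the byte count once into a local next to the allocation and passing that local to both the allocator and ZeroMem, so a later change to the buffer size cannot leave part of the password unwiped or write past the pool buffer.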
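
Review bot: In the second hunk (@@ -838), the blank line between the closing brace of the if/else and the cleanup is deleted, so the new ZeroMem (StringPtr, ...) sits directly under the brace. Keep the blank line and add the ZeroMem after it; that matches the spacing of the surrounding code and turns the hunk into a pure one-line addition.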
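
Review bot: The last hunk (@@ -869) wipes StringPtr and TempString only on the EFI_ERROR return, and no hunk in this patch touches any exit of PasswordProcess after that point. The code past this hunk is not shown, so please confirm whether the function frees these two buffers again further down, for example after the new password and its confirmation have been compared. If it does, those FreePool calls need the same ZeroMem pair in front of them, since both buffers hold the password text by then. A single cleanup label that wipes and frees both buffers would cover every exit and avoid repeating the two calls.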