From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"lersek@redhat.com" <lersek@redhat.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: "Gao, Liming" <liming.gao@intel.com>
Subject: Re: [edk2-devel] [PATCH 04/10] MdePkg/PiFirmwareFile: fix undefined behavior in FFS_FILE_SIZE
Date: Thu, 18 Apr 2019 17:59:49 +0000 [thread overview]
Message-ID: <E92EE9817A31E24EB0585FDF735412F5B9C9ADD1@ORSMSX113.amr.corp.intel.com> (raw)
In-Reply-To: <fd543fed-026b-a377-f5b5-6593321bace8@redhat.com>
Philippe,
Comments below.
Thanks,
Mike
> -----Original Message-----
> From: Philippe Mathieu-Daudé [mailto:philmd@redhat.com]
> Sent: Thursday, April 18, 2019 10:20 AM
> To: devel@edk2.groups.io; Kinney, Michael D
> <michael.d.kinney@intel.com>; lersek@redhat.com
> Cc: Gao, Liming <liming.gao@intel.com>
> Subject: Re: [edk2-devel] [PATCH 04/10]
> MdePkg/PiFirmwareFile: fix undefined behavior in
> FFS_FILE_SIZE
>
> Hi Michael,
>
> On 4/17/19 7:52 PM, Michael D Kinney wrote:
> > Laszlo,
> >
> > I have been following this thread. I think the style
> > used here to access the 3 array elements to build the
> > 24-bit size value is the best approach. I prefer
> this
> > over adding the union.
> >
> > I agree there is a read overrun issue when using
> UINT32 to
> > read the Size[3] array contents.
> >
> > I do not think this is a real issue in practice,
> because the
> > Size[3] array accessed is part of the larger
> > EFI_COMMON_SECTION_HEADER structure. However, we
> always should
> > clean up code to not do any read/write overruns
> without this
> > type of analysis and the need to keep track of
> exceptions.
> >
> > There is a related set of code in the BaseLib for
> Read/Write
> > Unaligned24().
> >
> > UINT32
> > EFIAPI
> > ReadUnaligned24 (
> > IN CONST UINT32 *Buffer
> > );
> >
> > UINT32
> > EFIAPI
> > WriteUnaligned24 (
> > OUT UINT32 *Buffer,
> > IN UINT32 Value
> > );
> >
> > This API does not get flagged for read overrun issues
> because
> > a UINT32 is passed in. However, for CPU archs that
> required aligned
> > access, the 24-bit value must be read in pieces.
> This is why there
> > are 2 different implementations:
> >
> > IA32/X64
> > ========
> > UINT32
> > EFIAPI
> > ReadUnaligned24 (
> > IN CONST UINT32 *Buffer
> > )
> > {
> > ASSERT (Buffer != NULL);
> >
> > return *Buffer & 0xffffff;
> > }
> >
> >
> > ARM/AARCH64
> > ============
> > UINT32
> > EFIAPI
> > ReadUnaligned24 (
> > IN CONST UINT32 *Buffer
> > )
> > {
> > ASSERT (Buffer != NULL);
> >
> > return (UINT32)(
> > ReadUnaligned16 ((UINT16*)Buffer) |
> > (((UINT8*)Buffer)[2] << 16)
> > );
> > }
> >
> > The ARM/ARCH64 implementation is clean because it
> does
> > not do a read overrun of the 24-bit field. The
> IA32/X64
> > implementation may have an issue because it reads a
> 32-bit
> > value and strips the upper 8 bits.
> >
> > If we apply the same technique to the Size field of
> > EFI_COMMON_SECTION_HEADER, then the 24-bit value
> would be
> > built from reading only the 3 bytes of the array.
>
> This ARM implementation assumes Buffer is halfword-
> aligned OR the
> microarchitectures supports unaligned halfword access.
>
> The 3x 8-bit accesses macro looks simpler than adding a
> 16-bit alignment
> check on Buffer, such:
>
> if (Buffer & 1) {
> return (UINT32)(
> ((UINT8*)Buffer)[0] |
> (ReadUnaligned16
> ((UINT16*)&(((UINT8*)Buffer)[1])) << 8)
> );
> } else {
> return (UINT32)(
> ReadUnaligned16 ((UINT16*)Buffer) |
> (((UINT8*)Buffer)[2] << 16)
> );
> }
>
The ARM/AARCH64 implementation of ReadUnaligned16() just
does the byte access which will always work. So not need
to do the 2 modes you suggest above.
UINT16
EFIAPI
ReadUnaligned16 (
IN CONST UINT16 *Buffer
)
{
volatile UINT8 LowerByte;
volatile UINT8 HigherByte;
ASSERT (Buffer != NULL);
LowerByte = ((UINT8*)Buffer)[0];
HigherByte = ((UINT8*)Buffer)[1];
return (UINT16)(LowerByte | (HigherByte << 8));
}
> > Best regards,
> >
> > Mike
> >
> >> -----Original Message-----
> >> From: devel@edk2.groups.io
> [mailto:devel@edk2.groups.io]
> >> On Behalf Of Laszlo Ersek
> >> Sent: Friday, April 12, 2019 4:31 PM
> >> To: edk2-devel-groups-io <devel@edk2.groups.io>
> >> Cc: Gao, Liming <liming.gao@intel.com>; Kinney,
> Michael
> >> D <michael.d.kinney@intel.com>
> >> Subject: [edk2-devel] [PATCH 04/10]
> >> MdePkg/PiFirmwareFile: fix undefined behavior in
> >> FFS_FILE_SIZE
> >>
> >> Accessing "EFI_FFS_FILE_HEADER.Size", which is of
> type
> >> UINT8[3], through a
> >> (UINT32*), is undefined behavior. Fix it by
> accessing
> >> the array elements
> >> individually.
> >>
> >> (We can't use a union here, unfortunately, as easily
> as
> >> with
> >> "EFI_COMMON_SECTION_HEADER", given the fields in
> >> "EFI_FFS_FILE_HEADER".)
> >>
> >> Cc: Liming Gao <liming.gao@intel.com>
> >> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> >> Bugzilla:
> >> https://bugzilla.tianocore.org/show_bug.cgi?id=1710
> >> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> >> ---
> >> MdePkg/Include/Pi/PiFirmwareFile.h | 10 +++++++++-
> >> 1 file changed, 9 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/MdePkg/Include/Pi/PiFirmwareFile.h
> >> b/MdePkg/Include/Pi/PiFirmwareFile.h
> >> index 4fce8298d1c0..0668f3fa9af4 100644
> >> --- a/MdePkg/Include/Pi/PiFirmwareFile.h
> >> +++ b/MdePkg/Include/Pi/PiFirmwareFile.h
> >> @@ -174,18 +174,26 @@ typedef struct {
> >> /// If FFS_ATTRIB_LARGE_FILE is not set then
> >> EFI_FFS_FILE_HEADER is used.
> >> ///
> >> UINT64 ExtendedSize;
> >> } EFI_FFS_FILE_HEADER2;
> >>
> >> #define IS_FFS_FILE2(FfsFileHeaderPtr) \
> >> (((((EFI_FFS_FILE_HEADER *) (UINTN)
> >> FfsFileHeaderPtr)->Attributes) &
> FFS_ATTRIB_LARGE_FILE)
> >> == FFS_ATTRIB_LARGE_FILE)
> >>
> >> +#define FFS_FILE_SIZE_ARRAY(FfsFileHeaderPtr) \
> >> + (((EFI_FFS_FILE_HEADER *) (UINTN)
> >> (FfsFileHeaderPtr))->Size)
> >> +
> >> +#define FFS_FILE_SIZE_ELEMENT(FfsFileHeaderPtr,
> Index)
> >> \
> >> + ((UINT32) FFS_FILE_SIZE_ARRAY
> >> (FfsFileHeaderPtr)[(Index)])
> >> +
> >> #define FFS_FILE_SIZE(FfsFileHeaderPtr) \
> >> - ((UINT32) (*((UINT32 *) ((EFI_FFS_FILE_HEADER
> *)
> >> (UINTN) FfsFileHeaderPtr)->Size) & 0x00ffffff))
> >> + ((FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 0)
> <<
> >> 0) | \
> >> + (FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 1)
> <<
> >> 8) | \
> >> + (FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 2)
> <<
> >> 16))
> >>
> >> #define FFS_FILE2_SIZE(FfsFileHeaderPtr) \
> >> ((UINT32) (((EFI_FFS_FILE_HEADER2 *) (UINTN)
> >> FfsFileHeaderPtr)->ExtendedSize))
> >>
> >> typedef UINT8 EFI_SECTION_TYPE;
> >>
> >> ///
> >> /// Pseudo type. It is used as a wild card when
> >> retrieving sections.
> >> --
> >> 2.19.1.3.g30247aa5d201
> >>
> >>
> >>
> >> -=-=-=-=-=-=
> >> Groups.io Links: You receive all messages sent to
> this
> >> group.
> >>
> >> View/Reply Online (#38989):
> >> https://edk2.groups.io/g/devel/message/38989
> >> Mute This Topic:
> https://groups.io/mt/31070304/1643496
> >> Group Owner: devel+owner@edk2.groups.io
> >> Unsubscribe: https://edk2.groups.io/g/devel/unsub
> >> [michael.d.kinney@intel.com]
> >> -=-=-=-=-=-=
> >
> >
> >
> >
next prev parent reply other threads:[~2019-04-18 17:59 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-12 23:31 [PATCH 00/10] patches for some warnings raised by "RH covscan" Laszlo Ersek
2019-04-12 23:31 ` [PATCH 01/10] MdePkg/PiFirmwareFile: express IS_SECTION2 in terms of SECTION_SIZE Laszlo Ersek
2019-04-15 17:01 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 02/10] MdePkg/PiFirmwareFile: fix undefined behavior in SECTION_SIZE Laszlo Ersek
2019-04-14 7:19 ` [edk2-devel] " Jordan Justen
2019-04-15 16:15 ` Laszlo Ersek
2019-04-16 8:28 ` Liming Gao
2019-04-16 9:04 ` Jordan Justen
2019-04-16 10:59 ` Laszlo Ersek
2019-04-16 16:50 ` Philippe Mathieu-Daudé
2019-04-17 10:08 ` Laszlo Ersek
2019-04-16 18:48 ` Jordan Justen
2019-04-16 23:25 ` Andrew Fish
2019-04-17 10:29 ` Laszlo Ersek
2019-04-17 11:44 ` Andrew Fish
2019-04-17 14:59 ` Laszlo Ersek
2019-04-17 19:35 ` Jordan Justen
2019-04-18 9:38 ` Laszlo Ersek
2019-04-18 15:18 ` Liming Gao
2019-04-17 10:01 ` Laszlo Ersek
2019-04-12 23:31 ` [PATCH 03/10] BaseTools/PiFirmwareFile: " Laszlo Ersek
2019-04-12 23:31 ` [PATCH 04/10] MdePkg/PiFirmwareFile: fix undefined behavior in FFS_FILE_SIZE Laszlo Ersek
2019-04-15 17:23 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-17 17:52 ` Michael D Kinney
2019-04-17 18:31 ` Michael D Kinney
2019-04-18 9:06 ` Laszlo Ersek
2019-04-17 18:31 ` Andrew Fish
2019-04-17 18:36 ` Michael D Kinney
2019-04-18 8:48 ` Laszlo Ersek
2019-04-18 8:45 ` Laszlo Ersek
2019-04-18 23:12 ` Laszlo Ersek
2019-04-18 17:20 ` Philippe Mathieu-Daudé
2019-04-18 17:59 ` Michael D Kinney [this message]
2019-04-18 18:12 ` Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 05/10] OvmfPkg/Sec: fix out-of-bounds reads Laszlo Ersek
2019-04-15 17:24 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 06/10] OvmfPkg/QemuVideoDxe: avoid arithmetic on null pointer Laszlo Ersek
2019-04-12 23:31 ` [PATCH 07/10] OvmfPkg/AcpiPlatformDxe: suppress invalid "deref of undef pointer" warning Laszlo Ersek
2019-04-15 17:26 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 08/10] OvmfPkg: suppress "Value stored to ... is never read" analyzer warnings Laszlo Ersek
2019-04-14 8:03 ` [edk2-devel] " Jordan Justen
2019-04-15 16:25 ` Laszlo Ersek
2019-04-16 9:26 ` Jordan Justen
2019-04-16 11:44 ` Laszlo Ersek
2019-04-12 23:31 ` [PATCH 09/10] OvmfPkg/AcpiPlatformDxe: catch theoretical nullptr deref in Xen code Laszlo Ersek
2019-04-15 17:28 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 10/10] OvmfPkg/BasePciCapLib: suppress invalid "nullptr deref" warning Laszlo Ersek
2019-04-15 17:31 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-16 11:01 ` Laszlo Ersek
2019-04-12 23:36 ` [PATCH 00/10] patches for some warnings raised by "RH covscan" Ard Biesheuvel
2019-04-15 16:16 ` Laszlo Ersek
2019-04-18 14:20 ` [edk2-devel] " Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E92EE9817A31E24EB0585FDF735412F5B9C9ADD1@ORSMSX113.amr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox