From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: redhat.com, ip: 209.85.128.68, mailfrom: philmd@redhat.com)
Received: from mail-wm1-f68.google.com (mail-wm1-f68.google.com [209.85.128.68])
 by groups.io with SMTP; Tue, 23 Apr 2019 01:00:14 -0700
Received: by mail-wm1-f68.google.com with SMTP id j13so1787203wmh.2
        for <devel@edk2.groups.io>; Tue, 23 Apr 2019 01:00:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id
         :date:user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=urrlxSnCjQ1Rridru0PkSAavbPAjpJltMLA5/K39dlE=;
        b=mnz8r/1BGZK5KdAg1noZJhw6XriZC1cZLgOGyyNcVTK85zXHdEqV/1tAegp/0zzukF
         YqnbWP82SLErYE0XvwGNhsPuiDONRj1eCnz2yP3GOl1KoZUvjlcV77OiMz1wsiRVY8Ak
         ceO9iRwDPetGOjK4zQA9pz/7zAmhawbqNKQVnPbGfLvgjuTAKBv8cewQcoOpJLT/oW0c
         rSUK8tiA/aWvZXXmv/yTXuj+0dktwHwxnvkEXkTJRRGvD2q9aQ+kVn1/c79WQNuN6WMK
         HTTuapA7ohUpVfQkESCa8/mXFe1EmV7I0xkyVmsmr69ryFQHBhjXaoF1RPY4UZnBqmy+
         bWeA==
X-Gm-Message-State: APjAAAUkq1sNIOw/QnCrDO3KhBsLWgb4Q/SDA2QDQyyglgzW4Vb2GzX5
	2HY5fl26+MI4pyVGrG33nrxbkg==
X-Google-Smtp-Source: APXvYqyjRwA4RgqEQYC7Uu3VKx1VT2x894+nxGElLuNJXV+OQHD9z1ebqiIGrmZzQW+jalLgvCo1vg==
X-Received: by 2002:a1c:9e06:: with SMTP id h6mr729627wme.65.1556006411884;
        Tue, 23 Apr 2019 01:00:11 -0700 (PDT)
Return-Path: <philmd@redhat.com>
Received: from [192.168.1.25] (atoulouse-656-1-803-163.w86-221.abo.wanadoo.fr. [86.221.12.163])
        by smtp.gmail.com with ESMTPSA id a6sm16066631wrp.49.2019.04.23.01.00.10
        (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128);
        Tue, 23 Apr 2019 01:00:11 -0700 (PDT)
Subject: Re: [edk2-devel] [PATCH v2 2/5] MdePkg/PiFirmwareFile: fix undefined behavior in SECTION_SIZE
To: devel@edk2.groups.io, lersek@redhat.com
Cc: Liming Gao <liming.gao@intel.com>,
 Michael D Kinney <michael.d.kinney@intel.com>
References: <20190418174710.12236-1-lersek@redhat.com>
 <20190418174710.12236-3-lersek@redhat.com>
From: =?UTF-8?B?UGhpbGlwcGUgTWF0aGlldS1EYXVkw6k=?= <philmd@redhat.com>
Openpgp: id=89C1E78F601EE86C867495CBA2A3FD6EDEADC0DE;
 url=http://pgp.mit.edu/pks/lookup?op=get&search=0xA2A3FD6EDEADC0DE
Message-ID: <adc86ecd-acde-4b1d-5caa-7b18c7473cfc@redhat.com>
Date: Tue, 23 Apr 2019 10:00:10 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <20190418174710.12236-3-lersek@redhat.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 4/18/19 7:47 PM, Laszlo Ersek wrote:
> RH covscan justifiedly reports that accessing
> "EFI_COMMON_SECTION_HEADER.Size", which is of type UINT8[3], through a
> (UINT32*), is undefined behavior:
> 
>> Error: OVERRUN (CWE-119):
>> edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:178: overrun-local: Overrunning
>> array of 3 bytes at byte offset 3 by dereferencing pointer
>> "(UINT32 *)((EFI_COMMON_SECTION_HEADER *)(UINTN)Section)->Size".
>> #  176|       Section = (EFI_COMMON_SECTION_HEADER*)(UINTN) CurrentAddress;
>> #  177|
>> #  178|->     Size = SECTION_SIZE (Section);
>> #  179|       if (Size < sizeof (*Section)) {
>> #  180|         return EFI_VOLUME_CORRUPTED;
> 
> Fix this by accessing the array elements individually.
> 
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1710
> Issue: scan-1007.txt
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
> 
> Notes:
>     v2:
>     
>     - replace EFI_COMMON_SECTION_HEADER_UNION with individual array element
>       access [Jordan, Phil, Mike]
> 
>  MdePkg/Include/Pi/PiFirmwareFile.h | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/MdePkg/Include/Pi/PiFirmwareFile.h b/MdePkg/Include/Pi/PiFirmwareFile.h
> index a9f3bcc4eb8e..05470538de42 100644
> --- a/MdePkg/Include/Pi/PiFirmwareFile.h
> +++ b/MdePkg/Include/Pi/PiFirmwareFile.h
> @@ -480,8 +480,15 @@ typedef struct {
>    CHAR16                        VersionString[1];
>  } EFI_VERSION_SECTION2;
>  
> -#define SECTION_SIZE(SectionHeaderPtr) \
> -    ((UINT32) (*((UINT32 *) ((EFI_COMMON_SECTION_HEADER *) (UINTN) SectionHeaderPtr)->Size) & 0x00ffffff))
> +///
> +/// The argument passed as the SectionHeaderPtr parameter to the SECTION_SIZE()
> +/// and IS_SECTION2() function-like macros below must not have side effects:
> +/// SectionHeaderPtr is evaluated multiple times.
> +///
> +#define SECTION_SIZE(SectionHeaderPtr) ((UINT32) ( \
> +    (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[0]      ) | \
> +    (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[1] <<  8) | \
> +    (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[2] << 16)))
>  
>  #define IS_SECTION2(SectionHeaderPtr) \
>      (SECTION_SIZE (SectionHeaderPtr) == 0x00ffffff)
> 

Thanks!

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>