From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.81])
 by mx.groups.io with SMTP id smtpd.web12.251.1598285942205918859
 for <devel@edk2.groups.io>;
 Mon, 24 Aug 2020 09:19:02 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=C390OUEr;
 spf=pass (domain: redhat.com, ip: 207.211.31.81, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1598285941;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=gEpR9GM1MuKg+aHptueDlPXsxr4sVmLoDgyJKO1I9Z0=;
	b=C390OUEr7jzXnU18mg7HW16SRMG0XjlLwcRshUiMsFBO4tpxy88iZYxlhkFS4DzJNytKXy
	o8sXdZfdGBwYI28e/zQIsHiCVjdeRHlMrcQyGyEkoVv4Ay7Al7bh/ASUsvrRS2nxFWHDgA
	fVIl/OCkZGy3n/YqpHdBOtkGKMJFWfg=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-123-8DnqYmBZN_-N81hQIm7HWw-1; Mon, 24 Aug 2020 12:18:56 -0400
X-MC-Unique: 8DnqYmBZN_-N81hQIm7HWw-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A94AA425CD;
	Mon, 24 Aug 2020 16:18:55 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-186.ams2.redhat.com [10.36.112.186])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 8431162AE0;
	Mon, 24 Aug 2020 16:18:54 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer overrun in FileHandleReadLine()
To: devel@edk2.groups.io, zhiguang.liu@intel.com,
 "vladimir.olovyannikov@broadcom.com" <vladimir.olovyannikov@broadcom.com>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
 "Gao, Liming" <liming.gao@intel.com>
References: <20200702023113.10517-1-vladimir.olovyannikov@broadcom.com>
 <CY4PR11MB16873F1AAF3A67DB15059EE7906A0@CY4PR11MB1687.namprd11.prod.outlook.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <b5ec7a24-b481-1231-d248-6da845db3fa1@redhat.com>
Date: Mon, 24 Aug 2020 18:18:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Firefox/52.0 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CY4PR11MB16873F1AAF3A67DB15059EE7906A0@CY4PR11MB1687.namprd11.prod.outlook.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com
X-Mimecast-Spam-Score: 0.002
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

On 07/03/20 04:30, Zhiguang Liu wrote:
> Reviewed-by: Zhiguang Liu <zhiguang.liu@intel.com>

Merged as commit 4535fc312b76, via
<https://github.com/tianocore/edk2/pull/896>.

Thanks,
Laszlo

> 
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vladimir
>> Olovyannikov via groups.io
>> Sent: Thursday, July 2, 2020 10:31 AM
>> To: devel@edk2.groups.io
>> Cc: Vladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>; Kinney,
>> Michael D <michael.d.kinney@intel.com>; Gao, Liming
>> <liming.gao@intel.com>; Liu, Zhiguang <zhiguang.liu@intel.com>
>> Subject: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer
>> overrun in FileHandleReadLine()
>>
>> If the size of the supplied buffer in FileHandleReadLine(), module
>> UefiFileHandleLib.c, was not 0, but was not enough to fit in
>> the line, the size is increased, and then the Buffer of the new
>> size is zeroed. This size is always larger than the supplied buffer size,
>> causing supplied buffer overrun. Fix the issue by using the
>> supplied buffer size in ZeroMem().
>>
>> Signed-off-by: Vladimir Olovyannikov
>> <vladimir.olovyannikov@broadcom.com>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Cc: Liming Gao <liming.gao@intel.com>
>> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
>> ---
>>  MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> index 28e28e5f67d5..ab34e6ccd5f4 100644
>> --- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> +++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> @@ -969,6 +969,7 @@ FileHandleReadLine(
>>    UINTN       CharSize;
>>
>>    UINTN       CountSoFar;
>>
>>    UINTN       CrCount;
>>
>> +  UINTN       OldSize;
>>
>>    UINT64      OriginalFilePosition;
>>
>>
>>
>>    if (Handle == NULL
>>
>> @@ -1039,10 +1040,11 @@ FileHandleReadLine(
>>    // if we ran out of space tell when...
>>
>>    //
>>
>>    if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){
>>
>> +    OldSize = *Size;
>>
>>      *Size = (CountSoFar+1-CrCount)*sizeof(CHAR16);
>>
>>      if (!Truncate) {
>>
>> -      if (Buffer != NULL && *Size != 0) {
>>
>> -        ZeroMem(Buffer, *Size);
>>
>> +      if (Buffer != NULL && OldSize != 0) {
>>
>> +        ZeroMem(Buffer, OldSize);
>>
>>        }
>>
>>        FileHandleSetPosition(Handle, OriginalFilePosition);
>>
>>        return (EFI_BUFFER_TOO_SMALL);
>>
>> --
>> 2.26.2.266.ge870325ee8