Subject: Re: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer overrun in FileHandleReadLine()
To: devel@edk2.groups.io, zhiguang.liu@intel.com, "vladimir.olovyannikov@broadcom.com"
Cc: "Kinney, Michael D" , "Gao, Liming"
References:
<20200702023113.10517-1-vladimir.olovyannikov@broadcom.com>
From: "Laszlo Ersek"
Date: Mon, 24 Aug 2020 18:18:53 +0200

On 07/03/20 04:30, Zhiguang Liu wrote:
> Reviewed-by: Zhiguang Liu

Merged as commit 4535fc312b76, via .

Thanks,
Laszlo

>
>> -----Original Message-----
>> From: devel@edk2.groups.io On Behalf Of Vladimir
>> Olovyannikov via groups.io
>> Sent: Thursday, July 2, 2020 10:31 AM
>> To: devel@edk2.groups.io
>> Cc: Vladimir Olovyannikov ; Kinney,
>> Michael D ; Gao, Liming
>> ; Liu, Zhiguang
>> Subject: [edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer
>> overrun in FileHandleReadLine()
>>
>> If the size of the supplied buffer in FileHandleReadLine(), module
>> UefiFileHandleLib.c, was not 0, but was not enough to fit in
>> the line, the size is increased, and then the Buffer of the new
>> size is zeroed. This size is always larger than the supplied buffer size,
>> causing supplied buffer overrun. Fix the issue by using the
>> supplied buffer size in ZeroMem().
>>
>> Signed-off-by: Vladimir Olovyannikov
>>
>> Cc: Michael D Kinney
>> Cc: Liming Gao
>> Cc: Zhiguang Liu
>> ---
>> MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> index 28e28e5f67d5..ab34e6ccd5f4 100644
>> --- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> +++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
>> @@ -969,6 +969,7 @@ FileHandleReadLine( >> UINTN CharSize; >> >> UINTN CountSoFar; >> >> UINTN CrCount; >> >> + UINTN OldSize; >> >> UINT64 OriginalFilePosition; >> >> >> >> if (Handle == NULL >> >> @@ -1039,10 +1040,11 @@ FileHandleReadLine( >> // if we ran out of space tell when... >> >> // >> >> if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){ >> >> + OldSize = *Size; >> >> *Size = (CountSoFar+1-CrCount)*sizeof(CHAR16); >> >> if (!Truncate) { >> >> - if (Buffer != NULL && *Size != 0) { >> >> - ZeroMem(Buffer, *Size); >> >> + if (Buffer != NULL && OldSize != 0) { >> >> + ZeroMem(Buffer, OldSize); >> >> } >> >> FileHandleSetPosition(Handle, OriginalFilePosition); >> >> return (EFI_BUFFER_TOO_SMALL); >> >> -- >> 2.26.2.266.ge870325ee8
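Review bot: in the second hunk (`@@ -1039,10 +1040,11 @@`), taking the snapshot `OldSize = *Size;` before `*Size` is overwritten with the required length is the right fix: previously `ZeroMem(Buffer, *Size)` ran after that update, so it cleared the required length rather than the supplied one and wrote (required minus supplied) bytes past the caller's allocation. One follow-up worth considering: the comment `// if we ran out of space tell when...` above that block does not say that `*Size` now carries the required length back to the caller while the buffer is cleared only to its original length; a one-line note there would keep a future reader from "simplifying" the `ZeroMem` back to `*Size`.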
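The bug described in the commit message is a general hazard of in/out size parameters: once `*Size` has been updated to report the required length, it no longer describes the caller's allocation. The following C model is an added example, not code from the patch or from EDK II; it reproduces the contract in a stand-alone form (the `CHAR16`/`UINTN`/`EFI_STATUS` typedefs and the `EFI_BUFFER_TOO_SMALL` value are stand-ins, the line content is constructed, and `ModelReadLine` is a hypothetical simplification of `FileHandleReadLine`). It places a canary pattern beyond the supplied buffer so the pre-fix and fixed clearing behaviour can be compared without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types for the UEFI ones used by FileHandleReadLine(); the
 * EFI_BUFFER_TOO_SMALL value is a placeholder, not the real EFI encoding. */
typedef uint16_t CHAR16;
typedef size_t   UINTN;
typedef int      EFI_STATUS;
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5

/* Hypothetical model of the in/out size contract. Line is the text already
 * read from the file (LineChars CHAR16s, not counting the terminator);
 * Buffer/Size are the caller's storage. When the line does not fit, the
 * required byte count is reported through *Size, the caller's buffer is
 * cleared, and EFI_BUFFER_TOO_SMALL is returned. Fixed selects whether the
 * clear uses the supplied length (the patch) or the updated one (pre-fix). */
static EFI_STATUS
ModelReadLine(const CHAR16 *Line, UINTN LineChars,
              CHAR16 *Buffer, UINTN *Size, bool Fixed)
{
  UINTN Required = (LineChars + 1) * sizeof(CHAR16);
  UINTN OldSize;

  if (Required > *Size) {
    OldSize = *Size;          /* snapshot before *Size is repurposed */
    *Size   = Required;       /* tell the caller how much it needs */
    if (Buffer != NULL && OldSize != 0) {
      /* Pre-fix code cleared *Size bytes, which is now the larger value. */
      memset(Buffer, 0, Fixed ? OldSize : *Size);
    }
    return EFI_BUFFER_TOO_SMALL;
  }
  memcpy(Buffer, Line, Required);
  return EFI_SUCCESS;
}

/* Constructed 11-character line; 24 bytes are needed including the NUL. */
static const CHAR16 SampleLine[] =
  { 'h','e','l','l','o',' ','w','o','r','l','d', 0 };
#define SAMPLE_CHARS ((sizeof SampleLine / sizeof SampleLine[0]) - 1)

#define BACKING_CHARS 32     /* 64 bytes of real storage */
#define SUPPLIED_BYTES 8     /* what the caller claims to own: too small */

/* Runs the too-small case and reports whether every byte beyond the
 * supplied region still holds the canary pattern. */
static bool
CanaryIntact(bool Fixed)
{
  CHAR16  Backing[BACKING_CHARS];
  uint8_t *Bytes = (uint8_t *)Backing;
  UINTN   Size   = SUPPLIED_BYTES;

  memset(Bytes, 0xA5, sizeof Backing);
  if (ModelReadLine(SampleLine, SAMPLE_CHARS, Backing, &Size, Fixed)
      != EFI_BUFFER_TOO_SMALL) {
    return false;
  }
  for (UINTN i = SUPPLIED_BYTES; i < sizeof Backing; i++) {
    if (Bytes[i] != 0xA5) {
      return false;           /* clearing ran past the supplied buffer */
    }
  }
  return true;
}

/* The size handed back to the caller in the too-small case. */
static UINTN
ReportedSize(bool Fixed)
{
  CHAR16 Backing[BACKING_CHARS];
  UINTN  Size = SUPPLIED_BYTES;
  (void)ModelReadLine(SampleLine, SAMPLE_CHARS, Backing, &Size, Fixed);
  return Size;
}

/* Success path: a large enough buffer receives the line unchanged. */
static bool
FitsWhenLargeEnough(void)
{
  CHAR16 Backing[BACKING_CHARS];
  UINTN  Size = sizeof Backing;
  if (ModelReadLine(SampleLine, SAMPLE_CHARS, Backing, &Size, true)
      != EFI_SUCCESS) {
    return false;
  }
  return memcmp(Backing, SampleLine, sizeof SampleLine) == 0;
}

int
main(void)
{
  printf("pre-fix: canary intact = %d, reported size = %zu\n",
         CanaryIntact(false), (size_t)ReportedSize(false));
  printf("fixed:   canary intact = %d, reported size = %zu\n",
         CanaryIntact(true), (size_t)ReportedSize(true));
  return 0;
}
```

Both variants report the same required size (24 bytes here), which is why the defect was easy to miss in normal use: callers that retry with a bigger buffer see correct results, while the 16 bytes past the original allocation have already been clobbered. A canary region of this kind, or a run under AddressSanitizer with an exactly sized heap buffer, is the quickest regression check for in/out size parameters.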