From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <star.zeng@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=134.134.136.65; helo=mga03.intel.com;
 envelope-from=star.zeng@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 7253621179256
 for <edk2-devel@lists.01.org>; Mon, 15 Oct 2018 21:53:16 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
 by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 15 Oct 2018 21:53:15 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,387,1534834800"; d="scan'208";a="100571732"
Received: from shzintpr01.sh.intel.com (HELO [10.7.209.21]) ([10.239.4.80])
 by orsmga002.jf.intel.com with ESMTP; 15 Oct 2018 21:53:14 -0700
To: Ruiyu Ni <ruiyu.ni@intel.com>, edk2-devel@lists.01.org
Cc: Jiewen Yao <jiewen.yao@intel.com>, star.zeng@intel.com
References: <20181015063833.61304-1-ruiyu.ni@intel.com>
 <20181015063833.61304-8-ruiyu.ni@intel.com>
From: "Zeng, Star" <star.zeng@intel.com>
Message-ID: <cca20638-cb01-e20f-ab52-83ac4ec5fb46@intel.com>
Date: Tue, 16 Oct 2018 12:52:44 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20181015063833.61304-8-ruiyu.ni@intel.com>
Subject: Re: [PATCH 07/11] MdeModulePkg/UsbKb: Don't access key codes when length is wrong
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 04:53:16 -0000
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 2018/10/15 14:38, Ruiyu Ni wrote:
> Per USB HID spec, the buffer holding key codes should be 8-byte
> long.
> Today's code assumes that the key codes buffer length is 8-byte
> long and unconditionally accesses the key codes buffer.
> It's incorrect.
> The patch fixes the issue by returning Device Error when the
> length is less than 8-byte.
> 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Steven Shi <steven.shi@intel.com>
> ---
>   MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> index 9cb4b5db6b..384d7e2f07 100644
> --- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> +++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> @@ -1059,6 +1059,10 @@ KeyboardHandler (
>     // Byte 1 is reserved.
>     // Bytes 2 to 7 are keycodes.
>     //
> +  if ((Data != NULL) && (DataLength < 8)) {
> +    return EFI_DEVICE_ERROR;
> +  }

Ray,

Thanks for the patch.
The NULL check to Data has been done by code piece

   //
   // If no error and no data, just return EFI_SUCCESS.
   //
   if (DataLength == 0 || Data == NULL) {
     return EFI_SUCCESS;
   }

And do you think whether the code can use DataLength != 8 instead of 
DataLength < 8?

Thanks,
Star

> +
>     CurKeyCodeBuffer  = (UINT8 *) Data;
>     OldKeyCodeBuffer  = UsbKeyboardDevice->LastKeyCodeArray;
>   
>