From: "yi1 li"
To: devel@edk2.groups.io
Cc: Yi Li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Jiewen Yao
Subject: [PATCH V2 1/1] CryptoPkg: Fix pem heap-buffer-overflow due to BIO_snprintf()
Date: Mon, 26 Sep 2022 08:24:33 +0800
Message-Id:
X-Mailer: git-send-email 2.31.1.windows.1
In-Reply-To:
References:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4075

Fake BIO_snprintf() does not actually print anything to buf; it should return -1 as error. 0 will be considered a correct return value; the consumer may think that the buf is valid and parse the buffer. Please refer to the bugzilla link for details.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Xiaoyu Lu
Cc: Guomin Jiang
Signed-off-by: Yi Li
Reviewed-by: Jiewen Yao
--- CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c index c1fc33538f..b65d29485b 100644 --- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c @@ -494,7 +494,9 @@ BIO_snprintf ( ... ) { - return 0; + // Because the function does not actually print anything to buf, it returns -1 as error. + // Otherwise, the consumer may think that the buf is valid and parse the buffer. + return -1; } #ifdef __GNUC__ -- 2.31.1.windows.1
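
Review bot: at the new `return -1;` in BIO_snprintf(), the stub still leaves buf untouched, so the fix protects only callers that test the return value for an error before reading the buffer. If the buffer and its size are in scope in the elided parameter list (OpenSSL declares BIO_snprintf(char *buf, size_t n, const char *format, ...)), consider also storing a terminating NUL in the first byte when the size is non-zero, so that a caller which ignores the result parses an empty string rather than whatever the buffer already held. The added comment could also note that -1 matches what the real BIO_snprintf() documents for error or truncated output, which makes clear why that value was chosen over any other negative number.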