From: Laszlo Ersek <lersek@redhat.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
edk2-devel@ml01.01.org, leif.lindholm@linaro.org
Subject: Re: [PATCH 2/2] ArmPlatformPkg/BootMonFs: eliminate deprecated string functions
Date: Wed, 26 Oct 2016 13:26:32 +0200 [thread overview]
Message-ID: <e495e9b2-df3c-9bff-d51f-bc535401d401@redhat.com> (raw)
In-Reply-To: <1477419424-22235-3-git-send-email-ard.biesheuvel@linaro.org>
On 10/25/16 20:17, Ard Biesheuvel wrote:
> Get rid of functions that are no longer available when defining
> DISABLE_NEW_DEPRECATED_INTERFACES
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsDir.c | 8 +++-----
> ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsEntryPoint.c | 3 ++-
> ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsOpenClose.c | 12 +++++-------
> 3 files changed, 10 insertions(+), 13 deletions(-)
>
> diff --git a/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsDir.c b/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsDir.c
> index 450a707f183c..2736d3e0d0bf 100644
> --- a/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsDir.c
> +++ b/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsDir.c
> @@ -304,7 +304,6 @@ SetFileName (
> IN CONST CHAR16 *FileName
> )
> {
> - CHAR16 TruncFileName[MAX_NAME_LENGTH];
> CHAR8 AsciiFileName[MAX_NAME_LENGTH];
> BOOTMON_FS_FILE *SameFile;
>
> @@ -314,9 +313,7 @@ SetFileName (
> FileName++;
> }
>
> - StrnCpy (TruncFileName, FileName, MAX_NAME_LENGTH - 1);
> - TruncFileName[MAX_NAME_LENGTH - 1] = 0;
> - UnicodeStrToAsciiStr (TruncFileName, AsciiFileName);
> + UnicodeStrToAsciiStrS (FileName, AsciiFileName, MAX_NAME_LENGTH);
>
> if (BootMonGetFileFromAsciiFileName (
> File->Instance,
Good.
> @@ -327,7 +324,8 @@ SetFileName (
> return EFI_ACCESS_DENIED;
> } else {
> // OK, change the filename.
> - AsciiStrToUnicodeStr (AsciiFileName, File->Info->FileName);
> + AsciiStrToUnicodeStrS (AsciiFileName, File->Info->FileName,
> + (File->Info->Size - sizeof *File->Info) / sizeof (CHAR16));
> return EFI_SUCCESS;
> }
> }
I think this is incorrect. The division is fine, but the dividend is off
by one CHAR16: the last member of EFI_FILE_INFO (that is, of *File->Info) is
///
/// The Null-terminated name of the file.
///
CHAR16 FileName[1];
If you subtract the entire EFI_FILE_INFO structure, then you remove the
first character from the file name as well.
Please add (sizeof (CHAR16)) to the dividend; or else, use
File->Info->Size - OFFSET_OF (EFI_FILE_INFO, FileName)
as the dividend.
Hey, wait a minute: look at the macro SIZE_OF_EFI_FILE_INFO in
"MdePkg/Include/Guid/FileInfo.h":
///
/// The FileName field of the EFI_FILE_INFO data structure is variable
/// length. Whenever code needs to know the size of the EFI_FILE_INFO
/// data structure, it needs to be the size of the data structure
/// without the FileName field. The following macro computes this size
/// correctly no matter how big the FileName array is declared. This is
/// required to make the EFI_FILE_INFO data structure ANSI compilant.
///
#define SIZE_OF_EFI_FILE_INFO OFFSET_OF (EFI_FILE_INFO, FileName)
So, for take-no-hostages pedantry, you should make the dividend
File->Info->Size - SIZE_OF_EFI_FILE_INFO
> diff --git a/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsEntryPoint.c b/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsEntryPoint.c
> index 3d71760fef99..a1150856f6ba 100644
> --- a/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsEntryPoint.c
> +++ b/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsEntryPoint.c
> @@ -98,7 +98,8 @@ BootMonGetFileFromAsciiFileName (
> {
> FileEntry = BOOTMON_FS_FILE_FROM_LINK_THIS (Entry);
> if (FileEntry->Info != NULL) {
> - UnicodeStrToAsciiStr (FileEntry->Info->FileName, OpenFileAsciiFileName);
> + UnicodeStrToAsciiStrS (FileEntry->Info->FileName, OpenFileAsciiFileName,
> + MAX_NAME_LENGTH);
> AsciiFileNameToCompare = OpenFileAsciiFileName;
> } else {
> AsciiFileNameToCompare = FileEntry->HwDescription.Footer.Filename;
okay
> diff --git a/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsOpenClose.c b/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsOpenClose.c
> index af2fe514f044..4927d987eccf 100644
> --- a/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsOpenClose.c
> +++ b/ArmPlatformPkg/FileSystem/BootMonFs/BootMonFsOpenClose.c
> @@ -101,7 +101,8 @@ WriteFileDescription (
> Description->Attributes = 1;
> Description->BlockStart = FileStart / BlockSize;
> Description->BlockEnd = Description->BlockStart + (FileSize / BlockSize);
> - AsciiStrCpy (Description->Footer.Filename, FileName);
> + AsciiStrCpyS (Description->Footer.Filename,
> + sizeof Description->Footer.Filename, FileName);
>
> #ifdef MDE_CPU_ARM
> Description->Footer.Offset = HW_IMAGE_FOOTER_OFFSET;
okay
> @@ -294,7 +295,7 @@ BootMonFsFlushFile (
> DiskIo = Instance->DiskIo;
> BlockSize = Media->BlockSize;
>
> - UnicodeStrToAsciiStr (Info->FileName, AsciiFileName);
> + UnicodeStrToAsciiStrS (Info->FileName, AsciiFileName, MAX_NAME_LENGTH);
>
> // If the file doesn't exist then find a space for it
> if (File->HwDescription.RegionCount == 0) {
okay
> @@ -626,10 +627,7 @@ BootMonFsOpenFile (
> Status = EFI_OUT_OF_RESOURCES;
> goto Error;
> }
> - UnicodeStrToAsciiStr (Path, AsciiFileName);
> - if (AsciiStrSize (AsciiFileName) > MAX_NAME_LENGTH) {
> - AsciiFileName[MAX_NAME_LENGTH - 1] = '\0';
> - }
> + UnicodeStrToAsciiStrS (Path, AsciiFileName, MAX_NAME_LENGTH);
>
> if ((AsciiFileName[0] == '\0') ||
> (AsciiFileName[0] == '.' ) ) {
This change is incorrect. Consider the case when StrLen (Path) == 1, for
example -- you won't have MAX_NAME_LENGTH (32) characters in the
dynamically allocated AsciiFileName array.
I realize that no buffer overflow could happen in reality -- that's
because the original code is already safe here, and the receiving ASCII
buffer has been sized for the UCS2 input -- but DestMax=MAX_NAME_LENGTH
is untrue, generally speaking.
I suggest to introduce
AsciiFileNameSize = StrLen (Path) + 1;
if (AsciiFileNameSize > MAX_NAME_LENGTH) {
AsciiFileNameSize = MAX_NAME_LENGTH;
}
and then use AsciiFileNameSize in both the allocation and the
UnicodeStrToAsciiStrS() call.
> @@ -688,7 +686,7 @@ BootMonFsOpenFile (
>
> Info->FileSize = BootMonFsGetImageLength (File);
> Info->PhysicalSize = BootMonFsGetPhysicalSize (File);
> - AsciiStrToUnicodeStr (AsciiFileName, Info->FileName);
> + AsciiStrToUnicodeStrS (AsciiFileName, Info->FileName, MAX_NAME_LENGTH);
>
> File->Info = Info;
> Info = NULL;
>
Info is allocated with:
Info = AllocateZeroPool (
SIZE_OF_EFI_FILE_INFO + (sizeof (CHAR16) * MAX_NAME_LENGTH));
-- see SIZE_OF_EFI_FILE_INFO above --, so this hunk is correct.
Thanks
Laszlo
prev parent reply other threads:[~2016-10-26 11:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-25 18:17 [PATCH 0/2] ArmPlatformPkg: remove deprecated string function calls Ard Biesheuvel
2016-10-25 18:17 ` [PATCH 1/2] ArmPlatformPkg/ArmVExpressFastBootDxe: eliminate deprecated string functions Ard Biesheuvel
2016-10-26 10:32 ` Laszlo Ersek
2016-10-26 10:34 ` Ard Biesheuvel
2016-10-26 11:28 ` Laszlo Ersek
2016-10-25 18:17 ` [PATCH 2/2] ArmPlatformPkg/BootMonFs: " Ard Biesheuvel
2016-10-26 11:26 ` Laszlo Ersek [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e495e9b2-df3c-9bff-d51f-bc535401d401@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox