From: "Feng, YunhuaX" To: "devel@edk2.groups.io" CC: "Gao, Liming" , "Feng, Bob C" Subject: [PATCH] Tools/FitGen: Check the input file path before open it Thread-Topic: [PATCH] Tools/FitGen: Check the input file path before open it Thread-Index: AdXnHdwLl0dFSAGLRfOFUrvSkP7G5g== Date: Wed, 19 Feb 2020 12:12:31 +0000 Message-ID: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.36] MIME-Version: 1.0 Return-Path: yunhuax.feng@intel.com X-Groupsio-MsgNum: 54634 Content-Type: multipart/mixed; boundary="_000_f10d62e938054cdd95f7d76c5e89a510intelcom_" Content-Language: en-US --_000_f10d62e938054cdd95f7d76c5e89a510intelcom_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2117 avoid path traversal attack check. Cc: Bob Feng Cc: Liming Gao Signed-off-by: Yunhua Feng --- Silicon/Intel/Tools/FitGen/FitGen.c | 47 +++++++++++++++++++++++++++++++++= ++++ 1 file changed, 47 insertions(+) diff --git a/Silicon/Intel/Tools/FitGen/FitGen.c b/Silicon/Intel/Tools/FitG= en/FitGen.c index 8122c10ebb..42d10d85bc 100644 --- a/Silicon/Intel/Tools/FitGen/FitGen.c +++ b/Silicon/Intel/Tools/FitGen/FitGen.c @@ -401,10 +401,38 @@ SetMem ( *(Pointer++) =3D Value; } return Buffer; } =20 +BOOLEAN +CheckPath ( + IN CHAR8 * String +) +{ + // + //Return FLASE if input file path include % character or is NULL + // + CHAR8 *StrPtr; + + StrPtr =3D String; + if (StrPtr =3D=3D NULL) { + return FALSE; + } + + if (*StrPtr =3D=3D 0) { + return FALSE; + } + + while (*StrPtr !=3D '\0') { + if (*StrPtr =3D=3D '%') { + return FALSE; + } + StrPtr++; + } + return TRUE; +} + STATUS ReadInputFile ( IN CHAR8 *FileName, OUT UINT8 **FileData, OUT UINT32 *FileSize, 
@@ -433,10 +461,19 @@ Returns: { FILE *FpIn; UINT32 TempResult; =20 // + //Check the File Path + // + if (!CheckPath(FileName)) { + + Error (NULL, 0, 0, "File path is invalid!", NULL); + return STATUS_ERROR; + } + + // // Open the Input FvRecovery.fv file // if ((FpIn =3D fopen (FileName, "rb")) =3D=3D NULL) { // // Return WARNING, let caller make decision @@ -2759,10 +2796,19 @@ Returns: --*/ { FILE *FpOut; =20 // + //Check the File Path + // + if (!CheckPath(FileName)) { + + Error (NULL, 0, 0, "File path is invalid!", NULL); + return STATUS_ERROR; + } + + // // Open the output FvRecovery.fv file // if ((FpOut =3D fopen (FileName, "w+b")) =3D=3D NULL) { Error (NULL, 0, 0, "Unable to open file", "%s", FileName); return STATUS_ERROR; 
@@ -2980,10 +3026,11 @@ Returns: UINT8 *FdFileBuffer; UINT32 FdFileSize; =20 UINT8 *AcmBuffer; =20 + FileBufferRaw =3D NULL; // // Step 0: Check FV or FD // if (((strcmp (argv[1], "-D") =3D=3D 0) || (strcmp (argv[1], "-d") =3D=3D 0)) ) { --=20 2.12.2.windows.2 --_000_f10d62e938054cdd95f7d76c5e89a510intelcom_ Content-Disposition: attachment; filename="winmail.dat" Content-Transfer-Encoding: base64 Content-Type: application/ms-tnef; name="winmail.dat" eJ8+IvgkAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEJgAEAIQAAADA3QzQ0Mjg4 MTc2QTc1NEVBMDg5RTQwNEM4OEY4QTM1ABEHAQ2ABAACAAAAAgACAAEFgAMADgAAAOQHAgATAAwA DAAfAAMAOgEBIIADAA4AAADkBwIAEwAMAAwAHwADADoBAQiABwAYAAAASVBNLk1pY3Jvc29mdCBN YWlsLk5vdGUAMQgBBIABAD8AAABbUEFUQ0hdIFRvb2xzL0ZpdEdlbjogQ2hlY2sgdGhlIGlucHV0 IGZpbGUgcGF0aCBiZWZvcmUgb3BlbiBpdACdFQELgAEAIQAAADA3QzQ0Mjg4MTc2QTc1NEVBMDg5 RTQwNEM4OEY4QTM1ABEHAQOQBgAIFgAARAAAAAIBfwABAAAALQAAADxmMTBkNjJlOTM4MDU0Y2Rk OTVmN2Q3NmM1ZTg5YTUxMEBpbnRlbC5jb20+AAAAAAsAHw4AAAAAAgEJEAEAAADrBQAA5wUAABsN AABMWkZ1j4DXzmEACmZiaWQEAABjY8BwZzEyNTIA/gND8HRleHQB9wKkA+MCAARjaArAc2V0MCDv B20CgwBQEU0yCoAGtAKAln0KgAjIOwliMTkOwL8JwxZyCjIWcQKAFWIqCbBzCfAEkGF0BbIOUANg c6JvAYAgRXgRwW4YMF0GUnYEkBe2AhByAMB0fQhQbhoxECAFwAWgG2RkmiADUiAQIheyXHYIkOR3 awuAZDUdUwTwB0ANF3AwCnEX8mJrbWsGcwGQACAgQk1fQuBFR0lOfQr8AfEL8UEH8EVGOiBoAkBw AHM6Ly9idWd6kwMQC2AudAcwbm8FoQRlLgWwZy9zaG8Ed18icS5jZ2k/AQ3QPTIxMTdcbI0LgGUK gSU0YXZvDdByIAqwdGgcwBhwGjFzTQdAIBiAAZBjaxvQaEkFkGsuJSxDYyHQQhBvYiBGCfBnIDyl BuBiJGAuZimRQAuArRAgbCRgA3A+KJlMB3DjC4ApsEdhbynAJTAsApwuZyxgKo8UwGlnGFCEZC0Z MGYtYnkh0EBZdW5odWEpdXntL2N4Kj8lNC0yACUlBgAnAxAOUAIgL0kqoi9UAm8G8HMvRml0RwcJ 8DPlJGAgfCA0N7wgKzVPNl82gDI2MRxw5wMQGeAZlGQsNQILgBIAhQAgaQIgcygrKSUsOw3gASAg MgAkgAVAYS/3Mr8zzzTQYju/PM8kYCUlkx2xEDAgOA6QMmMekERlYioALjQyFmAwMGQ4NWI00B6R NjT+NDGYO58/D0AZNoE9/0SvCUAZQEA7MDQwMSzHHpA1MEmiMzggSWEGYGh0TWUcsCgyNkuyKiwo UCYgKqFyNoApIHg9IFYHQApQFiBLV1w3IEBLVwlwdAhwA6BCdR8BIBpBMjZN+EX2Qk9PUExFQU5F 9kMn0lAXJnJLNkaAICAgIENI9EFSSnAqBgAmsCwRRfa/OgY3gAAAUuciUFW6Uk7E4EZMQVNFOTA7 
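Review bot: In the first hunk (@@ -401,10 +401,38 @@), the new CheckPath rejects only NULL, empty, and any string containing '%'; that does not implement what the commit message "avoid path traversal attack check." announces, since nothing here looks at ".." components or absolute paths. Either reword the message to say what is actually being filtered and why '%' is the character of concern, or extend the check to inspect path components. Also fix the typo "FLASE" in the comment, put a space after "//" to match the surrounding comment style, write the parameter as `IN CHAR8 *String` like `IN CHAR8 *FileName` below it, and give the function the `Routine Description / Arguments / Returns` header block that the neighbouring functions carry (visible as the `Returns:` and `--*/` context in the later hunks).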
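Review bot: In the ReadInputFile hunk (@@ -433,10 +461,19 @@), the invalid-path branch returns STATUS_ERROR while the fopen failure right below it is documented as "Return WARNING, let caller make decision"; a caller that tolerates a missing optional input will now hard-fail when that input merely has a rejected name, so confirm this is intended or return the same warning status. The message "File path is invalid!" also omits the offending path; report it the way the existing open failure does with `"%s", FileName`. Drop the stray blank line after `if (!CheckPath(FileName)) {`.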
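Review bot: In the output-file hunk (@@ -2759,10 +2796,19 @@), the check and error report are copied verbatim from ReadInputFile, blank line and path-less message included, so the two call sites will drift apart; consider having CheckPath (or a small wrapper) emit the error itself so each caller is a one-line test, and print FileName here as the adjacent `Error (NULL, 0, 0, "Unable to open file", "%s", FileName)` already does.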
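Review bot: In the last hunk (@@ -2980,10 +3026,11 @@), `FileBufferRaw = NULL;` is unrelated to path checking and is not mentioned in the commit message; either state there why it is needed (for example, whether one of the new early-error returns now leaves it unassigned before it is later tested or freed) or split it into its own patch.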