From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: devel@edk2.groups.io, michael.d.kinney@intel.com,
"lersek@redhat.com" <lersek@redhat.com>
Cc: "Gao, Liming" <liming.gao@intel.com>
Subject: Re: [edk2-devel] [PATCH 04/10] MdePkg/PiFirmwareFile: fix undefined behavior in FFS_FILE_SIZE
Date: Thu, 18 Apr 2019 19:20:03 +0200 [thread overview]
Message-ID: <fd543fed-026b-a377-f5b5-6593321bace8@redhat.com> (raw)
In-Reply-To: <E92EE9817A31E24EB0585FDF735412F5B9C9A45F@ORSMSX113.amr.corp.intel.com>
Hi Michael,
On 4/17/19 7:52 PM, Michael D Kinney wrote:
> Laszlo,
>
> I have been following this thread. I think the style
> used here to access the 3 array elements to build the
> 24-bit size value is the best approach. I prefer this
> over adding the union.
>
> I agree there is a read overrun issue when using UINT32 to
> read the Size[3] array contents.
>
> I do not think this is a real issue in practice, because the
> Size[3] array accessed is part of the larger
> EFI_COMMON_SECTION_HEADER structure. However, we always should
> clean up code to not do any read/write overruns without this
> type of analysis and the need to keep track of exceptions.
>
> There is a related set of code in the BaseLib for Read/Write
> Unaligned24().
>
> UINT32
> EFIAPI
> ReadUnaligned24 (
> IN CONST UINT32 *Buffer
> );
>
> UINT32
> EFIAPI
> WriteUnaligned24 (
> OUT UINT32 *Buffer,
> IN UINT32 Value
> );
>
> This API does not get flagged for read overrun issues because
> a UINT32 is passed in. However, for CPU archs that required aligned
> access, the 24-bit value must be read in pieces. This is why there
> are 2 different implementations:
>
> IA32/X64
> ========
> UINT32
> EFIAPI
> ReadUnaligned24 (
> IN CONST UINT32 *Buffer
> )
> {
> ASSERT (Buffer != NULL);
>
> return *Buffer & 0xffffff;
> }
>
>
> ARM/AARCH64
> ============
> UINT32
> EFIAPI
> ReadUnaligned24 (
> IN CONST UINT32 *Buffer
> )
> {
> ASSERT (Buffer != NULL);
>
> return (UINT32)(
> ReadUnaligned16 ((UINT16*)Buffer) |
> (((UINT8*)Buffer)[2] << 16)
> );
> }
>
> The ARM/ARCH64 implementation is clean because it does
> not do a read overrun of the 24-bit field. The IA32/X64
> implementation may have an issue because it reads a 32-bit
> value and strips the upper 8 bits.
>
> If we apply the same technique to the Size field of
> EFI_COMMON_SECTION_HEADER, then the 24-bit value would be
> built from reading only the 3 bytes of the array.
This ARM implementation assumes Buffer is halfword-aligned OR the
microarchitectures supports unaligned halfword access.
The 3x 8-bit accesses macro looks simpler than adding a 16-bit alignment
check on Buffer, such:
if (Buffer & 1) {
return (UINT32)(
((UINT8*)Buffer)[0] |
(ReadUnaligned16 ((UINT16*)&(((UINT8*)Buffer)[1])) << 8)
);
} else {
return (UINT32)(
ReadUnaligned16 ((UINT16*)Buffer) |
(((UINT8*)Buffer)[2] << 16)
);
}
> Best regards,
>
> Mike
>
>> -----Original Message-----
>> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io]
>> On Behalf Of Laszlo Ersek
>> Sent: Friday, April 12, 2019 4:31 PM
>> To: edk2-devel-groups-io <devel@edk2.groups.io>
>> Cc: Gao, Liming <liming.gao@intel.com>; Kinney, Michael
>> D <michael.d.kinney@intel.com>
>> Subject: [edk2-devel] [PATCH 04/10]
>> MdePkg/PiFirmwareFile: fix undefined behavior in
>> FFS_FILE_SIZE
>>
>> Accessing "EFI_FFS_FILE_HEADER.Size", which is of type
>> UINT8[3], through a
>> (UINT32*), is undefined behavior. Fix it by accessing
>> the array elements
>> individually.
>>
>> (We can't use a union here, unfortunately, as easily as
>> with
>> "EFI_COMMON_SECTION_HEADER", given the fields in
>> "EFI_FFS_FILE_HEADER".)
>>
>> Cc: Liming Gao <liming.gao@intel.com>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Bugzilla:
>> https://bugzilla.tianocore.org/show_bug.cgi?id=1710
>> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
>> ---
>> MdePkg/Include/Pi/PiFirmwareFile.h | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> diff --git a/MdePkg/Include/Pi/PiFirmwareFile.h
>> b/MdePkg/Include/Pi/PiFirmwareFile.h
>> index 4fce8298d1c0..0668f3fa9af4 100644
>> --- a/MdePkg/Include/Pi/PiFirmwareFile.h
>> +++ b/MdePkg/Include/Pi/PiFirmwareFile.h
>> @@ -174,18 +174,26 @@ typedef struct {
>> /// If FFS_ATTRIB_LARGE_FILE is not set then
>> EFI_FFS_FILE_HEADER is used.
>> ///
>> UINT64 ExtendedSize;
>> } EFI_FFS_FILE_HEADER2;
>>
>> #define IS_FFS_FILE2(FfsFileHeaderPtr) \
>> (((((EFI_FFS_FILE_HEADER *) (UINTN)
>> FfsFileHeaderPtr)->Attributes) & FFS_ATTRIB_LARGE_FILE)
>> == FFS_ATTRIB_LARGE_FILE)
>>
>> +#define FFS_FILE_SIZE_ARRAY(FfsFileHeaderPtr) \
>> + (((EFI_FFS_FILE_HEADER *) (UINTN)
>> (FfsFileHeaderPtr))->Size)
>> +
>> +#define FFS_FILE_SIZE_ELEMENT(FfsFileHeaderPtr, Index)
>> \
>> + ((UINT32) FFS_FILE_SIZE_ARRAY
>> (FfsFileHeaderPtr)[(Index)])
>> +
>> #define FFS_FILE_SIZE(FfsFileHeaderPtr) \
>> - ((UINT32) (*((UINT32 *) ((EFI_FFS_FILE_HEADER *)
>> (UINTN) FfsFileHeaderPtr)->Size) & 0x00ffffff))
>> + ((FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 0) <<
>> 0) | \
>> + (FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 1) <<
>> 8) | \
>> + (FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 2) <<
>> 16))
>>
>> #define FFS_FILE2_SIZE(FfsFileHeaderPtr) \
>> ((UINT32) (((EFI_FFS_FILE_HEADER2 *) (UINTN)
>> FfsFileHeaderPtr)->ExtendedSize))
>>
>> typedef UINT8 EFI_SECTION_TYPE;
>>
>> ///
>> /// Pseudo type. It is used as a wild card when
>> retrieving sections.
>> --
>> 2.19.1.3.g30247aa5d201
>>
>>
>>
>> -=-=-=-=-=-=
>> Groups.io Links: You receive all messages sent to this
>> group.
>>
>> View/Reply Online (#38989):
>> https://edk2.groups.io/g/devel/message/38989
>> Mute This Topic: https://groups.io/mt/31070304/1643496
>> Group Owner: devel+owner@edk2.groups.io
>> Unsubscribe: https://edk2.groups.io/g/devel/unsub
>> [michael.d.kinney@intel.com]
>> -=-=-=-=-=-=
>
>
>
>
next prev parent reply other threads:[~2019-04-18 17:20 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-12 23:31 [PATCH 00/10] patches for some warnings raised by "RH covscan" Laszlo Ersek
2019-04-12 23:31 ` [PATCH 01/10] MdePkg/PiFirmwareFile: express IS_SECTION2 in terms of SECTION_SIZE Laszlo Ersek
2019-04-15 17:01 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 02/10] MdePkg/PiFirmwareFile: fix undefined behavior in SECTION_SIZE Laszlo Ersek
2019-04-14 7:19 ` [edk2-devel] " Jordan Justen
2019-04-15 16:15 ` Laszlo Ersek
2019-04-16 8:28 ` Liming Gao
2019-04-16 9:04 ` Jordan Justen
2019-04-16 10:59 ` Laszlo Ersek
2019-04-16 16:50 ` Philippe Mathieu-Daudé
2019-04-17 10:08 ` Laszlo Ersek
2019-04-16 18:48 ` Jordan Justen
2019-04-16 23:25 ` Andrew Fish
2019-04-17 10:29 ` Laszlo Ersek
2019-04-17 11:44 ` Andrew Fish
2019-04-17 14:59 ` Laszlo Ersek
2019-04-17 19:35 ` Jordan Justen
2019-04-18 9:38 ` Laszlo Ersek
2019-04-18 15:18 ` Liming Gao
2019-04-17 10:01 ` Laszlo Ersek
2019-04-12 23:31 ` [PATCH 03/10] BaseTools/PiFirmwareFile: " Laszlo Ersek
2019-04-12 23:31 ` [PATCH 04/10] MdePkg/PiFirmwareFile: fix undefined behavior in FFS_FILE_SIZE Laszlo Ersek
2019-04-15 17:23 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-17 17:52 ` Michael D Kinney
2019-04-17 18:31 ` Michael D Kinney
2019-04-18 9:06 ` Laszlo Ersek
2019-04-17 18:31 ` Andrew Fish
2019-04-17 18:36 ` Michael D Kinney
2019-04-18 8:48 ` Laszlo Ersek
2019-04-18 8:45 ` Laszlo Ersek
2019-04-18 23:12 ` Laszlo Ersek
2019-04-18 17:20 ` Philippe Mathieu-Daudé [this message]
2019-04-18 17:59 ` Michael D Kinney
2019-04-18 18:12 ` Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 05/10] OvmfPkg/Sec: fix out-of-bounds reads Laszlo Ersek
2019-04-15 17:24 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 06/10] OvmfPkg/QemuVideoDxe: avoid arithmetic on null pointer Laszlo Ersek
2019-04-12 23:31 ` [PATCH 07/10] OvmfPkg/AcpiPlatformDxe: suppress invalid "deref of undef pointer" warning Laszlo Ersek
2019-04-15 17:26 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 08/10] OvmfPkg: suppress "Value stored to ... is never read" analyzer warnings Laszlo Ersek
2019-04-14 8:03 ` [edk2-devel] " Jordan Justen
2019-04-15 16:25 ` Laszlo Ersek
2019-04-16 9:26 ` Jordan Justen
2019-04-16 11:44 ` Laszlo Ersek
2019-04-12 23:31 ` [PATCH 09/10] OvmfPkg/AcpiPlatformDxe: catch theoretical nullptr deref in Xen code Laszlo Ersek
2019-04-15 17:28 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-12 23:31 ` [PATCH 10/10] OvmfPkg/BasePciCapLib: suppress invalid "nullptr deref" warning Laszlo Ersek
2019-04-15 17:31 ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-16 11:01 ` Laszlo Ersek
2019-04-12 23:36 ` [PATCH 00/10] patches for some warnings raised by "RH covscan" Ard Biesheuvel
2019-04-15 16:16 ` Laszlo Ersek
2019-04-18 14:20 ` [edk2-devel] " Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fd543fed-026b-a377-f5b5-6593321bace8@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox