From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.93; helo=mga11.intel.com; envelope-from=star.zeng@intel.com; receiver=edk2-devel@lists.01.org Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 2E0A72117925A for ; Mon, 15 Oct 2018 22:01:49 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Oct 2018 22:01:48 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,387,1534834800"; d="scan'208";a="100573458" Received: from shzintpr02.sh.intel.com (HELO [10.7.209.21]) ([10.239.4.160]) by orsmga002.jf.intel.com with ESMTP; 15 Oct 2018 22:01:47 -0700 To: Ruiyu Ni , edk2-devel@lists.01.org Cc: Jiewen Yao , star.zeng@intel.com References: <20181015063833.61304-1-ruiyu.ni@intel.com> <20181015063833.61304-9-ruiyu.ni@intel.com> From: "Zeng, Star" Message-ID: Date: Tue, 16 Oct 2018 13:01:17 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20181015063833.61304-9-ruiyu.ni@intel.com> Subject: Re: [PATCH 08/11] MdeModulePkg/AbsPointer: Don't access key codes when length is wrong X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Oct 2018 05:01:49 -0000 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit On 2018/10/15 14:38, Ruiyu Ni wrote: > Per USB HID spec, the buffer holding key codes should at least 3-byte > long. > Today's code assumes that the key codes buffer length is longer than > 3-byte and unconditionally accesses the key codes buffer. > It's incorrect. > The patch fixes the issue by returning Device Error when the > length is less than 3-byte. > > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Ruiyu Ni > Cc: Star Zeng > Cc: Jiewen Yao > Cc: Steven Shi > --- > .../Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c b/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c > index 965195ca34..b4638961d9 100644 > --- a/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c > +++ b/MdeModulePkg/Bus/Usb/UsbMouseAbsolutePointerDxe/UsbMouseAbsolutePointer.c > @@ -813,8 +813,6 @@ OnMouseInterruptComplete ( > return EFI_SUCCESS; > } > > - UsbMouseAbsolutePointerDevice->StateChanged = TRUE; > - > // > // Check mouse Data > // USB HID Specification specifies following data format: > @@ -827,6 +825,12 @@ OnMouseInterruptComplete ( > // 2 0 to 7 Y displacement > // 3 to n 0 to 7 Device specific (optional) > // > + if ((Data != NULL) && (DataLength < 3)) { > + return EFI_DEVICE_ERROR; > + } Ray, Thanks for the patch. Data is impossible to be NULL here as the NULL check to Data has been done by code piece // // If no error and no data, just return EFI_SUCCESS. // if (DataLength == 0 || Data == NULL) { return EFI_SUCCESS; } Thanks, Star > + > + UsbMouseAbsolutePointerDevice->StateChanged = TRUE; > + > UsbMouseAbsolutePointerDevice->State.ActiveButtons = *(UINT8 *) Data & (BIT0 | BIT1 | BIT2); > > UsbMouseAbsolutePointerDevice->State.CurrentX = >