From nobody Tue Apr 30 21:06:37 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1495502375324522.4928735070167; Mon, 22 May 2017 18:19:35 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id A751421A0910B; Mon, 22 May 2017 18:19:32 -0700 (PDT) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 0ABE621A09104 for ; Mon, 22 May 2017 18:19:31 -0700 (PDT) Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 May 2017 18:19:30 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by orsmga003.jf.intel.com with ESMTP; 22 May 2017 18:19:29 -0700 X-Original-To: edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.38,379,1491289200"; d="scan'208";a="971868140" From: Hao Wu To: edk2-devel@lists.01.org Date: Tue, 23 May 2017 09:19:24 +0800 Message-Id: <20170523011925.6264-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170523011925.6264-1-hao.a.wu@intel.com> References: <20170523011925.6264-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 1/2] MdePkg/BasePrintLib: Avoid reading content beyond the format string X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Michael Kinney , Jiewen Yao , Liming Gao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" In function BasePrintLibSPrintMarker(), when processing ASCII format strings, if the format string walker pointer 'Format' is pointing at the end of the format string (i.e. '\0'), the following expression: *(Format + 1) will read an undefined value. Though this value won't affect the functionality, since it will be masked by variable 'FormatMask': (*(Format + 1) << 8)) & FormatMask (FormatMask is 0xff for ASCII format string) This commit adds additional logic to avoid reading undefined content. Cc: Jiewen Yao Cc: Liming Gao Cc: Michael Kinney Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu --- MdePkg/Library/BasePrintLib/PrintLibInternal.c | 48 ++++++++++++++++---- 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Librar= y/BasePrintLib/PrintLibInternal.c index 9b15a07ac0..d665b7b1d2 100644 --- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c +++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c @@ -653,7 +653,11 @@ BasePrintLibSPrintMarker ( // // Get the first character from the format string // - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMa= sk; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Format= Mask; + } =20 // // Loop until the end of the format string is reached or the output buff= er is full @@ -685,7 +689,11 @@ BasePrintLibSPrintMarker ( // for (Done =3D FALSE; !Done; ) { Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & = FormatMask; + } switch (FormatCharacter) { case '.':=20 Flags |=3D PRECISION;=20 @@ -738,7 +746,11 @@ BasePrintLibSPrintMarker ( for (Count =3D 0; ((FormatCharacter >=3D '0') && (FormatCharact= er <=3D '9')); ){ Count =3D (Count * 10) + FormatCharacter - '0'; Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) = & FormatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)= ) & FormatMask; + } } Format -=3D BytesPerFormatCharacter; if ((Flags & PRECISION) =3D=3D 0) { @@ -1017,7 +1029,11 @@ BasePrintLibSPrintMarker ( =20 case '\r': Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & = FormatMask; + } if (FormatCharacter =3D=3D '\n') { // // Translate '\r\n' to '\r\n' @@ -1038,7 +1054,11 @@ BasePrintLibSPrintMarker ( // ArgumentString =3D "\r\n"; Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & = FormatMask; + } if (FormatCharacter !=3D '\r') { Format -=3D BytesPerFormatCharacter; } @@ -1057,7 +1077,11 @@ BasePrintLibSPrintMarker ( =20 case '\r': Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Form= atMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + } if (FormatCharacter =3D=3D '\n') { // // Translate '\r\n' to '\r\n' @@ -1078,7 +1102,11 @@ BasePrintLibSPrintMarker ( // ArgumentString =3D "\r\n"; Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Form= atMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + } if (FormatCharacter !=3D '\r') { Format -=3D BytesPerFormatCharacter; } @@ -1206,7 +1234,11 @@ BasePrintLibSPrintMarker ( // // Get the next character from the format string // - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Format= Mask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Form= atMask; + } } =20 if ((Flags & COUNT_ONLY_NO_PRINT) !=3D 0) { --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Tue Apr 30 21:06:37 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1495502378019205.9192269587013; Mon, 22 May 2017 18:19:38 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id DB65821A0913B; Mon, 22 May 2017 18:19:32 -0700 (PDT) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 580AA21A09104 for ; Mon, 22 May 2017 18:19:32 -0700 (PDT) Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 May 2017 18:19:32 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by orsmga003.jf.intel.com with ESMTP; 22 May 2017 18:19:30 -0700 X-Original-To: edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.38,379,1491289200"; d="scan'208";a="971868147" From: Hao Wu To: edk2-devel@lists.01.org Date: Tue, 23 May 2017 09:19:25 +0800 Message-Id: <20170523011925.6264-3-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170523011925.6264-1-hao.a.wu@intel.com> References: <20170523011925.6264-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 2/2] MdeModulePkg/PrintLib: Avoid reading content beyond the format string X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Michael Kinney , Jiewen Yao , Liming Gao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" In functions DxePrintLibPrint2ProtocolVaListToBaseList() and InternalPrintLibSPrintMarker(), when processing ASCII format strings, if the format string walker pointer 'Format' is pointing at the end of the format string (i.e. '\0'), the following expression: *(Format + 1) will read an undefined value. Though this value won't affect the functionality, since it will be masked by variable 'FormatMask': (*(Format + 1) << 8)) & FormatMask (FormatMask is 0xff for ASCII format string) This commit adds additional logic to avoid reading undefined content. Cc: Jiewen Yao Cc: Liming Gao Cc: Michael Kinney Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu --- MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c | 66 +++++++++++= +++++---- 1 file changed, 55 insertions(+), 11 deletions(-) diff --git a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c b/Md= eModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c index 9f702c4fef..342eee42fc 100644 --- a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c +++ b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c @@ -130,7 +130,11 @@ DxePrintLibPrint2ProtocolVaListToBaseList ( // // Get the first character from the format string // - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMa= sk; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Format= Mask; + } =20 while (FormatCharacter !=3D 0) { if (FormatCharacter =3D=3D '%') { @@ -148,7 +152,11 @@ DxePrintLibPrint2ProtocolVaListToBaseList ( // // Get the next character from the format string // - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & = FormatMask; + } =20 switch (FormatCharacter) { case '.':=20 @@ -239,7 +247,11 @@ DxePrintLibPrint2ProtocolVaListToBaseList ( // // Get the next character from the format string // - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Format= Mask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Form= atMask; + } } return TRUE; } @@ -1596,7 +1608,11 @@ InternalPrintLibSPrintMarker ( // // Get the first character from the format string // - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMa= sk; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Format= Mask; + } =20 // // Loop until the end of the format string is reached or the output buff= er is full @@ -1628,7 +1644,11 @@ InternalPrintLibSPrintMarker ( // for (Done =3D FALSE; !Done; ) { Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & = FormatMask; + } switch (FormatCharacter) { case '.':=20 Flags |=3D PRECISION;=20 @@ -1681,7 +1701,11 @@ InternalPrintLibSPrintMarker ( for (Count =3D 0; ((FormatCharacter >=3D '0') && (FormatCharact= er <=3D '9')); ){ Count =3D (Count * 10) + FormatCharacter - '0'; Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) = & FormatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)= ) & FormatMask; + } } Format -=3D BytesPerFormatCharacter; if ((Flags & PRECISION) =3D=3D 0) { @@ -1960,7 +1984,11 @@ InternalPrintLibSPrintMarker ( =20 case '\r': Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & = FormatMask; + } if (FormatCharacter =3D=3D '\n') { // // Translate '\r\n' to '\r\n' @@ -1981,7 +2009,11 @@ InternalPrintLibSPrintMarker ( // ArgumentString =3D "\r\n"; Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & = FormatMask; + } if (FormatCharacter !=3D '\r') { Format -=3D BytesPerFormatCharacter; } @@ -2000,7 +2032,11 @@ InternalPrintLibSPrintMarker ( =20 case '\r': Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Form= atMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + } if (FormatCharacter =3D=3D '\n') { // // Translate '\r\n' to '\r\n' @@ -2021,7 +2057,11 @@ InternalPrintLibSPrintMarker ( // ArgumentString =3D "\r\n"; Format +=3D BytesPerFormatCharacter; - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Form= atMask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Fo= rmatMask; + } if (FormatCharacter !=3D '\r') { Format -=3D BytesPerFormatCharacter; } @@ -2149,7 +2189,11 @@ InternalPrintLibSPrintMarker ( // // Get the next character from the format string // - FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Format= Mask; + if (BytesPerFormatCharacter =3D=3D 1) { + FormatCharacter =3D (*Format & 0xff) & FormatMask; + } else { + FormatCharacter =3D ((*Format & 0xff) | (*(Format + 1) << 8)) & Form= atMask; + } } =20 if ((Flags & COUNT_ONLY_NO_PRINT) !=3D 0) { --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel