From nobody Mon May 6 01:49:41 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1505821127177891.1522929729471; Tue, 19 Sep 2017 04:38:47 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 73D2E21E945F4; Tue, 19 Sep 2017 04:35:37 -0700 (PDT) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 9A58421D046D0 for ; Tue, 19 Sep 2017 04:35:35 -0700 (PDT) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga105.fm.intel.com with ESMTP; 19 Sep 2017 04:38:40 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by orsmga001.jf.intel.com with ESMTP; 19 Sep 2017 04:38:38 -0700 X-Original-To: edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.42,418,1500966000"; d="scan'208";a="1173700368" From: Hao Wu To: edk2-devel@lists.01.org Date: Tue, 19 Sep 2017 19:38:32 +0800 Message-Id: <20170919113833.14048-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170919113833.14048-1-hao.a.wu@intel.com> References: <20170919113833.14048-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Ruiyu Ni , Jaben Carsey MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D690 Within function EfiShellGetDevicePathFromFilePath(), when the input parameter 'Path' string is like: "FS0:" It is possible for the below statement: "if (*(Path+StrLen(MapName)+1) =3D=3D CHAR_NULL) {" to read the content 1 byte beyond the string boundary (both 'Path' and 'MapName' will be FS0: in this case). This commit adds additional checks to avoid this. Cc: Ruiyu Ni Cc: Jaben Carsey Cc: Steven Shi Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu Reviewed-by: Jaben Carsey Reviewed-by: Ruiyu Ni --- ShellPkg/Application/Shell/ShellProtocol.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ShellPkg/Application/Shell/ShellProtocol.c b/ShellPkg/Applicat= ion/Shell/ShellProtocol.c index 40e5e653ae..5e34b8dad1 100644 --- a/ShellPkg/Application/Shell/ShellProtocol.c +++ b/ShellPkg/Application/Shell/ShellProtocol.c @@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath( // // build the full device path // - if (*(Path+StrLen(MapName)+1) =3D=3D CHAR_NULL) { + if ((*(Path+StrLen(MapName)) !=3D CHAR_NULL) && + (*(Path+StrLen(MapName)+1) =3D=3D CHAR_NULL)) { DevicePathForReturn =3D FileDevicePath(Handle, L"\\"); } else { DevicePathForReturn =3D FileDevicePath(Handle, Path+StrLen(MapName)); --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon May 6 01:49:41 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1505821127796162.4613196556835; Tue, 19 Sep 2017 04:38:47 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id B7B1121E945F8; Tue, 19 Sep 2017 04:35:39 -0700 (PDT) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 5D39721E945EF for ; Tue, 19 Sep 2017 04:35:37 -0700 (PDT) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga105.fm.intel.com with ESMTP; 19 Sep 2017 04:38:41 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by orsmga001.jf.intel.com with ESMTP; 19 Sep 2017 04:38:40 -0700 X-Original-To: edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.42,418,1500966000"; d="scan'208";a="1173700392" From: Hao Wu To: edk2-devel@lists.01.org Date: Tue, 19 Sep 2017 19:38:33 +0800 Message-Id: <20170919113833.14048-3-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170919113833.14048-1-hao.a.wu@intel.com> References: <20170919113833.14048-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Ruiyu Ni , Michael Kinney , Liming Gao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D705 As mentioned in the above Bugzilla link by Steven, within the function PathCleanUpDirectories(), when executing command: "cd ." under Shell, the input parameter 'Path' string will have string length less than 2. Hence, it is possible for the below statement: "if (StrCmp (Path + StrLen (Path) - 2, L"\\.") =3D=3D 0) {" to read contents before the string boundary. This commit adds additional checks to avoid this. Cc: Ruiyu Ni Cc: Steven Shi Cc: Michael Kinney Cc: Liming Gao Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu Reviewed-by: Ruiyu Ni --- MdePkg/Library/BaseLib/FilePaths.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/BaseLib/FilePaths.c b/MdePkg/Library/BaseLib/Fi= lePaths.c index 203045ccdc..d6f3758ecb 100644 --- a/MdePkg/Library/BaseLib/FilePaths.c +++ b/MdePkg/Library/BaseLib/FilePaths.c @@ -1,7 +1,7 @@ /** @file Defines file-path manipulation functions. =20 - Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License which accompanies this distribution. The full text of the license may b= e found at @@ -91,7 +91,7 @@ PathCleanUpDirectories( while ((TempString =3D StrStr (Path, L"\\.\\")) !=3D NULL) { CopyMem (TempString, TempString + 2, StrSize (TempString + 2)); } - if (StrCmp (Path + StrLen (Path) - 2, L"\\.") =3D=3D 0) { + if ((StrLen (Path) >=3D 2) && (StrCmp (Path + StrLen (Path) - 2, L"\\.")= =3D=3D 0)) { Path[StrLen (Path) - 1] =3D CHAR_NULL; } =20 --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel