From: Ruiyu Ni To: edk2-devel@lists.01.org Date: Thu, 8 Feb 2018 12:44:54 +0800 Message-Id: <20180208044454.91652-1-ruiyu.ni@intel.com> X-Mailer: git-send-email 2.16.1.windows.1 Subject: [edk2] [PATCH] ShellPkg/hexedit: Fix a read-after-free bug X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jaben Carsey MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" HDiskImageSetDiskNameOffsetSize() and HFileImageSetFileName() may be called using the current disk name or file name. When this happens, today's implementation firstly frees the memory and then accesses the just-freed memory. The patch fixes this issue by doing nothing when the disk or file name is the current one. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni Cc: Jaben Carsey Reviewed-by: Jaben Carsey --- .../UefiShellDebug1CommandsLib/HexEdit/DiskImage.c | 22 +++++++++---------= --- .../UefiShellDebug1CommandsLib/HexEdit/FileImage.c | 23 +++++++++---------= ---- 2 files changed, 18 insertions(+), 27 deletions(-) diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.= c b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c index 846b102975..8deb643f07 100644 --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c @@ -1,7 +1,7 @@ /** @file Functions to deal with Disk buffer. =20 - Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License which accompanies this distribution. The full text of the license may b= e found at @@ -120,27 +120,23 @@ HDiskImageSetDiskNameOffsetSize ( IN UINTN Size ) { - UINTN Len; - UINTN Index; + if (Str =3D=3D HDiskImage.Name) { + // + // This function might be called using HDiskImage.FileName as Str. + // Directly return without updating HDiskImage.FileName. + // + return EFI_SUCCESS; + } =20 // // free the old file name // SHELL_FREE_NON_NULL (HDiskImage.Name); - - Len =3D StrLen (Str); - - HDiskImage.Name =3D AllocateZeroPool (2 * (Len + 1)); + HDiskImage.Name =3D AllocateCopyPool (StrSize (Str), Str); if (HDiskImage.Name =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 - for (Index =3D 0; Index < Len; Index++) { - HDiskImage.Name[Index] =3D Str[Index]; - } - - HDiskImage.Name[Len] =3D L'\0'; - HDiskImage.Offset =3D Offset; HDiskImage.Size =3D Size; =20 diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/FileImage.= c b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/FileImage.c index 2517a57f59..d9fd72cdd2 100644 --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/FileImage.c +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/FileImage.c @@ -1,7 +1,7 @@ /** @file Functions to deal with file buffer. =20 - Copyright (c) 2005 - 2015, Intel Corporation. All rights reserved.
+ Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License which accompanies this distribution. The full text of the license may b= e found at @@ -110,27 +110,22 @@ HFileImageSetFileName ( IN CONST CHAR16 *Str ) { - UINTN Size; - UINTN Index; - + if (Str =3D=3D HFileImage.FileName) { + // + // This function might be called using HFileImage.FileName as Str. + // Directly return without updating HFileImage.FileName. + // + return EFI_SUCCESS; + } // // free the old file name // SHELL_FREE_NON_NULL (HFileImage.FileName); - - Size =3D StrLen (Str); - - HFileImage.FileName =3D AllocateZeroPool (2 * (Size + 1)); + HFileImage.FileName =3D AllocateCopyPool (StrSize (Str), Str); if (HFileImage.FileName =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 - for (Index =3D 0; Index < Size; Index++) { - HFileImage.FileName[Index] =3D Str[Index]; - } - - HFileImage.FileName[Size] =3D L'\0'; - return EFI_SUCCESS; } =20 --=20 2.16.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
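Review bot: in the DiskImage.c hunk at @@ -120,27 +120,23 @@, the early return `if (Str == HDiskImage.Name) { ... return EFI_SUCCESS; }` also skips the `HDiskImage.Offset = Offset;` and `HDiskImage.Size = Size;` assignments that follow it, so a caller that passes the current name with a new offset or size gets EFI_SUCCESS and no update, although the function is named SetDiskNameOffsetSize. Suggest guarding only the free-and-copy (`if (Str != HDiskImage.Name) { SHELL_FREE_NON_NULL (HDiskImage.Name); HDiskImage.Name = AllocateCopyPool (StrSize (Str), Str); ... }`) and letting every call fall through to the Offset/Size assignments; better still, allocate the copy first and free the old buffer afterwards, which handles any alias rather than only the identical pointer. Also, the new comment refers to HDiskImage.FileName twice, but the field compared and freed in this file is HDiskImage.Name; it reads as copied from FileImage.c and should be corrected.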
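Review bot: in the FileImage.c hunk at @@ -110,27 +110,22 @@, the guard `if (Str == HFileImage.FileName)` covers only a caller passing the exact current pointer; a Str that points into the current buffer (a suffix of it, say) still reaches `SHELL_FREE_NON_NULL (HFileImage.FileName);` followed by `AllocateCopyPool (StrSize (Str), Str)` reading freed memory. Reordering to allocate the copy first, then free the old name and store the new pointer, removes the read-after-free for every alias without a special case, and also keeps the old name when AllocateCopyPool fails (as written, the old buffer is already freed and HFileImage.FileName holds the NULL result when EFI_OUT_OF_RESOURCES is returned). Minor: the blank line between the closing `}` of the new block and the `// free the old file name` comment was dropped here but kept in the DiskImage.c hunk; keep it in both for consistency.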
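The read-after-free the commit message describes, as an added host-side C model that is not EDK II code and not part of the patch: a hypothetical IMAGE_STATE struct stands in for HDiskImage, SetNameFreeFirst keeps the pre-patch free-then-copy order, and SetNameCopyFirst shows the allocate-before-free order that tolerates any alias (the identical pointer the patch checks for, and a pointer into the current buffer, which it does not) while still storing offset and size on every successful call. The STATUS enum and all function names are stand-ins; the sample name string is constructed input.

```c
/* Added example (host-side C model, not EDK II code): the aliasing
 * read-after-free fixed by the patch, and the allocate-before-free ordering
 * that removes it for any alias while still updating offset and size.
 * IMAGE_STATE, STATUS and the function names are hypothetical stand-ins for
 * HDiskImage, EFI_STATUS and HDiskImageSetDiskNameOffsetSize. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { STATUS_SUCCESS = 0, STATUS_OUT_OF_RESOURCES = 1 } STATUS;

typedef struct {
  char   *Name;    /* heap-owned copy of the current name, or NULL */
  size_t  Offset;
  size_t  Size;
} IMAGE_STATE;

/* Pre-patch ordering: free the old name, then read Str. Correct only when
 * Str does not point into State->Name; with an alias the memcpy below reads
 * freed memory. Kept for comparison and never called with an alias here. */
STATUS SetNameFreeFirst(IMAGE_STATE *State, const char *Str,
                        size_t Offset, size_t Size)
{
  size_t bytes;

  free(State->Name);                 /* free(NULL) is a no-op, like SHELL_FREE_NON_NULL */
  State->Name = NULL;
  bytes = strlen(Str) + 1;           /* analogue of StrSize(): includes the terminator */
  State->Name = malloc(bytes);
  if (State->Name == NULL) {
    return STATUS_OUT_OF_RESOURCES;  /* the old name is already gone at this point */
  }
  memcpy(State->Name, Str, bytes);
  State->Offset = Offset;
  State->Size   = Size;
  return STATUS_SUCCESS;
}

/* Hardened ordering: duplicate Str while it is still valid, then release the
 * old buffer. Str may be State->Name itself or any pointer into it, the old
 * name survives an allocation failure, and Offset/Size are always stored. */
STATUS SetNameCopyFirst(IMAGE_STATE *State, const char *Str,
                        size_t Offset, size_t Size)
{
  size_t bytes = strlen(Str) + 1;
  char  *copy  = malloc(bytes);

  if (copy == NULL) {
    return STATUS_OUT_OF_RESOURCES;  /* State->Name untouched */
  }
  memcpy(copy, Str, bytes);          /* read Str before anything is freed */
  free(State->Name);
  State->Name   = copy;
  State->Offset = Offset;
  State->Size   = Size;
  return STATUS_SUCCESS;
}

/* Drives the hardened setter through the two aliasing cases: the identical
 * pointer the patch's equality check catches, and a pointer into the buffer
 * that it does not. Returns 1 when every step behaves as expected. */
int DemoAliasedUpdate(void)
{
  IMAGE_STATE st = { NULL, 0, 0 };
  int ok = 1;

  /* initial name from a fresh string (constructed sample input); no alias,
   * so the pre-patch order is safe for this first call */
  ok = ok && SetNameFreeFirst(&st, "fs0:\\image.bin", 0, 512) == STATUS_SUCCESS;

  /* same pointer as the current name, new offset/size: the name must be
   * preserved and the fields must still be updated */
  ok = ok && SetNameCopyFirst(&st, st.Name, 1024, 256) == STATUS_SUCCESS;
  ok = ok && strcmp(st.Name, "fs0:\\image.bin") == 0;
  ok = ok && st.Offset == 1024 && st.Size == 256;

  /* pointer into the current buffer: not caught by Str == State->Name,
   * handled by copy-before-free */
  ok = ok && SetNameCopyFirst(&st, st.Name + 5, 0, 0) == STATUS_SUCCESS;
  ok = ok && strcmp(st.Name, "image.bin") == 0;

  free(st.Name);
  return ok;
}

int main(void)
{
  printf("%s\n", DemoAliasedUpdate() ? "ok" : "FAIL");
  return 0;
}
```

Building with -fsanitize=address and switching the aliased calls in DemoAliasedUpdate to SetNameFreeFirst reproduces the report the patch fixes, a heap-use-after-free inside the copy.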