From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Liming Gao, Michael D Kinney
Subject: [edk2-devel] [PATCH v2 2/5] MdePkg/PiFirmwareFile: fix undefined behavior in SECTION_SIZE
Date: Thu, 18 Apr 2019 19:47:07 +0200
Message-Id: <20190418174710.12236-3-lersek@redhat.com>
In-Reply-To: <20190418174710.12236-1-lersek@redhat.com>
References: <20190418174710.12236-1-lersek@redhat.com>

RH covscan justifiedly reports that accessing
"EFI_COMMON_SECTION_HEADER.Size", which is of type UINT8[3], through a
(UINT32*), is undefined behavior:

> Error: OVERRUN (CWE-119):
> edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:178: overrun-local: Overrunning
> array of 3 bytes at byte offset 3 by dereferencing pointer
> "(UINT32 *)((EFI_COMMON_SECTION_HEADER *)(UINTN)Section)->Size".
> #  176|       Section = (EFI_COMMON_SECTION_HEADER*)(UINTN) CurrentAddress;
> #  177|
> #  178|->     Size = SECTION_SIZE (Section);
> #  179|       if (Size < sizeof (*Section)) {
> #  180|         return EFI_VOLUME_CORRUPTED;

Fix this by accessing the array elements individually.
Cc: Liming Gao
Cc: Michael D Kinney
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1710
Issue: scan-1007.txt
Signed-off-by: Laszlo Ersek
Reviewed-by: Philippe Mathieu-Daude
---

Notes:
    v2:

    - replace EFI_COMMON_SECTION_HEADER_UNION with individual array
      element access [Jordan, Phil, Mike]

 MdePkg/Include/Pi/PiFirmwareFile.h | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Include/Pi/PiFirmwareFile.h b/MdePkg/Include/Pi/PiFirmwareFile.h
index a9f3bcc4eb8e..05470538de42 100644
--- a/MdePkg/Include/Pi/PiFirmwareFile.h
+++ b/MdePkg/Include/Pi/PiFirmwareFile.h
@@ -480,8 +480,15 @@ typedef struct {
   CHAR16                    VersionString[1];
 } EFI_VERSION_SECTION2;
 
-#define SECTION_SIZE(SectionHeaderPtr) \
-    ((UINT32) (*((UINT32 *) ((EFI_COMMON_SECTION_HEADER *) (UINTN) SectionHeaderPtr)->Size) & 0x00ffffff))
+///
+/// The argument passed as the SectionHeaderPtr parameter to the SECTION_SIZE()
+/// and IS_SECTION2() function-like macros below must not have side effects:
+/// SectionHeaderPtr is evaluated multiple times.
+///
+#define SECTION_SIZE(SectionHeaderPtr) ((UINT32) ( \
+    (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[0]      ) | \
+    (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[1] <<  8) | \
+    (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[2] << 16)))
 
 #define IS_SECTION2(SectionHeaderPtr) \
     (SECTION_SIZE (SectionHeaderPtr) == 0x00ffffff)
-- 
2.19.1.3.g30247aa5d201
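Review bot: the commit message covers the overrun but not the second behavioural change in the new SECTION_SIZE body: the single 32-bit load and its `& 0x00ffffff` mask are gone, so the value is now assembled from Size[0..2] alone and no longer depends on the host's byte order; one sentence saying so would help whoever reads this through git blame. The OR chain relies on each UINT8 element being promoted to int before `<< 16`, which is fine, but the /// comment could state it next to the multiple-evaluation warning, since the absence of any cast inside the chain is the first thing a reader will question. Nit: if the run of spaces before `) | \` on the Size[0] line is alignment padding, a `<< 0` in that position would read more uniformly against the `<<  8` and `<< 16` lines.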
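To show what the patched macro computes and how a caller such as the SecMain.c code quoted by covscan should bound-check the result, here is an added, stand-alone C example; it is not edk2 code, and the `CommonSectionHeader` struct, the function names and the sample bytes are constructed for illustration (assumption: a 3-byte little-endian Size followed by a 1-byte Type).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the PI common section header the patch talks about
 * (assumption: 3-byte little-endian Size followed by a 1-byte Type). */
typedef struct {
    uint8_t Size[3];
    uint8_t Type;
} CommonSectionHeader;

/* Counterpart of the patched SECTION_SIZE(): assemble the 24-bit size from
 * the three bytes. Nothing past Size[2] is read, and the result does not
 * depend on the host's byte order. */
static uint32_t section_size(const CommonSectionHeader *hdr)
{
    return (uint32_t)hdr->Size[0]
         | ((uint32_t)hdr->Size[1] << 8)
         | ((uint32_t)hdr->Size[2] << 16);
}

/* Counterpart of IS_SECTION2(): an all-ones 24-bit size means the real
 * length is carried by an extended header instead. */
static int is_section2(const CommonSectionHeader *hdr)
{
    return section_size(hdr) == 0x00ffffffu;
}

/* Validation in the spirit of the SecMain.c lines quoted by covscan:
 * reject a section whose declared size is smaller than its own header or
 * larger than the bytes actually available. Returns the size, or 0 on
 * rejection (0 can never be a valid size: it is below sizeof header). */
static uint32_t checked_section_size(const uint8_t *buf, size_t avail)
{
    CommonSectionHeader hdr;
    if (avail < sizeof hdr)
        return 0;
    memcpy(&hdr, buf, sizeof hdr);    /* no aliasing or alignment assumptions */
    uint32_t size = section_size(&hdr);
    if (is_section2(&hdr) || size < sizeof hdr || size > avail)
        return 0;                     /* extended headers not handled here */
    return size;
}

/* Constructed sample: Size bytes 0x34,0x12,0x00 decode to 0x1234 and the
 * section fits exactly in a 0x1234-byte buffer. */
static uint32_t demo(void)
{
    static uint8_t blob[0x1234] = { 0x34, 0x12, 0x00, 0x19 };
    return checked_section_size(blob, sizeof blob);
}
```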