From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Bob Feng, Liming Gao, Michael D Kinney, Sean Brogan, Yuwei Chen
Subject: [edk2-devel] [PATCH v4 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites
Date: Fri, 10 Mar 2023 13:42:29 -0500
Message-Id: <20230310184238.2999-4-mikuback@linux.microsoft.com>
In-Reply-To: <20230310184238.2999-1-mikuback@linux.microsoft.com>
References: <20230310184238.2999-1-mikuback@linux.microsoft.com>

From: Michael Kubacki

While more portable methods exist to handle these cases, this change
does not attempt to do more than fix the immediate problem and follow
the conventions already established in this code. `snprintf()` is
introduced as the minimum improvement apart from making the buffers
larger.

Fixes the following CodeQL alerts:

1. Failure on line 2339 in
   BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c
   - Type: Potentially overrunning write
   - Severity: Critical
   - Problem: This 'call to sprintf' operation requires 17 bytes but
     the destination is only 16 bytes.

2. Failure on line 2341 in
   BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c
   - Type: Potentially overrunning write
   - Severity: Critical
   - Problem: This 'call to sprintf' operation requires 17 bytes but
     the destination is only 16 bytes.

3. Failure on line 1309 in
   BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c
   - Type: Potentially overrunning write
   - Severity: Critical
   - Problem: This 'call to sprintf' operation requires 25 bytes but
     the destination is only 20 bytes.

Cc: Bob Feng
Cc: Liming Gao
Cc: Michael D Kinney
Cc: Sean Brogan
Cc: Yuwei Chen
Signed-off-by: Michael Kubacki
Reviewed-by: Liming Gao
Reviewed-by: Michael D Kinney
---
 BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c  | 10 +++++-----
 BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c b/BaseTools/So= urce/C/VfrCompile/Pccts/antlr/gen.c index 8e41239f4751..33d9cac4c7de 100644 --- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c +++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c 
@@ -2331,14 +2331,14 @@ TokNode *p; set_nameErrSet =3D bufErrSet; /* MR23 */ } else { /* wild card */ - static char buf[sizeof("zzerr")+10]; - static char bufErrSet[sizeof("zzerr")+10]; + static char buf[sizeof("zzerr")+11]; + static char bufErrSet[sizeof("zzerr")+11]; int n =3D DefErrSet( &b, 0, NULL ); int nErrSet =3D DefErrSetWithSuffix(0, &bErrSet, 1, NULL, "_set"); - if ( GenCC ) sprintf(buf, "err%d", n); - else sprintf(buf, "zzerr%d", n); + if ( GenCC ) snprintf(buf, 11, "err%d", n); + else snprintf(buf, 11, "zzerr%d", n); if ( GenCC ) sprintf(bufErrSet, "err%d", nErrSet); - else sprintf(bufErrSet, "zzerr%d", nErrSet); + else snprintf(bufErrSet, 11, "zzerr%d", nErrSet); set_name =3D buf; set_nameErrSet =3D bufErrSet; } diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c b/BaseTools/S= ource/C/VfrCompile/Pccts/antlr/main.c index 051ee4ec5d28..488b4b90461c 100644 --- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c +++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c @@ -1295,7 +1295,7 @@ int token; #endif { int j; - static char imag_name[20]; + static char imag_name[25]; =20 /* look in all lexclasses for the token */ if ( TokenString(token) !=3D NULL ) return TokenString(token); @@ -1306,7 +1306,7 @@ int token; } =20 if (1) { - sprintf(imag_name,"UnknownToken#%d",token); /* MR13 */ + snprintf(imag_name, 25, "UnknownToken#%d", token); /* MR13 */ return imag_name; /* MR13 */ } =20 --=20 2.39.2.windows.1
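
Review bot: In the gen.c hunk (@@ -2331), the bound passed to the three new snprintf() calls is the literal 11, which does not match the destination size: buf and bufErrSet are now sizeof("zzerr")+11, i.e. 17 bytes. With a bound of 11, "zzerr%d" keeps only five characters of the formatted integer before the terminator, so a larger n or nErrSet is silently truncated and different error sets could be given the same name. Pass the buffer size instead, for example `snprintf(buf, sizeof(buf), "zzerr%d", n);` and likewise sizeof(bufErrSet). The GenCC branch for bufErrSet is also left as `sprintf(bufErrSet, "err%d", nErrSet);`; it fits in 17 bytes, but converting it would keep all four calls consistent.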
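
Review bot: In the first main.c hunk (@@ -1295), the new size in `static char imag_name[25];` is a bare literal with no indication of where it comes from. It is the 13 characters of "UnknownToken#" plus up to 11 characters for a formatted int plus the terminator, so it would be clearer to write it the way gen.c does in this same patch, as sizeof("UnknownToken#")+11, or to add a short comment stating the derivation, so the size is revisited if the format string changes.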
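
Review bot: In the second main.c hunk (@@ -1306), the bound in `snprintf(imag_name, 25, "UnknownToken#%d", token);` repeats the literal 25 from the declaration in the previous hunk, so the two can drift apart if either is edited later. Use sizeof(imag_name) as the second argument; imag_name is an array in this scope, so sizeof yields the full 25 bytes.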