.../SystemFirmwareUpdateDxe.c | 39 ++++++++++--------- 1 file changed, 21 insertions(+), 18 deletions(-)
Original code GetFmpImageDescriptors for OriginalFmpImageInfoBuf
pointer, if failed, return a NULL pointer. The OriginalFmpImageInfoBuf
should not be NULL and the NULL pointer dereference case
should be false positive.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Vin Xue <vinxue@outlook.com>
---
.../SystemFirmwareUpdateDxe.c | 39 ++++++++++---------
1 file changed, 21 insertions(+), 18 deletions(-)
diff --git a/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c b/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c
index bdb70bdb32..ea795cd7db 100644
--- a/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c
+++ b/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c
@@ -681,32 +681,35 @@ FindMatchingFmpHandles (
//
// Loop through the set of EFI_FIRMWARE_IMAGE_DESCRIPTORs.
//
- FmpImageInfoBuf = OriginalFmpImageInfoBuf;
MatchFound = FALSE;
- for (Index2 = 0; Index2 < FmpImageInfoCount; Index2++) {
- for (Index3 = 0; Index3 < mSystemFmpPrivate->DescriptorCount; Index3++) {
- MatchFound = CompareGuid (
- &FmpImageInfoBuf->ImageTypeId,
- &mSystemFmpPrivate->ImageDescriptor[Index3].ImageTypeId
- );
+ if (OriginalFmpImageInfoBuf != NULL) {
+ FmpImageInfoBuf = OriginalFmpImageInfoBuf;
+
+ for (Index2 = 0; Index2 < FmpImageInfoCount; Index2++) {
+ for (Index3 = 0; Index3 < mSystemFmpPrivate->DescriptorCount; Index3++) {
+ MatchFound = CompareGuid (
+ &FmpImageInfoBuf->ImageTypeId,
+ &mSystemFmpPrivate->ImageDescriptor[Index3].ImageTypeId
+ );
+ if (MatchFound) {
+ break;
+ }
+ }
if (MatchFound) {
break;
}
+ //
+ // Increment the buffer pointer ahead by the size of the descriptor
+ //
+ FmpImageInfoBuf = (EFI_FIRMWARE_IMAGE_DESCRIPTOR *)(((UINT8 *)FmpImageInfoBuf) + DescriptorSize);
}
if (MatchFound) {
- break;
+ HandleBuffer[*HandleCount] = HandleBuffer[Index];
+ (*HandleCount)++;
}
- //
- // Increment the buffer pointer ahead by the size of the descriptor
- //
- FmpImageInfoBuf = (EFI_FIRMWARE_IMAGE_DESCRIPTOR *)(((UINT8 *)FmpImageInfoBuf) + DescriptorSize);
- }
- if (MatchFound) {
- HandleBuffer[*HandleCount] = HandleBuffer[Index];
- (*HandleCount)++;
- }
- FreePool (OriginalFmpImageInfoBuf);
+ FreePool (OriginalFmpImageInfoBuf);
+ }
}
if ((*HandleCount) == 0) {
--
2.27.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#62485): https://edk2.groups.io/g/devel/message/62485
Mute This Topic: https://groups.io/mt/75474501/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> > -----Original Message----- > From: Vin Xue <vinxue@outlook.com> > Sent: Tuesday, July 14, 2020 10:10 AM > To: devel@edk2.groups.io > Cc: Vin Xue <vinxue@outlook.com>; Yao, Jiewen <jiewen.yao@intel.com>; > Zhang, Chao B <chao.b.zhang@intel.com> > Subject: [PATCH] SignedCapsulePkg: Address NULL pointer dereference case. > > Original code GetFmpImageDescriptors for OriginalFmpImageInfoBuf > pointer, if failed, return a NULL pointer. The OriginalFmpImageInfoBuf > should not be NULL and the NULL pointer dereference case > should be false positive. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Chao Zhang <chao.b.zhang@intel.com> > Signed-off-by: Vin Xue <vinxue@outlook.com> > --- > .../SystemFirmwareUpdateDxe.c | 39 ++++++++++--------- > 1 file changed, 21 insertions(+), 18 deletions(-) > > diff --git > a/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdate > Dxe.c > b/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdate > Dxe.c > index bdb70bdb32..ea795cd7db 100644 > --- > a/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdate > Dxe.c > +++ > b/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdate > Dxe.c > @@ -681,32 +681,35 @@ FindMatchingFmpHandles ( > // > > // Loop through the set of EFI_FIRMWARE_IMAGE_DESCRIPTORs. > > // > > - FmpImageInfoBuf = OriginalFmpImageInfoBuf; > > MatchFound = FALSE; > > - for (Index2 = 0; Index2 < FmpImageInfoCount; Index2++) { > > - for (Index3 = 0; Index3 < mSystemFmpPrivate->DescriptorCount; Index3++) { > > - MatchFound = CompareGuid ( > > - &FmpImageInfoBuf->ImageTypeId, > > - &mSystemFmpPrivate->ImageDescriptor[Index3].ImageTypeId > > - ); > > + if (OriginalFmpImageInfoBuf != NULL) { > > + FmpImageInfoBuf = OriginalFmpImageInfoBuf; > > + > > + for (Index2 = 0; Index2 < FmpImageInfoCount; Index2++) { > > + for (Index3 = 0; Index3 < mSystemFmpPrivate->DescriptorCount; Index3++) > { > > + MatchFound = CompareGuid ( > > + &FmpImageInfoBuf->ImageTypeId, > > + &mSystemFmpPrivate->ImageDescriptor[Index3].ImageTypeId > > + ); > > + if (MatchFound) { > > + break; > > + } > > + } > > if (MatchFound) { > > break; > > } > > + // > > + // Increment the buffer pointer ahead by the size of the descriptor > > + // > > + FmpImageInfoBuf = (EFI_FIRMWARE_IMAGE_DESCRIPTOR *)(((UINT8 > *)FmpImageInfoBuf) + DescriptorSize); > > } > > if (MatchFound) { > > - break; > > + HandleBuffer[*HandleCount] = HandleBuffer[Index]; > > + (*HandleCount)++; > > } > > - // > > - // Increment the buffer pointer ahead by the size of the descriptor > > - // > > - FmpImageInfoBuf = (EFI_FIRMWARE_IMAGE_DESCRIPTOR *)(((UINT8 > *)FmpImageInfoBuf) + DescriptorSize); > > - } > > - if (MatchFound) { > > - HandleBuffer[*HandleCount] = HandleBuffer[Index]; > > - (*HandleCount)++; > > - } > > > > - FreePool (OriginalFmpImageInfoBuf); > > + FreePool (OriginalFmpImageInfoBuf); > > + } > > } > > > > if ((*HandleCount) == 0) { > > -- > 2.27.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#62673): https://edk2.groups.io/g/devel/message/62673 Mute This Topic: https://groups.io/mt/75474501/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.