Reviewed-by: Eric Dong <eric.d...@intel.com>

-----Original Message-----
From: Bi, Dandan <dandan...@intel.com> 
Sent: Thursday, February 13, 2020 12:03 PM
To: devel@edk2.groups.io
Cc: Gao, Liming <liming....@intel.com>; Dong, Eric <eric.d...@intel.com>; Wang, 
Jian J <jian.j.w...@intel.com>
Subject: [patch 1/2] MdeModulePkg/String.c: Zero memory before free 
(CVE-2019-14558)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611

Cc: Liming Gao <liming....@intel.com>
Cc: Eric Dong <eric.d...@intel.com>
Cc: Jian J Wang <jian.j.w...@intel.com>
Signed-off-by: Dandan Bi <dandan...@intel.com>
---
 MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c 
b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
index 505e063d49..10a1e691a3 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
@@ -1004,10 +1004,11 @@ SetStringWorker (
       BlockPtr,
       StringTextPtr + AsciiStrSize ((CHAR8 *)StringTextPtr),
       TmpSize
       );
 
+    ZeroMem (StringPackage->StringBlock, OldBlockSize);
     FreePool (StringPackage->StringBlock);
     StringPackage->StringBlock = Block;
     StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - 
OldBlockSize);
     break;
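Review bot: The added `ZeroMem (StringPackage->StringBlock, OldBlockSize);` before `FreePool` carries no comment, so a later cleanup could drop it as a redundant store. The same line is added uncommented in the other six hunks of this patch. A short comment above it would record the intent, for example `// Scrub the old string block before it returns to the pool so stale string content is not left in freed memory (CVE-2019-14558).` Since the identical scrub-and-free pair now appears seven times across SetStringWorker and HiiNewString, a small static helper taking the block pointer and its size would keep a future free site of StringBlock from missing the scrub. SetStringWorker's body starts and ends outside this hunk.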
 
@@ -1037,10 +1038,11 @@ SetStringWorker (
       BlockPtr,
       StringTextPtr + StringSize,
       OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize
       );
 
+    ZeroMem (StringPackage->StringBlock, OldBlockSize);
     FreePool (StringPackage->StringBlock);
     StringPackage->StringBlock = Block;
     StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - 
OldBlockSize);
     break;
 
@@ -1088,10 +1090,11 @@ SetStringWorker (
     );
   BlockPtr += StrSize (GlobalFont->FontInfo->FontName);
 
   CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);
 
+  ZeroMem (StringPackage->StringBlock, OldBlockSize);
   FreePool (StringPackage->StringBlock);
   StringPackage->StringBlock = Block;
   StringPackage->StringPkgHdr->Header.Length += Ext2.Length;
 
   return EFI_SUCCESS;
@@ -1273,10 +1276,11 @@ HiiNewString (
 
       //
       // Append a EFI_HII_SIBT_END block to the end.
       //
       *BlockPtr = EFI_HII_SIBT_END;
+      ZeroMem (StringPackage->StringBlock, OldBlockSize);
       FreePool (StringPackage->StringBlock);
       StringPackage->StringBlock = StringBlock;
       StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
       PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize;
     }
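Review bot: The length passed to `ZeroMem` here is `OldBlockSize`, but its assignment is not visible in this hunk or in the HiiNewString hunks at 1408, 1451 and 1513. The scrub is only correct if each branch sets it to the size of the buffer currently held in `StringPackage->StringBlock` before reaching this line. A value left over from another branch would either leave the tail of the old block unscrubbed or write past the allocation. This is worth confirming against the full function and recording next to the call, e.g. `// OldBlockSize must equal the allocated size of StringPackage->StringBlock at this point.` HiiNewString's body starts and ends outside the hunk.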
@@ -1404,10 +1408,11 @@ HiiNewString (
 
     //
     // Append a EFI_HII_SIBT_END block to the end.
     //
     *BlockPtr = EFI_HII_SIBT_END;
+    ZeroMem (StringPackage->StringBlock, OldBlockSize);
     FreePool (StringPackage->StringBlock);
     StringPackage->StringBlock = StringBlock;
     StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
     PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize;
 
@@ -1446,10 +1451,11 @@ HiiNewString (
 
       //
       // Append a EFI_HII_SIBT_END block to the end.
       //
       *BlockPtr = EFI_HII_SIBT_END;
+      ZeroMem (StringPackage->StringBlock, OldBlockSize);
       FreePool (StringPackage->StringBlock);
       StringPackage->StringBlock = StringBlock;
       StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize;
       PackageListNode->PackageListHdr.PackageLength += Ucs2FontBlockSize;
 
@@ -1507,10 +1513,11 @@ HiiNewString (
 
       //
       // Append a EFI_HII_SIBT_END block to the end.
       //
       *BlockPtr = EFI_HII_SIBT_END;
+      ZeroMem (StringPackage->StringBlock, OldBlockSize);
       FreePool (StringPackage->StringBlock);
       StringPackage->StringBlock = StringBlock;
       StringPackage->StringPkgHdr->Header.Length += FontBlockSize + 
Ucs2FontBlockSize;
       PackageListNode->PackageListHdr.PackageLength += FontBlockSize + 
Ucs2FontBlockSize;
 
-- 
2.18.0.windows.1

