BaseLib: Fix out-of-bounds reads in SafeString

Marvin Häuser Thu, 27 Oct 2022 02:19:27 -0700

Comment inline.

> On 26. Oct 2022, at 15:35, Yao, Jiewen <jiewen....@intel.com> wrote:
> 
> That is good catch.
> 
> Reviewed-by: Jiewen Yao <jiewen....@intel.com>
> 
> 
>> -----Original Message-----
>> From: Kinney, Michael D <michael.d.kin...@intel.com>
>> Sent: Wednesday, October 26, 2022 12:23 AM
>> To: Pedro Falcato <pedro.falc...@gmail.com>; devel@edk2.groups.io
>> Cc: Vitaly Cheptsov <vit9...@protonmail.com>; Marvin Häuser
>> <mhaeu...@posteo.de>; Gao, Liming <gaolim...@byosoft.com.cn>; Liu,
>> Zhiguang <zhiguang....@intel.com>; Yao, Jiewen <jiewen....@intel.com>
>> Subject: RE: [PATCH v2 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in
>> SafeString
>> 
>> Adding Jiewen Yao.
>> 
>> Mike
>> 
>>> -----Original Message-----
>>> From: Pedro Falcato <pedro.falc...@gmail.com>
>>> Sent: Monday, October 24, 2022 3:43 PM
>>> To: devel@edk2.groups.io
>>> Cc: Pedro Falcato <pedro.falc...@gmail.com>; Vitaly Cheptsov
>> <vit9...@protonmail.com>; Marvin Häuser <mhaeu...@posteo.de>;
>>> Kinney, Michael D <michael.d.kin...@intel.com>; Gao, Liming
>> <gaolim...@byosoft.com.cn>; Liu, Zhiguang <zhiguang....@intel.com>
>>> Subject: [PATCH v2 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in
>> SafeString
>>> 
>>> OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe,
>>> which was able to catch these (mostly harmless) issues.
>>> 
>>> Signed-off-by: Pedro Falcato <pedro.falc...@gmail.com>
>>> Cc: Vitaly Cheptsov <vit9...@protonmail.com>
>>> Cc: Marvin Häuser <mhaeu...@posteo.de>
>>> Cc: Michael D Kinney <michael.d.kin...@intel.com>
>>> Cc: Liming Gao <gaolim...@byosoft.com.cn>
>>> Cc: Zhiguang Liu <zhiguang....@intel.com>
>>> ---
>>> MdePkg/Library/BaseLib/SafeString.c | 24 ++++++++++++++++++++----
>>> 1 file changed, 20 insertions(+), 4 deletions(-)
>>> 
>>> diff --git a/MdePkg/Library/BaseLib/SafeString.c
>> b/MdePkg/Library/BaseLib/SafeString.c
>>> index f338a32a3a41..77a2585ad56d 100644
>>> --- a/MdePkg/Library/BaseLib/SafeString.c
>>> +++ b/MdePkg/Library/BaseLib/SafeString.c
>>> @@ -863,6 +863,9 @@ StrHexToUintnS (
>>>   OUT       UINTN   *Data
>>>   )
>>> {
>>> +  BOOLEAN  FoundLeadingZero;
>>> +
>>> +  FoundLeadingZero = FALSE;
>>>   ASSERT (((UINTN)String & BIT0) == 0);
>>> 
>>>   //
>>> @@ -893,11 +896,12 @@ StrHexToUintnS (
>>>   // Ignore leading Zeros after the spaces
>>>   //
>>>   while (*String == L'0') {
>>> +    FoundLeadingZero = TRUE;


I would just assign these outside the loop. Simpler, easier to read and 
understand, might emit better bins.

Best regards,
Marvin

>>>     String++;
>>>   }
>>> 
>>>   if (CharToUpper (*String) == L'X') {
>>> -    if (*(String - 1) != L'0') {
>>> +    if (!FoundLeadingZero) {
>>>       *Data = 0;
>>>       return RETURN_SUCCESS;
>>>     }
>>> @@ -992,6 +996,9 @@ StrHexToUint64S (
>>>   OUT       UINT64  *Data
>>>   )
>>> {
>>> +  BOOLEAN  FoundLeadingZero;
>>> +
>>> +  FoundLeadingZero = FALSE;
>>>   ASSERT (((UINTN)String & BIT0) == 0);
>>> 
>>>   //
>>> @@ -1022,11 +1029,12 @@ StrHexToUint64S (
>>>   // Ignore leading Zeros after the spaces
>>>   //
>>>   while (*String == L'0') {
>>> +    FoundLeadingZero = TRUE;
>>>     String++;
>>>   }
>>> 
>>>   if (CharToUpper (*String) == L'X') {
>>> -    if (*(String - 1) != L'0') {
>>> +    if (!FoundLeadingZero) {
>>>       *Data = 0;
>>>       return RETURN_SUCCESS;
>>>     }
>>> @@ -2393,6 +2401,9 @@ AsciiStrHexToUintnS (
>>>   OUT       UINTN  *Data
>>>   )
>>> {
>>> +  BOOLEAN  FoundLeadingZero;
>>> +
>>> +  FoundLeadingZero = FALSE;
>>>   //
>>>   // 1. Neither String nor Data shall be a null pointer.
>>>   //
>>> @@ -2421,11 +2432,12 @@ AsciiStrHexToUintnS (
>>>   // Ignore leading Zeros after the spaces
>>>   //
>>>   while (*String == '0') {
>>> +    FoundLeadingZero = TRUE;
>>>     String++;
>>>   }
>>> 
>>>   if (AsciiCharToUpper (*String) == 'X') {
>>> -    if (*(String - 1) != '0') {
>>> +    if (!FoundLeadingZero) {
>>>       *Data = 0;
>>>       return RETURN_SUCCESS;
>>>     }
>>> @@ -2517,6 +2529,9 @@ AsciiStrHexToUint64S (
>>>   OUT       UINT64  *Data
>>>   )
>>> {
>>> +  BOOLEAN  FoundLeadingZero;
>>> +
>>> +  FoundLeadingZero = FALSE;
>>>   //
>>>   // 1. Neither String nor Data shall be a null pointer.
>>>   //
>>> @@ -2545,11 +2560,12 @@ AsciiStrHexToUint64S (
>>>   // Ignore leading Zeros after the spaces
>>>   //
>>>   while (*String == '0') {
>>> +    FoundLeadingZero = TRUE;
>>>     String++;
>>>   }
>>> 
>>>   if (AsciiCharToUpper (*String) == 'X') {
>>> -    if (*(String - 1) != '0') {
>>> +    if (!FoundLeadingZero) {
>>>       *Data = 0;
>>>       return RETURN_SUCCESS;
>>>     }
>>> --
>>> 2.38.1
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#95635): https://edk2.groups.io/g/devel/message/95635
Mute This Topic: https://groups.io/mt/94546879/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v2 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString

Reply via email to