Branch: refs/heads/master
  Home:   https://github.com/tianocore/edk2
  Commit: df8c61e4c071d1c6ab04e3ebeeb07cf97fc893e0
      
https://github.com/tianocore/edk2/commit/df8c61e4c071d1c6ab04e3ebeeb07cf97fc893e0
  Author: Sebastian Witt <[email protected]>
  Date:   2024-06-07 (Fri, 07 Jun 2024)

  Changed paths:
    M CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c

  Log Message:
  -----------
  CryptoPkg: Fix BaseCryptLib CrtWrapper strcpy

strcpy fails when strSource is closer than 4096 bytes after strDest.

This is caused by an overlap check in AsciiStrCpyS:
  //
  // 5. Copying shall not take place between objects that overlap.
  //
  SAFE_STRING_CONSTRAINT_CHECK (InternalSafeStringNoAsciiStrOverlap
  (Destination, DestMax, (CHAR8 *)Source, SourceLen + 1),
  RETURN_ACCESS_DENIED);

Since DestMax is MAX_STRING_SIZE (0x1000) and with a Source
that is in this area behind Destination, AsciiStrCpyS will fail
and strcpy will do nothing.

When called by CRYPTO_strdup in openssl this leads to uninitialized
memory that gets accessed instead of the copied string.

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2817

Signed-off-by: Sebastian Witt <[email protected]>


  Commit: 948f23417010309a5557d46195eae258f6105025
      
https://github.com/tianocore/edk2/commit/948f23417010309a5557d46195eae258f6105025
  Author: Sebastian Witt <[email protected]>
  Date:   2024-06-07 (Fri, 07 Jun 2024)

  Changed paths:
    M CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
    M CryptoPkg/Library/Include/CrtLibSupport.h

  Log Message:
  -----------
  CryptoPkg: Fix BaseCryptLib CrtWrapper strncpy and strcat

Following https://bugzilla.tianocore.org/show_bug.cgi?id=2817 this
bug could also apply to strncpy and strcat.

For strncpy use count+1 if smaller than MAX_STRING_SIZE. This still
restricts the destination size to MAX_STRING_SIZE as before but allows
a strncpy when the source is close after destination without triggering
the InternalSafeStringNoAsciiStrOverlap check in AsciiStrnCpyS.

For strcat use the destination string length + the size of the source
string including the terminator as destination size if smaller than
MAX_STRING_SIZE.

Also move both functions to CrtWrapper.c as they do not return the
correct return value. AsciiStrnCpyS and AsciiStrCatS return
RETURN_VALUE instead of a char * to the destination buffer.

Signed-off-by: Sebastian Witt <[email protected]>


Compare: https://github.com/tianocore/edk2/compare/8c826be35c73...948f23417010
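
Added example (not code from edk2 or from the commits above): a simplified C model of the failure both log messages describe, where a wrapper claims a MAX_STRING_SIZE destination and the overlap constraint rejects a source lying inside that window. ranges_disjoint, checked_copy, the two wrapper names and run_case are hypothetical stand-ins, and the tightened bound follows the count+1 idea from the second message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_STRING_SIZE 0x1000 /* value quoted in the first log message */

/* Hypothetical model of the overlap constraint:
   [b1,b1+n1) and [b2,b2+n2) must not intersect. */
static int ranges_disjoint(const char *b1, size_t n1, const char *b2, size_t n2) {
    uintptr_t a = (uintptr_t)b1, b = (uintptr_t)b2;
    return a + n1 <= b || b + n2 <= a;
}

/* Hypothetical checked copy: 0 on success, -1 (nothing written) on a violation. */
static int checked_copy(char *dst, size_t dst_max, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_max) return -1;
    if (!ranges_disjoint(dst, dst_max, src, len + 1)) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Wrapper that always claims a MAX_STRING_SIZE destination. */
int copy_fixed_max(char *dst, const char *src) {
    return checked_copy(dst, MAX_STRING_SIZE, src);
}

/* Wrapper that claims only the bytes to be written, capped at MAX_STRING_SIZE. */
int copy_tight_max(char *dst, const char *src) {
    size_t need = strlen(src) + 1;
    return checked_copy(dst, need < MAX_STRING_SIZE ? need : MAX_STRING_SIZE, src);
}

/* Constructed layout: source placed `gap` bytes after destination in one arena.
   Returns 1 if the copy landed, 0 if the destination kept its 0xAA filler. */
int run_case(int (*copy)(char *, const char *), size_t gap) {
    static char arena[3 * MAX_STRING_SIZE];
    memset(arena, 0xAA, sizeof arena); /* stands in for uninitialized memory */
    strcpy(arena + gap, "constructed sample");
    int rc = copy(arena, arena + gap);
    return rc == 0 && strcmp(arena, "constructed sample") == 0;
}

int main(void) {
    /* Exit 0 when the fixed bound drops the copy and the tight bound performs it. */
    return !(run_case(copy_tight_max, 64) && !run_case(copy_fixed_max, 64));
}
```

With the tight bound a genuinely overlapping source (gap of 8 bytes here) is still refused, so the constraint keeps its purpose.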
