Hi Jan, > >> Memory allocated via AllocatePool() is not necessarily initialized > >> to zero. Hence, the buffer may contain random garbage after the > >> read custom FS label up to its \0-terminated end. > >> Explicitly use AllocateZeroPool() to avoid this issue. > >> > >> Signed-off-by: Christian Storm <[email protected]> > >> --- > >> utils.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/utils.c b/utils.c > >> index bd7b8d7..ba9239b 100644 > >> --- a/utils.c > >> +++ b/utils.c > >> @@ -82,7 +82,7 @@ CHAR16 *get_volume_custom_label(EFI_FILE_HANDLE fh) > >> { > >> EFI_STATUS status; > >> EFI_FILE_HANDLE tmp; > >> - CHAR16 *buffer = AllocatePool(64); > >> + CHAR16 *buffer = AllocateZeroPool(64); > >> UINTN buffsize = 63; > >> > >> status = uefi_call_wrapper( > >> > > > > This also obsoletes the "buffer[buffsize] = L'\0'", right?
Yes and no as this patch has fixed this bug's symptoms, not the cause, see below. > Hmm, not yet getting the full point of the change: Doesn't buffsize > contain on success the actually read amount of data? Yes. > And that line above will properly terminate after that. No. Read() returns the number of *bytes* read, so the above string termination proper has to read buffer[buffsize/2] = L'\0' as buffer is CHAR16 and we're indexing CHAR16 here, not CHAR8. > So where should the junk come from? The string is terminated at a wrong position, possibly even beyond its buffer length if the read string is long enough. In between the actual string's end and this wrong termination, there could be garbage if the allocated memory is not initialized to 0. This is why AllocateZeroPool() has fixed the symptoms ― but didn't fix the potential out-of-bounds indexing by buffer[buffsize] = L'\0'. I'll send a V2 with buffer[buffsize/2] = L'\0' or do you prefer the AllocateZeroPool() option? Kind regards, Christian -- Dr. Christian Storm Siemens AG, Technology, T RDA IOT SES-DE Otto-Hahn-Ring 6, 81739 München, Germany -- You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/efibootguard-dev/20210816153247.kfvmcnn3lbgxi4ed%40MD1ZFJVC.ad001.siemens.net.
