[edk2] [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper

Long Qin posted 2 patches 7 years, 1 month ago
There is a newer version of this series
[edk2] [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
Posted by Long Qin 7 years, 1 month ago
There is one long-standing problem in CRT realloc wrapper, which will
cause the obvious buffer overflow issue when re-allocating one bigger
memory block:
    void *realloc (void *ptr, size_t size)
    {
      //
      // BUG: hardcode OldSize == size! We have no any knowledge about
      // memory size of original pointer ptr.
      //
      return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
    }
This patch introduces one extra header to record the memory buffer size
information when allocating memory block from malloc routine, and re-wrap
the realloc() and free() routines to remove this BUG.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
 .../BaseCryptLib/SysCall/BaseMemAllocation.c       | 72 +++++++++++++++++++---
 1 file changed, 65 insertions(+), 7 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
index f390e0d449..ed37a0ff39 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
@@ -16,6 +16,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <CrtLibSupport.h>
 #include <Library/MemoryAllocationLib.h>
 
+//
+// Extra header to record the memory buffer size from malloc routine.
+//
+#define CRYPTMEM_HEAD_SIGNATURE    SIGNATURE_32('c','m','h','d')
+typedef struct {
+  UINT32    Signature;
+  UINT32    Reserved;
+  UINTN     Size;
+} CRYPTMEM_HEAD;
+
+#define CRYPTMEM_OVERHEAD      sizeof(CRYPTMEM_HEAD)
+
 //
 // -- Memory-Allocation Routines --
 //
@@ -23,27 +35,73 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 /* Allocates memory blocks */
 void *malloc (size_t size)
 {
-  return AllocatePool ((UINTN) size);
+  CRYPTMEM_HEAD  *PoolHdr;
+  UINTN          NewSize;
+  VOID           *Data;
+
+  //
+  // Adjust the size by the buffer header overhead
+  //
+  NewSize = (UINTN)(size) + CRYPTMEM_OVERHEAD;
+
+  Data  = AllocatePool (NewSize);
+  if (Data != NULL) {
+    PoolHdr = (CRYPTMEM_HEAD *)Data;
+    //
+    // Record the memory brief information
+    //
+    PoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
+    PoolHdr->Size      = size;
+  }
+  return (VOID *)(PoolHdr + 1);
 }
 
 /* Reallocate memory blocks */
 void *realloc (void *ptr, size_t size)
 {
-  //
-  // BUG: hardcode OldSize == size! We have no any knowledge about
-  // memory size of original pointer ptr.
-  //
-  return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
+  CRYPTMEM_HEAD  *OldPoolHdr;
+  CRYPTMEM_HEAD  *NewPoolHdr;
+  UINTN          OldSize;
+  UINTN          NewSize;
+  VOID           *Data;
+
+  NewSize = (UINTN)size + CRYPTMEM_OVERHEAD;
+  Data = AllocatePool (NewSize);
+  if (Data != NULL) {
+    NewPoolHdr = (CRYPTMEM_HEAD *)Data;
+    NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
+    NewPoolHdr->Size      = size;
+    if (ptr != NULL) {
+      //
+      // Retrieve the original size from the buffer header.
+      //
+      OldPoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
+      ASSERT (OldPoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
+      OldSize = OldPoolHdr->Size;
+
+      //
+      // Duplicate the buffer content.
+      //
+      CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size));
+      FreePool ((VOID *)OldPoolHdr);
+    }
+  }
+
+  return (VOID *)(NewPoolHdr + 1);
 }
 
 /* De-allocates or frees a memory block */
 void free (void *ptr)
 {
+  CRYPTMEM_HEAD  *PoolHdr;
+
   //
   // In Standard C, free() handles a null pointer argument transparently. This
   // is not true of FreePool() below, so protect it.
   //
   if (ptr != NULL) {
-    FreePool (ptr);
+    PoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
+    ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
+    FreePool (PoolHdr);
   }
 }
-- 
2.14.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
Posted by Wang, Jian J 7 years, 1 month ago
Hi Qin,

Thanks for fixing this issue. Please find my comments below.

Besides that, the patch has been passed the boot validation.

Validated-by: Jian J Wang <jian.j.wang@intel.com>

Thanks,
Jian

> -----Original Message-----
> From: Long, Qin
> Sent: Tuesday, October 31, 2017 4:39 PM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; lersek@redhat.com; Wang, Jian J
> <jian.j.wang@intel.com>; Long, Qin <qin.long@intel.com>
> Subject: [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in
> realloc wrapper
> 
> There is one long-standing problem in CRT realloc wrapper, which will
> cause the obvious buffer overflow issue when re-allocating one bigger
> memory block:
>     void *realloc (void *ptr, size_t size)
>     {
>       //
>       // BUG: hardcode OldSize == size! We have no any knowledge about
>       // memory size of original pointer ptr.
>       //
>       return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
>     }
> This patch introduces one extra header to record the memory buffer size
> information when allocating memory block from malloc routine, and re-wrap
> the realloc() and free() routines to remove this BUG.
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
>  .../BaseCryptLib/SysCall/BaseMemAllocation.c       | 72 +++++++++++++++++++-
> --
>  1 file changed, 65 insertions(+), 7 deletions(-)
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> index f390e0d449..ed37a0ff39 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> @@ -16,6 +16,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
>  #include <CrtLibSupport.h>
>  #include <Library/MemoryAllocationLib.h>
> 
> +//
> +// Extra header to record the memory buffer size from malloc routine.
> +//
> +#define CRYPTMEM_HEAD_SIGNATURE    SIGNATURE_32('c','m','h','d')
> +typedef struct {
> +  UINT32    Signature;
> +  UINT32    Reserved;
> +  UINTN     Size;
> +} CRYPTMEM_HEAD;
> +
> +#define CRYPTMEM_OVERHEAD      sizeof(CRYPTMEM_HEAD)

Any consideration of the "Reserved" field, Padding? Alignment? Future extendibility?

> +
>  //
>  // -- Memory-Allocation Routines --
>  //
> @@ -23,27 +35,73 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
>  /* Allocates memory blocks */
>  void *malloc (size_t size)
>  {
> -  return AllocatePool ((UINTN) size);
> +  CRYPTMEM_HEAD  *PoolHdr;
> +  UINTN          NewSize;
> +  VOID           *Data;
> +
> +  //
> +  // Adjust the size by the buffer header overhead
> +  //
> +  NewSize = (UINTN)(size) + CRYPTMEM_OVERHEAD;
> +
> +  Data  = AllocatePool (NewSize);
> +  if (Data != NULL) {
> +    PoolHdr = (CRYPTMEM_HEAD *)Data;
> +    //
> +    // Record the memory brief information
> +    //
> +    PoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
> +    PoolHdr->Size      = size;
> +  }
> +  return (VOID *)(PoolHdr + 1);
>  }
> 

Although it's very rare, the logic of code above doesn't consider case of Data == NULL.
And above code might not pass GCC build because there's a chance that PoolHdr is not
initialized.

>  /* Reallocate memory blocks */
>  void *realloc (void *ptr, size_t size)
>  {
> -  //
> -  // BUG: hardcode OldSize == size! We have no any knowledge about
> -  // memory size of original pointer ptr.
> -  //
> -  return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
> +  CRYPTMEM_HEAD  *OldPoolHdr;
> +  CRYPTMEM_HEAD  *NewPoolHdr;
> +  UINTN          OldSize;
> +  UINTN          NewSize;
> +  VOID           *Data;
> +
> +  NewSize = (UINTN)size + CRYPTMEM_OVERHEAD;
> +  Data = AllocatePool (NewSize);
> +  if (Data != NULL) {
> +    NewPoolHdr = (CRYPTMEM_HEAD *)Data;
> +    NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
> +    NewPoolHdr->Size      = size;
> +    if (ptr != NULL) {
> +      //
> +      // Retrieve the original size from the buffer header.
> +      //
> +      OldPoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
> +      ASSERT (OldPoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
> +      OldSize = OldPoolHdr->Size;
> +
> +      //
> +      // Duplicate the buffer content.
> +      //
> +      CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size));
> +      FreePool ((VOID *)OldPoolHdr);
> +    }
> +  }
> +
> +  return (VOID *)(NewPoolHdr + 1);
>  }
> 

1. The same as above, the code logic doesn't consider the case of Data == NULL.
2. ptr should be better checked against NULL before allocating new pool

>  /* De-allocates or frees a memory block */
>  void free (void *ptr)
>  {
> +  CRYPTMEM_HEAD  *PoolHdr;
> +
>    //
>    // In Standard C, free() handles a null pointer argument transparently. This
>    // is not true of FreePool() below, so protect it.
>    //
>    if (ptr != NULL) {
> -    FreePool (ptr);
> +    PoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
> +    ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
> +    FreePool (PoolHdr);
>    }
>  }
> --
> 2.14.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
Posted by Long, Qin 7 years, 1 month ago
Thanks, Jian. It's great to pass the validation. 
And exactly, the null data checking was missed. I will re-produce the V2 patch. 


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Wang, Jian J 
Sent: Wednesday, November 1, 2017 3:28 PM
To: Long, Qin <qin.long@intel.com>; edk2-devel@lists.01.org
Cc: Ye, Ting <ting.ye@intel.com>; lersek@redhat.com
Subject: RE: [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper

Hi Qin,

Thanks for fixing this issue. Please find my comments below.

Besides that, the patch has been passed the boot validation.

Validated-by: Jian J Wang <jian.j.wang@intel.com>

Thanks,
Jian

> -----Original Message-----
> From: Long, Qin
> Sent: Tuesday, October 31, 2017 4:39 PM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; lersek@redhat.com; Wang, Jian J 
> <jian.j.wang@intel.com>; Long, Qin <qin.long@intel.com>
> Subject: [PATCH 1/2] CryptoPkg/BaseCryptLib: Fix buffer overflow issue 
> in realloc wrapper
> 
> There is one long-standing problem in CRT realloc wrapper, which will 
> cause the obvious buffer overflow issue when re-allocating one bigger 
> memory block:
>     void *realloc (void *ptr, size_t size)
>     {
>       //
>       // BUG: hardcode OldSize == size! We have no any knowledge about
>       // memory size of original pointer ptr.
>       //
>       return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
>     }
> This patch introduces one extra header to record the memory buffer 
> size information when allocating memory block from malloc routine, and 
> re-wrap the realloc() and free() routines to remove this BUG.
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long <qin.long@intel.com>
> ---
>  .../BaseCryptLib/SysCall/BaseMemAllocation.c       | 72 +++++++++++++++++++-
> --
>  1 file changed, 65 insertions(+), 7 deletions(-)
> 
> diff --git 
> a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> index f390e0d449..ed37a0ff39 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c
> @@ -16,6 +16,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, 
> EITHER EXPRESS OR IMPLIED.
>  #include <CrtLibSupport.h>
>  #include <Library/MemoryAllocationLib.h>
> 
> +//
> +// Extra header to record the memory buffer size from malloc routine.
> +//
> +#define CRYPTMEM_HEAD_SIGNATURE    SIGNATURE_32('c','m','h','d')
> +typedef struct {
> +  UINT32    Signature;
> +  UINT32    Reserved;
> +  UINTN     Size;
> +} CRYPTMEM_HEAD;
> +
> +#define CRYPTMEM_OVERHEAD      sizeof(CRYPTMEM_HEAD)

Any consideration of the "Reserved" field, Padding? Alignment? Future extendibility?
[Long, Qin] There is no special consideration on this field. 
	Just keep this style as other POOL_HEAD usage, and may be for possible future extension. 

> +
>  //
>  // -- Memory-Allocation Routines --
>  //
> @@ -23,27 +35,73 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, 
> EITHER EXPRESS OR IMPLIED.
>  /* Allocates memory blocks */
>  void *malloc (size_t size)
>  {
> -  return AllocatePool ((UINTN) size);
> +  CRYPTMEM_HEAD  *PoolHdr;
> +  UINTN          NewSize;
> +  VOID           *Data;
> +
> +  //
> +  // Adjust the size by the buffer header overhead  //  NewSize = 
> + (UINTN)(size) + CRYPTMEM_OVERHEAD;
> +
> +  Data  = AllocatePool (NewSize);
> +  if (Data != NULL) {
> +    PoolHdr = (CRYPTMEM_HEAD *)Data;
> +    //
> +    // Record the memory brief information
> +    //
> +    PoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
> +    PoolHdr->Size      = size;
> +  }
> +  return (VOID *)(PoolHdr + 1);
>  }
> 

Although it's very rare, the logic of code above doesn't consider case of Data == NULL.
And above code might not pass GCC build because there's a chance that PoolHdr is not initialized.

 [Long, Qin] Agree.


>  /* Reallocate memory blocks */
>  void *realloc (void *ptr, size_t size)  {
> -  //
> -  // BUG: hardcode OldSize == size! We have no any knowledge about
> -  // memory size of original pointer ptr.
> -  //
> -  return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
> +  CRYPTMEM_HEAD  *OldPoolHdr;
> +  CRYPTMEM_HEAD  *NewPoolHdr;
> +  UINTN          OldSize;
> +  UINTN          NewSize;
> +  VOID           *Data;
> +
> +  NewSize = (UINTN)size + CRYPTMEM_OVERHEAD;  Data = AllocatePool 
> + (NewSize);  if (Data != NULL) {
> +    NewPoolHdr = (CRYPTMEM_HEAD *)Data;
> +    NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE;
> +    NewPoolHdr->Size      = size;
> +    if (ptr != NULL) {
> +      //
> +      // Retrieve the original size from the buffer header.
> +      //
> +      OldPoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
> +      ASSERT (OldPoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
> +      OldSize = OldPoolHdr->Size;
> +
> +      //
> +      // Duplicate the buffer content.
> +      //
> +      CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size));
> +      FreePool ((VOID *)OldPoolHdr);
> +    }
> +  }
> +
> +  return (VOID *)(NewPoolHdr + 1);
>  }
> 

1. The same as above, the code logic doesn't consider the case of Data == NULL.
2. ptr should be better checked against NULL before allocating new pool

 [Long, Qin] 1. Agree
	2. Looks it's not necessary. The logic is same as our ReallocatePool().

>  /* De-allocates or frees a memory block */  void free (void *ptr)  {
> +  CRYPTMEM_HEAD  *PoolHdr;
> +
>    //
>    // In Standard C, free() handles a null pointer argument transparently. This
>    // is not true of FreePool() below, so protect it.
>    //
>    if (ptr != NULL) {
> -    FreePool (ptr);
> +    PoolHdr = (CRYPTMEM_HEAD *)ptr - 1;
> +    ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE);
> +    FreePool (PoolHdr);
>    }
>  }
> --
> 2.14.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel