From nobody Wed Dec 25 13:10:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1509685091552384.57205232660544; Thu, 2 Nov 2017 21:58:11 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id DEAD7202E5E7E; Thu, 2 Nov 2017 21:54:11 -0700 (PDT) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 60533202E5E75 for ; Thu, 2 Nov 2017 21:54:10 -0700 (PDT) Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Nov 2017 21:58:05 -0700 Received: from jwang36-mobl2.ccr.corp.intel.com ([10.239.192.100]) by fmsmga006.fm.intel.com with ESMTP; 02 Nov 2017 21:58:04 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.93; helo=mga11.intel.com; envelope-from=jian.j.wang@intel.com; receiver=edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.44,336,1505804400"; d="scan'208";a="171412435" From: Jian J Wang To: edk2-devel@lists.01.org Date: Fri, 3 Nov 2017 12:57:58 +0800 Message-Id: <20171103045759.26508-3-jian.j.wang@intel.com> X-Mailer: git-send-email 2.14.1.windows.1 In-Reply-To: <20171103045759.26508-1-jian.j.wang@intel.com> References: <20171103045759.26508-1-jian.j.wang@intel.com> Subject: [edk2] [PATCH 2/3] ShellPkg: Fix misuses of AllocateCopyPool X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jaben Carsey , Ruiyu Ni , Bi Dandan MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes = of memory from old "Buffer" to new allocated one. If "AllocationSize" is bigger than size of "Buffer", heap memory overflow occurs during copy. The solution is to allocate pool first then copy the necessary bytes to new memory. This can avoid copying extra bytes from unknown memory range. Cc: Jaben Carsey Cc: Ruiyu Ni Cc: Bi Dandan Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang --- ShellPkg/Application/Shell/Shell.c | 4 +++- ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c | 6 +++= +-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shel= l/Shell.c index 5471930ba1..24a04ca323 100644 --- a/ShellPkg/Application/Shell/Shell.c +++ b/ShellPkg/Application/Shell/Shell.c @@ -1646,7 +1646,9 @@ ShellConvertVariables ( // // now do the replacements... // - NewCommandLine1 =3D AllocateCopyPool(NewSize, OriginalCommandLine); + NewCommandLine1 =3D AllocatePool(NewSize); + ASSERT (NewCommandLine1 !=3D NULL); + CopyMem (NewCommandLine1, OriginalCommandLine, StrSize (OriginalCommandL= ine)); NewCommandLine2 =3D AllocateZeroPool(NewSize); ItemTemp =3D AllocateZeroPool(ItemSize+(2*sizeof(CHAR16))); if (NewCommandLine1 =3D=3D NULL || NewCommandLine2 =3D=3D NULL || ItemTe= mp =3D=3D NULL) { diff --git a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandL= ib.c b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c index 1122c89b8b..5de62219b3 100644 --- a/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c +++ b/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c @@ -143,10 +143,11 @@ UpdateOptionalData( OriginalOptionDataSize +=3D (*(UINT16*)(OriginalData + sizeof(UINT32))= ); OriginalOptionDataSize -=3D OriginalSize; NewSize =3D OriginalSize - OriginalOptionDataSize + DataSize; - NewData =3D AllocateCopyPool(NewSize, OriginalData); + NewData =3D AllocatePool(NewSize); if (NewData =3D=3D NULL) { Status =3D EFI_OUT_OF_RESOURCES; } else { + CopyMem (NewData, OriginalData, OriginalSize - OriginalOptionDataSiz= e); CopyMem(NewData + OriginalSize - OriginalOptionDataSize, Data, DataS= ize); } } @@ -1120,11 +1121,12 @@ BcfgAddOpt( // Now we know how many EFI_INPUT_KEY structs we need to attach to= the end of the EFI_KEY_OPTION struct. =20 // Re-allocate with the added information. // - KeyOptionBuffer =3D AllocateCopyPool(sizeof(EFI_KEY_OPTION) + (siz= eof(EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount), &NewKeyOp= tion); + KeyOptionBuffer =3D AllocatePool (sizeof(EFI_KEY_OPTION) + (sizeof= (EFI_INPUT_KEY) * NewKeyOption.KeyData.Options.InputKeyCount)); if (KeyOptionBuffer =3D=3D NULL) { ShellPrintHiiEx(-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_MEM), gSh= ellBcfgHiiHandle, L"bcfg"); =20 ShellStatus =3D SHELL_OUT_OF_RESOURCES; } + CopyMem (KeyOptionBuffer, &NewKeyOption, sizeof(EFI_KEY_OPTION)); } for (LoopCounter =3D 0 ; ShellStatus =3D=3D SHELL_SUCCESS && LoopCou= nter < NewKeyOption.KeyData.Options.InputKeyCount; LoopCounter++) { // --=20 2.14.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel