[edk2] [PATCH] ShellPkg/edit: Fix heap access out-of-bounds

Ruiyu Ni posted 1 patch 6 years, 2 months ago
Failed in applying to current master (apply log)
ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[edk2] [PATCH] ShellPkg/edit: Fix heap access out-of-bounds
Posted by Ruiyu Ni 6 years, 2 months ago
The issue was found when heap guard is turned on.
PrintLib somehow receives a non-null terminated string in var-arg.
When the PrintLib implementation reads the string it keeps
reading because no null-terminator is met, which triggers the page
fault set by the heap guard.

The issue is caused by a bug in FileBufferPrintLine().
When "edit" opens a binary file, in FileBufferPrintLine(),
the Line->Buffer may start with \x00 \x00, but the Line->Size is
larger than MainEditor.ScreenSize.Column, it causes the PrintLine is
set to an empty string by below call:
    StrnCpyS (
      PrintLine, BufLen/sizeof(CHAR16), Buffer,
      MIN(Limit, MainEditor.ScreenSize.Column)
      );
But since Limit (equals to Line->Size) is larger than
MainEditor.ScreenSize.Column, below for-loop doesn't successfully
set the whole PrintLine to all-empty-space.
    for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
      PrintLine[Limit] = L' ';
    }
So after the for-loop, PrintLine is still an empty string.
Later in below call, the PrintLine2 is created based on PrintLine.
    ShellCopySearchAndReplace (
      PrintLine, PrintLine2,
      BufLen * 2, L"%", L"^%", FALSE, FALSE
      );
But due to the implementation of ShellCopySearchAndReplace(),
PrintLine2 is untouched and INVALID_PARAMETER is returned.
Finally an uninitialized string is passed to ShellPrintEx()
which causes the #PF exception.

The fix is to reset Limit to StrLen(PrintLine) before for-loop.
So that PrintLine can be converted from an empty string to a
string containing all spaces.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
---
 ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
index 56ccd399b0..39a5afb53f 100644
--- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
+++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
@@ -500,7 +500,7 @@ FileBufferPrintLine (
   PrintLine = AllocatePool (BufLen);
   if (PrintLine != NULL) {
     StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit, MainEditor.ScreenSize.Column));
-    for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
+    for (Limit = StrLen (PrintLine); Limit < MainEditor.ScreenSize.Column; Limit++) {
       PrintLine[Limit] = L' ';
     }
 
-- 
2.16.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH] ShellPkg/edit: Fix heap access out-of-bounds
Posted by Wang, Jian J 6 years, 2 months ago
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

> -----Original Message-----
> From: Ni, Ruiyu
> Sent: Thursday, August 16, 2018 2:33 PM
> To: edk2-devel@lists.01.org
> Cc: Carsey, Jaben <jaben.carsey@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> Subject: [PATCH] ShellPkg/edit: Fix heap access out-of-bounds
> 
> The issue was found when heap guard is turned on.
> PrintLib somehow receives a non-null terminated string in var-arg.
> When the PrintLib implementation reads the string it keeps
> reading because no null-terminator is met, which triggers the page
> fault set by the heap guard.
> 
> The issue is caused by a bug in FileBufferPrintLine().
> When "edit" opens a binary file, in FileBufferPrintLine(),
> the Line->Buffer may start with \x00 \x00, but the Line->Size is
> larger than MainEditor.ScreenSize.Column, it causes the PrintLine is
> set to an empty string by below call:
>     StrnCpyS (
>       PrintLine, BufLen/sizeof(CHAR16), Buffer,
>       MIN(Limit, MainEditor.ScreenSize.Column)
>       );
> But since Limit (equals to Line->Size) is larger than
> MainEditor.ScreenSize.Column, below for-loop doesn't successfully
> set the whole PrintLine to all-empty-space.
>     for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
>       PrintLine[Limit] = L' ';
>     }
> So after the for-loop, PrintLine is still an empty string.
> Later in below call, the PrintLine2 is created based on PrintLine.
>     ShellCopySearchAndReplace (
>       PrintLine, PrintLine2,
>       BufLen * 2, L"%", L"^%", FALSE, FALSE
>       );
> But due to the implementation of ShellCopySearchAndReplace(),
> PrintLine2 is untouched and INVALID_PARAMETER is returned.
> Finally an uninitialized string is passed to ShellPrintEx()
> which causes the #PF exception.
> 
> The fix is to reset Limit to StrLen(PrintLine) before for-loop.
> So that PrintLine can be converted from an empty string to a
> string containing all spaces.
> 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Jaben Carsey <jaben.carsey@intel.com>
> Cc: Jian Wang <jian.j.wang@intel.com>
> ---
>  ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> index 56ccd399b0..39a5afb53f 100644
> --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> @@ -500,7 +500,7 @@ FileBufferPrintLine (
>    PrintLine = AllocatePool (BufLen);
>    if (PrintLine != NULL) {
>      StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit,
> MainEditor.ScreenSize.Column));
> -    for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
> +    for (Limit = StrLen (PrintLine); Limit < MainEditor.ScreenSize.Column; Limit++)
> {
>        PrintLine[Limit] = L' ';
>      }
> 
> --
> 2.16.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH] ShellPkg/edit: Fix heap access out-of-bounds
Posted by Carsey, Jaben 6 years, 2 months ago
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>

> -----Original Message-----
> From: Ni, Ruiyu
> Sent: Wednesday, August 15, 2018 11:33 PM
> To: edk2-devel@lists.01.org
> Cc: Carsey, Jaben <jaben.carsey@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> Subject: [PATCH] ShellPkg/edit: Fix heap access out-of-bounds
> Importance: High
> 
> The issue was found when heap guard is turned on.
> PrintLib somehow receives a non-null terminated string in var-arg.
> When the PrintLib implementation reads the string it keeps
> reading because no null-terminator is met, which triggers the page
> fault set by the heap guard.
> 
> The issue is caused by a bug in FileBufferPrintLine().
> When "edit" opens a binary file, in FileBufferPrintLine(),
> the Line->Buffer may start with \x00 \x00, but the Line->Size is
> larger than MainEditor.ScreenSize.Column, it causes the PrintLine is
> set to an empty string by below call:
>     StrnCpyS (
>       PrintLine, BufLen/sizeof(CHAR16), Buffer,
>       MIN(Limit, MainEditor.ScreenSize.Column)
>       );
> But since Limit (equals to Line->Size) is larger than
> MainEditor.ScreenSize.Column, below for-loop doesn't successfully
> set the whole PrintLine to all-empty-space.
>     for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
>       PrintLine[Limit] = L' ';
>     }
> So after the for-loop, PrintLine is still an empty string.
> Later in below call, the PrintLine2 is created based on PrintLine.
>     ShellCopySearchAndReplace (
>       PrintLine, PrintLine2,
>       BufLen * 2, L"%", L"^%", FALSE, FALSE
>       );
> But due to the implementation of ShellCopySearchAndReplace(),
> PrintLine2 is untouched and INVALID_PARAMETER is returned.
> Finally an uninitialized string is passed to ShellPrintEx()
> which causes the #PF exception.
> 
> The fix is to reset Limit to StrLen(PrintLine) before for-loop.
> So that PrintLine can be converted from an empty string to a
> string containing all spaces.
> 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Jaben Carsey <jaben.carsey@intel.com>
> Cc: Jian Wang <jian.j.wang@intel.com>
> ---
>  ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> index 56ccd399b0..39a5afb53f 100644
> --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
> @@ -500,7 +500,7 @@ FileBufferPrintLine (
>    PrintLine = AllocatePool (BufLen);
>    if (PrintLine != NULL) {
>      StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit,
> MainEditor.ScreenSize.Column));
> -    for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
> +    for (Limit = StrLen (PrintLine); Limit < MainEditor.ScreenSize.Column;
> Limit++) {
>        PrintLine[Limit] = L' ';
>      }
> 
> --
> 2.16.1.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel