ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
The issue was found when heap guard is turned on.
PrintLib somehow receives a non-null terminated string in var-arg.
When the PrintLib implementation reads the string it keeps
reading because no null-terminator is met, which triggers the page
fault set by the heap guard.
The issue is caused by a bug in FileBufferPrintLine().
When "edit" opens a binary file, in FileBufferPrintLine(),
the Line->Buffer may start with \x00 \x00, but the Line->Size is
larger than MainEditor.ScreenSize.Column, it causes the PrintLine is
set to an empty string by below call:
StrnCpyS (
PrintLine, BufLen/sizeof(CHAR16), Buffer,
MIN(Limit, MainEditor.ScreenSize.Column)
);
But since Limit (equals to Line->Size) is larger than
MainEditor.ScreenSize.Column, below for-loop doesn't successfully
set the whole PrintLine to all-empty-space.
for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
PrintLine[Limit] = L' ';
}
So after the for-loop, PrintLine is still an empty string.
Later in below call, the PrintLine2 is created based on PrintLine.
ShellCopySearchAndReplace (
PrintLine, PrintLine2,
BufLen * 2, L"%", L"^%", FALSE, FALSE
);
But due to the implementation of ShellCopySearchAndReplace(),
PrintLine2 is untouched and INVALID_PARAMETER is returned.
Finally an uninitialized string is passed to ShellPrintEx()
which causes the #PF exception.
The fix is to reset Limit to StrLen(PrintLine) before for-loop.
So that PrintLine can be converted from an empty string to a
string containing all spaces.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jaben Carsey <jaben.carsey@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
---
ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
index 56ccd399b0..39a5afb53f 100644
--- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
+++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c
@@ -500,7 +500,7 @@ FileBufferPrintLine (
PrintLine = AllocatePool (BufLen);
if (PrintLine != NULL) {
StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit, MainEditor.ScreenSize.Column));
- for (; Limit < MainEditor.ScreenSize.Column; Limit++) {
+ for (Limit = StrLen (PrintLine); Limit < MainEditor.ScreenSize.Column; Limit++) {
PrintLine[Limit] = L' ';
}
--
2.16.1.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Reviewed-by: Jian J Wang <jian.j.wang@intel.com> > -----Original Message----- > From: Ni, Ruiyu > Sent: Thursday, August 16, 2018 2:33 PM > To: edk2-devel@lists.01.org > Cc: Carsey, Jaben <jaben.carsey@intel.com>; Wang, Jian J > <jian.j.wang@intel.com> > Subject: [PATCH] ShellPkg/edit: Fix heap access out-of-bounds > > The issue was found when heap guard is turned on. > PrintLib somehow receives a non-null terminated string in var-arg. > When the PrintLib implementation reads the string it keeps > reading because no null-terminator is met, which triggers the page > fault set by the heap guard. > > The issue is caused by a bug in FileBufferPrintLine(). > When "edit" opens a binary file, in FileBufferPrintLine(), > the Line->Buffer may start with \x00 \x00, but the Line->Size is > larger than MainEditor.ScreenSize.Column, it causes the PrintLine is > set to an empty string by below call: > StrnCpyS ( > PrintLine, BufLen/sizeof(CHAR16), Buffer, > MIN(Limit, MainEditor.ScreenSize.Column) > ); > But since Limit (equals to Line->Size) is larger than > MainEditor.ScreenSize.Column, below for-loop doesn't successfully > set the whole PrintLine to all-empty-space. > for (; Limit < MainEditor.ScreenSize.Column; Limit++) { > PrintLine[Limit] = L' '; > } > So after the for-loop, PrintLine is still an empty string. > Later in below call, the PrintLine2 is created based on PrintLine. > ShellCopySearchAndReplace ( > PrintLine, PrintLine2, > BufLen * 2, L"%", L"^%", FALSE, FALSE > ); > But due to the implementation of ShellCopySearchAndReplace(), > PrintLine2 is untouched and INVALID_PARAMETER is returned. > Finally an uninitialized string is passed to ShellPrintEx() > which causes the #PF exception. > > The fix is to reset Limit to StrLen(PrintLine) before for-loop. > So that PrintLine can be converted from an empty string to a > string containing all spaces. > > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> > Cc: Jaben Carsey <jaben.carsey@intel.com> > Cc: Jian Wang <jian.j.wang@intel.com> > --- > ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > index 56ccd399b0..39a5afb53f 100644 > --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > @@ -500,7 +500,7 @@ FileBufferPrintLine ( > PrintLine = AllocatePool (BufLen); > if (PrintLine != NULL) { > StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit, > MainEditor.ScreenSize.Column)); > - for (; Limit < MainEditor.ScreenSize.Column; Limit++) { > + for (Limit = StrLen (PrintLine); Limit < MainEditor.ScreenSize.Column; Limit++) > { > PrintLine[Limit] = L' '; > } > > -- > 2.16.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com> > -----Original Message----- > From: Ni, Ruiyu > Sent: Wednesday, August 15, 2018 11:33 PM > To: edk2-devel@lists.01.org > Cc: Carsey, Jaben <jaben.carsey@intel.com>; Wang, Jian J > <jian.j.wang@intel.com> > Subject: [PATCH] ShellPkg/edit: Fix heap access out-of-bounds > Importance: High > > The issue was found when heap guard is turned on. > PrintLib somehow receives a non-null terminated string in var-arg. > When the PrintLib implementation reads the string it keeps > reading because no null-terminator is met, which triggers the page > fault set by the heap guard. > > The issue is caused by a bug in FileBufferPrintLine(). > When "edit" opens a binary file, in FileBufferPrintLine(), > the Line->Buffer may start with \x00 \x00, but the Line->Size is > larger than MainEditor.ScreenSize.Column, it causes the PrintLine is > set to an empty string by below call: > StrnCpyS ( > PrintLine, BufLen/sizeof(CHAR16), Buffer, > MIN(Limit, MainEditor.ScreenSize.Column) > ); > But since Limit (equals to Line->Size) is larger than > MainEditor.ScreenSize.Column, below for-loop doesn't successfully > set the whole PrintLine to all-empty-space. > for (; Limit < MainEditor.ScreenSize.Column; Limit++) { > PrintLine[Limit] = L' '; > } > So after the for-loop, PrintLine is still an empty string. > Later in below call, the PrintLine2 is created based on PrintLine. > ShellCopySearchAndReplace ( > PrintLine, PrintLine2, > BufLen * 2, L"%", L"^%", FALSE, FALSE > ); > But due to the implementation of ShellCopySearchAndReplace(), > PrintLine2 is untouched and INVALID_PARAMETER is returned. > Finally an uninitialized string is passed to ShellPrintEx() > which causes the #PF exception. > > The fix is to reset Limit to StrLen(PrintLine) before for-loop. > So that PrintLine can be converted from an empty string to a > string containing all spaces. > > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> > Cc: Jaben Carsey <jaben.carsey@intel.com> > Cc: Jian Wang <jian.j.wang@intel.com> > --- > ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > index 56ccd399b0..39a5afb53f 100644 > --- a/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > +++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/Edit/FileBuffer.c > @@ -500,7 +500,7 @@ FileBufferPrintLine ( > PrintLine = AllocatePool (BufLen); > if (PrintLine != NULL) { > StrnCpyS (PrintLine, BufLen/sizeof(CHAR16), Buffer, MIN(Limit, > MainEditor.ScreenSize.Column)); > - for (; Limit < MainEditor.ScreenSize.Column; Limit++) { > + for (Limit = StrLen (PrintLine); Limit < MainEditor.ScreenSize.Column; > Limit++) { > PrintLine[Limit] = L' '; > } > > -- > 2.16.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
© 2016 - 2024 Red Hat, Inc.