Reviewed-by: Jian J Wang <jian.j.w...@intel.com>
Regards, Jian
> -----Original Message-----
> From: Bi, Dandan <dandan...@intel.com>
> Sent: Thursday, February 13, 2020 12:03 PM
> To: devel@edk2.groups.io
> Cc: Gao, Liming <liming....@intel.com>; Dong, Eric <eric.d...@intel.com>;
> Wang, Jian J <jian.j.w...@intel.com>
> Subject: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-
> 2019-14558)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
>
> Cc: Liming Gao <liming....@intel.com>
> Cc: Eric Dong <eric.d...@intel.com>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Signed-off-by: Dandan Bi <dandan...@intel.com>
> ---
> MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> index 505e063d49..10a1e691a3 100644
> --- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
> @@ -1004,10 +1004,11 @@ SetStringWorker (
> BlockPtr,
> StringTextPtr + AsciiStrSize ((CHAR8 *)StringTextPtr),
> TmpSize
> );
>
> + ZeroMem (StringPackage->StringBlock, OldBlockSize);
> FreePool (StringPackage->StringBlock);
> StringPackage->StringBlock = Block;
> StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize -
> OldBlockSize);
> break;
>
> @@ -1037,10 +1038,11 @@ SetStringWorker (
> BlockPtr,
> StringTextPtr + StringSize,
> OldBlockSize - (StringTextPtr - StringPackage->StringBlock) -
> StringSize
> );
>
> + ZeroMem (StringPackage->StringBlock, OldBlockSize);
> FreePool (StringPackage->StringBlock);
> StringPackage->StringBlock = Block;
> StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize -
> OldBlockSize);
> break;
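Review bot: The added `ZeroMem (StringPackage->StringBlock, OldBlockSize);` in this SetStringWorker hunk has no comment explaining why the block is cleared, so a later cleanup could remove it as a redundant store ahead of `FreePool`. The same applies to the other six hunks (@@ -1037 and @@ -1088 in SetStringWorker, and the four in HiiNewString). I would add above each call something like `// Clear the old string block before freeing it so its contents do not linger in freed pool memory (CVE-2019-14558).` The commit message carries only the Bugzilla reference, so one sentence there on what data the wipe protects would help anyone auditing the fix later. SetStringWorker's body begins and ends outside the hunk.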
>
> @@ -1088,10 +1090,11 @@ SetStringWorker (
> );
> BlockPtr += StrSize (GlobalFont->FontInfo->FontName);
>
> CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);
>
> + ZeroMem (StringPackage->StringBlock, OldBlockSize);
> FreePool (StringPackage->StringBlock);
> StringPackage->StringBlock = Block;
> StringPackage->StringPkgHdr->Header.Length += Ext2.Length;
>
> return EFI_SUCCESS;
> @@ -1273,10 +1276,11 @@ HiiNewString (
>
> //
> // Append a EFI_HII_SIBT_END block to the end.
> //
> *BlockPtr = EFI_HII_SIBT_END;
> + ZeroMem (StringPackage->StringBlock, OldBlockSize);
> FreePool (StringPackage->StringBlock);
> StringPackage->StringBlock = StringBlock;
> StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
> PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize;
> }
> @@ -1404,10 +1408,11 @@ HiiNewString (
>
> //
> // Append a EFI_HII_SIBT_END block to the end.
> //
> *BlockPtr = EFI_HII_SIBT_END;
> + ZeroMem (StringPackage->StringBlock, OldBlockSize);
> FreePool (StringPackage->StringBlock);
> StringPackage->StringBlock = StringBlock;
> StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
> PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize;
>
> @@ -1446,10 +1451,11 @@ HiiNewString (
>
> //
> // Append a EFI_HII_SIBT_END block to the end.
> //
> *BlockPtr = EFI_HII_SIBT_END;
> + ZeroMem (StringPackage->StringBlock, OldBlockSize);
> FreePool (StringPackage->StringBlock);
> StringPackage->StringBlock = StringBlock;
> StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize;
> PackageListNode->PackageListHdr.PackageLength += Ucs2FontBlockSize;
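Review bot: The wipe length in the HiiNewString hunk at @@ -1273 (and the three HiiNewString hunks after it) is `OldBlockSize`, which is computed outside every hunk shown, so nothing visible here confirms that it equals the size of the buffer at `StringPackage->StringBlock`. If it were ever larger, the new `ZeroMem` would write past the allocation; if smaller, part of the old block would survive the free. Because the same two-line sequence now appears at seven sites, I would move it into one file-local helper so the length contract is documented once and a future free site cannot omit the wipe. The helper name below is a suggestion, not an existing function, and HiiNewString's body begins and ends outside the hunk.

```c
/**
  Clear a string block and return it to the pool.

  @param  Block      Buffer to clear and free.
  @param  BlockSize  Number of bytes to clear; must not exceed the size
                     of the allocation behind Block.
**/
STATIC
VOID
ZeroAndFreeStringBlock (
  IN VOID   *Block,
  IN UINTN  BlockSize
  )
{
  ZeroMem (Block, BlockSize);
  FreePool (Block);
}

// ... unchanged: *BlockPtr = EFI_HII_SIBT_END; ...
ZeroAndFreeStringBlock (StringPackage->StringBlock, OldBlockSize);
StringPackage->StringBlock = StringBlock;
```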
>
> @@ -1507,10 +1513,11 @@ HiiNewString (
>
> //
> // Append a EFI_HII_SIBT_END block to the end.
> //
> *BlockPtr = EFI_HII_SIBT_END;
> + ZeroMem (StringPackage->StringBlock, OldBlockSize);
> FreePool (StringPackage->StringBlock);
> StringPackage->StringBlock = StringBlock;
> StringPackage->StringPkgHdr->Header.Length += FontBlockSize +
> Ucs2FontBlockSize;
> PackageListNode->PackageListHdr.PackageLength += FontBlockSize +
> Ucs2FontBlockSize;
>
> --
> 2.18.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54336): https://edk2.groups.io/g/devel/message/54336 Mute This Topic: https://groups.io/mt/71232488/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-