Reviewed-by: Liming Gao <gaolim...@byosoft.com.cn>
> -----邮件原件-----
> 发件人: Pedro Falcato <pedro.falc...@gmail.com>
> 发送时间: 2022年11月3日 9:12
> 收件人: devel@edk2.groups.io
> 抄送: Pedro Falcato <pedro.falc...@gmail.com>; Vitaly Cheptsov
> <vit9...@protonmail.com>; Marvin Häuser <mhaeu...@posteo.de>;
> Michael D Kinney <michael.d.kin...@intel.com>; Liming Gao
> <gaolim...@byosoft.com.cn>; Zhiguang Liu <zhiguang....@intel.com>; Jiewen
> Yao <jiewen....@intel.com>
> 主题: [PATCH v3 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
>
> There was a OOB access in *StrHexTo* functions, when passed strings like
> "XDEADBEEF".
>
> OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe,
> which was able to catch these (mostly harmless) issues.
>
> Cc: Vitaly Cheptsov <vit9...@protonmail.com>
> Cc: Marvin Häuser <mhaeu...@posteo.de>
> Cc: Michael D Kinney <michael.d.kin...@intel.com>
> Cc: Liming Gao <gaolim...@byosoft.com.cn>
> Cc: Zhiguang Liu <zhiguang....@intel.com>
> Signed-off-by: Pedro Falcato <pedro.falc...@gmail.com>
> Acked-by: Michael D Kinney <michael.d.kin...@intel.com>
> Reviewed-by: Jiewen Yao <jiewen....@intel.com>
> ---
> MdePkg/Library/BaseLib/SafeString.c | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/MdePkg/Library/BaseLib/SafeString.c
> b/MdePkg/Library/BaseLib/SafeString.c
> index f338a32a3a41..b75b33381732 100644
> --- a/MdePkg/Library/BaseLib/SafeString.c
> +++ b/MdePkg/Library/BaseLib/SafeString.c
> @@ -863,6 +863,9 @@ StrHexToUintnS (
> OUT UINTN *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> ASSERT (((UINTN)String & BIT0) == 0);
>
> //
> @@ -892,12 +895,14 @@ StrHexToUintnS (
> //
> // Ignore leading Zeros after the spaces
> //
> +
> + FoundLeadingZero = *String == L'0';
> while (*String == L'0') {
> String++;
> }
>
> if (CharToUpper (*String) == L'X') {
> - if (*(String - 1) != L'0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> @@ -992,6 +997,9 @@ StrHexToUint64S (
> OUT UINT64 *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> ASSERT (((UINTN)String & BIT0) == 0);
>
> //
> @@ -1021,12 +1029,13 @@ StrHexToUint64S (
> //
> // Ignore leading Zeros after the spaces
> //
> + FoundLeadingZero = *String == L'0';
> while (*String == L'0') {
> String++;
> }
>
> if (CharToUpper (*String) == L'X') {
> - if (*(String - 1) != L'0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> @@ -2393,6 +2402,9 @@ AsciiStrHexToUintnS (
> OUT UINTN *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> //
> // 1. Neither String nor Data shall be a null pointer.
> //
> @@ -2420,12 +2432,13 @@ AsciiStrHexToUintnS (
> //
> // Ignore leading Zeros after the spaces
> //
> + FoundLeadingZero = *String == '0';
> while (*String == '0') {
> String++;
> }
>
> if (AsciiCharToUpper (*String) == 'X') {
> - if (*(String - 1) != '0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> @@ -2517,6 +2530,9 @@ AsciiStrHexToUint64S (
> OUT UINT64 *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> //
> // 1. Neither String nor Data shall be a null pointer.
> //
> @@ -2544,12 +2560,13 @@ AsciiStrHexToUint64S (
> //
> // Ignore leading Zeros after the spaces
> //
> + FoundLeadingZero = *String == '0';
> while (*String == '0') {
> String++;
> }
>
> if (AsciiCharToUpper (*String) == 'X') {
> - if (*(String - 1) != '0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> --
> 2.38.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#95935): https://edk2.groups.io/g/devel/message/95935
Mute This Topic: https://groups.io/mt/94797620/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
