strcpy fails when strSource is closer than 4096 bytes after strDest.
This is caused by an overlap check in AsciiStrCpyS:

  //
  // 5. Copying shall not take place between objects that overlap.
  //
  SAFE_STRING_CONSTRAINT_CHECK (InternalSafeStringNoAsciiStrOverlap (Destination, DestMax, (CHAR8 *)Source, SourceLen + 1), RETURN_ACCESS_DENIED);

Since DestMax is MAX_STRING_SIZE (0x1000) and with a Source that is in this area behind Destination, AsciiStrCpyS will fail and strcpy will do nothing. When called by CRYPTO_strdup in openssl this leads to uninitialized memory that gets accessed instead of the copied string.

Signed-off-by: Sebastian Witt <sebastian.w...@siemens.com>
--- CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c index 37cdecc9bd..880ed140fd 100644 --- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c @@ -271,7 +271,7 @@ strcpy ( const char *strSource ) { - AsciiStrCpyS (strDest, MAX_STRING_SIZE, strSource); + AsciiStrCpyS (strDest, AsciiStrnSizeS (strSource, MAX_STRING_SIZE), strSource); return strDest; } -- 2.39.2
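
Review bot: the status returned by AsciiStrCpyS on the changed line in strcpy is still discarded, so any remaining constraint failure (for example a source that genuinely overlaps the destination within its own length) still leaves strDest unwritten while strcpy returns it as if the copy had succeeded, which is the uninitialized-memory condition the commit message describes. Consider checking the return value and asserting, or at least terminating strDest, on failure. Separately, DestMax is now computed from strSource via AsciiStrnSizeS (strSource, MAX_STRING_SIZE) rather than from the destination buffer, so the call no longer bounds the write by anything known about the destination; a short comment at the call saying this is deliberate (strcpy has no destination size, and the bound only keeps the overlap window to the real copy length) would help the next reader.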
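
A simplified user-space model of the failure the commit message describes, added here as an illustration; it is not EDK II code and not part of the patch. The helpers `bounded_len`, `ranges_disjoint`, `model_copy_s` and the 64-byte arena are constructed for the example and only mimic the quoted overlap constraint; the example also goes one step further and shows that a genuinely overlapping source stays refused with the source-derived bound.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_STRING_SIZE 0x1000u /* value the commit message gives */

static size_t bounded_len(const char *s, size_t max) /* strnlen equivalent */
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* 1 if [a, a+a_len) and [b, b+b_len) do not intersect. */
static int ranges_disjoint(const char *a, size_t a_len, const char *b, size_t b_len)
{
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    return pa + a_len <= pb || pb + b_len <= pa;
}

/* Simplified model of a checked copy: returns -1 and writes nothing when dest
   is too small or its dest_max-byte window overlaps the source. */
static int model_copy_s(char *dest, size_t dest_max, const char *src)
{
    size_t src_len = bounded_len(src, dest_max);
    if (dest_max <= src_len) return -1;
    if (!ranges_disjoint(dest, dest_max, src, src_len + 1)) return -1;
    memcpy(dest, src, src_len + 1);
    return 0;
}

/* Constructed layout: src sits gap bytes after dest in an arena filled with
   0xAA (stand-in for uninitialized memory). Returns 1 if dest holds the
   string afterwards, 0 if it was left untouched. */
static int dest_initialized_after_copy(size_t gap, int bound_from_source)
{
    static char arena[64];
    char *dest = arena, *src = arena + gap;
    memset(arena, 0xAA, sizeof arena);
    memcpy(src, "sha256", 7);
    size_t dest_max = bound_from_source ? bounded_len(src, MODEL_MAX_STRING_SIZE) + 1
                                        : MODEL_MAX_STRING_SIZE;
    (void)model_copy_s(dest, dest_max, src); /* status dropped, as in the wrapper */
    return memcmp(dest, "sha256", 7) == 0;
}

int main(void)
{
    printf("%d %d %d\n", dest_initialized_after_copy(32, 0),
           dest_initialized_after_copy(32, 1), dest_initialized_after_copy(3, 1));
}
```

The first argument is the distance from destination to source; the second selects the fixed 0x1000 bound (0) or the source-derived bound (1).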