
libefivar: Fix a buffer overread.
Closed, Public

Authored by jhb on Sep 29 2022, 10:36 PM.

Details

Summary

DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
string to append a null terminator if the original string is not
null terminated. However, by using AllocateCopyPool, it tries to
copy 'Length + 1' words from the existing string containing 'Length'
characters into the target string. Split the copy out to only
copy 'Length' characters instead.

Reported by: GCC 12 -Wstringop-overread
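To show the shape of the fix described in the summary, here is an added host-side example (not the edk2 or FreeBSD code itself); it assumes plain C stand-ins for CHAR16/UINTN and uses calloc and memcpy in place of AllocateZeroPool and CopyMem, with constructed sample serial numbers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Host-side stand-ins for the edk2 types (assumption: plain C, no MdePkg). */
typedef uint16_t CHAR16;
typedef size_t   UINTN;

/* Pre-fix pattern (comment only, since it is the overread):
 *   NewStr = AllocateCopyPool ((Length + 1) * sizeof (CHAR16), SerialNumber);
 * i.e. it reads Length + 1 code units from a buffer holding only Length. */

/* Return a NUL-terminated view of SerialNumber (Length CHAR16s, terminator
 * optional). When a copy is needed: allocate Length + 1 units, copy exactly
 * Length, write the terminator by hand. *Allocated: caller must free. */
const CHAR16 *SerialNumberTerminated(const CHAR16 *SerialNumber, UINTN Length,
                                     int *Allocated)
{
    *Allocated = 0;
    if (Length > 0 && SerialNumber[Length - 1] == 0)
        return SerialNumber;                              /* already terminated */
    CHAR16 *NewStr = calloc(Length + 1, sizeof(CHAR16));  /* AllocateZeroPool */
    if (NewStr == NULL)
        return NULL;                                      /* allocation failed */
    memcpy(NewStr, SerialNumber, Length * sizeof(CHAR16)); /* CopyMem: Length only */
    NewStr[Length] = 0;
    *Allocated = 1;
    return NewStr;
}

/* Code units before the terminator (StrLen for CHAR16). */
UINTN StrLen16(const CHAR16 *Str) { UINTN N = 0; while (Str[N] != 0) N++; return N; }

/* Constructed samples: 4 units with no terminator; 5 units ending in 0. */
const CHAR16 kUnterminated[4] = { 'W', 'W', 'I', 'D' };
const CHAR16 kTerminated[5]   = { 'A', 'B', 'C', 'D', 0 };

/* 1 if a copy was made exactly when ExpectCopy says so and the result has
 * ExpectLen units before the terminator, else 0. Frees any copy. */
int CheckCase(const CHAR16 *Serial, UINTN Length, int ExpectCopy, UINTN ExpectLen)
{
    int Allocated;
    const CHAR16 *S = SerialNumberTerminated(Serial, Length, &Allocated);
    int Ok = S != NULL && Allocated == ExpectCopy && StrLen16(S) == ExpectLen;
    if (S != NULL && Allocated) free((void *)S);
    return Ok;
}

int main(void) { return CheckCase(kUnterminated, 4, 1, 4) && CheckCase(kTerminated, 5, 0, 4) ? 0 : 1; }
```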

Diff Detail

Repository: rG FreeBSD src repository
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

jhb requested review of this revision. Sep 29 2022, 10:36 PM
jhb created this revision.

Change looks good to me...

But this is 'upstream' code hiding here. It comes from edk2.

So this needs to be upstreamed to MdePkg/Library/UefiDevicePathLib/DevicePathToText.c

I'll bet that this code has never been called on FreeBSD though :)

This revision is now accepted and ready to land. Sep 30 2022, 2:56 AM

Upstream PR: https://github.com/tianocore/edk2/pull/3437

Their docs claim I need to join a mailing list and mail the patch there. I'll try just doing a PR first as I don't want all that e-mail.

This revision was automatically updated to reflect the committed changes.