
libefivar: Fix a buffer overread.
ClosedPublic

Authored by jhb on Sep 29 2022, 10:36 PM.

Details

Summary

DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
string to append a null terminator if the original string is not
null terminated. However, by using AllocateCopyPool, it tries to
copy 'Length + 1' words from the existing string containing 'Length'
characters into the target string. Split the copy out to only
copy 'Length' characters instead.

Reported by: GCC 12 -Wstringop-overread
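As an added illustration (not the code under review and not edk2's own source), the two copy strategies the summary describes side by side, with host-side stand-ins for AllocateCopyPool, AllocatePool and CopyMem that count how many bytes each call reads from the source; the "after" form is reconstructed from the summary's description of the fix, not copied from the commit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint16_t CHAR16;
typedef size_t   UINTN;
/* Host-side stand-ins (assumed here, not edk2's own) for the pool helpers.
 * They count the source bytes each call reads so the variants can be compared. */
static UINTN g_src_bytes_read;
static void *AllocateCopyPool(UINTN AllocationSize, const void *Buffer) {
  void *p = malloc(AllocationSize);
  if (p != NULL) {
    memcpy(p, Buffer, AllocationSize); /* reads AllocationSize bytes of Buffer */
    g_src_bytes_read += AllocationSize;
  }
  return p;
}
static void *AllocatePool(UINTN AllocationSize) { return malloc(AllocationSize); }
static void CopyMem(void *Dst, const void *Src, UINTN Length) {
  memcpy(Dst, Src, Length);
  g_src_bytes_read += Length;
}
/* Before: AllocateCopyPool reads Length + 1 words from a serial number that
 * holds only Length words, so the final word comes from past its end. */
CHAR16 *terminate_serial_before(const CHAR16 *SerialNumberStr, UINTN Length) {
  CHAR16 *NewStr = AllocateCopyPool((Length + 1) * sizeof(CHAR16), SerialNumberStr);
  if (NewStr == NULL) return NULL;
  NewStr[Length] = 0;
  return NewStr;
}
/* After: allocate Length + 1 words, copy exactly Length words, then terminate. */
CHAR16 *terminate_serial_after(const CHAR16 *SerialNumberStr, UINTN Length) {
  CHAR16 *NewStr = AllocatePool((Length + 1) * sizeof(CHAR16));
  if (NewStr == NULL) return NULL;
  CopyMem(NewStr, SerialNumberStr, Length * sizeof(CHAR16));
  NewStr[Length] = 0;
  return NewStr;
}
/* Runs one variant on a constructed 4-word, unterminated serial number and returns
 * how many source bytes it read; slack words keep the old overread inside the buffer. */
UINTN source_bytes_read(int fixed) {
  CHAR16 node[8] = { 'A', 'B', 'C', 'D', 0xEEEE, 0xEEEE, 0xEEEE, 0xEEEE };
  const UINTN Length = 4;
  g_src_bytes_read = 0;
  CHAR16 *s = fixed ? terminate_serial_after(node, Length) : terminate_serial_before(node, Length);
  free(s);
  return g_src_bytes_read;
}
```

The old variant reads 10 bytes from an 8-byte serial number, which is exactly what -Wstringop-overread flags; the new one reads 8.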

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

jhb requested review of this revision. Sep 29 2022, 10:36 PM
jhb created this revision.

Change looks good to me...

But this is 'upstream' code hiding here. It comes from edk2.

So this needs to be upstreamed to MdePkg/Library/UefiDevicePathLib/DevicePathToText.c

I'll bet that this code has never been called on FreeBSD though :)

This revision is now accepted and ready to land. Sep 30 2022, 2:56 AM

Upstream PR: https://github.com/tianocore/edk2/pull/3437

Their docs claim I need to join a mailing list and mail the patch there. I'll try just doing a PR first as I don't want all that e-mail.

This revision was automatically updated to reflect the committed changes.