libefivar: Fix a buffer overread.
ClosedPublic

Authored by jhb on Sep 29 2022, 10:36 PM.
Referenced Files
F97435545: D36826.diff

Details

Summary

DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
string to append a null terminator if the original string is not
null terminated. However, by using AllocateCopyPool, it tries to
copy 'Length + 1' words from the existing string containing 'Length'
characters into the target string. Split the copy out to only
copy 'Length' characters instead.

Reported by: GCC 12 -Wstringop-overread
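As an added illustration (not the edk2 or FreeBSD code, and not part of this revision), the overread pattern the summary describes beside the fixed form. It uses a constructed 3-character, non-terminated serial number and a bounds-checked stand-in for AllocateCopyPool that reports the overread instead of performing it:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t CHAR16;   /* stand-in for the UEFI wide-character type */

/* Constructed sample: a 3-character SerialNumber with no null terminator. */
enum { kLength = 3 };
static const CHAR16 kSerial[kLength] = { 'A', 'B', '1' };

/* Bounds-checked stand-in for AllocateCopyPool(). The real one copies
 * AllocSize bytes from Src unconditionally; this one reports when that
 * would run past a SrcSize-byte source and refuses instead of overreading. */
static void *checked_copy_pool(size_t alloc_size, const void *src,
                               size_t src_size, bool *overread) {
    *overread = alloc_size > src_size;
    if (*overread) return NULL;
    void *p = malloc(alloc_size);
    if (p != NULL) memcpy(p, src, alloc_size);
    return p;
}

/* Before the fix: asks for Length + 1 words from a Length-word source. */
static CHAR16 *terminate_before_fix(const CHAR16 *s, size_t len, bool *over) {
    return checked_copy_pool((len + 1) * sizeof(CHAR16), s, len * sizeof(CHAR16), over);
}

/* After the fix: allocate Length + 1 words, copy only Length, then terminate. */
static CHAR16 *terminate_after_fix(const CHAR16 *s, size_t len) {
    CHAR16 *copy = malloc((len + 1) * sizeof(CHAR16));
    if (copy == NULL) return NULL;
    memcpy(copy, s, len * sizeof(CHAR16));
    copy[len] = 0;
    return copy;
}

/* True if the old pattern would read one CHAR16 past the end of kSerial. */
bool before_fix_overreads(void) {
    bool over = false;
    free(terminate_before_fix(kSerial, kLength, &over));
    return over;
}

/* True if the fixed pattern yields the same characters plus a terminator. */
bool after_fix_is_terminated(void) {
    CHAR16 *p = terminate_after_fix(kSerial, kLength);
    bool ok = p != NULL && memcmp(p, kSerial, sizeof(kSerial)) == 0 && p[kLength] == 0;
    free(p);
    return ok;
}
```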

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

jhb requested review of this revision. Sep 29 2022, 10:36 PM
jhb created this revision.

Change looks good to me...

But this is 'upstream' code hiding here. It comes from edk2.

So this needs to be upstreamed to MdePkg/Library/UefiDevicePathLib/DevicePathToText.c

I'll bet that this code has never been called on FreeBSD though :)

This revision is now accepted and ready to land. Sep 30 2022, 2:56 AM

Upstream PR: https://github.com/tianocore/edk2/pull/3437

Their docs claim I need to join a mailing list and mail the patch there. I'll try just doing a PR first as I don't want all that e-mail.

This revision was automatically updated to reflect the committed changes.