subject:"Re\: \[edk2\-devel\] \[PATCH v1 1\/1\] ShellPkg\: acpiview\: Prevent infinite loop if structure length is 0"

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

2020-02-18 Thread Gao, Zhichao

Please add the the BZ link to the commit message as blow format:
--
Pkg/Module: message title

REF: BZ_Link

Commit message.

Signed-off-by: Name 
--

With that done, Reviewed-by: Zhichao Gao 

Thanks,
Zhichao

> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Krzysztof
> Koch
> Sent: Monday, February 17, 2020 11:39 PM
> To: devel@edk2.groups.io; Krzysztof Koch ; Gao,
> Liming 
> Cc: Ni, Ray ; Gao, Zhichao ; Sami
> Mujawar ; Matteo Carlini
> ; nd 
> Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite
> loop if structure length is 0
> 
> Hi Liming,
> 
> The BZ is: https://bugzilla.tianocore.org/show_bug.cgi?id=2534
> Please let me know if I should change something.
> 
> Kind regards,
> Krzysztof
> 
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Krzysztof
> Koch via Groups.Io
> Sent: Monday, February 17, 2020 15:23
> To: devel@edk2.groups.io; liming@intel.com
> Cc: Ni, Ray ; Gao, Zhichao ; Sami
> Mujawar ; Matteo Carlini
> ; nd 
> Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite
> loop if structure length is 0
> 
> Hi Liming,
> 
> I haven't created a BZ yet, shall I create one? It would be great if the patch
> makes it to the stable tag.
> 
> Over the last few months I added some security features to acpiview. They make
> this debug tool less sensitive to exploits from ACPI tables. This patch 
> completes
> my efforts in making the tool more reliable.
> 
> Kind regards,
> Krzysztof
> 
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Liming Gao
> via Groups.Io
> Sent: Monday, February 17, 2020 15:11
> To: devel@edk2.groups.io; Krzysztof Koch 
> Cc: Ni, Ray ; Gao, Zhichao ; Sami
> Mujawar ; Matteo Carlini
> ; nd 
> Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite
> loop if structure length is 0
> 
> Krzysztof:
>   Is there one BZ for this issue? Does this patch catch to this edk2 stable 
> tag
> 202002?
> 
> Thanks
> Liming
> > -Original Message-
> > From: devel@edk2.groups.io  On Behalf Of
> > Krzysztof Koch
> > Sent: Friday, February 14, 2020 9:59 PM
> > To: devel@edk2.groups.io
> > Cc: Ni, Ray ; Gao, Zhichao ;
> > sami.muja...@arm.com; matteo.carl...@arm.com; n...@arm.com
> > Subject: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent
> > infinite loop if structure length is 0
> >
> > Extend validation of ACPI structure lengths which are read from the
> > ACPI table being parsed. Additionally check if the structure 'Length'
> > field value is positive. If not, stop parsing the faulting table.
> >
> > Some ACPI tables define internal structures of variable size. The
> > 'Length' field inside the substructure is used to update a pointer
> > used for table traversal. If the byte-length of the structure is equal
> > to 0, acpiview can enter an infinite loop. This condition can occur
> > if, for example, the zero-allocated ACPI table buffer is not fully 
> > populated.
> > This is typically a bug on the ACPI table writer side.
> >
> > In short, this method helps acpiview recover gracefully from a
> > zero-valued ACPI structure length.
> >
> > Signed-off-by: Krzysztof Koch 
> > ---
> >
> > Changes can be seen at:
> > https://github.com/KrzysztofKoch1/edk2/tree/612_acpiview_prevent_inf_l
> > oops_v1
> >
> > Notes:
> > v1:
> > - prevent infinite loops in acpiview parsers [Krzysztof]
> >
> >
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
> > | 15 ++-
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
> > | 13 -
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c
> > | 14 +-
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
> > | 28 ++--
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c
> > | 15 ++-
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
> > | 14 +-
> >  6 files changed, 47 insertions(+), 52 deletions(-)
> >
> > diff --git
> > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> > .c
> > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> > .c index
> >
> 0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c24
> 3e
> > d78b9f12ee97 100644
> > ---
> > a/ShellPkg/Library/UefiShellAcpiViewCommandLib

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

2020-02-17 Thread Krzysztof Koch

Hi Liming,

The BZ is: https://bugzilla.tianocore.org/show_bug.cgi?id=2534
Please let me know if I should change something.

Kind regards,
Krzysztof

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Krzysztof Koch 
via Groups.Io
Sent: Monday, February 17, 2020 15:23
To: devel@edk2.groups.io; liming@intel.com
Cc: Ni, Ray ; Gao, Zhichao ; Sami 
Mujawar ; Matteo Carlini ; nd 

Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite 
loop if structure length is 0

Hi Liming,

I haven't created a BZ yet, shall I create one? It would be great if the patch 
makes it to the stable tag.

Over the last few months I added some security features to acpiview. They make 
this debug tool less sensitive to exploits from ACPI tables. This patch 
completes my efforts in making the tool more reliable.

Kind regards,
Krzysztof

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Liming Gao via 
Groups.Io
Sent: Monday, February 17, 2020 15:11
To: devel@edk2.groups.io; Krzysztof Koch 
Cc: Ni, Ray ; Gao, Zhichao ; Sami 
Mujawar ; Matteo Carlini ; nd 

Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite 
loop if structure length is 0

Krzysztof:
  Is there one BZ for this issue? Does this patch catch to this edk2 stable tag 
202002?

Thanks
Liming
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of 
> Krzysztof Koch
> Sent: Friday, February 14, 2020 9:59 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray ; Gao, Zhichao ; 
> sami.muja...@arm.com; matteo.carl...@arm.com; n...@arm.com
> Subject: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent 
> infinite loop if structure length is 0
> 
> Extend validation of ACPI structure lengths which are read from the 
> ACPI table being parsed. Additionally check if the structure 'Length'
> field value is positive. If not, stop parsing the faulting table.
> 
> Some ACPI tables define internal structures of variable size. The 
> 'Length' field inside the substructure is used to update a pointer 
> used for table traversal. If the byte-length of the structure is equal 
> to 0, acpiview can enter an infinite loop. This condition can occur 
> if, for example, the zero-allocated ACPI table buffer is not fully populated.
> This is typically a bug on the ACPI table writer side.
> 
> In short, this method helps acpiview recover gracefully from a 
> zero-valued ACPI structure length.
> 
> Signed-off-by: Krzysztof Koch 
> ---
> 
> Changes can be seen at: 
> https://github.com/KrzysztofKoch1/edk2/tree/612_acpiview_prevent_inf_l
> oops_v1
> 
> Notes:
> v1:
> - prevent infinite loops in acpiview parsers [Krzysztof]
> 
>
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
> | 15 ++-
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
> | 13 -
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c
> | 14 +-
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
> | 28 ++--
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c
> | 15 ++-
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
> | 14 +-
>  6 files changed, 47 insertions(+), 52 deletions(-)
> 
> diff --git
> a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> .c
> b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> .c index
> 0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c243e
> d78b9f12ee97 100644
> ---
> a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> .c
> +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pa
> +++ rser.c
> @@ -1,7 +1,7 @@
>  /** @file
>DBG2 table parser
> 
> -  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
> +  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
>SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>@par Reference(s):
> @@ -282,15 +282,16 @@ ParseAcpiDbg2 (
>return;
>  }
> 
> -// Make sure the Debug Device Information structure lies inside the 
> table.
> -if ((Offset + *DbgDevInfoLen) > AcpiTableLength) {
> +// Validate Debug Device Information Structure length
> +if ((*DbgDevInfoLen == 0) ||
> +((Offset + (*DbgDevInfoLen)) > AcpiTableLength)) {
>IncrementErrorCount ();
>Print (
> -L"ERROR: Invalid Debug Device Information structure length. " \
> -  L"DbgDevInfoLen = %d. RemainingTableBufferLength = %d. " \
> -  L"DBG2 parsing aborted.\n",
> +L"ERROR: Invalid Debug Device Information Structure length. " \
>

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

2020-02-17 Thread Sami Mujawar

Reviewed-by: Sami Mujawar 

Regards,

Sami Mujawar

-Original Message-
From: Krzysztof Koch  
Sent: 14 February 2020 13:59
To: devel@edk2.groups.io
Cc: ray...@intel.com; zhichao@intel.com; Sami Mujawar 
; Matteo Carlini ; nd 

Subject: [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure 
length is 0

Extend validation of ACPI structure lengths which are read from the ACPI table 
being parsed. Additionally check if the structure 'Length'
field value is positive. If not, stop parsing the faulting table.

Some ACPI tables define internal structures of variable size. The 'Length' 
field inside the substructure is used to update a pointer used for table 
traversal. If the byte-length of the structure is equal to 0, acpiview can 
enter an infinite loop. This condition can occur if, for example, the 
zero-allocated ACPI table buffer is not fully populated.
This is typically a bug on the ACPI table writer side.

In short, this method helps acpiview recover gracefully from a zero-valued ACPI 
structure length.

Signed-off-by: Krzysztof Koch 
---

Changes can be seen at: 
https://github.com/KrzysztofKoch1/edk2/tree/612_acpiview_prevent_inf_loops_v1

Notes:
v1:
- prevent infinite loops in acpiview parsers [Krzysztof]

 ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c | 15 
++-  
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c | 13 
-  
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c | 14 
+-  
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 28 
++--  
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 15 
++-  
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 14 
+-
 6 files changed, 47 insertions(+), 52 deletions(-)

diff --git 
a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c 
b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
index 
0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c243ed78b9f12ee97
 100644
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pars
+++ er.c
@@ -1,7 +1,7 @@
 /** @file
   DBG2 table parser
 
-  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
+  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
   @par Reference(s):
@@ -282,15 +282,16 @@ ParseAcpiDbg2 (
   return;
 }
 
-// Make sure the Debug Device Information structure lies inside the table.
-if ((Offset + *DbgDevInfoLen) > AcpiTableLength) {
+// Validate Debug Device Information Structure length
+if ((*DbgDevInfoLen == 0) ||
+((Offset + (*DbgDevInfoLen)) > AcpiTableLength)) {
   IncrementErrorCount ();
   Print (
-L"ERROR: Invalid Debug Device Information structure length. " \
-  L"DbgDevInfoLen = %d. RemainingTableBufferLength = %d. " \
-  L"DBG2 parsing aborted.\n",
+L"ERROR: Invalid Debug Device Information Structure length. " \
+  L"Length = %d. Offset = %d. AcpiTableLength = %d.\n",
 *DbgDevInfoLen,
-AcpiTableLength - Offset
+Offset,
+AcpiTableLength
 );
   return;
 }
diff --git 
a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c 
b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
index 
699a55b549ec3fa61bbd156898821055dc019199..bdd30ff45c61142c071ead63a27babab8998721b
 100644
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtPars
+++ er.c
@@ -1,7 +1,7 @@
 /** @file
   GTDT table parser
 
-  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
+  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
   @par Reference(s):
@@ -327,15 +327,16 @@ ParseAcpiGtdt (
   return;
 }
 
-// Make sure the Platform Timer is inside the table.
-if ((Offset + *PlatformTimerLength) > AcpiTableLength) {
+// Validate Platform Timer Structure length
+if ((*PlatformTimerLength == 0) ||
+((Offset + (*PlatformTimerLength)) > AcpiTableLength)) {
   IncrementErrorCount ();
   Print (
 L"ERROR: Invalid Platform Timer Structure length. " \
-  L"PlatformTimerLength = %d. RemainingTableBufferLength = %d. " \
-  L"GTDT parsing aborted.\n",
+  L"Length = %d. Offset = %d. AcpiTableLength = %d.\n",
 *PlatformTimerLength,
-AcpiTableLength - Offset
+Offset,
+AcpiTableLength
 );
   return;
 }
diff --git 
a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c 
b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c
index

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

2020-02-17 Thread Liming Gao

Krzysztof:
  Yes. Please create one BZ for this issue. 

Thanks
Liming
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Krzysztof Koch
> Sent: Monday, February 17, 2020 11:23 PM
> To: devel@edk2.groups.io; Gao, Liming 
> Cc: Ni, Ray ; Gao, Zhichao ; Sami 
> Mujawar ; Matteo Carlini
> ; nd 
> Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite 
> loop if structure length is 0
> 
> Hi Liming,
> 
> I haven't created a BZ yet, shall I create one? It would be great if the 
> patch makes it to the stable tag.
> 
> Over the last few months I added some security features to acpiview. They 
> make this debug tool less sensitive to exploits from ACPI
> tables. This patch completes my efforts in making the tool more reliable.
> 
> Kind regards,
> Krzysztof
> 
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Liming Gao via 
> Groups.Io
> Sent: Monday, February 17, 2020 15:11
> To: devel@edk2.groups.io; Krzysztof Koch 
> Cc: Ni, Ray ; Gao, Zhichao ; Sami 
> Mujawar ; Matteo Carlini
> ; nd 
> Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite 
> loop if structure length is 0
> 
> Krzysztof:
>   Is there one BZ for this issue? Does this patch catch to this edk2 stable 
> tag 202002?
> 
> Thanks
> Liming
> > -Original Message-
> > From: devel@edk2.groups.io  On Behalf Of
> > Krzysztof Koch
> > Sent: Friday, February 14, 2020 9:59 PM
> > To: devel@edk2.groups.io
> > Cc: Ni, Ray ; Gao, Zhichao ;
> > sami.muja...@arm.com; matteo.carl...@arm.com; n...@arm.com
> > Subject: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent
> > infinite loop if structure length is 0
> >
> > Extend validation of ACPI structure lengths which are read from the
> > ACPI table being parsed. Additionally check if the structure 'Length'
> > field value is positive. If not, stop parsing the faulting table.
> >
> > Some ACPI tables define internal structures of variable size. The
> > 'Length' field inside the substructure is used to update a pointer
> > used for table traversal. If the byte-length of the structure is equal
> > to 0, acpiview can enter an infinite loop. This condition can occur
> > if, for example, the zero-allocated ACPI table buffer is not fully 
> > populated.
> > This is typically a bug on the ACPI table writer side.
> >
> > In short, this method helps acpiview recover gracefully from a
> > zero-valued ACPI structure length.
> >
> > Signed-off-by: Krzysztof Koch 
> > ---
> >
> > Changes can be seen at:
> > https://github.com/KrzysztofKoch1/edk2/tree/612_acpiview_prevent_inf_l
> > oops_v1
> >
> > Notes:
> > v1:
> > - prevent infinite loops in acpiview parsers [Krzysztof]
> >
> >
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
> > | 15 ++-
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
> > | 13 -
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c
> > | 14 +-
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
> > | 28 ++--
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c
> > | 15 ++-
> > ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
> > | 14 +-
> >  6 files changed, 47 insertions(+), 52 deletions(-)
> >
> > diff --git
> > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> > .c
> > b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> > .c index
> > 0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c243e
> > d78b9f12ee97 100644
> > ---
> > a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> > .c
> > +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pa
> > +++ rser.c
> > @@ -1,7 +1,7 @@
> >  /** @file
> >DBG2 table parser
> >
> > -  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
> > +  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
> >SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> >@par Reference(s):
> > @@ -282,15 +282,16 @@ ParseAcpiDbg2 (
> >return;
> >  }
> >
> > -// Make sure the Debug Device Information structure lies inside the 
> > table.
> > -if ((Offset + *DbgDevInfoLen) > AcpiTableLength) {
> > +// Validate Debug Device Information

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

2020-02-17 Thread Krzysztof Koch

Hi Liming,

I haven't created a BZ yet, shall I create one? It would be great if the patch 
makes it to the stable tag.

Over the last few months I added some security features to acpiview. They make 
this debug tool less sensitive to exploits from ACPI tables. This patch 
completes my efforts in making the tool more reliable.

Kind regards,
Krzysztof

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Liming Gao via 
Groups.Io
Sent: Monday, February 17, 2020 15:11
To: devel@edk2.groups.io; Krzysztof Koch 
Cc: Ni, Ray ; Gao, Zhichao ; Sami 
Mujawar ; Matteo Carlini ; nd 

Subject: Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite 
loop if structure length is 0

Krzysztof:
  Is there one BZ for this issue? Does this patch catch to this edk2 stable tag 
202002?

Thanks
Liming
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of 
> Krzysztof Koch
> Sent: Friday, February 14, 2020 9:59 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray ; Gao, Zhichao ; 
> sami.muja...@arm.com; matteo.carl...@arm.com; n...@arm.com
> Subject: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent 
> infinite loop if structure length is 0
> 
> Extend validation of ACPI structure lengths which are read from the 
> ACPI table being parsed. Additionally check if the structure 'Length'
> field value is positive. If not, stop parsing the faulting table.
> 
> Some ACPI tables define internal structures of variable size. The 
> 'Length' field inside the substructure is used to update a pointer 
> used for table traversal. If the byte-length of the structure is equal 
> to 0, acpiview can enter an infinite loop. This condition can occur 
> if, for example, the zero-allocated ACPI table buffer is not fully populated.
> This is typically a bug on the ACPI table writer side.
> 
> In short, this method helps acpiview recover gracefully from a 
> zero-valued ACPI structure length.
> 
> Signed-off-by: Krzysztof Koch 
> ---
> 
> Changes can be seen at: 
> https://github.com/KrzysztofKoch1/edk2/tree/612_acpiview_prevent_inf_l
> oops_v1
> 
> Notes:
> v1:
> - prevent infinite loops in acpiview parsers [Krzysztof]
> 
>
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c 
> | 15 ++-
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c 
> | 13 -
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c 
> | 14 +-
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c 
> | 28 ++--
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c 
> | 15 ++-
> ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c 
> | 14 +-
>  6 files changed, 47 insertions(+), 52 deletions(-)
> 
> diff --git 
> a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> .c 
> b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> .c index 
> 0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c243e
> d78b9f12ee97 100644
> --- 
> a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser
> .c
> +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Pa
> +++ rser.c
> @@ -1,7 +1,7 @@
>  /** @file
>DBG2 table parser
> 
> -  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
> +  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
>SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>@par Reference(s):
> @@ -282,15 +282,16 @@ ParseAcpiDbg2 (
>return;
>  }
> 
> -// Make sure the Debug Device Information structure lies inside the 
> table.
> -if ((Offset + *DbgDevInfoLen) > AcpiTableLength) {
> +// Validate Debug Device Information Structure length
> +if ((*DbgDevInfoLen == 0) ||
> +((Offset + (*DbgDevInfoLen)) > AcpiTableLength)) {
>IncrementErrorCount ();
>Print (
> -L"ERROR: Invalid Debug Device Information structure length. " \
> -  L"DbgDevInfoLen = %d. RemainingTableBufferLength = %d. " \
> -  L"DBG2 parsing aborted.\n",
> +L"ERROR: Invalid Debug Device Information Structure length. " \
> +  L"Length = %d. Offset = %d. AcpiTableLength = %d.\n",
>  *DbgDevInfoLen,
> -AcpiTableLength - Offset
> +Offset,
> +AcpiTableLength
>  );
>return;
>  }
> diff --git 
> a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser
> .c 
> b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser
> .c index 
> 699a55b549ec3fa61bbd156898821055dc019199..bdd30ff45c61142c

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

2020-02-17 Thread Liming Gao

Krzysztof:
  Is there one BZ for this issue? Does this patch catch to this edk2 stable tag 
202002?

Thanks
Liming
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Krzysztof Koch
> Sent: Friday, February 14, 2020 9:59 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray ; Gao, Zhichao ; 
> sami.muja...@arm.com; matteo.carl...@arm.com;
> n...@arm.com
> Subject: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite 
> loop if structure length is 0
> 
> Extend validation of ACPI structure lengths which are read from the
> ACPI table being parsed. Additionally check if the structure 'Length'
> field value is positive. If not, stop parsing the faulting table.
> 
> Some ACPI tables define internal structures of variable size. The
> 'Length' field inside the substructure is used to update a pointer used
> for table traversal. If the byte-length of the structure is equal to 0,
> acpiview can enter an infinite loop. This condition can occur if, for
> example, the zero-allocated ACPI table buffer is not fully populated.
> This is typically a bug on the ACPI table writer side.
> 
> In short, this method helps acpiview recover gracefully from a
> zero-valued ACPI structure length.
> 
> Signed-off-by: Krzysztof Koch 
> ---
> 
> Changes can be seen at: 
> https://github.com/KrzysztofKoch1/edk2/tree/612_acpiview_prevent_inf_loops_v1
> 
> Notes:
> v1:
> - prevent infinite loops in acpiview parsers [Krzysztof]
> 
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c | 15 
> ++-
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c | 13 
> -
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c | 14 
> +-
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c | 28 
> ++--
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Pptt/PpttParser.c | 15 
> ++-
>  ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c | 14 
> +-
>  6 files changed, 47 insertions(+), 52 deletions(-)
> 
> diff --git 
> a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
> b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
> index 
> 0f730a306a94329a23fbaf54b59f1833b44616ba..9df111ecaa7d7a703a13a39c243ed78b9f12ee97
>  100644
> --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
> +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Dbg2/Dbg2Parser.c
> @@ -1,7 +1,7 @@
>  /** @file
>DBG2 table parser
> 
> -  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
> +  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
>SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>@par Reference(s):
> @@ -282,15 +282,16 @@ ParseAcpiDbg2 (
>return;
>  }
> 
> -// Make sure the Debug Device Information structure lies inside the 
> table.
> -if ((Offset + *DbgDevInfoLen) > AcpiTableLength) {
> +// Validate Debug Device Information Structure length
> +if ((*DbgDevInfoLen == 0) ||
> +((Offset + (*DbgDevInfoLen)) > AcpiTableLength)) {
>IncrementErrorCount ();
>Print (
> -L"ERROR: Invalid Debug Device Information structure length. " \
> -  L"DbgDevInfoLen = %d. RemainingTableBufferLength = %d. " \
> -  L"DBG2 parsing aborted.\n",
> +L"ERROR: Invalid Debug Device Information Structure length. " \
> +  L"Length = %d. Offset = %d. AcpiTableLength = %d.\n",
>  *DbgDevInfoLen,
> -AcpiTableLength - Offset
> +Offset,
> +AcpiTableLength
>  );
>return;
>  }
> diff --git 
> a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
> b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
> index 
> 699a55b549ec3fa61bbd156898821055dc019199..bdd30ff45c61142c071ead63a27babab8998721b
>  100644
> --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
> +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Gtdt/GtdtParser.c
> @@ -1,7 +1,7 @@
>  /** @file
>GTDT table parser
> 
> -  Copyright (c) 2016 - 2019, ARM Limited. All rights reserved.
> +  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
>SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>@par Reference(s):
> @@ -327,15 +327,16 @@ ParseAcpiGtdt (
>return;
>  }
> 
> -// Make sure the Platform Timer is inside the table.
> -if ((Offset + *PlatformTimerLength) > AcpiTableLength) {
> +// Validate Platform Timer Structure length
> +if ((*PlatformTimerLength == 0) ||
> +((Offset + (*PlatformTimerLength)) > AcpiTableLength)) {
>IncrementErrorCount ();
>Print (
>  L"ERROR: Invalid Platform Timer Structure length. " \
> -  L"PlatformTimerLength = %d. RemainingTableBufferLength = %d. " \
> -  L"GTDT parsing aborted.\n",
> +  L"Length = %d. Offset = %d.

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

Re: [edk2-devel] [PATCH v1 1/1] ShellPkg: acpiview: Prevent infinite loop if structure length is 0

6 matches

Site Navigation

Mail list logo

Footer information