Re: [edk2] [PATCH 02/11] MdeModulePkg/UsbMass: Fix integer overflow when BlockSize is 1
On 10/16/2018 11:19 AM, Zeng, Star wrote: On 2018/10/15 14:38, Ruiyu Ni wrote: UsbBootReadWriteBlocks() and UsbBootReadWriteBlocks16() use a UINT16 local variable to hold the value of USB_BOOT_MAX_CARRY_SIZE (=0x1) / BlockSize. When BlockSize is 1, the UINT16 local variable is set to 0x1 Ray, Thanks for the patch. Is it possible that the BlockSize == 0 or > USB_BOOT_MAX_CARRY_SIZE? With a buggy HW, everything is possible:( I will re-post V2 patch to handle this case. Thanks, Star ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel -- Thanks, Ray ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 02/11] MdeModulePkg/UsbMass: Fix integer overflow when BlockSize is 1
On 2018/10/15 14:38, Ruiyu Ni wrote: UsbBootReadWriteBlocks() and UsbBootReadWriteBlocks16() use a UINT16 local variable to hold the value of USB_BOOT_MAX_CARRY_SIZE (=0x1) / BlockSize. When BlockSize is 1, the UINT16 local variable is set to 0x1 Ray, Thanks for the patch. Is it possible that the BlockSize == 0 or > USB_BOOT_MAX_CARRY_SIZE? Thanks, Star but the high-16 bits are truncated resulting the final value be 0. It causes the while-loop in the two functions accesses 0 block in each loop, resulting the loop never ends. The patch fixes the two functions to make sure no integer overflow happens. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni Cc: Star Zeng Cc: Steven Shi --- .../Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c| 27 +++--- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c b/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c index 581571ab45..37fbeedbeb 100644 --- a/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c +++ b/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c @@ -815,14 +815,14 @@ UsbBootReadWriteBlocks ( { USB_BOOT_READ_WRITE_10_CMD Cmd; EFI_STATUS Status; - UINT16 Count; - UINT16 CountMax; + UINT32 Count; + UINT32 CountMax; UINT32 BlockSize; UINT32 ByteSize; UINT32 Timeout; BlockSize = UsbMass->BlockIoMedia.BlockSize; - CountMax = (UINT16)(USB_BOOT_MAX_CARRY_SIZE / BlockSize); + CountMax = USB_BOOT_MAX_CARRY_SIZE / BlockSize; Status= EFI_SUCCESS; while (TotalBlock > 0) { @@ -831,8 +831,9 @@ UsbBootReadWriteBlocks ( // on the device. We must split the total block because the READ10 // command only has 16 bit transfer length (in the unit of block). // -Count = (UINT16)((TotalBlock < CountMax) ? TotalBlock : CountMax); -ByteSize = (UINT32)Count * BlockSize; +Count= (UINT32)MIN (TotalBlock, CountMax); +Count= MIN (MAX_UINT16, Count); +ByteSize = Count * BlockSize; // // USB command's upper limit timeout is 5s. [USB2.0-9.2.6.1] @@ -847,7 +848,7 @@ UsbBootReadWriteBlocks ( Cmd.OpCode = Write ? USB_BOOT_WRITE10_OPCODE : USB_BOOT_READ10_OPCODE; Cmd.Lun = (UINT8) (USB_BOOT_LUN (UsbMass->Lun)); WriteUnaligned32 ((UINT32 *) Cmd.Lba, SwapBytes32 (Lba)); -WriteUnaligned16 ((UINT16 *) Cmd.TransferLen, SwapBytes16 (Count)); +WriteUnaligned16 ((UINT16 *) Cmd.TransferLen, SwapBytes16 ((UINT16)Count)); Status = UsbBootExecCmdWithRetry ( UsbMass, @@ -867,7 +868,7 @@ UsbBootReadWriteBlocks ( Lba, Count )); Lba+= Count; -Buffer += Count * BlockSize; +Buffer += ByteSize; TotalBlock -= Count; } @@ -897,22 +898,22 @@ UsbBootReadWriteBlocks16 ( { UINT8 Cmd[16]; EFI_STATUSStatus; - UINT16Count; - UINT16CountMax; + UINT32Count; + UINT32CountMax; UINT32BlockSize; UINT32ByteSize; UINT32Timeout; BlockSize = UsbMass->BlockIoMedia.BlockSize; - CountMax = (UINT16)(USB_BOOT_MAX_CARRY_SIZE / BlockSize); + CountMax = USB_BOOT_MAX_CARRY_SIZE / BlockSize; Status= EFI_SUCCESS; while (TotalBlock > 0) { // // Split the total blocks into smaller pieces. // -Count = (UINT16)((TotalBlock < CountMax) ? TotalBlock : CountMax); -ByteSize = (UINT32)Count * BlockSize; +Count= (UINT32)MIN (TotalBlock, CountMax); +ByteSize = Count * BlockSize; // // USB command's upper limit timeout is 5s. [USB2.0-9.2.6.1] @@ -947,7 +948,7 @@ UsbBootReadWriteBlocks16 ( Lba, Count )); Lba+= Count; -Buffer += Count * BlockSize; +Buffer += ByteSize; TotalBlock -= Count; } ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 02/11] MdeModulePkg/UsbMass: Fix integer overflow when BlockSize is 1
UsbBootReadWriteBlocks() and UsbBootReadWriteBlocks16() use a UINT16 local variable to hold the value of USB_BOOT_MAX_CARRY_SIZE (=0x1) / BlockSize. When BlockSize is 1, the UINT16 local variable is set to 0x1 but the high-16 bits are truncated resulting the final value be 0. It causes the while-loop in the two functions accesses 0 block in each loop, resulting the loop never ends. The patch fixes the two functions to make sure no integer overflow happens. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni Cc: Star Zeng Cc: Steven Shi --- .../Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c| 27 +++--- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c b/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c index 581571ab45..37fbeedbeb 100644 --- a/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c +++ b/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassBoot.c @@ -815,14 +815,14 @@ UsbBootReadWriteBlocks ( { USB_BOOT_READ_WRITE_10_CMD Cmd; EFI_STATUS Status; - UINT16 Count; - UINT16 CountMax; + UINT32 Count; + UINT32 CountMax; UINT32 BlockSize; UINT32 ByteSize; UINT32 Timeout; BlockSize = UsbMass->BlockIoMedia.BlockSize; - CountMax = (UINT16)(USB_BOOT_MAX_CARRY_SIZE / BlockSize); + CountMax = USB_BOOT_MAX_CARRY_SIZE / BlockSize; Status= EFI_SUCCESS; while (TotalBlock > 0) { @@ -831,8 +831,9 @@ UsbBootReadWriteBlocks ( // on the device. We must split the total block because the READ10 // command only has 16 bit transfer length (in the unit of block). // -Count = (UINT16)((TotalBlock < CountMax) ? TotalBlock : CountMax); -ByteSize = (UINT32)Count * BlockSize; +Count= (UINT32)MIN (TotalBlock, CountMax); +Count= MIN (MAX_UINT16, Count); +ByteSize = Count * BlockSize; // // USB command's upper limit timeout is 5s. [USB2.0-9.2.6.1] @@ -847,7 +848,7 @@ UsbBootReadWriteBlocks ( Cmd.OpCode = Write ? USB_BOOT_WRITE10_OPCODE : USB_BOOT_READ10_OPCODE; Cmd.Lun = (UINT8) (USB_BOOT_LUN (UsbMass->Lun)); WriteUnaligned32 ((UINT32 *) Cmd.Lba, SwapBytes32 (Lba)); -WriteUnaligned16 ((UINT16 *) Cmd.TransferLen, SwapBytes16 (Count)); +WriteUnaligned16 ((UINT16 *) Cmd.TransferLen, SwapBytes16 ((UINT16)Count)); Status = UsbBootExecCmdWithRetry ( UsbMass, @@ -867,7 +868,7 @@ UsbBootReadWriteBlocks ( Lba, Count )); Lba+= Count; -Buffer += Count * BlockSize; +Buffer += ByteSize; TotalBlock -= Count; } @@ -897,22 +898,22 @@ UsbBootReadWriteBlocks16 ( { UINT8 Cmd[16]; EFI_STATUSStatus; - UINT16Count; - UINT16CountMax; + UINT32Count; + UINT32CountMax; UINT32BlockSize; UINT32ByteSize; UINT32Timeout; BlockSize = UsbMass->BlockIoMedia.BlockSize; - CountMax = (UINT16)(USB_BOOT_MAX_CARRY_SIZE / BlockSize); + CountMax = USB_BOOT_MAX_CARRY_SIZE / BlockSize; Status= EFI_SUCCESS; while (TotalBlock > 0) { // // Split the total blocks into smaller pieces. // -Count = (UINT16)((TotalBlock < CountMax) ? TotalBlock : CountMax); -ByteSize = (UINT32)Count * BlockSize; +Count= (UINT32)MIN (TotalBlock, CountMax); +ByteSize = Count * BlockSize; // // USB command's upper limit timeout is 5s. [USB2.0-9.2.6.1] @@ -947,7 +948,7 @@ UsbBootReadWriteBlocks16 ( Lba, Count )); Lba+= Count; -Buffer += Count * BlockSize; +Buffer += ByteSize; TotalBlock -= Count; } -- 2.16.1.windows.1 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel