Re: [patch 2/2] MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)

Wang, Jian J
 

Please update copyright year for patch 1 and 2. With it addressed,

Reviewed-by: Jian J Wang <jian.j.wang@...>

Regards,
Jian

-----Original Message-----
From: Bi, Dandan <dandan.bi@...>
Sent: Thursday, February 13, 2020 12:03 PM
To: devel@edk2.groups.io
Cc: Gao, Liming <liming.gao@...>; Dong, Eric <eric.dong@...>;
Wang, Jian J <jian.j.wang@...>
Subject: [patch 2/2] MdeModulePkg/DisplayEngine: Zero memory before free
(CVE-2019-14558)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611

Cc: Liming Gao <liming.gao@...>
Cc: Eric Dong <eric.dong@...>
Cc: Jian J Wang <jian.j.wang@...>
Signed-off-by: Dandan Bi <dandan.bi@...>
---
MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
index 7d9486112b..1087004939 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
@@ -821,10 +821,11 @@ PasswordProcess (
//
// Old password exist, ask user for the old password
//
Status = ReadString (MenuOption, gPromptForPassword, StringPtr);
if (EFI_ERROR (Status)) {
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
FreePool (StringPtr);
return Status;
}

//
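Review bot: The length passed to ZeroMem on the ReadString failure path, `(Maximum + 1) * sizeof (CHAR16)`, has to equal the size StringPtr was allocated with, and that allocation is outside the lines shown here. Please confirm the two agree. Since the same expression is repeated in every hunk of this patch, consider computing it once into a local and using that local for both the allocation and each clear, so the sizes cannot drift apart.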
@@ -838,11 +839,11 @@ PasswordProcess (
//
PasswordInvalid ();
} else {
Status = EFI_SUCCESS;
}
-
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
FreePool (StringPtr);
return Status;
}
}

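Review bot: Style point on the cleanup after the if/else: the blank line that separated the closing brace from `FreePool (StringPtr);` is deleted and the ZeroMem call takes its place. Keep the blank line and add the ZeroMem after it, so the change is a pure addition and the cleanup stays visually separate from the branch above.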
@@ -854,10 +855,11 @@ PasswordProcess (
if (EFI_ERROR (Status)) {
//
// Reset state machine for password
//
Question->PasswordCheck (gFormData, Question, NULL);
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
FreePool (StringPtr);
return Status;
}

//
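Review bot: The added ZeroMem has no comment saying why the buffer is cleared, and here it sits under the existing "Reset state machine for password" comment, which does not describe it. A one-line comment stating that StringPtr holds the typed password and is cleared before being released would keep a later cleanup from dropping the call as redundant. The same applies to the other added calls.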
@@ -869,10 +871,12 @@ PasswordProcess (
if (EFI_ERROR (Status)) {
//
// Reset state machine for password
//
Question->PasswordCheck (gFormData, Question, NULL);
+ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
+ ZeroMem (TempString, (Maximum + 1) * sizeof (CHAR16));
FreePool (StringPtr);
FreePool (TempString);
return Status;
}

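Review bot: This last hunk clears StringPtr and TempString only on the failure path shown, and the patch changes nothing below it. Please confirm that every later exit of PasswordProcess that frees either buffer also zeroes it first, and that TempString is allocated with the same `(Maximum + 1) * sizeof (CHAR16)` size used in the clear.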
--
2.18.0.windows.1
