Re: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)


Dong, Eric
 

Reviewed-by: Eric Dong <eric.dong@...>

-----Original Message-----
From: Bi, Dandan <dandan.bi@...>
Sent: Thursday, February 13, 2020 12:03 PM
To: devel@edk2.groups.io
Cc: Gao, Liming <liming.gao@...>; Dong, Eric <eric.dong@...>; Wang, Jian J <jian.j.wang@...>
Subject: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611

Cc: Liming Gao <liming.gao@...>
Cc: Eric Dong <eric.dong@...>
Cc: Jian J Wang <jian.j.wang@...>
Signed-off-by: Dandan Bi <dandan.bi@...>
---
MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
index 505e063d49..10a1e691a3 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
@@ -1004,10 +1004,11 @@ SetStringWorker (
BlockPtr,
StringTextPtr + AsciiStrSize ((CHAR8 *)StringTextPtr),
TmpSize
);

+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
break;

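Review bot: The added `ZeroMem (StringPackage->StringBlock, OldBlockSize);` here, and the identical additions in the hunks at 1038, 1090, 1276, 1408, 1451 and 1513, carry no comment, so a reader without the CVE reference cannot tell why a buffer is scrubbed immediately before FreePool; a one-line comment above each occurrence such as `// Clear the old string block before freeing it so stale string data is not left behind in freed memory` would anchor the intent. The scrub only covers the whole allocation if OldBlockSize is the full size of the buffer behind StringPackage->StringBlock; the `CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize)` in the hunk at 1090 suggests it is for SetStringWorker, but the assignments to OldBlockSize, particularly in the HiiNewString paths, are outside these hunks and should be confirmed. The same `ZeroMem`/`FreePool`/reassign sequence now appears seven times; a small static helper that scrubs and frees the old block, called from each site, would keep future StringBlock replacements from omitting the scrub. SetStringWorker and HiiNewString both begin and end outside the hunks.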
@@ -1037,10 +1038,11 @@ SetStringWorker (
BlockPtr,
StringTextPtr + StringSize,
OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize
);

+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
break;

@@ -1088,10 +1090,11 @@ SetStringWorker (
);
BlockPtr += StrSize (GlobalFont->FontInfo->FontName);

CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);

+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += Ext2.Length;

return EFI_SUCCESS;
@@ -1273,10 +1276,11 @@ HiiNewString (

//
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize;
}
@@ -1404,10 +1408,11 @@ HiiNewString (

//
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize;

@@ -1446,10 +1451,11 @@ HiiNewString (

//
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize;
PackageListNode->PackageListHdr.PackageLength += Ucs2FontBlockSize;

@@ -1507,10 +1513,11 @@ HiiNewString (

//
// Append a EFI_HII_SIBT_END block to the end.
//
*BlockPtr = EFI_HII_SIBT_END;
+ ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize;
PackageListNode->PackageListHdr.PackageLength += FontBlockSize + Ucs2FontBlockSize;

--
2.18.0.windows.1
