From patchwork Thu Dec 31 10:26:46 2020
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 1421525
X-Patchwork-Delegate: xypron.glpk@gmx.de
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: takahiro.akashi@linaro.org, Ilias Apalodimas, Alexander Graf, u-boot@lists.denx.de
Subject: [PATCH] efi_loader: Add size checks to efi_create_indexed_name()
Date: Thu, 31 Dec 2020 12:26:46 +0200
Message-Id: <20201231102647.201318-1-ilias.apalodimas@linaro.org>

Although the function description states the caller must provide a sufficient buffer, it's better to have in function checks that the destination buffer can hold the intended value. So let's add an extra argument with the buffer size and check that before doing any copying.

Signed-off-by: Ilias Apalodimas
Reviewed-by: Heinrich Schuchardt
---
 include/efi_loader.h         |  3 ++-
 lib/efi_loader/efi_capsule.c |  7 ++++---
 lib/efi_loader/efi_string.c  | 10 ++++++++--
 test/unicode_ut.c            |  2 +-
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/include/efi_loader.h b/include/efi_loader.h index 365f3d01dc74..def0ab3a7954 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h
@@ -822,7 +822,8 @@ bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, void efi_memcpy_runtime(void *dest, const void *src, size_t n); /* commonly used helper function */ -u16 *efi_create_indexed_name(u16 *buffer, const char *name, unsigned int index); +u16 *efi_create_indexed_name(u16 *buffer, size_t buffer_size, const char *name, + unsigned int index); extern const struct efi_firmware_management_protocol efi_fmp_fit; extern const struct efi_firmware_management_protocol efi_fmp_raw; diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index ea22ee796843..4ef254626786 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -73,8 +73,8 @@ void set_capsule_result(int index, struct efi_capsule_header *capsule, struct efi_time time; efi_status_t ret; - efi_create_indexed_name(variable_name16, "Capsule", index); - + efi_create_indexed_name(variable_name16, sizeof(variable_name16), + "Capsule", index); result.variable_total_size = sizeof(result); result.capsule_guid = capsule->capsule_guid; ret = EFI_CALL((*efi_runtime_services.get_time)(&time, NULL)); @@ -896,7 +896,8 @@ efi_status_t efi_launch_capsules(void) free(files); /* CapsuleLast */ - efi_create_indexed_name(variable_name16, "Capsule", index - 1); + efi_create_indexed_name(variable_name16, sizeof(variable_name16), + "Capsule", index - 1); efi_set_variable_int(L"CapsuleLast", &efi_guid_capsule_report, EFI_VARIABLE_READ_ONLY | EFI_VARIABLE_NON_VOLATILE | diff --git a/lib/efi_loader/efi_string.c b/lib/efi_loader/efi_string.c index 3de721f06c7f..962724228866 100644 --- a/lib/efi_loader/efi_string.c +++ b/lib/efi_loader/efi_string.c 
@@ -23,13 +23,19 @@ * Return: A pointer to the next position after the created string * in @buffer, or NULL otherwise */ -u16 *efi_create_indexed_name(u16 *buffer, const char *name, unsigned int index) +u16 *efi_create_indexed_name(u16 *buffer, size_t buffer_size, const char *name, + unsigned int index) { u16 *p = buffer; char index_buf[5]; + size_t size; + size = (utf8_utf16_strlen(name) * sizeof(u16) + + sizeof(index_buf) * sizeof(u16)); + if (buffer_size < size) + return NULL; utf8_utf16_strcpy(&p, name); - sprintf(index_buf, "%04X", index); + snprintf(index_buf, sizeof(index_buf), "%04X", index); utf8_utf16_strcpy(&p, index_buf); return p; diff --git a/test/unicode_ut.c b/test/unicode_ut.c index 33fc8b0ee1e2..6130ef0b5497 100644 --- a/test/unicode_ut.c +++ b/test/unicode_ut.c @@ -603,7 +603,7 @@ static int unicode_test_efi_create_indexed_name(struct unit_test_state *uts) u16 *pos; memset(buf, 0xeb, sizeof(buf)); - pos = efi_create_indexed_name(buf, "Capsule", 0x0af9); + pos = efi_create_indexed_name(buf, sizeof(buf), "Capsule", 0x0af9); ut_asserteq_mem(expected, buf, sizeof(expected)); ut_asserteq(pos - buf, u16_strnlen(buf, SIZE_MAX));
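Review bot: in the first lib/efi_loader/efi_capsule.c hunk (set_capsule_result()), the return value of efi_create_indexed_name() is still discarded even though the function can now return NULL without writing anything to variable_name16. The code after the call would then work with whatever the buffer held before. Check the result and return (or log) on NULL. Also, sizeof(variable_name16) is only the buffer size if variable_name16 is an array in this scope; its declaration is not part of the hunk, so that is worth confirming. The hunk also drops the blank line that separated the call from the result.* assignments, which looks unintended.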
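Review bot: in the second lib/efi_loader/efi_capsule.c hunk (efi_launch_capsules()), `index - 1` is passed to an `unsigned int` parameter, so if index is 0 at this point the argument becomes a very large value, and the new snprintf() in efi_string.c silently truncates it to four hex digits instead of rejecting it. The NULL return is ignored here as well, right before CapsuleLast is set from the same buffer. Guard the index == 0 case and check the return value before calling efi_set_variable_int().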
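Review bot: in the lib/efi_loader/efi_string.c hunk, snprintf(index_buf, sizeof(index_buf), "%04X", index) now truncates any index above 0xFFFF to its leading four hex digits, which yields a well-formed but wrong variable name with no error. Since index is an unsigned int, returning NULL for index > 0xFFFF (or narrowing the parameter to u16) would make that case explicit. The size check also treats buffer_size as a byte count (it multiplies by sizeof(u16)), but the hunk adds no @buffer_size line to the kernel-doc, and the commit message says the existing description still puts sizing on the caller; please document the new parameter and its unit, and when NULL is returned.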
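Review bot: the test/unicode_ut.c hunk only adapts the existing call to the new signature, so the failure path this patch introduces is never exercised. Add a case that passes a buffer_size too small for "Capsule" plus the four digits and the terminator, asserts that the function returns NULL, and asserts that buf still holds the 0xeb fill from the memset.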