From 697cb1880b624f83bc9e926c3614d070eb365f06 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Mon, 2 Dec 2019 12:31:47 +0100 Subject: [PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Laszlo Ersek Message-id: <20191117220052.15700-4-lersek@redhat.com> Patchwork-id: 92458 O-Subject: [RHEL-8.2.0 edk2 PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553) Bugzilla: 1536624 RH-Acked-by: Philippe Mathieu-Daudé RH-Acked-by: Vitaly Kuznetsov According to the ISO C standard, strchr() is a function. We #define it as a macro. Unfortunately, our macro evaluates the first argument ("str") twice. If the expression passed for "str" has side effects, the behavior may be undefined. In a later patch in this series, we're going to resurrect "inet_pton.c" (originally from the StdLib package), which calls strchr() just like that: strchr((xdigits = xdigits_l), ch) strchr((xdigits = xdigits_u), ch) To enable this kind of function call, turn strchr() into a function. Cc: David Woodhouse Cc: Jian J Wang Cc: Jiaxin Wu Cc: Sivaraman Nainar Cc: Xiaoyu Lu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960 CVE: CVE-2019-14553 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daude Reviewed-by: Jian J Wang Reviewed-by: Jiaxin Wu (cherry picked from commit eb520d94dba7369d1886cd5522d5a2c36fb02209) --- CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 5 +++++ CryptoPkg/Library/Include/CrtLibSupport.h | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c index 71a2ef3..42235ab 100644 --- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c @@ -115,6 +115,11 @@ QuickSortWorker ( // -- String Manipulation Routines -- // +char *strchr(const char *str, int ch) +{ + return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch); +} + /* Scan a string for the last occurrence of a character */ char *strrchr (const char *str, int c) { diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h index 5806f50..b90da20 100644 --- a/CryptoPkg/Library/Include/CrtLibSupport.h +++ b/CryptoPkg/Library/Include/CrtLibSupport.h @@ -147,6 +147,7 @@ int isupper (int); int tolower (int); int strcmp (const char *, const char *); int strncasecmp (const char *, const char *, size_t); +char *strchr (const char *, int); char *strrchr (const char *, int); unsigned long strtoul (const char *, char **, int); long strtol (const char *, char **, int); @@ -188,7 +189,6 @@ void abort (void); #define strcpy(strDest,strSource) AsciiStrCpyS(strDest,MAX_STRING_SIZE,strSource) #define strncpy(strDest,strSource,count) AsciiStrnCpyS(strDest,MAX_STRING_SIZE,strSource,(UINTN)count) #define strcat(strDest,strSource) AsciiStrCatS(strDest,MAX_STRING_SIZE,strSource) -#define strchr(str,ch) ScanMem8((VOID *)(str),AsciiStrSize(str),(UINT8)ch) #define strncmp(string1,string2,count) (int)(AsciiStrnCmp(string1,string2,(UINTN)(count))) #define strcasecmp(str1,str2) (int)AsciiStriCmp(str1,str2) #define sprintf(buf,...) AsciiSPrint(buf,MAX_STRING_SIZE,__VA_ARGS__) -- 1.8.3.1