|
 |
d1e1c8 |
From 344a8364cb05cdaafc43231d0f73d5217c4e118c Mon Sep 17 00:00:00 2001
|
|
|
5b2885 |
From: Peter Jones <pjones@redhat.com>
|
|
|
5b2885 |
Date: Tue, 12 Feb 2019 18:04:49 -0500
|
|
|
d1e1c8 |
Subject: [PATCH 28/62] VLogError(): Avoid NULL pointer dereferences in
|
|
|
d1e1c8 |
(V)Sprint calls
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
VLogError() calculates the size of format strings by using calls to
|
|
|
d1e1c8 |
SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
|
|
|
d1e1c8 |
Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
|
|
|
d1e1c8 |
of "0" is special-cased to mean "there is no limit". So, we end up
|
|
|
d1e1c8 |
writing our string to address 0x0. This was discovered because it
|
|
|
d1e1c8 |
causes a crash on ARM where, unlike x86, it does not necessarily
|
|
|
d1e1c8 |
have memory mapped at 0x0.
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
|
|
|
d1e1c8 |
handles the size calculation and allocation for us.
|
|
|
5b2885 |
|
|
|
5b2885 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
d1e1c8 |
Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
|
|
|
d1e1c8 |
[dannf: commit message ]
|
|
|
d1e1c8 |
Signed-off-by: dann frazier <dann.frazier@canonical.com>
|
|
|
d1e1c8 |
Upstream-commit-id: 20e731f423a
|
|
|
5b2885 |
---
|
|
|
5b2885 |
errlog.c | 15 +++------------
|
|
|
5b2885 |
1 file changed, 3 insertions(+), 12 deletions(-)
|
|
|
5b2885 |
|
|
|
5b2885 |
diff --git a/errlog.c b/errlog.c
|
|
|
5b2885 |
index 18be4822d53..eebb266d396 100644
|
|
|
5b2885 |
--- a/errlog.c
|
|
|
5b2885 |
+++ b/errlog.c
|
|
|
5b2885 |
@@ -14,29 +14,20 @@ EFI_STATUS
|
|
|
5b2885 |
VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
|
|
|
5b2885 |
{
|
|
|
5b2885 |
va_list args2;
|
|
|
5b2885 |
- UINTN size = 0, size2;
|
|
|
5b2885 |
CHAR16 **newerrs;
|
|
|
5b2885 |
|
|
|
5b2885 |
- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
|
|
|
5b2885 |
- va_copy(args2, args);
|
|
|
5b2885 |
- size2 = VSPrint(NULL, 0, fmt, args2);
|
|
|
5b2885 |
- va_end(args2);
|
|
|
5b2885 |
-
|
|
|
5b2885 |
newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
|
|
|
5b2885 |
(nerrs + 3) * sizeof(*errs));
|
|
|
5b2885 |
if (!newerrs)
|
|
|
5b2885 |
return EFI_OUT_OF_RESOURCES;
|
|
|
5b2885 |
|
|
|
5b2885 |
- newerrs[nerrs] = AllocatePool(size*2+2);
|
|
|
5b2885 |
+ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
|
|
|
5b2885 |
if (!newerrs[nerrs])
|
|
|
5b2885 |
return EFI_OUT_OF_RESOURCES;
|
|
|
5b2885 |
- newerrs[nerrs+1] = AllocatePool(size2*2+2);
|
|
|
5b2885 |
+ va_copy(args2, args);
|
|
|
5b2885 |
+ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
|
|
|
5b2885 |
if (!newerrs[nerrs+1])
|
|
|
5b2885 |
return EFI_OUT_OF_RESOURCES;
|
|
|
5b2885 |
-
|
|
|
5b2885 |
- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
|
|
|
5b2885 |
- va_copy(args2, args);
|
|
|
5b2885 |
- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
|
|
|
5b2885 |
va_end(args2);
|
|
|
5b2885 |
|
|
|
5b2885 |
nerrs += 2;
|
|
|
5b2885 |
--
|
|
|
d1e1c8 |
2.26.2
|
|
|
5b2885 |
|