From 697cb1880b624f83bc9e926c3614d070eb365f06 Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Mon, 2 Dec 2019 12:31:47 +0100

Subject: [PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function

 (CVE-2019-14553)

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>

Message-id: <20191117220052.15700-4-lersek@redhat.com>

Patchwork-id: 92458

O-Subject: [RHEL-8.2.0 edk2 PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)

Bugzilla: 1536624

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

According to the ISO C standard, strchr() is a function. We #define it as

a macro. Unfortunately, our macro evaluates the first argument ("str")

twice. If the expression passed for "str" has side effects, the behavior

may be undefined.

In a later patch in this series, we're going to resurrect "inet_pton.c"

(originally from the StdLib package), which calls strchr() just like that:

  strchr((xdigits = xdigits_l), ch)

  strchr((xdigits = xdigits_u), ch)

To enable this kind of function call, turn strchr() into a function.

Cc: David Woodhouse <dwmw2@infradead.org>

Cc: Jian J Wang <jian.j.wang@intel.com>

Cc: Jiaxin Wu <jiaxin.wu@intel.com>

Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>

Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960

CVE: CVE-2019-14553

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

(cherry picked from commit eb520d94dba7369d1886cd5522d5a2c36fb02209)

---

 CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 5 +++++

 CryptoPkg/Library/Include/CrtLibSupport.h           | 2 +-

 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c

index 71a2ef3..42235ab 100644

--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c

+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c

@@ -115,6 +115,11 @@ QuickSortWorker (

 // -- String Manipulation Routines --

 //

+char *strchr(const char *str, int ch)

+{

+  return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch);

+}

+

 /* Scan a string for the last occurrence of a character */

 char *strrchr (const char *str, int c)

 {

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h

index 5806f50..b90da20 100644

--- a/CryptoPkg/Library/Include/CrtLibSupport.h

+++ b/CryptoPkg/Library/Include/CrtLibSupport.h

@@ -147,6 +147,7 @@ int            isupper     (int);

 int            tolower     (int);

 int            strcmp      (const char *, const char *);

 int            strncasecmp (const char *, const char *, size_t);

+char           *strchr     (const char *, int);

 char           *strrchr    (const char *, int);

 unsigned long  strtoul     (const char *, char **, int);

 long           strtol      (const char *, char **, int);

@@ -188,7 +189,6 @@ void           abort       (void);

 #define strcpy(strDest,strSource)         AsciiStrCpyS(strDest,MAX_STRING_SIZE,strSource)

 #define strncpy(strDest,strSource,count)  AsciiStrnCpyS(strDest,MAX_STRING_SIZE,strSource,(UINTN)count)

 #define strcat(strDest,strSource)         AsciiStrCatS(strDest,MAX_STRING_SIZE,strSource)

-#define strchr(str,ch)                    ScanMem8((VOID *)(str),AsciiStrSize(str),(UINT8)ch)

 #define strncmp(string1,string2,count)    (int)(AsciiStrnCmp(string1,string2,(UINTN)(count)))

 #define strcasecmp(str1,str2)             (int)AsciiStriCmp(str1,str2)

 #define sprintf(buf,...)                  AsciiSPrint(buf,MAX_STRING_SIZE,__VA_ARGS__)

-- 

1.8.3.1