project-lakitu/sys-boot/shim/files/shim-15-fix-vlogerror-arm64-crash.patch - cos/overlays/board-overlays - Git at Google

 From 344a8364cb05cdaafc43231d0f73d5217c4e118c Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 12 Feb 2019 18:04:49 -0500
 Subject: [PATCH] VLogError(): Avoid NULL pointer dereferences in (V)Sprint
  calls

 VLogError() calculates the size of format strings by using calls to
 SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
 Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
 of "0" is special-cased to mean "there is no limit". So, we end up
 writing our string to address 0x0. This was discovered because it
 causes a crash on ARM where, unlike x86, it does not necessarily
 have memory mapped at 0x0.

 Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
 handles the size calculation and allocation for us.

 Signed-off-by: Peter Jones <pjones@redhat.com>
 Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
 [dannf: commit message ]
 Signed-off-by: dann frazier <dann.frazier@canonical.com>
 Upstream-commit-id: 20e731f423a
 ---
  errlog.c | 15 +++------------
  1 file changed, 3 insertions(+), 12 deletions(-)

 diff --git a/errlog.c b/errlog.c
 index 18be4822..eebb266d 100644
 --- a/errlog.c
 +++ b/errlog.c
 @@ -14,29 +14,20 @@ EFI_STATUS
  VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
  {
  	va_list args2;
 -	UINTN size = 0, size2;
  	CHAR16 **newerrs;

 -	size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
 -	va_copy(args2, args);
 -	size2 = VSPrint(NULL, 0, fmt, args2);
 -	va_end(args2);
 -
  	newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
  				       (nerrs + 3) * sizeof(*errs));
  	if (!newerrs)
  		return EFI_OUT_OF_RESOURCES;

 -	newerrs[nerrs] = AllocatePool(size*2+2);
 +	newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
  	if (!newerrs[nerrs])
  		return EFI_OUT_OF_RESOURCES;
 -	newerrs[nerrs+1] = AllocatePool(size2*2+2);
 +	va_copy(args2, args);
 +	newerrs[nerrs+1] = VPoolPrint(fmt, args2);
  	if (!newerrs[nerrs+1])
  		return EFI_OUT_OF_RESOURCES;
 -
 -	SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
 -	va_copy(args2, args);
 -	VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
  	va_end(args2);

  	nerrs += 2;
	From 344a8364cb05cdaafc43231d0f73d5217c4e118c Mon Sep 17 00:00:00 2001
	From: Peter Jones <pjones@redhat.com>
	Date: Tue, 12 Feb 2019 18:04:49 -0500
	Subject: [PATCH] VLogError(): Avoid NULL pointer dereferences in (V)Sprint
	calls

	VLogError() calculates the size of format strings by using calls to
	SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
	Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
	of "0" is special-cased to mean "there is no limit". So, we end up
	writing our string to address 0x0. This was discovered because it
	causes a crash on ARM where, unlike x86, it does not necessarily
	have memory mapped at 0x0.

	Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
	handles the size calculation and allocation for us.

	Signed-off-by: Peter Jones <pjones@redhat.com>
	Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
	[dannf: commit message ]
	Signed-off-by: dann frazier <dann.frazier@canonical.com>
	Upstream-commit-id: 20e731f423a
	---
	errlog.c \| 15 +++------------
	1 file changed, 3 insertions(+), 12 deletions(-)

	diff --git a/errlog.c b/errlog.c
	index 18be4822..eebb266d 100644
	--- a/errlog.c
	+++ b/errlog.c
	@@ -14,29 +14,20 @@ EFI_STATUS
	VLogError(const char file, int line, const char func, CHAR16 *fmt, va_list args)
	{
	va_list args2;
	- UINTN size = 0, size2;
	CHAR16 **newerrs;

	- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
	- va_copy(args2, args);
	- size2 = VSPrint(NULL, 0, fmt, args2);
	- va_end(args2);
	-
	newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
	(nerrs + 3) * sizeof(*errs));
	if (!newerrs)
	return EFI_OUT_OF_RESOURCES;

	- newerrs[nerrs] = AllocatePool(size*2+2);
	+ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
	if (!newerrs[nerrs])
	return EFI_OUT_OF_RESOURCES;
	- newerrs[nerrs+1] = AllocatePool(size2*2+2);
	+ va_copy(args2, args);
	+ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
	if (!newerrs[nerrs+1])
	return EFI_OUT_OF_RESOURCES;
	-
	- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
	- va_copy(args2, args);
	- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
	va_end(args2);

	nerrs += 2;