authorSteve McIntyre <93sam@debian.org>2019-05-03 01:41:52 +0100
committerSteve McIntyre <93sam@debian.org>2019-05-03 01:24:56 +0000
commit878d860c31f2c233aa88e86d2218c45158c07da1 (patch)
treec55058d204b1515c99094e65b8f759929c8fa2bd
parentcb7c0af03eb341c578fb8c906861af324584a49d (diff)
VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
Backport of upstream fix: VLogError() calculates the size of format strings by using calls to SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize of "0" is special-cased to mean "there is no limit". So, we end up writing our string to address 0x0. This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which handles the size calculation and allocation for us. Signed-off-by: Peter Jones <pjones@redhat.com> Fixes: 25f6fd08cd26 ("try to show errors more usefully.") [dannf: commit message ] Signed-off-by: dann frazier <dann.frazier@canonical.com>
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/avoid_null_vsprint.patch59
-rw-r--r--debian/patches/series1
3 files changed, 68 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 45eadbff..95d6dbc5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium
+
+ [ Steve McIntyre ]
+ * Backport needed crash fixes:
+ + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
+
+ -- Steve McIntyre <93sam@debian.org> Fri, 03 May 2019 01:39:34 +0100
+
shim (15+1533136590.3beb971-6) unstable; urgency=medium
[ Steve McIntyre ]
diff --git a/debian/patches/avoid_null_vsprint.patch b/debian/patches/avoid_null_vsprint.patch
new file mode 100644
index 00000000..cb056d6a
--- /dev/null
+++ b/debian/patches/avoid_null_vsprint.patch
@@ -0,0 +1,59 @@
+commit 20e731f423a438f53738de73af9ef3d67c4cba2f
+Author: Peter Jones <pjones@redhat.com>
+Date: Tue Feb 12 18:04:49 2019 -0500
+
+ VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
+
+ VLogError() calculates the size of format strings by using calls to
+ SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
+ Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
+ of "0" is special-cased to mean "there is no limit". So, we end up
+ writing our string to address 0x0. This was discovered because it
+ causes a crash on ARM where, unlike x86, it does not necessarily
+ have memory mapped at 0x0.
+
+ Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
+ handles the size calculation and allocation for us.
+
+ Signed-off-by: Peter Jones <pjones@redhat.com>
+ Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
+ [dannf: commit message ]
+ Signed-off-by: dann frazier <dann.frazier@canonical.com>
+
+diff --git a/errlog.c b/errlog.c
+index 18be482..eebb266 100644
+--- a/errlog.c
++++ b/errlog.c
+@@ -14,29 +14,20 @@ EFI_STATUS
+ VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
+ {
+ va_list args2;
+- UINTN size = 0, size2;
+ CHAR16 **newerrs;
+
+- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
+- va_copy(args2, args);
+- size2 = VSPrint(NULL, 0, fmt, args2);
+- va_end(args2);
+-
+ newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
+ (nerrs + 3) * sizeof(*errs));
+ if (!newerrs)
+ return EFI_OUT_OF_RESOURCES;
+
+- newerrs[nerrs] = AllocatePool(size*2+2);
++ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
+ if (!newerrs[nerrs])
+ return EFI_OUT_OF_RESOURCES;
+- newerrs[nerrs+1] = AllocatePool(size2*2+2);
++ va_copy(args2, args);
++ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
+ if (!newerrs[nerrs+1])
+ return EFI_OUT_OF_RESOURCES;
+-
+- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
+- va_copy(args2, args);
+- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
+ va_end(args2);
+
+ nerrs += 2;
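Review bot: The new early return on VPoolPrint failure, `if (!newerrs[nerrs+1]) return EFI_OUT_OF_RESOURCES;`, now exits between `va_copy(args2, args)` and the `va_end(args2)` that follows it, so on that path the copied va_list is never ended; the removed code had no return between its copy/end pairs, so this is a regression the backport introduces. Move the cleanup up so every path ends the copy: `newerrs[nerrs+1] = VPoolPrint(fmt, args2);` / `va_end(args2);` / `if (!newerrs[nerrs+1]) return EFI_OUT_OF_RESOURCES;`. Separately, all three failure returns happen after `ReallocatePool(errs, ...)` has already been called but before `nerrs` is advanced, and the first allocated string at `newerrs[nerrs]` is not freed when the second allocation fails; if ReallocatePool releases the old block, the global `errs` would then be stale on those paths — worth confirming against the remainder of VLogError, whose body continues past the end of this hunk.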
diff --git a/debian/patches/series b/debian/patches/series
index 01e6063f..9cae2bbf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
fixup_git.patch
uname.patch
+avoid_null_vsprint.patch