debian/patches/avoid_null_vsprint.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

commit 20e731f423a438f53738de73af9ef3d67c4cba2f
Author: Peter Jones <pjones@redhat.com>
Date:   Tue Feb 12 18:04:49 2019 -0500

    VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
    
    VLogError() calculates the size of format strings by using calls to
    SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
    Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
    of "0" is special-cased to mean "there is no limit". So, we end up
    writing our string to address 0x0. This was discovered because it
    causes a crash on ARM where, unlike x86, it does not necessarily
    have memory mapped at 0x0.
    
    Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
    handles the size calculation and allocation for us.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
    [dannf: commit message ]
    Signed-off-by: dann frazier <dann.frazier@canonical.com>

diff --git a/errlog.c b/errlog.c
index 18be482..eebb266 100644
--- a/errlog.c
+++ b/errlog.c
@@ -14,29 +14,20 @@ EFI_STATUS
 VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
 {
 	va_list args2;
-	UINTN size = 0, size2;
 	CHAR16 **newerrs;
 
-	size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
-	va_copy(args2, args);
-	size2 = VSPrint(NULL, 0, fmt, args2);
-	va_end(args2);
-
 	newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
 				       (nerrs + 3) * sizeof(*errs));
 	if (!newerrs)
 		return EFI_OUT_OF_RESOURCES;
 
-	newerrs[nerrs] = AllocatePool(size*2+2);
+	newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
 	if (!newerrs[nerrs])
 		return EFI_OUT_OF_RESOURCES;
-	newerrs[nerrs+1] = AllocatePool(size2*2+2);
+	va_copy(args2, args);
+	newerrs[nerrs+1] = VPoolPrint(fmt, args2);
 	if (!newerrs[nerrs+1])
 		return EFI_OUT_OF_RESOURCES;
-
-	SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
-	va_copy(args2, args);
-	VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
 	va_end(args2);
 
 	nerrs += 2;