mail archive of the barebox mailing list
 help / color / mirror / Atom feed
From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Subject: [PATCH 11/25] efi-stdio: Fix out of bounds error in puts
Date: Mon, 13 Dec 2021 22:08:51 +0100	[thread overview]
Message-ID: <20211213210905.3399551-12-s.hauer@pengutronix.de> (raw)
In-Reply-To: <20211213210905.3399551-1-s.hauer@pengutronix.de>

In efi_console_puts we use 'nbytes' as counter to break out of iterating
over the input string. An escape sequence consumes more than 1 input
character, still nbytes is only decremented by one. This results in
iterating past the end of the input string once an escape sequence is
in the buffer.
This patch introduces efi_console_add_char() to write a character in the
buffer and efi_console_flush() to print out the current buffer. This
fixes the issue and also allows us to prevent writing past the end of
the internal output buffer.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 drivers/serial/efi-stdio.c | 60 +++++++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 21 deletions(-)

diff --git a/drivers/serial/efi-stdio.c b/drivers/serial/efi-stdio.c
index b3a49eeec8..9cc2ca4196 100644
--- a/drivers/serial/efi-stdio.c
+++ b/drivers/serial/efi-stdio.c
@@ -64,7 +64,8 @@ struct efi_console_priv {
 	struct efi_simple_text_input_ex_protocol *inex;
 	struct console_device cdev;
 	int lastkey;
-	u16 efi_console_buffer[CONFIG_CBSIZE];
+	u16 efi_console_buffer[CONFIG_CBSIZE + 1];
+	int pos;
 
 	unsigned long columns, rows;
 
@@ -297,34 +298,51 @@ static int efi_process_escape(struct efi_console_priv *priv, const char *inp)
 	return 1;
 }
 
+static void efi_console_add_char(struct efi_console_priv *priv, int c)
+{
+	if (priv->pos >= CONFIG_CBSIZE)
+		return;
+
+	priv->efi_console_buffer[priv->pos] = c;
+	priv->pos++;
+}
+
+static void efi_console_flush(struct efi_console_priv *priv)
+{
+	priv->efi_console_buffer[priv->pos] = 0;
+
+	priv->out->output_string(priv->out, priv->efi_console_buffer);
+
+	priv->pos = 0;
+}
+
 static int efi_console_puts(struct console_device *cdev, const char *s,
 			    size_t nbytes)
 {
 	struct efi_console_priv *priv = to_efi(cdev);
-	int n = 0;
-
-	while (nbytes--) {
-		if (*s == 27) {
-			priv->efi_console_buffer[n] = 0;
-			priv->out->output_string(priv->out,
-					priv->efi_console_buffer);
-			n = 0;
-			s += efi_process_escape(priv, s);
-			continue;
-		}
+	int pos = 0;
 
-		if (*s == '\n')
-			priv->efi_console_buffer[n++] = '\r';
-		priv->efi_console_buffer[n] = *s;
-		s++;
-		n++;
+	while (pos < nbytes) {
+		switch (s[pos]) {
+		case 27:
+			efi_console_flush(priv);
+			pos += efi_process_escape(priv, s + pos);
+			break;
+		case '\n':
+			efi_console_add_char(priv, '\r');
+			efi_console_add_char(priv, '\n');
+			pos++;
+			break;
+		default:
+			efi_console_add_char(priv, s[pos]);
+			pos++;
+			break;
+		}
 	}
 
-	priv->efi_console_buffer[n] = 0;
-
-	priv->out->output_string(priv->out, priv->efi_console_buffer);
+	efi_console_flush(priv);
 
-	return n;
+	return nbytes;
 }
 
 static int efi_console_tstc(struct console_device *cdev)
-- 
2.30.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


  parent reply	other threads:[~2021-12-13 21:11 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-13 21:08 [PATCH 00/25] EFI improvements Sascha Hauer
2021-12-13 21:08 ` [PATCH 01/25] efi-devicepath: Make efi_device_path argument const Sascha Hauer
2021-12-13 21:08 ` [PATCH 02/25] efi: move device-path defines and types to header file Sascha Hauer
2021-12-13 21:08 ` [PATCH 03/25] efi: Implement device_path_to_subtype() Sascha Hauer
2021-12-13 21:08 ` [PATCH 04/25] efi: Do not register IPv[46] devices Sascha Hauer
2021-12-13 21:08 ` [PATCH 05/25] console: Fix message colours Sascha Hauer
2021-12-16 12:21   ` Jules Maselbas
2021-12-17 13:23     ` Sascha Hauer
2021-12-17 13:24       ` Jules Maselbas
2021-12-13 21:08 ` [PATCH 06/25] efi-stdio: remove unnecessary check Sascha Hauer
2021-12-13 21:08 ` [PATCH 07/25] efi-stdio: rename to efi_process_escape Sascha Hauer
2021-12-13 21:08 ` [PATCH 08/25] efi-stdio: return bytes actually consumed Sascha Hauer
2021-12-13 21:08 ` [PATCH 09/25] efi-stdio: fix escape sequence end detection Sascha Hauer
2021-12-13 21:08 ` [PATCH 10/25] efi-stdio: improve escape sequence parsing Sascha Hauer
2021-12-13 21:08 ` Sascha Hauer [this message]
2021-12-13 21:08 ` [PATCH 12/25] efi-stdio: Fix tab printing Sascha Hauer
2021-12-13 21:08 ` [PATCH 13/25] efi-stdio: Implement efi_console_putc() using efi_console_puts() Sascha Hauer
2021-12-15 11:04   ` Ahmad Fatoum
2021-12-13 21:08 ` [PATCH 14/25] efi-stdio: Fix '\b' handling Sascha Hauer
2021-12-13 21:08 ` [PATCH 15/25] efi-stdio: implement input buffering with a kfifo Sascha Hauer
2021-12-13 21:08 ` [PATCH 16/25] efi-stdio: limit set_cursor to screen size boundaries Sascha Hauer
2021-12-13 21:08 ` [PATCH 17/25] efi-stdio: implement getting the cursor position Sascha Hauer
2021-12-13 21:08 ` [PATCH 18/25] efi-stdio: Implement setting cursor visibility Sascha Hauer
2021-12-13 21:08 ` [PATCH 19/25] efi-stdio: Support different text modes Sascha Hauer
2021-12-13 21:09 ` [PATCH 20/25] edit: improve screen size detection Sascha Hauer
2021-12-13 21:09 ` [PATCH 21/25] edit: Improve behaviour on efi-stdio console Sascha Hauer
2021-12-16 12:41   ` Jules Maselbas
2021-12-17 13:29     ` Sascha Hauer
2021-12-13 21:09 ` [PATCH 22/25] edit: send escape sequence only for smartscroll Sascha Hauer
2021-12-13 21:09 ` [PATCH 23/25] net: efi-snp: Check for carrier before sending Sascha Hauer
2021-12-13 21:09 ` [PATCH 24/25] efi: add efi_device hook to be called before an image is started Sascha Hauer
2021-12-13 21:09 ` [PATCH 25/25] net: efi-snp: Open protocol exclusively Sascha Hauer
2021-12-15 11:07 ` [PATCH 00/25] EFI improvements Ahmad Fatoum
2021-12-18 12:07   ` Michael Graichen
2021-12-18 13:55     ` Sascha Hauer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211213210905.3399551-12-s.hauer@pengutronix.de \
    --to=s.hauer@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox