RH covscan justifiedly reports that accessing
"EFI_COMMON_SECTION_HEADER.Size", which is of type UINT8[3], through a
(UINT32*), is undefined behavior:
> Error: OVERRUN (CWE-119):
> edk2-
89910a39dcfd/OvmfPkg/Sec/SecMain.c:178: overrun-local: Overrunning
> array of 3 bytes at byte offset 3 by dereferencing pointer
> "(UINT32 *)((EFI_COMMON_SECTION_HEADER *)(UINTN)Section)->Size".
> # 176| Section = (EFI_COMMON_SECTION_HEADER*)(UINTN) CurrentAddress;
> # 177|
> # 178|-> Size = SECTION_SIZE (Section);
> # 179| if (Size < sizeof (*Section)) {
> # 180| return EFI_VOLUME_CORRUPTED;
Fix this by accessing the array elements individually.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1710
Issue: scan-1007.txt
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
CHAR16 VersionString[1];\r
} EFI_VERSION_SECTION2;\r
\r
-#define SECTION_SIZE(SectionHeaderPtr) \\r
- ((UINT32) (*((UINT32 *) ((EFI_COMMON_SECTION_HEADER *) (UINTN) SectionHeaderPtr)->Size) & 0x00ffffff))\r
+///\r
+/// The argument passed as the SectionHeaderPtr parameter to the SECTION_SIZE()\r
+/// and IS_SECTION2() function-like macros below must not have side effects:\r
+/// SectionHeaderPtr is evaluated multiple times.\r
+///\r
+#define SECTION_SIZE(SectionHeaderPtr) ((UINT32) ( \\r
+ (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[0] ) | \\r
+ (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[1] << 8) | \\r
+ (((EFI_COMMON_SECTION_HEADER *) (UINTN) (SectionHeaderPtr))->Size[2] << 16)))\r
\r
#define IS_SECTION2(SectionHeaderPtr) \\r
(SECTION_SIZE (SectionHeaderPtr) == 0x00ffffff)\r