<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Microsoft YaHei";
panose-1:2 11 5 3 2 2 4 2 2 4;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Microsoft YaHei";}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:DengXian;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
/* Page Definitions */
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=ZH-CN link=blue vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hi Zhichao,</span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US> I will update the detailed description according to your suggestions</span>,<span lang=EN-US>thanks.</span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Chao.</span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal>发送自<span lang=EN-US> Windows 10 </span>版<span lang=EN-US><a href="https://go.microsoft.com/fwlink/?LinkId=550986"><span lang=EN-US><span lang=EN-US>邮件</span></span></a></span>应用</p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:SimSun'><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>发件人<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:zhichao.gao@intel.com">Gao, Zhichao</a><br></span><b>发送时间<span lang=EN-US>: </span></b><span lang=EN-US>2021</span>年<span lang=EN-US>1</span>月<span lang=EN-US>14</span>日<span lang=EN-US> 10:06<br></span><b>收件人<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:gechao@greatwall.com.cn">gechao</a>; <a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><br></span><b>抄送<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:ray.ni@intel.com">Ni, Ray</a><br></span><b>主题<span lang=EN-US>: </span></b><span lang=EN-US>RE: [PATCH] MdeModulePkg/TerminalDxe: Fix terminal fifobufferoverflow with UINT8 type</span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:SimSun'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Now I understood. It is a bug fix. But the commit message is not clear.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>typedef struct {<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> UINT8 Head;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> UINT8 Tail;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> UINT8 Data[RAW_FIFO_MAX_NUMBER + 1];<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>} RAW_DATA_FIFO;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>RAW_FIFO_MAX_NUMBER is 256.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>the data buffer size is 257 (Index from 0 to 256), but the max value of the index, Head or Tail (UINT8), is 255. That means the last data of the data buffer would be always empty if we use Head/Tail to output/input the data correctly.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>And because of the incorrect buffer size the FIFO full check “((Tail + 1) % (RAW_FIFO_MAX_NUMBER + 1)) == Head” would never meet.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Zhichao<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal align=left style='text-align:left'><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> gechao <gechao@greatwall.com.cn> <br><b>Sent:</b> Wednesday, January 13, 2021 5:12 PM<br><b>To:</b> Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io<br><b>Cc:</b> Ni, Ray <ray.ni@intel.com><br><b>Subject:</b> </span><span style='font-size:11.0pt;font-family:"微软雅黑",sans-serif'>回复</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>: [PATCH] MdeModulePkg/TerminalDxe: Fix terminal fifo bufferoverflow with UINT8 type<o:p></o:p></span></p></div></div><p class=MsoNormal align=left style='text-align:left'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Hi Zhigao,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'> <span style='color:black;background:whitesmoke'>Let's take the following code as an example, as we know, The maximum data represented by the UINT8 type is 255, <o:p></o:p></span></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'>So the equation condition on line 812 will not be true under special circumstances in picture 1, because (RAW_FIFO_MAX_NUMBER + 1) = 257,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'>So when the fifo buffer is full with head = 0 and Tail = 255, the maximum value of (Tail + 1) % (RAW_FIFO_MAX_NUMBER + 1) is 256,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'>This function will return false, This situation will occur in rare cases.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'>This is a classic case we encountered in the project, our program will hang in picture 2 in this situation when the serial port does not respond.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'>File: <u>MdeModulePkg\Universal\Console\TerminalDxe\TerminalConIn.c<o:p></o:p></u></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'>picture 1:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><img border=0 width=515 height=314 style='width:5.3645in;height:3.2708in' id="图片_x0020_3" src="cid:image001.png@01D6EA58.3B80D990"></span><span lang=EN-US style='font-size:12.0pt'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'>picture 2:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><img border=0 width=512 height=322 style='width:5.3333in;height:3.3541in' id="图片_x0020_4" src="cid:image002.png@01D6EA58.3B80D990"></span><span lang=EN-US style='font-size:12.0pt;color:black;background:whitesmoke'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal>发送自<span lang=EN-US> Windows 10 </span>版<span lang=EN-US><a href="https://go.microsoft.com/fwlink/?LinkId=550986"><span lang=EN-US><span lang=EN-US>邮件</span></span></a></span>应用<span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:SimSun'><o:p> </o:p></span></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>发件人<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:zhichao.gao@intel.com">Gao, Zhichao</a><br></span><b>发送时间<span lang=EN-US>: </span></b><span lang=EN-US>2021</span>年<span lang=EN-US>1</span>月<span lang=EN-US>13</span>日<span lang=EN-US> 14:57<br></span><b>收件人<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:gechao@greatwall.com.cn">gechao@greatwall.com.cn</a>; <a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><br></span><b>抄送<span lang=EN-US>: </span></b><span lang=EN-US><a href="mailto:ray.ni@intel.com">Ni, Ray</a><br></span><b>主题<span lang=EN-US>: </span></b><span lang=EN-US>RE: [PATCH] MdeModulePkg/TerminalDxe: Fix terminal fifo bufferoverflow with UINT8 type<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:SimSun'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Hi,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Sorry, I don't understand the patch. UINT8 type would have the value limitation. But why does it affect the buffer size?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Did you observed the overflow with the original value? If yes, can you share the example?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Zhichao<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>> -----Original Message-----<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> From: <a href="mailto:gechao@greatwall.com.cn">gechao@greatwall.com.cn</a> <<a href="mailto:gechao@greatwall.com.cn">gechao@greatwall.com.cn</a>><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> Sent: Tuesday, December 22, 2020 6:19 PM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> To: <a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a>; Gao, Zhichao <<a href="mailto:zhichao.gao@intel.com">zhichao.gao@intel.com</a>><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> Cc: Ni, Ray <<a href="mailto:ray.ni@intel.com">ray.ni@intel.com</a>>; gechao <<a href="mailto:gechao@greatwall.com.cn">gechao@greatwall.com.cn</a>><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> Subject: [PATCH] MdeModulePkg/TerminalDxe: Fix terminal fifo buffer<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> overflow with UINT8 type<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> From: gechao <<a href="mailto:gechao@greatwall.com.cn">gechao@greatwall.com.cn</a>><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> The maximum fifo buffer length is RAW_FIFO_MAX_NUMBER + 1 = 257, but<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> the maximum value of terminal fifo buffer index is sizeof(UINT8) - 1 = 255 with<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> UINT8 type, so check if fifo buffer is empty or full with below expression, ((Tail<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> + 1) % (RAW_FIFO_MAX_NUMBER + 1)) == Head, (Tail + 1) might be<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> sizeof(UINT8) + 1 = 256, for UINT8 type, it does not make any sense.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> Signed-off-by: gechao <<a href="mailto:gechao@greatwall.com.cn">gechao@greatwall.com.cn</a>><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> ---<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> MdeModulePkg/Universal/Console/TerminalDxe/Terminal.h | 2 +-<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> 1 file changed, 1 insertion(+), 1 deletion(-)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.h<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.h<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> index 378ace13ce..360e58e847 100644<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> --- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.h<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> +++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.h<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> @@ -37,7 +37,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> #include <Library/BaseLib.h> -#define RAW_FIFO_MAX_NUMBER<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> 256+#define RAW_FIFO_MAX_NUMBER 255 #define FIFO_MAX_NUMBER<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> 128 typedef struct {--<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>> 2.25.1<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></body></html>
<div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links:<p> You receive all messages sent to this group. <p> <a target="_blank" href="https://edk2.groups.io/g/devel/message/70322">View/Reply Online (#70322)</a> | | <a target="_blank" href="https://groups.io/mt/79682585/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a><br> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com]<br> <div width="1" style="color:white;clear:both">_._,_._,_</div>