Merged PR 11375621: Fix outstanding Prefast warnings

+ Fixing various Prefast warnings to get us clean w.r.t. Prefast
  + Enable Prefast failures to break PR builds
+ Reduce noisy build warnings
+ Unpin Windows container images as using old images

Related work items: #52514550, #52514551, #52514554, #52514555, #52514556, #52514557, #52514559, #52514560, #52514561, #52514562, #52514632, #52514633, #52514634, #53004108, #53004109, #53130817

Author: samuel-lee-msft

.pipelines/OneBranch.Official.yml

@@ -29,7 +29,7 @@ schedules:
 variables:
   CDP_DEFINITION_BUILD_COUNT: $[counter('', 0)] # needed for onebranch.pipeline.version task https://aka.ms/obpipelines/versioning
   LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2004:latest' # Docker image which is used to build the project https://aka.ms/obpipelines/containers
-  WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2019/vse2022@sha256:a3083215a4675bad774ec88005dcf57436b3423584d0db3e82b6de3f780213ba'
+  WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2019/vse2022:latest'
 
 resources:
   repositories:

.pipelines/OneBranch.WindowsUndocked.Official.yml

@@ -58,7 +58,7 @@ parameters:
 
 variables:
   # https://aka.ms/obpipelines/containers
-  WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2022/vse2022@sha256:394ae836d8bbb5f5f7659744b85796ac823ab1410527ac26d143837bdecbde2a'
+  WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2022/vse2022:latest'
 
 resources:
   repositories:

.pipelines/OneBranch.WindowsUndocked.PullRequest.yml

@@ -19,7 +19,7 @@ pr:
 
 variables:
   # https://aka.ms/obpipelines/containers
-  WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2022/vse2022@sha256:394ae836d8bbb5f5f7659744b85796ac823ab1410527ac26d143837bdecbde2a'
+  WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2022/vse2022:latest'
 
 resources:
   repositories:

.pipelines/templates/build-windows-undocked.yml

@@ -8,7 +8,7 @@ parameters:
   config: 'Debug,Release'
   platform: 'x86,x64,arm64'
   nativeCompiler: true
-  buildType: 'private'
+  buildType: 'pr'
   sign: false # Only signs UM binaries, for external (to Windows repo) release
   # Packaging args
   package: false
@@ -94,10 +94,15 @@ jobs:
     ob_outputDirectory: $(Build.SourcesDirectory)\build\bin\$(ob_build_platform_win)$(ob_build_config_win)
     ob_artifactSuffix: _$(ob_build_platform_win)$(ob_build_config_win)
     # https://aka.ms/obpipelines/sdl
-    ob_sdl_tsa_enabled: true # When TSA is disabled all SDL tools will forced into 'break' build mode.
+    # When TSA is enabled bugs are filed on SDL errors. When TSA is disabled, most SDL tools break the build.
+    # Make official builds file bugs but PR builds just break the build.
+    ${{ if eq(parameters.buildType, 'official') }}:
+      ob_sdl_tsa_enabled: true 
+    ${{ if eq(parameters.buildType, 'pr') }}:
+      ob_sdl_tsa_enabled: false
     ob_sdl_binskim_break: true
     ob_sdl_policheck_break: true
-    ob_sdl_prefast_break: false
+    ob_sdl_prefast_break: true
     ${{ if eq(parameters.sign, true) }}:
       ob_sdl_codeSignValidation_excludes: -|**\*.sys # Signing is not supported for KM drivers
     ${{ if eq(parameters.sign, false) }}:
@@ -137,7 +142,7 @@ jobs:
       userProvideBuildInfo: auto
       rulesetName: Custom
       customRuleset: '$(Build.SourcesDirectory)\tvs.ruleset'
-      excludedPaths: 'c:/program files (x86)/windows kits/'
+      excludedPaths: 'c:/program files (x86)/windows kits/#c:/__w/1/s/unittest/symcryptdependencies/inc/'
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
 

inc/symcrypt.h

@@ -8511,7 +8511,7 @@ SymCryptXmsskeyGenerate(
 SYMCRYPT_ERROR
 SYMCRYPT_CALL
 SymCryptXmsskeySetValue(
-    _In_reads_bytes_( cbSrc )   PCBYTE                  pbInput,
+    _In_reads_bytes_( cbInput ) PCBYTE                  pbInput,
                                 SIZE_T                  cbInput,
                                 SYMCRYPT_XMSSKEY_TYPE   keyType,
                                 UINT32                  flags,
@@ -8583,11 +8583,11 @@ SymCryptXmsskeySetValue(
 SYMCRYPT_ERROR
 SYMCRYPT_CALL
 SymCryptXmsskeyGetValue(
-    _In_                        PCSYMCRYPT_XMSS_KEY     pKey,
-                                SYMCRYPT_XMSSKEY_TYPE   keyType,
-                                UINT32                  flags,
-    _Out_writes_bytes_( cbKey ) PBYTE                   pbOutput,
-                                SIZE_T                  cbOutput );
+    _In_                            PCSYMCRYPT_XMSS_KEY     pKey,
+                                    SYMCRYPT_XMSSKEY_TYPE   keyType,
+                                    UINT32                  flags,
+    _Out_writes_bytes_( cbOutput )  PBYTE                   pbOutput,
+                                    SIZE_T                  cbOutput );
 //
 //  Get public/private key value from an XMSS/XMSS^MT key object
 //

inc/symcrypt_internal.h

@@ -2100,6 +2100,14 @@ typedef const SYMCRYPT_ECPOINT * PCSYMCRYPT_ECPOINT;
 
 #define SYMCRYPT_BYTES_FROM_BITS(bits)          ( ( (bits) + 7 ) / 8 )
 
+// The maximum number of bits in any integer value that the library supports. If the
+// caller's input exceed this bound then the the integer object will not be created.
+// The caller either must ensure the bound is not exceeded, or check for NULL before
+// using created SymCrypt objects.
+// The primary purpose of this limit is to avoid integer overlows in size computations.
+// Having a reasonable upper bound avoids all size overflows, even on 32-bit CPUs
+#define SYMCRYPT_INT_MAX_BITS       ((UINT32)(1 << 20))
+
 //
 // Upper bound for the number of digits: this MUST be enforced on runtime
 // on all Allocate, SizeOf, and Create calls which take as input a digit number.

inc/symcrypt_low_level.h

@@ -273,14 +273,6 @@ a ModElement object.
 // General functions for integers
 //
 
-// The maximum number of bits in any integer value that the library supports. If the
-// caller's input exceed this bound then the the integer object will not be created.
-// The caller either must ensure the bound is not exceeded, or check for NULL before
-// using created SymCrypt objects.
-// The primary purpose of this limit is to avoid integer overlows in size computations.
-// Having a reasonable upper bound avoids all size overflows, even on 32-bit CPUs
-#define SYMCRYPT_INT_MAX_BITS               ((UINT32)(1 << 20))
-
 UINT32
 SymCryptDigitsFromBits( UINT32 nBits );
 //

lib/aes-asm.c

@@ -15,19 +15,12 @@ SymCryptAesEcbEncryptAsm(
     _Out_writes_( cbData )                      PBYTE                       pbDst,
                                                 SIZE_T                      cbData )
 {
-    SIZE_T cbToDo = cbData & ~(SYMCRYPT_AES_BLOCK_SIZE - 1);
-    SIZE_T i;
-
-    //
-    // This loop condition is slightly strange.
-    // If I use i < cbToDo (which is correct) then Prefast complains about buffer overflows.
-    // Even using SYMCRYPT_ASSERT which does an _Analysis_assume_ I can't fix the Prefast issue.
-    // The +15 in the code is slightly slower but it solves the Prefast issue.
-    //
-
-    for( i=0; (i+SYMCRYPT_AES_BLOCK_SIZE-1) < cbToDo; i+= SYMCRYPT_AES_BLOCK_SIZE )
+    while( cbData >= SYMCRYPT_AES_BLOCK_SIZE )
     {
-        SymCryptAesEncryptAsm( pExpandedKey, pbSrc + i, pbDst + i );
+        SymCryptAesEncryptAsm( pExpandedKey, pbSrc, pbDst );
+        pbSrc += SYMCRYPT_AES_BLOCK_SIZE;
+        pbDst += SYMCRYPT_AES_BLOCK_SIZE;
+        cbData -= SYMCRYPT_AES_BLOCK_SIZE;
     }
 }
 
@@ -39,18 +32,11 @@ SymCryptAesEcbDecryptAsm(
     _Out_writes_( cbData )                      PBYTE                       pbDst,
                                                 SIZE_T                      cbData )
 {
-    SIZE_T cbToDo = cbData & ~(SYMCRYPT_AES_BLOCK_SIZE - 1);
-    SIZE_T i;
-
-    //
-    // This loop condition is slightly strange.
-    // If I use i < cbToDo (which is correct) then Prefast complains about buffer overflows.
-    // Even using SYMCRYPT_ASSERT which does an _Analysis_assume_ I can't fix the Prefast issue.
-    // The +15 in the code is slightly slower but it solves the Prefast issue.
-    //
-
-    for( i=0; (i+SYMCRYPT_AES_BLOCK_SIZE-1) < cbToDo; i+= SYMCRYPT_AES_BLOCK_SIZE )
+    while( cbData >= SYMCRYPT_AES_BLOCK_SIZE )
     {
-        SymCryptAesDecryptAsm( pExpandedKey, pbSrc + i, pbDst + i );
+        SymCryptAesDecryptAsm( pExpandedKey, pbSrc, pbDst );
+        pbSrc += SYMCRYPT_AES_BLOCK_SIZE;
+        pbDst += SYMCRYPT_AES_BLOCK_SIZE;
+        cbData -= SYMCRYPT_AES_BLOCK_SIZE;
     }
 }

lib/aes-c.c

@@ -364,19 +364,12 @@ SymCryptAesEcbEncryptC(
     _Out_writes_( cbData )                      PBYTE                       pbDst,
                                                 SIZE_T                      cbData )
 {
-    SIZE_T cbToDo = cbData & ~(SYMCRYPT_AES_BLOCK_SIZE - 1);
-    SIZE_T i;
-
-    //
-    // This loop condition is slightly strange.
-    // If I use i < cbToDo (which is correct) then Prefast complains about buffer overflows.
-    // Even using SYMCRYPT_ASSERT which does an _Analysis_assume_ I can't fix the Prefast issue.
-    // The +15 in the code is slightly slower but it solves the Prefast issue.
-    //
-
-    for( i=0; (i+SYMCRYPT_AES_BLOCK_SIZE-1) < cbToDo; i+= SYMCRYPT_AES_BLOCK_SIZE )
+    while( cbData >= SYMCRYPT_AES_BLOCK_SIZE )
     {
-        SymCryptAesEncryptC( pExpandedKey, pbSrc + i, pbDst + i );
+        SymCryptAesEncryptC( pExpandedKey, pbSrc, pbDst );
+        pbSrc += SYMCRYPT_AES_BLOCK_SIZE;
+        pbDst += SYMCRYPT_AES_BLOCK_SIZE;
+        cbData -= SYMCRYPT_AES_BLOCK_SIZE;
     }
 }
 
@@ -388,19 +381,12 @@ SymCryptAesEcbDecryptC(
     _Out_writes_( cbData )                      PBYTE                       pbDst,
                                                 SIZE_T                      cbData )
 {
-    SIZE_T cbToDo = cbData & ~(SYMCRYPT_AES_BLOCK_SIZE - 1);
-    SIZE_T i;
-
-    //
-    // This loop condition is slightly strange.
-    // If I use i < cbToDo (which is correct) then Prefast complains about buffer overflows.
-    // Even using SYMCRYPT_ASSERT which does an _Analysis_assume_ I can't fix the Prefast issue.
-    // The +15 in the code is slightly slower but it solves the Prefast issue.
-    //
-
-    for( i=0; (i+SYMCRYPT_AES_BLOCK_SIZE-1) < cbToDo; i+= SYMCRYPT_AES_BLOCK_SIZE )
+    while( cbData >= SYMCRYPT_AES_BLOCK_SIZE )
     {
-        SymCryptAesDecryptC( pExpandedKey, pbSrc + i, pbDst + i );
+        SymCryptAesDecryptC( pExpandedKey, pbSrc, pbDst );
+        pbSrc += SYMCRYPT_AES_BLOCK_SIZE;
+        pbDst += SYMCRYPT_AES_BLOCK_SIZE;
+        cbData -= SYMCRYPT_AES_BLOCK_SIZE;
     }
 }
 

lib/aes-default.c

@@ -303,19 +303,12 @@ SymCryptAesEcbDecrypt(
     _Out_writes_( cbData )                      PBYTE                       pbDst,
                                                 SIZE_T                      cbData )
 {
-    SIZE_T cbToDo = cbData & ~(SYMCRYPT_AES_BLOCK_SIZE - 1);
-    SIZE_T i;
-
-    //
-    // This loop condition is slightly strange.
-    // If I use i < cbToDo (which is correct) then Prefast complains about buffer overflows.
-    // Even using SYMCRYPT_ASSERT which does an _Analysis_assume_ I can't fix the Prefast issue.
-    // The +15 in the code is slightly slower but it solves the Prefast issue.
-    //
-
-    for( i=0; (i+SYMCRYPT_AES_BLOCK_SIZE-1) < cbToDo; i+= SYMCRYPT_AES_BLOCK_SIZE )
+    while( cbData >= SYMCRYPT_AES_BLOCK_SIZE )
     {
-        SymCryptAesDecrypt( pExpandedKey, pbSrc + i, pbDst + i );
+        SymCryptAesDecrypt( pExpandedKey, pbSrc, pbDst );
+        pbSrc += SYMCRYPT_AES_BLOCK_SIZE;
+        pbDst += SYMCRYPT_AES_BLOCK_SIZE;
+        cbData -= SYMCRYPT_AES_BLOCK_SIZE;
     }
 }