From: "Wu, Hao A"
To: devel@edk2.groups.io
Cc: Hao A Wu, Eric Dong, Jian J Wang
Subject: [edk2-devel] [PATCH v1] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563)
Date: Thu, 6 Feb 2020 09:43:47 +0800
Message-Id: <20200206014347.3792-1-hao.a.wu@intel.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001

For S3BootScriptLib APIs:

S3BootScriptSaveIoWrite
S3BootScriptSaveMemWrite
S3BootScriptSavePciCfgWrite
S3BootScriptSavePciCfg2Write
S3BootScriptSaveSmbusExecute
S3BootScriptSaveInformation
S3BootScriptSaveInformationAsciiString
S3BootScriptLabel (happen in S3BootScriptLabelInternal())

possible numeric truncations will happen that may lead to S3 boot script
entry with improper size being returned to store the boot script data.
This commit will add checks to prevent this kind of issue.

Please note that the remaining S3BootScriptLib APIs:

S3BootScriptSaveIoReadWrite
S3BootScriptSaveMemReadWrite
S3BootScriptSavePciCfgReadWrite
S3BootScriptSavePciCfg2ReadWrite
S3BootScriptSaveStall
S3BootScriptSaveDispatch2
S3BootScriptSaveDispatch
S3BootScriptSaveMemPoll
S3BootScriptSaveIoPoll
S3BootScriptSavePciPoll
S3BootScriptSavePci2Poll
S3BootScriptCloseTable
S3BootScriptExecute
S3BootScriptMoveLastOpcode
S3BootScriptCompare

are not affected by such numeric truncation.

Cc: Eric Dong
Cc: Jian J Wang
Signed-off-by: Hao A Wu
Reviewed-by: Laszlo Ersek
Acked-by: Jian J Wang
Reviewed-by: Eric Dong
--- MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c | 52 ++++++++++= +++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/M= deModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c index 9106e7d0f9..9315fc9f01 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c @@ -1,7 +1,7 @@ /** @file Save the S3 data to S3 boot script. =20 - Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
+ Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite ( EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; =20 WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE)= )) { + return RETURN_OUT_OF_RESOURCES; + } Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Co= unt)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); @@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite ( EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite; =20 WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE= ))) { + return RETURN_OUT_OF_RESOURCES; + } Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * C= ount)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); @@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite ( } =20 WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFI= G_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInB= yte * Count)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); @@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write ( } =20 WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFI= G2_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthIn= Byte * Count)); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); 
@@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute ( return Status; } =20 + // + // Truncation check + // + if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) { + return RETURN_OUT_OF_RESOURCES; + } DataSize =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLeng= th); =20 Script =3D S3BootScriptGetEntryAddAddress (DataSize); @@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation ( UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; =20 + // + // Truncation check + // + if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)= ) { + return RETURN_OUT_OF_RESOURCES; + } Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLen= gth); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); @@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal ( UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; =20 + // + // Truncation check + // + if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)= ) { + return RETURN_OUT_OF_RESOURCES; + } Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLen= gth); =20 Script =3D S3BootScriptGetEntryAddAddress (Length); --=20 2.12.0.windows.1
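
Review bot: In the four write hunks (S3BootScriptSaveIoWrite, S3BootScriptSaveMemWrite, S3BootScriptSavePciCfgWrite, S3BootScriptSavePciCfg2Write) the same two-clause condition is pasted four times with only the structure name changing, and the "Truncation check" comment does not say that the `Count > MAX_UINT8` clause has to be evaluated first so that `WidthInByte * Count` cannot wrap before it is compared. Consider one static helper that takes the header size, `WidthInByte` and `Count` and reports whether the entry still fits in the UINT8 `Length`, with that ordering requirement written in its comment.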
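
Review bot: In the S3BootScriptSaveSmbusExecute hunk, and in the same form in every other check in this patch, the bound `MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)` is an unsigned subtraction, so if the structure ever grows past 255 bytes it wraps to a very large value and the check stops rejecting anything. A compile-time assertion that each boot script header structure is smaller than MAX_UINT8, placed next to these checks, would make that assumption explicit and fail the build instead of silently reopening the truncation.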
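
Review bot: The S3BootScriptSaveInformation and S3BootScriptLabelInternal hunks add an early `return RETURN_OUT_OF_RESOURCES;` for an oversized `InformationLength`, but no hunk in the patch touches a function header comment, so the new meaning of that status (requested entry too large for a UINT8 `Length`) is undocumented. Please extend the @retval text of each affected API so callers can tell an oversize request from an exhausted table. The two checks are also byte-for-byte identical and could share one helper.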