From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao, Philippe Mathieu-Daudé
Subject: [edk2-devel] [PATCH RESEND 1/1] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes
Date: Thu, 19 Nov 2020 12:50:34 +0100
Message-Id: <20201119115034.12897-2-lersek@redhat.com>
In-Reply-To: <20201119115034.12897-1-lersek@redhat.com>
References: <20201119115034.12897-1-lersek@redhat.com>

The LzmaUefiDecompressGetInfo() function
[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
silently truncates the UINT64 "DecodedSize" property of the compressed
blob to the UINT32 "DestinationSize" output parameter.

If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
allocation (for decompression) will likely succeed (allocating 0x100 bytes
only), but then the LzmaUefiDecompress() function (which re-fetches the
uncompressed buffer size from the same LZMA header into a "SizeT"
variable) will overwrite the buffer.

Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
This should not be a practical limitation. (The issue cannot be fixed for 32-bit systems without spec modifications anyway, given that the "OutputSize" output parameter of EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN, not UINT64.) Cc: Dandan Bi Cc: Hao A Wu Cc: Jian J Wang Cc: Liming Gao Cc: Philippe Mathieu-Daud=C3=A9 Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1816 Signed-off-by: Laszlo Ersek Reviewed-by: Liming Gao Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h |= 5 +++++ MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c |= 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLib= Internal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLib= Internal.h index 26f110ba2a12..fbafd5f10055 100644 --- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInterna= l.h +++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInterna= l.h @@ -9,6 +9,7 @@ #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__ #define __LZMADECOMPRESSLIB_INTERNAL_H__ =20 +#include #include #include #include @@ -45,6 +46,10 @@ in DestinationSize and the size of the scratch buffer was returned in ScratchSize. =20 + @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the + uncompressed buffer size (in bytes) does not= fit + in a UINT32. Output parameters have not been + modified. **/ RETURN_STATUS EFIAPI diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c = b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c index c58912eb6a45..8f7c242dcaa8 100644 --- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c +++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c 
@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf( in DestinationSize and the size of the scratch buffer was returned in ScratchSize. =20 + @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the + uncompressed buffer size (in bytes) does not= fit + in a UINT32. Output parameters have not been + modified. **/ RETURN_STATUS EFIAPI @@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo ( ASSERT(SourceSize >=3D LZMA_HEADER_SIZE); =20 DecodedSize =3D GetDecodedSizeOfBuf((UINT8*)Source); + if (DecodedSize > MAX_UINT32) { + return RETURN_UNSUPPORTED; + } =20 *DestinationSize =3D (UINT32)DecodedSize; *ScratchSize =3D SCRATCH_BUFFER_REQUEST_SIZE; --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#67709): https://edk2.groups.io/g/devel/message/67709 Mute This Topic: https://groups.io/mt/78362922/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
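Review bot: the added `+#include` line in the LzmaDecompressLibInternal.h hunk at @@ -9,6 +9,7 @@ carries no header name in this rendering (the angle-bracketed names of the three existing `#include` lines right below it are missing too), so it is not possible to confirm from the patch which definitions the new include is meant to provide; the new @retval text relies on RETURN_UNSUPPORTED and the implementation on MAX_UINT32, so please confirm in the cover text, or re-send with the include names intact, that the added header is the one that declares them.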
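Review bot: the @retval RETURN_UNSUPPORTED paragraph added to LzmaDecompress.c at @@ -127,6 +127,10 @@ repeats, word for word, the one added to LzmaDecompressLibInternal.h at @@ -45,6 +46,10 @@. That follows the existing practice of carrying the function's doc comment in both files, but it means the two copies now have to be kept in sync by hand; a one-line remark in the commit message that the header and implementation comments were updated together would make that intent explicit for the next person who touches only one of them.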
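Review bot: the new `if (DecodedSize > MAX_UINT32) { return RETURN_UNSUPPORTED; }` at @@ -142,6 +146,9 @@ is placed before both `*DestinationSize =` and `*ScratchSize =`, so the "Output parameters have not been modified" promise in the new doc comment holds. Two points worth recording: the only length guard visible in the hunk is `ASSERT(SourceSize >= LZMA_HEADER_SIZE)`, which is a debug-build check, so the GetDecodedSizeOfBuf() read that follows has no release-build protection against a short Source (pre-existing, not introduced here); and the check covers only the GetInfo side, while LzmaUefiDecompress(), which per the commit message re-reads the same header into a SizeT, is unchanged, so on a 32-bit build the decompress-side narrowing the commit message describes remains, as the message itself acknowledges. Consider a follow-up in which LzmaUefiDecompress() rejects a header whose decoded size disagrees with the caller-supplied DestinationSize.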
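The truncation the commit message describes, worked through as an added, self-contained C example that is not edk2's code: a 13-byte .lzma-style header (5 property bytes followed by the decoded size as a 64-bit little-endian integer, the layout this example assumes GetDecodedSizeOfBuf() parses) is handed to a GetInfo routine that narrows the size to 32 bits without a check, and to one that applies the patch's MAX_UINT32 comparison before writing any output parameter. The status enum, the function names and the constructed header are assumptions of the example, not names from the patch, and the source-length guard is an explicit `if` rather than edk2's ASSERT().

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status values standing in for edk2's RETURN_STATUS codes. */
typedef enum {
  STATUS_SUCCESS = 0,
  STATUS_INVALID_PARAMETER,
  STATUS_UNSUPPORTED
} status_t;

/*
 * .lzma header layout assumed by this example: 5 property bytes
 * (1 lc/lp/pb byte + 4-byte dictionary size), then the decoded size as a
 * 64-bit little-endian integer, 13 bytes in total.
 */
#define LZMA_PROPS_SIZE   5
#define LZMA_HEADER_SIZE  (LZMA_PROPS_SIZE + 8)

/* Read the 64-bit decoded size that follows the property bytes. */
static uint64_t get_decoded_size(const uint8_t *src) {
  uint64_t size = 0;
  for (int i = 7; i >= 0; i--) {
    size = (size << 8) | src[LZMA_PROPS_SIZE + i];
  }
  return size;
}

/* Before the fix: the 64-bit size is narrowed to 32 bits unconditionally. */
status_t get_info_truncating(const uint8_t *src, size_t src_size,
                             uint32_t *dest_size) {
  if (src_size < LZMA_HEADER_SIZE) {   /* explicit check in place of ASSERT() */
    return STATUS_INVALID_PARAMETER;
  }
  *dest_size = (uint32_t)get_decoded_size(src);   /* 0x1_0000_0100 -> 0x100 */
  return STATUS_SUCCESS;
}

/* After the fix: a size that does not fit in 32 bits is rejected before
 * any output parameter is written, matching the patch's documented contract. */
status_t get_info_checked(const uint8_t *src, size_t src_size,
                          uint32_t *dest_size) {
  if (src_size < LZMA_HEADER_SIZE) {
    return STATUS_INVALID_PARAMETER;
  }
  uint64_t decoded = get_decoded_size(src);
  if (decoded > UINT32_MAX) {
    return STATUS_UNSUPPORTED;
  }
  *dest_size = (uint32_t)decoded;
  return STATUS_SUCCESS;
}

/* Build a constructed header advertising decoded_size bytes of output. */
void make_header(uint8_t out[LZMA_HEADER_SIZE], uint64_t decoded_size) {
  memset(out, 0, LZMA_HEADER_SIZE);
  out[0] = 0x5d;                       /* lc=3, lp=0, pb=2 */
  uint32_t dict_size = 1u << 16;       /* 64 KiB dictionary, arbitrary */
  for (int i = 0; i < 4; i++) {
    out[1 + i] = (uint8_t)(dict_size >> (8 * i));
  }
  for (int i = 0; i < 8; i++) {
    out[LZMA_PROPS_SIZE + i] = (uint8_t)(decoded_size >> (8 * i));
  }
}

/* DestinationSize the truncating variant reports for the given decoded size. */
uint32_t demo_truncated_size(uint64_t decoded_size) {
  uint8_t header[LZMA_HEADER_SIZE];
  uint32_t out = 0;
  make_header(header, decoded_size);
  get_info_truncating(header, sizeof header, &out);
  return out;
}

/* Status the checked variant returns for the given decoded size. */
status_t demo_checked_status(uint64_t decoded_size) {
  uint8_t header[LZMA_HEADER_SIZE];
  uint32_t out = 0;
  make_header(header, decoded_size);
  return get_info_checked(header, sizeof header, &out);
}

/* 1 if the checked variant rejected the header and left the output
 * untouched (sentinel intact); 0 if it accepted the header or wrote anyway. */
int demo_checked_output_untouched(uint64_t decoded_size) {
  uint8_t header[LZMA_HEADER_SIZE];
  uint32_t out = 0xdeadbeefu;          /* sentinel */
  make_header(header, decoded_size);
  if (get_info_checked(header, sizeof header, &out) == STATUS_SUCCESS) {
    return 0;
  }
  return out == 0xdeadbeefu;
}

int main(void) {
  uint64_t huge = 0x100000100ULL;      /* the commit message's 0x1_0000_0100 */
  printf("truncating: 0x%llx -> 0x%x\n",
         (unsigned long long)huge, demo_truncated_size(huge));
  printf("checked:    status %d, output untouched: %d\n",
         demo_checked_status(huge), demo_checked_output_untouched(huge));
  return 0;
}
```

Run stand-alone, the truncating variant reports 0x100 for a header that promises 0x1_0000_0100 bytes, which is exactly the undersized allocation the commit message warns about; the checked variant returns STATUS_UNSUPPORTED and leaves the caller's sentinel in place, while sizes up to UINT32_MAX are still accepted.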