1. Patchew
  2. EDK2
  3. [edk2-devel] [PATCH v1 0/4] Bz4166: Integer Overflow in CreateHob()
  4. View patch

[edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()

Guo, Gua posted 4 patches 2 years, 1 month ago
There is a newer version of this series
[edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
Posted by Guo, Gua 2 years, 1 month ago 
From: Gerd Hoffmann <kraxel@redhat.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
index 1550e1babc..29ade2e4ef 100644
--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
@@ -34,6 +34,12 @@ CreateHob (
 
   HandOffHob = GetHobList ();
 
+  //
+  // Check Length to avoid data overflow.
+  //
+  if (HobLength > MAX_UINT16 - 0x7) {
+    return NULL;
+  }
   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
 
   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
-- 
2.39.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113578): https://edk2.groups.io/g/devel/message/113578
Mute This Topic: https://groups.io/mt/103657272/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
Posted by Ard Biesheuvel 2 years, 1 month ago 
On Thu, 11 Jan 2024 at 06:15, <gua.guo@intel.com> wrote:
>
> From: Gerd Hoffmann <kraxel@redhat.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove <mbeatove@google.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: John Mathew <john.mathews@intel.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>

> ---
>  .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> index 1550e1babc..29ade2e4ef 100644
> --- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> +++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> @@ -34,6 +34,12 @@ CreateHob (
>
>    HandOffHob = GetHobList ();
>
> +  //
> +  // Check Length to avoid data overflow.
> +  //
> +  if (HobLength > MAX_UINT16 - 0x7) {
> +    return NULL;
> +  }
>    HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
>
>    FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
> --
> 2.39.2.windows.1
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113581): https://edk2.groups.io/g/devel/message/113581
Mute This Topic: https://groups.io/mt/103657272/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
Posted by Ard Biesheuvel 2 years, 1 month ago 
On Thu, 11 Jan 2024 at 07:52, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Thu, 11 Jan 2024 at 06:15, <gua.guo@intel.com> wrote:
> >
> > From: Gerd Hoffmann <kraxel@redhat.com>
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
> >
> > Fix integer overflow in various CreateHob instances.
> > Fixes: CVE-2022-36765
> >
> > The CreateHob() function aligns the requested size to 8
> > performing the following operation:
> > ```
> > HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> > ```
> >
> > No checks are performed to ensure this value doesn't
> > overflow, and could lead to CreateHob() returning a smaller
> > HOB than requested, which could lead to OOB HOB accesses.
> >
> > Reported-by: Marc Beatove <mbeatove@google.com>
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Ray Ni <ray.ni@intel.com>
> > Cc: John Mathew <john.mathews@intel.com>
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>
> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
>

Same as the other patch: this needs a signoff from the sender, not the
author of the patch.

> > ---
> >  .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > index 1550e1babc..29ade2e4ef 100644
> > --- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > +++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > @@ -34,6 +34,12 @@ CreateHob (
> >
> >    HandOffHob = GetHobList ();
> >
> > +  //
> > +  // Check Length to avoid data overflow.
> > +  //
> > +  if (HobLength > MAX_UINT16 - 0x7) {
> > +    return NULL;
> > +  }
> >    HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> >
> >    FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
> > --
> > 2.39.2.windows.1
> >


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113587): https://edk2.groups.io/g/devel/message/113587
Mute This Topic: https://groups.io/mt/103657272/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.