From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Guo Dong, Sean Rhodes, James Lu, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v2 1/4] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
Date: Thu, 11 Jan 2024 17:14:36 +0800
Message-Id: <20240111091439.1767-2-gua.guo@intel.com>
In-Reply-To: <20240111091439.1767-1-gua.guo@intel.com>
References: <20240111091439.1767-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove
Cc: Guo Dong
Cc: Sean Rhodes
Cc: James Lu
Reviewed-by: Gua Guo
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
Acked-by: Gerd Hoffmann
---
 UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c b/UefiPayloadP= kg/Library/PayloadEntryHobLib/Hob.c index 2c3acbbc19..39f07d1964 100644 --- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c +++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c 
@@ -110,6 +110,13 @@ CreateHob ( =20 HandOffHob =3D GetHobList (); =20 + // + // Check Length to avoid data overflow. + // + if (HobLength > MAX_UINT16 - 0x7) { + return NULL; + } + HobLength =3D (UINT16)((HobLength + 0x7) & (~0x7)); =20 FreeMemory =3D HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryB= ottom; --=20 2.39.2.windows.1
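
Review bot: the comment above the new guard in CreateHob() ("Check Length to avoid data overflow.") does not say what overflows or why the bound is MAX_UINT16 - 0x7. The wrap happens in the (UINT16) cast on the following statement, after 0x7 has been added and the low bits masked, so the comment should say that any length above MAX_UINT16 - 0x7 rounds up past 16 bits and would be truncated. The return NULL path is also silent; a DEBUG message or ASSERT ahead of it would make a rejected request visible, and the callers, which this hunk does not show, need to handle the NULL.
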
From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Ard Biesheuvel, Sami Mujawar, Ray Ni, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v2 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
Date: Thu, 11 Jan 2024 17:14:37 +0800
Message-Id: <20240111091439.1767-3-gua.guo@intel.com>
In-Reply-To: <20240111091439.1767-1-gua.guo@intel.com>
References: <20240111091439.1767-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove
Reviewed-by: Ard Biesheuvel
Cc: Sami Mujawar
Cc: Ray Ni
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
Acked-by: Gerd Hoffmann
Reported-by: Marc Beatove = > >>> Reported-by: Marc Beatove = >> Reported-by: Marc Beatove > Reviewed-by: Ard Biesheuvel > >>> Reviewed-by: Ard Biesheuvel >> Reviewed-by: Ard Biesheuvel >
---
 .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneM= mCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/Standalo= neMmCoreHobLib.c index 1550e1babc..bb8426dc0a 100644 --- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHo= bLib.c +++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHo= bLib.c 
@@ -34,6 +34,13 @@ CreateHob ( =20 HandOffHob =3D GetHobList (); =20 + // + // Check Length to avoid data overflow. + // + if (HobLength > MAX_UINT16 - 0x7) { + return NULL; + } + HobLength =3D (UINT16)((HobLength + 0x7) & (~0x7)); =20 FreeMemory =3D HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryB= ottom; --=20 2.39.2.windows.1
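
Review bot: the new guard in CreateHob() sits after "HandOffHob = GetHobList ();" although it depends only on HobLength. Moving the check ahead of the GetHobList() call would reject a bad length before any other work is done and keeps argument validation at the top of the function. The early return is the only failure path visible in this hunk, so it is worth confirming that the Arm StandaloneMm callers treat a NULL result as an error.
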
From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Leif Lindholm, Ard Biesheuvel, Abner Chang, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v2 3/4] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
Date: Thu, 11 Jan 2024 17:14:38 +0800
Message-Id: <20240111091439.1767-4-gua.guo@intel.com>
In-Reply-To: <20240111091439.1767-1-gua.guo@intel.com>
References: <20240111091439.1767-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove
Cc: Leif Lindholm
Reviewed-by: Ard Biesheuvel
Cc: Abner Chang
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
Acked-by: Gerd Hoffmann
---
 EmbeddedPkg/Library/PrePiHobLib/Hob.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/Pr= ePiHobLib/Hob.c index 8eb175aa96..1fe3ea93e4 100644 --- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c +++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c 
@@ -110,6 +110,13 @@ CreateHob ( =20 HandOffHob =3D GetHobList (); =20 + // + // Check Length to avoid data overflow. + // + if (HobLength > MAX_UINT16 - 0x7) { + return NULL; + } + HobLength =3D (UINT16)((HobLength + 0x7) & (~0x7)); =20 FreeMemory =3D HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryB= ottom; --=20 2.39.2.windows.1
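
Review bot: the literal 0x7 now appears three times in two adjacent statements of CreateHob(), once in the guard and twice in the rounding expression, so the bound and the alignment can drift apart if only one of them is edited later. A single named constant for the alignment mask, used both in "if (HobLength > MAX_UINT16 - 0x7)" and in the rounding line, would keep the two tied together and make the relationship between them obvious to the next reader.
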
From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Liming Gao, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v2 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()
Date: Thu, 11 Jan 2024 17:14:39 +0800
Message-Id: <20240111091439.1767-5-gua.guo@intel.com>
In-Reply-To: <20240111091439.1767-1-gua.guo@intel.com>
References: <20240111091439.1767-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove
Cc: Liming Gao
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
Acked-by: Gerd Hoffmann
---
 MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c b/MdeModulePkg/Core/Pei/Hob/Ho= b.c index c4882a23cd..985da50995 100644 --- a/MdeModulePkg/Core/Pei/Hob/Hob.c +++ b/MdeModulePkg/Core/Pei/Hob/Hob.c 
@@ -85,7 +85,7 @@ PeiCreateHob ( // // Check Length to avoid data overflow. // - if (0x10000 - Length <=3D 0x7) { + if (MAX_UINT16 - Length < 0x7) { return EFI_INVALID_PARAMETER; } =20 --=20 2.39.2.windows.1
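
Review bot: in PeiCreateHob() the replacement condition "MAX_UINT16 - Length < 0x7" rejects the same values as the removed "0x10000 - Length <= 0x7" (for a 16-bit Length both are true exactly when Length is above 0xFFF8), so this hunk changes the spelling of the check and not its behaviour. The commit message is shared with the other three patches and says no checks are performed, which does not match this file, where a check was already present; it should describe this patch as a consistency change. The condition is also written differently from "HobLength > MAX_UINT16 - 0x7" in patches 1 to 3, and using one form across the series would make the four guards easier to compare.
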
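
The truncation described in the commit messages above, as an added example (not code from the edk2 tree): UINT16 is modelled with uint16_t and all function names are hypothetical. It goes beyond the single expression quoted in the patches by walking every 16-bit length to confirm that the guard from patches 1 to 3 rejects exactly the lengths that wrap, and that the old and new PeiCreateHob() conditions from patch 4 agree.

```c
#include <stdint.h>
#include <stdio.h>

#define HOB_ALIGN_MASK 0x7u  /* assumed name for the 0x7 literal in the patches */

/* The rounding expression quoted in the commit message: round up to a
 * multiple of 8, then truncate back to 16 bits. */
static uint16_t align8_truncating(uint16_t len) {
    return (uint16_t)((len + HOB_ALIGN_MASK) & ~HOB_ALIGN_MASK);
}

/* Guard added to CreateHob() in patches 1-3. */
static int guard_rejects(uint16_t len) {
    return len > UINT16_MAX - 0x7;
}

/* Bytes that would be reserved for a request; -1 models the NULL return. */
static long reserved_for(uint16_t requested, int guarded) {
    if (guarded && guard_rejects(requested)) {
        return -1;
    }
    return align8_truncating(requested);
}

/* Count the lengths whose aligned size comes out smaller than the request,
 * and check the guard fires on exactly those. Returns -1 on any mismatch. */
static int count_wrapping_lengths(void) {
    int wrapped = 0;
    for (uint32_t v = 0; v <= UINT16_MAX; v++) {
        uint16_t len = (uint16_t)v;
        int wraps = align8_truncating(len) < len;
        if (wraps != guard_rejects(len)) {
            return -1;
        }
        wrapped += wraps;
    }
    return wrapped;
}

/* Patch 4: the removed and the added PeiCreateHob() conditions, compared
 * with each other and with the CreateHob() guard over the whole range. */
static int pei_guards_agree(void) {
    for (uint32_t v = 0; v <= UINT16_MAX; v++) {
        int old_form = (0x10000 - (int)v) <= 0x7;
        int new_form = (UINT16_MAX - (int)v) < 0x7;
        if (old_form != new_form || new_form != guard_rejects((uint16_t)v)) {
            return 0;
        }
    }
    return 1;
}

int main(void) {
    printf("request 0xFFF8 -> reserved 0x%04X\n", (unsigned)align8_truncating(0xFFF8));
    printf("request 0xFFFC -> reserved 0x%04X (unguarded)\n",
           (unsigned)align8_truncating(0xFFFC));
    printf("request 0xFFFC -> %ld (guarded, -1 means NULL)\n", reserved_for(0xFFFC, 1));
    printf("lengths that wrap: %d\n", count_wrapping_lengths());
    printf("PEI old/new conditions agree: %d\n", pei_guards_agree());
    return 0;
}
```

The unguarded case is the one the CVE is about: a request near the top of the 16-bit range is rounded to zero, so the caller believes it owns far more bytes than were reserved.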