From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Guo Dong, Sean Rhodes, James Lu, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v3 1/4] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
Date: Fri, 12 Jan 2024 10:25:17 +0800
Message-Id: <20240112022521.710-2-gua.guo@intel.com>
In-Reply-To: <20240112022521.710-1-gua.guo@intel.com>
References: <20240112022521.710-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.

Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8, performing the
following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't overflow, and could
lead to CreateHob() returning a smaller HOB than requested, which could
lead to OOB HOB accesses.

Reported-by: Marc Beatove
Cc: Guo Dong
Cc: Sean Rhodes
Cc: James Lu
Reviewed-by: Gua Guo
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
---
 .../Library/PayloadEntryHobLib/Hob.c          | 43 +++++++++++++++++++
 .../FitUniversalPayloadEntry.c                |  8 ++--
 .../UefiPayloadEntry/UniversalPayloadEntry.c  |  8 ++--
 3 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
index 2c3acbbc19..51c2e28d7d 100644
--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c @@ -110,6 +110,13 @@ CreateHob ( =20 HandOffHob =3D GetHobList (); =20 + // + // Check Length to avoid data overflow. + // + if (HobLength > MAX_UINT16 - 0x7) { + return NULL; + } + HobLength =3D (UINT16)((HobLength + 0x7) & (~0x7)); =20 FreeMemory =3D HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryB= ottom; @@ -160,6 +167,9 @@ BuildResourceDescriptorHob ( =20 Hob =3D CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RES= OURCE_DESCRIPTOR)); ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->ResourceType =3D ResourceType; Hob->ResourceAttribute =3D ResourceAttribute; @@ -330,6 +340,10 @@ BuildModuleHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION_MODULE)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModule= Guid); Hob->MemoryAllocationHeader.MemoryBaseAddress =3D MemoryAllocationModule; @@ -378,6 +392,11 @@ BuildGuidHob ( ASSERT (DataLength <=3D (0xffff - sizeof (EFI_HOB_GUID_TYPE))); =20 Hob =3D CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB= _GUID_TYPE) + DataLength)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return NULL; + } + CopyGuid (&Hob->Name, Guid); return Hob + 1; } @@ -441,6 +460,10 @@ BuildFvHob ( EFI_HOB_FIRMWARE_VOLUME *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; @@ -472,6 +495,10 @@ BuildFv2Hob ( EFI_HOB_FIRMWARE_VOLUME2 *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; 
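Review bot: the new `if (HobLength > MAX_UINT16 - 0x7) { return NULL; }` in the CreateHob() hunk reports an oversize argument with the same NULL that callers already treat as allocation failure (see the `if (NewHob.Header != NULL)` guard this series replaces in AddNewHob), so a bad length and memory exhaustion become indistinguishable to the caller. That is a reasonable trade for a boot-time allocator, but CreateHob()'s header comment should now state that NULL is also returned when HobLength exceeds MAX_UINT16 - 0x7, and the bound deserves a one-line comment saying that the 8-byte-rounded length must still fit the UINT16 HobLength field, so the 0x7 is not later mistaken for an off-by-one and "fixed".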
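Review bot: in the BuildGuidHob() hunk the pre-existing `ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)))` no longer matches the limit CreateHob() enforces: a DataLength that brings the total within 7 bytes of 0xffff passes this ASSERT and is then refused by the new `HobLength > MAX_UINT16 - 0x7` check, so in a DEBUG build the failure surfaces as the generic `ASSERT (Hob != NULL)` added here rather than at the argument that caused it. Suggest tightening the first ASSERT to `DataLength <= (MAX_UINT16 - 0x7 - sizeof (EFI_HOB_GUID_TYPE))`, which also replaces the bare 0xffff with the MAX_UINT16 spelling the rest of the patch uses.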
@@ -513,6 +540,10 @@ BuildFv3Hob ( EFI_HOB_FIRMWARE_VOLUME3 *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; @@ -546,6 +577,10 @@ BuildCpuHob ( EFI_HOB_CPU *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->SizeOfMemorySpace =3D SizeOfMemorySpace; Hob->SizeOfIoSpace =3D SizeOfIoSpace; @@ -583,6 +618,10 @@ BuildStackHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION_STACK)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid); Hob->AllocDescriptor.MemoryBaseAddress =3D BaseAddress; @@ -664,6 +703,10 @@ BuildMemoryAllocationHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); Hob->AllocDescriptor.MemoryBaseAddress =3D BaseAddress; diff --git a/UefiPayloadPkg/UefiPayloadEntry/FitUniversalPayloadEntry.c b/U= efiPayloadPkg/UefiPayloadEntry/FitUniversalPayloadEntry.c index d2e7df4fbe..eb0b325369 100644 --- a/UefiPayloadPkg/UefiPayloadEntry/FitUniversalPayloadEntry.c +++ b/UefiPayloadPkg/UefiPayloadEntry/FitUniversalPayloadEntry.c @@ -207,10 +207,12 @@ AddNewHob ( } =20 NewHob.Header =3D CreateHob (Hob->Header->HobType, Hob->Header->HobLengt= h); - - if (NewHob.Header !=3D NULL) { - CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - = sizeof (EFI_HOB_GENERIC_HEADER)); + ASSERT (NewHob.Header !=3D NULL); + if (NewHob.Header =3D=3D NULL) { + return; } + + CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - si= zeof (EFI_HOB_GENERIC_HEADER)); } =20 /** 
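Review bot: the AddNewHob() hunk (identical in FitUniversalPayloadEntry.c and UniversalPayloadEntry.c) replaces a silent skip with `ASSERT (NewHob.Header != NULL); if (NewHob.Header == NULL) { return; }`. In a RELEASE build the ASSERT compiles away and a HOB that CreateHob() refuses is still dropped without a trace, exactly as before, so the behavioural delta is limited to DEBUG builds; the NULL return was already anticipated at this call site, which is worth saying in the commit message. Separately, the CopyMem length `Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER)` is taken straight from the source HOB; please confirm that the validation preceding this hunk (not shown here) rejects a HobLength smaller than the generic header, since otherwise that subtraction wraps and the new check does nothing for it.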
diff --git a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
index f8939efe70..f37c00fad7 100644
--- a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
+++ b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
@@ -111,10 +111,12 @@ AddNewHob ( } =20 NewHob.Header =3D CreateHob (Hob->Header->HobType, Hob->Header->HobLengt= h); - - if (NewHob.Header !=3D NULL) { - CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - = sizeof (EFI_HOB_GENERIC_HEADER)); + ASSERT (NewHob.Header !=3D NULL); + if (NewHob.Header =3D=3D NULL) { + return; } + + CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - si= zeof (EFI_HOB_GENERIC_HEADER)); } =20 /** --=20 2.39.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113640): https://edk2.groups.io/g/devel/message/113640 Mute This Topic: https://groups.io/mt/103675960/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 12:59:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+113641+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+113641+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1705026341; cv=none; d=zohomail.com; s=zohoarc; b=OHKPjBVW5Q4AYAP4yfhDuRr2MNowb1kYc++Y5duDsEe+/7s1Z2LDEJW+0Up5/kmCklchQAmXn68owHWUxJaZ2t4+PCFovVy7OXtFjK7Lxtes0+V+rzDsufqO1y44NiXAyrmQm7RVSJW/BtDzeMAqBclnoelpZoGeHYkFbTMIXT0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1705026341; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; 
From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Ard Biesheuvel, Sami Mujawar, Ray Ni, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v3 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
Date: Fri, 12 Jan 2024 10:25:18 +0800
Message-Id: <20240112022521.710-3-gua.guo@intel.com>
In-Reply-To: <20240112022521.710-1-gua.guo@intel.com>
References: <20240112022521.710-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.

Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8, performing the
following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't overflow, and could
lead to CreateHob() returning a smaller HOB than requested, which could
lead to OOB HOB accesses.

Reported-by: Marc Beatove
Reviewed-by: Ard Biesheuvel
Cc: Sami Mujawar
Cc: Ray Ni
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
Reviewed-by: Ray Ni
---
 .../Arm/StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
index 1550e1babc..59473e28fe 100644
--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHo= bLib.c +++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHo= bLib.c @@ -34,6 +34,13 @@ CreateHob ( =20 HandOffHob =3D GetHobList (); =20 + // + // Check Length to avoid data overflow. + // + if (HobLength > MAX_UINT16 - 0x7) { + return NULL; + } + HobLength =3D (UINT16)((HobLength + 0x7) & (~0x7)); =20 FreeMemory =3D HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryB= ottom; @@ -89,6 +96,10 @@ BuildModuleHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION_MODULE)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModule= Guid); Hob->MemoryAllocationHeader.MemoryBaseAddress =3D MemoryAllocationModule; @@ -129,6 +140,9 @@ BuildResourceDescriptorHob ( =20 Hob =3D CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RES= OURCE_DESCRIPTOR)); ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->ResourceType =3D ResourceType; Hob->ResourceAttribute =3D ResourceAttribute; @@ -167,6 +181,11 @@ BuildGuidHob ( ASSERT (DataLength <=3D (0xffff - sizeof (EFI_HOB_GUID_TYPE))); =20 Hob =3D CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB= _GUID_TYPE) + DataLength)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return NULL; + } + CopyGuid (&Hob->Name, Guid); return Hob + 1; } @@ -226,6 +245,10 @@ BuildFvHob ( EFI_HOB_FIRMWARE_VOLUME *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; 
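Review bot: the guard in this CreateHob() hunk is correct (0xFFF8 is the largest UINT16 that survives the `+ 0x7` / `& ~0x7` rounding, and everything above it is refused before the addition wraps), but the diffstat touches only `Arm/StandaloneMmCoreHobLib.c`. Please confirm there is no other per-architecture copy of CreateHob() under StandaloneMmCoreHobLib that performs the same unchecked alignment, since the shared commit message speaks of "various CreateHob instances" while this patch fixes exactly one file.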
@@ -255,6 +278,10 @@ BuildFv2Hob ( EFI_HOB_FIRMWARE_VOLUME2 *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; @@ -282,6 +309,10 @@ BuildCpuHob ( EFI_HOB_CPU *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->SizeOfMemorySpace =3D SizeOfMemorySpace; Hob->SizeOfIoSpace =3D SizeOfIoSpace; 
@@ -319,6 +350,10 @@ BuildMemoryAllocationHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); Hob->AllocDescriptor.MemoryBaseAddress =3D BaseAddress; --=20 2.39.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113641): https://edk2.groups.io/g/devel/message/113641 Mute This Topic: https://groups.io/mt/103675962/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 12:59:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+113642+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+113642+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1705026338; cv=none; d=zohomail.com; s=zohoarc; b=RWK/R4sBF9fyKqGUp7cNiUR7eOOPoUmH/cXQ81nMk6XTD7ntEOVvEJTc9HlNOUteCanZo5FT+jGzC6zGrkFYOCljgXaGvXRWS6AMtMmrcX413neLY6A/vpjtYe7VP5ZqaIfww0/89FK05UTEVGAE5jf6l1qv3ab0vww+F2ixMI0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1705026338; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=iwWOknlGd2vhlHic+kbq7Um7Z0wsyUNHHRQ1HHYwQKw=; 
From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Leif Lindholm, Ard Biesheuvel, Abner Chang, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v3 3/4] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
Date: Fri, 12 Jan 2024 10:25:19 +0800
Message-Id: <20240112022521.710-4-gua.guo@intel.com>
In-Reply-To: <20240112022521.710-1-gua.guo@intel.com>
References: <20240112022521.710-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.

Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8, performing the
following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't overflow, and could
lead to CreateHob() returning a smaller HOB than requested, which could
lead to OOB HOB accesses.

Reported-by: Marc Beatove
Cc: Leif Lindholm
Reviewed-by: Ard Biesheuvel
Cc: Abner Chang
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
---
 EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
index 8eb175aa96..cbc35152cc 100644
--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
@@ -110,6 +110,13 @@ CreateHob ( =20 HandOffHob =3D GetHobList (); =20 + // + // Check Length to avoid data overflow. + // + if (HobLength > MAX_UINT16 - 0x7) { + return NULL; + } + HobLength =3D (UINT16)((HobLength + 0x7) & (~0x7)); =20 FreeMemory =3D HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryB= ottom; @@ -160,6 +167,9 @@ BuildResourceDescriptorHob ( =20 Hob =3D CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RES= OURCE_DESCRIPTOR)); ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->ResourceType =3D ResourceType; Hob->ResourceAttribute =3D ResourceAttribute; @@ -401,6 +411,10 @@ BuildModuleHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION_MODULE)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModule= Guid); Hob->MemoryAllocationHeader.MemoryBaseAddress =3D MemoryAllocationModule; @@ -449,6 +463,11 @@ BuildGuidHob ( ASSERT (DataLength <=3D (0xffff - sizeof (EFI_HOB_GUID_TYPE))); =20 Hob =3D CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB= _GUID_TYPE) + DataLength)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return NULL; + } + CopyGuid (&Hob->Name, Guid); return Hob + 1; } @@ -512,6 +531,10 @@ BuildFvHob ( EFI_HOB_FIRMWARE_VOLUME *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; @@ -543,6 +566,10 @@ BuildFv2Hob ( EFI_HOB_FIRMWARE_VOLUME2 *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; 
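Review bot: the `ASSERT (Hob != NULL); if (Hob == NULL) { return; }` pattern added to BuildResourceDescriptorHob(), BuildModuleHob(), BuildFvHob() and BuildFv2Hob() in these hunks is the right minimal fix for the out-of-bounds write, but all four return VOID, so in a RELEASE build a refused or exhausted HOB simply vanishes and the platform boots on with a missing resource descriptor or FV record. Consider a `DEBUG ((DEBUG_ERROR, ...))` message ahead of each early return so the condition is at least visible in RELEASE logs; BuildGuidHob() is the exception, since it already hands NULL back to its caller.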
@@ -584,6 +611,10 @@ BuildFv3Hob ( EFI_HOB_FIRMWARE_VOLUME3 *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->BaseAddress =3D BaseAddress; Hob->Length =3D Length; @@ -639,6 +670,10 @@ BuildCpuHob ( EFI_HOB_CPU *Hob; =20 Hob =3D CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 Hob->SizeOfMemorySpace =3D SizeOfMemorySpace; Hob->SizeOfIoSpace =3D SizeOfIoSpace; @@ -676,6 +711,10 @@ BuildStackHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION_STACK)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid); Hob->AllocDescriptor.MemoryBaseAddress =3D BaseAddress; 
@@ -756,6 +795,10 @@ BuildMemoryAllocationHob ( ); =20 Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMOR= Y_ALLOCATION)); + ASSERT (Hob !=3D NULL); + if (Hob =3D=3D NULL) { + return; + } =20 ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); Hob->AllocDescriptor.MemoryBaseAddress =3D BaseAddress; --=20 2.39.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113642): https://edk2.groups.io/g/devel/message/113642 Mute This Topic: https://groups.io/mt/103675964/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 12:59:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+113643+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+113643+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1705026339; cv=none; d=zohomail.com; s=zohoarc; b=MEHLJIq5CWIMD1aHAMBEwXlHdD+UQ7qMPhqOjcGVdxCmUu3KdGN6q9efaO+F3c1EhgTPWuhk8kcrS/S+mS1NgijtW7CmC0QKY3OYttzddM3FfsBp4slXh4MBtQRPnoaoJVMr/LLpamxsEWbQmdEwjCXUGiXIk6TPrhYyciPavdQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1705026339; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=M+dlTSpkGkL1Y858sZ0lhuij11g61pYi1QfNDLLC8A0=; 
From: "Guo, Gua"
To: devel@edk2.groups.io
Cc: gua.guo@intel.com, Marc Beatove, Liming Gao, John Mathew, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v3 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()
Date: Fri, 12 Jan 2024 10:25:20 +0800
Message-Id: <20240112022521.710-5-gua.guo@intel.com>
In-Reply-To: <20240112022521.710-1-gua.guo@intel.com>
References: <20240112022521.710-1-gua.guo@intel.com>

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.

Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8, performing the
following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't overflow, and could
lead to CreateHob() returning a smaller HOB than requested, which could
lead to OOB HOB accesses.

Reported-by: Marc Beatove
Cc: Liming Gao
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
---
 MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c b/MdeModulePkg/Core/Pei/Hob/Hob.c
index c4882a23cd..985da50995 100644
--- a/MdeModulePkg/Core/Pei/Hob/Hob.c
+++ b/MdeModulePkg/Core/Pei/Hob/Hob.c
@@ -85,7 +85,7 @@ PeiCreateHob ( // // Check Length to avoid data overflow. // - if (0x10000 - Length <=3D 0x7) { + if (MAX_UINT16 - Length < 0x7) { return EFI_INVALID_PARAMETER; } =20 --=20 2.39.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113643): https://edk2.groups.io/g/devel/message/113643 Mute This Topic: https://groups.io/mt/103675965/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
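Review bot: the old and new conditions in this PeiCreateHob() hunk are logically identical: `0x10000 - Length <= 0x7` and `MAX_UINT16 - Length < 0x7` both reject exactly Length >= 0xFFF9 and admit 0xFFF8, the largest value whose 8-byte rounding still fits a UINT16. The hunk is therefore a readability and consistency change that aligns PeiCore with the `HobLength > MAX_UINT16 - 0x7` form used in the other three libraries, not a behavioural fix; the commit message should say so instead of reusing the shared "Fix integer overflow" text, which reads as if PeiCore were still vulnerable.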
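The alignment step quoted in all four commit messages, `HobLength = (UINT16)((HobLength + 0x7) & (~0x7))`, and the guard the series places in front of it, as an added example that is not part of the edk2 patches or of this thread. The arena structure, the 64-byte backing buffer and the `SimCreateHob`, `RecordedLength` and `PeiConditionsAgree` names are constructed for the demonstration; only the arithmetic, the `MAX_UINT16 - 0x7` bound and the two PeiCreateHob conditions are taken from the patches. It shows that an unguarded request of 0xFFF9 bytes is recorded as a zero-length HOB with nothing reserved behind it (the caller then writes its payload into space the allocator never accounted for), that the guard turns the same request into a NULL return, and that the old and new PeiCreateHob conditions reject exactly the same set of lengths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not edk2 code. Type names mirror the PI spellings
 * used in the patch so the arithmetic reads the same way. */
typedef uint16_t  UINT16;
typedef uint32_t  UINT32;
typedef uintptr_t UINTN;
#define MAX_UINT16 ((UINT16)0xFFFF)

/* Same size as EFI_HOB_GENERIC_HEADER (8 bytes). */
typedef struct {
  UINT16 HobType;
  UINT16 HobLength;
  UINT32 Reserved;
} HOB_HEADER;

/* Stand-in for the hand-off HOB's free-memory bookkeeping: byte offsets
 * into a local arena instead of physical addresses. */
typedef struct {
  uint8_t *Base;
  UINTN    FreeMemoryBottom;
  UINTN    FreeMemoryTop;
} HOB_ARENA;

/* Allocation shaped like CreateHob(): round to 8, check free space, carve
 * the HOB and advance the bottom pointer. Guard == false reproduces the
 * pre-patch behaviour; Guard == true adds the patch's length check. */
static HOB_HEADER *
SimCreateHob (HOB_ARENA *Arena, UINT16 HobType, UINT16 HobLength, bool Guard)
{
  if (Guard && HobLength > MAX_UINT16 - 0x7) {
    return NULL;                 /* patch: refuse before the addition wraps */
  }

  /* HobLength + 0x7 is evaluated as int and then truncated to 16 bits:
   * 0xFFF9 + 7 = 0x10000, (UINT16)0x10000 == 0. */
  HobLength = (UINT16)((HobLength + 0x7) & (~0x7));

  if (Arena->FreeMemoryTop - Arena->FreeMemoryBottom < HobLength) {
    return NULL;                 /* genuine out-of-memory path */
  }

  HOB_HEADER *Hob = (HOB_HEADER *)(Arena->Base + Arena->FreeMemoryBottom);
  Hob->HobType   = HobType;
  Hob->HobLength = HobLength;
  Hob->Reserved  = 0;
  Arena->FreeMemoryBottom += HobLength;
  return Hob;
}

/* HobLength recorded for a request of Request bytes, or -1 if CreateHob
 * refused. A result of 0 for a non-zero request is the bug: the caller
 * believes it owns Request bytes but the allocator reserved none. */
int
RecordedLength (UINT16 Request, bool Guard)
{
  static _Alignas (8) uint8_t Backing[64];   /* constructed arena */
  HOB_ARENA   Arena = { Backing, 0, sizeof Backing };
  HOB_HEADER  *Hob  = SimCreateHob (&Arena, 0x0004 /* GUID extension */, Request, Guard);

  return (Hob == NULL) ? -1 : (int)Hob->HobLength;
}

/* The pre- and post-patch PeiCreateHob() conditions from the MdeModulePkg
 * hunk, compared for every possible UINT16 length. True if they agree. */
bool
PeiConditionsAgree (void)
{
  for (UINT32 Length = 0; Length <= MAX_UINT16; Length++) {
    bool OldReject = (0x10000 - Length <= 0x7);
    bool NewReject = (MAX_UINT16 - Length < 0x7);
    if (OldReject != NewReject) {
      return false;
    }
  }
  return true;
}

int
main (void)
{
  printf ("request 0xFFF9, unguarded: recorded HobLength %d\n", RecordedLength (0xFFF9, false));
  printf ("request 0xFFF9, guarded:   %d (refused)\n", RecordedLength (0xFFF9, true));
  printf ("request 0x0011, guarded:   recorded HobLength %d\n", RecordedLength (0x0011, true));
  printf ("PeiCreateHob old/new conditions agree: %s\n", PeiConditionsAgree () ? "yes" : "no");
  return 0;
}
```

Build with `cc -std=c11 -Wall -o hob_align hob_align.c` and run it. The unguarded path is the one `CVE-2022-36765` describes: the returned header claims zero length and `FreeMemoryBottom` does not move, so the next HOB is placed on top of the payload the caller is about to write. The last check is the basis for reading the MdeModulePkg hunk as a consistency cleanup rather than a behavioural change.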