From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 12/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch Date: Tue, 23 Jan 2024 19:33:35 -0800 Message-ID: <2276136eefe1d8080cfcdb5cdac3cf297a58aa3a.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073644368100001 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4540 SECURITY PATCH - Patch TCBZ4540 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 ++++++ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 ++++++++++++++++++++++------ 2 files changed, 78 insertions(+), 16 deletions(-) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.h index c86f6d391b80..6357d27faefd 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h 
@@ -34,6 +34,23 @@ #define PXEBC_ADDR_START_DELIMITER '[' #define PXEBC_ADDR_END_DELIMITER ']' =20 +// +// A DUID consists of a 2-octet type code represented in network byte +// order, followed by a variable number of octets that make up the +// actual identifier. The length of the DUID (not including the type +// code) is at least 1 octet and at most 128 octets. +// +#define PXEBC_MIN_SIZE_OF_DUID (sizeof(UINT16) + 1) +#define PXEBC_MAX_SIZE_OF_DUID (sizeof(UINT16) + 128) + +// +// This define represents the combineds code and length field from +// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1 +// +#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN \ + (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode) + \ + sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen)) + #define GET_NEXT_DHCP6_OPTION(Opt) \ (EFI_DHCP6_PACKET_OPTION *) ((UINT8 *) (Opt) + \ sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS ((Opt)->OpLen)) - 1) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c index 2b2d372889a3..7fd1281c1184 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -887,6 +887,7 @@ PxeBcRequestBootService ( EFI_STATUS Status; EFI_DHCP6_PACKET *IndexOffer; UINT8 *Option; + UINTN DiscoverLenNeeded; =20 PxeBc =3D &Private->PxeBc; Request =3D Private->Dhcp6Request; @@ -899,7 +900,8 @@ PxeBcRequestBootService ( return EFI_DEVICE_ERROR; } =20 - Discover =3D AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET)); + DiscoverLenNeeded =3D sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); + Discover =3D AllocateZeroPool (DiscoverLenNeeded); if (Discover =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } 
@@ -924,16 +926,34 @@ PxeBcRequestBootService ( DHCP6_OPT_SERVER_ID ); if (Option =3D=3D NULL) { - return EFI_NOT_FOUND; + Status =3D EFI_NOT_FOUND; + goto ON_ERROR; } =20 // // Add Server ID Option. // OpLen =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)Option)->OpLen); - CopyMem (DiscoverOpt, Option, OpLen + 4); - DiscoverOpt +=3D (OpLen + 4); - DiscoverLen +=3D (OpLen + 4); + + // + // Check that the minimum and maximum requirements are met + // + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUI= D)) { + Status =3D EFI_INVALID_PARAMETER; + goto ON_ERROR; + } + + // + // Check that the option length is valid. + // + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > = DiscoverLenNeeded) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; + } + + CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_= AND_LEN); + DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 while (RequestLen < Request->Length) { @@ -944,16 +964,24 @@ PxeBcRequestBootService ( (OpCode !=3D DHCP6_OPT_SERVER_ID) ) { + // + // Check that the option length is valid. + // + if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > = DiscoverLenNeeded) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; + } + // // Copy all the options except IA option and Server ID // - CopyMem (DiscoverOpt, RequestOpt, OpLen + 4); - DiscoverOpt +=3D (OpLen + 4); - DiscoverLen +=3D (OpLen + 4); + CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT= _CODE_AND_LEN); + DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 - RequestOpt +=3D (OpLen + 4); - RequestLen +=3D (OpLen + 4); + RequestOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + RequestLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 // 
@@ -2154,6 +2182,7 @@ PxeBcDhcp6Discover ( UINT16 OpLen; UINT32 Xid; EFI_STATUS Status; + UINTN DiscoverLenNeeded; =20 PxeBc =3D &Private->PxeBc; Mode =3D PxeBc->Mode; @@ -2169,7 +2198,8 @@ PxeBcDhcp6Discover ( return EFI_DEVICE_ERROR; } =20 - Discover =3D AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET)); + DiscoverLenNeeded =3D sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); + Discover =3D AllocateZeroPool (DiscoverLenNeeded); if (Discover =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } 
@@ -2185,22 +2215,37 @@ PxeBcDhcp6Discover ( DiscoverLen =3D sizeof (EFI_DHCP6_HEADER); RequestLen =3D DiscoverLen; =20 + // + // The request packet is generated by the UEFI network stack. In the DHC= P4 DORA and DHCP6 SARR sequence, + // the first (discover in DHCP4 and solicit in DHCP6) and third (request= in both DHCP4 and DHCP6) are + // generated by the DHCP client (the UEFI network stack in this case). B= y the time this function executes, + // the DHCP sequence already has been executed once (see UEFI Specificat= ion Figures 24.2 and 24.3), with + // Private->Dhcp6Request being a cached copy of the DHCP6 request packet= that UEFI network stack previously + // generated and sent. + // + // Therefore while this code looks like it could overflow, in practice i= t's not possible. + // while (RequestLen < Request->Length) { OpCode =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpCode); OpLen =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpLen); if ((OpCode !=3D EFI_DHCP6_IA_TYPE_NA) && (OpCode !=3D EFI_DHCP6_IA_TYPE_TA)) { + if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > = DiscoverLenNeeded) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; + } + // // Copy all the options except IA option. // - CopyMem (DiscoverOpt, RequestOpt, OpLen + 4); - DiscoverOpt +=3D (OpLen + 4); - DiscoverLen +=3D (OpLen + 4); + CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT= _CODE_AND_LEN); + DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 - RequestOpt +=3D (OpLen + 4); - RequestLen +=3D (OpLen + 4); + RequestOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + RequestLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 Status =3D PxeBc->UdpWrite ( --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
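Review bot: In the PxeBcDhcp6.h hunk (@@ -34,6 +34,23 @@), the comment above PXEBC_MIN_SIZE_OF_DUID says the 1..128 octet bound is "not including the type code", but both macros add sizeof(UINT16), so their values (3 and 130) are the full DUID length including the type code, which is exactly what the Server Identifier option's OpLen carries. Add a sentence saying so, and cite the RFC section that sentence is taken from (RFC 3315 section 9.1) the same way the next comment cites section 22.1. Also fix the typo "combineds code and length field" to "combined".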
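Review bot: In the @@ -899,7 +900,8 @@ and @@ -2169,7 +2198,8 @@ hunks, DiscoverLenNeeded holds the capacity of the buffer that was just allocated, not a length that is needed, so the name reads backwards at the later `> DiscoverLenNeeded` checks; something like DiscoverBufSize would make the comparisons self-explanatory. The arithmetic itself is consistent: DiscoverLen starts at sizeof (EFI_DHCP6_HEADER) and the bound is sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET), so the check rejects any option whose end would pass the end of the whole packet structure.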
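Review bot: In the @@ -924,16 +926,34 @@ hunk of PxeBcRequestBootService, the two new checks bound the write into Discover, but the read side still trusts the OpLen taken from the offer: `CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)` reads up to 134 bytes from Option, and nothing in this hunk shows that Option plus that length lies inside the offer packet's Length. Please confirm that PxeBcDhcp6SeekOption only returns options whose full body fits within the offer, or add that check here. Two smaller points: the `Option == NULL` path now goes to ON_ERROR instead of returning, which also fixes the leak of Discover that the old `return EFI_NOT_FOUND` had, so this deserves a line in the commit message and a quick check that the ON_ERROR label (outside the hunk) frees Discover; and the condition `if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded)` is parenthesized differently from the identical checks in the other two hunks, pick one form.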
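Review bot: In the @@ -944,16 +964,24 @@ hunk, OpCode and OpLen are still read from RequestOpt inside `while (RequestLen < Request->Length)` with no check that RequestLen plus the 4-byte option header fits within Request->Length, and the copy then trusts that OpLen. The reason this is acceptable (Private->Dhcp6Request is a packet the UEFI stack built itself) is only written down in the PxeBcDhcp6Discover hunk; repeat that comment here, or move it somewhere both loops can reference, so the next reader of this function does not reopen the question.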
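Review bot: In the @@ -2185,22 +2215,37 @@ hunk of PxeBcDhcp6Discover, the new comment concludes "while this code looks like it could overflow, in practice it's not possible", and the very next lines add an overflow check, which reads as contradictory. Reword the last sentence to say the check is defensive, guarding against a malformed cached request, so the intent is clear. This hunk is also the only one of the three whose bounds check has no `// Check that the option length is valid.` comment above it; add it for consistency with the PxeBcRequestBootService hunks.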
View/Reply Online (#114264): https://edk2.groups.io/g/devel/message/114264