From: "Doug Flick via groups.io"
To: devel@edk2.groups.io
Cc: Doug Flick, Saloni Kasbekar, Zachary Clark-williams, "Doug Flick [MSFT]"
Subject: [edk2-devel] [PATCH 09/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
Date: Tue, 23 Jan 2024 19:33:32 -0800
Message-ID: <38a84f68019d820e9284fbfc5f666bf64cbdd674.1706062164.git.doug.edk2@gmail.com>

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

SECURITY PATCH - Patch TCBZ4539
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
--- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 6 deletions(-) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c index 425e0cf8061d..2b2d372889a3 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -3,6 +3,7 @@ =20 (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation =20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 
@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer ( } } =20 +/** + Cache the DHCPv6 DNS Server addresses + + @param[in] Private The pointer to PXEBC_PRIVATE_DATA. + @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE. + + @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address suc= cessfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. + @retval EFI_DEVICE_ERROR The DNS Server Address Length provided = by a untrusted + option is not a multiple of 16 bytes (s= izeof (EFI_IPv6_ADDRESS)). +**/ +EFI_STATUS +PxeBcCacheDnsServerAddresses ( + IN PXEBC_PRIVATE_DATA *Private, + IN PXEBC_DHCP6_PACKET_CACHE *Cache6 + ) +{ + UINT16 DnsServerLen; + + DnsServerLen =3D NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpL= en); + // + // Make sure that the number is nonzero + // + if (DnsServerLen =3D=3D 0) { + return EFI_DEVICE_ERROR; + } + + // + // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16) + // + if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) !=3D 0) { + return EFI_DEVICE_ERROR; + } + + // + // This code is currently written to only support a single DNS Server in= stead + // of multiple such as is spec defined (RFC3646, Section 3). The proper = behavior + // would be to allocate the full space requested, CopyMem all of the dat= a, + // and then add a DnsServerCount field to Private and update additional = code + // that depends on this. + // + // To support multiple DNS servers the `AllocationSize` would need to be= changed to DnsServerLen + // + // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=3D1= 886 + // + Private->DnsServer =3D AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS)); + if (Private->DnsServer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Intentionally only copy over the first server address. 
+ // To support multiple DNS servers, the `Length` would need to be change= d to DnsServerLen + // + CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]= ->Data, sizeof (EFI_IPv6_ADDRESS)); + + return EFI_SUCCESS; +} + /** Handle the DHCPv6 offer packet. =20 @@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer ( UINT32 SelectIndex; UINT32 Index; =20 + ASSERT (Private !=3D NULL); ASSERT (Private->SelectIndex > 0); SelectIndex =3D (UINT32)(Private->SelectIndex - 1); ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM); @@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer ( Status =3D EFI_SUCCESS; =20 // - // First try to cache DNS server address if DHCP6 offer provides. + // First try to cache DNS server addresses if DHCP6 offer provides. // if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] !=3D NULL) { - Private->DnsServer =3D AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_= DHCP6_IDX_DNS_SERVER]->OpLen)); - if (Private->DnsServer =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D PxeBcCacheDnsServerAddresses (Private, Cache6); + if (EFI_ERROR (Status)) { + return Status; } - - CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVE= R]->Data, sizeof (EFI_IPv6_ADDRESS)); } =20 if (Cache6->OfferType =3D=3D PxeOfferTypeDhcpBinl) { --=20 2.43.0
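
Review bot: In the @@ -1312,6 +1313,65 @@ hunk, PxeBcCacheDnsServerAddresses dereferences Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen in its first statement without checking the pointer, so it is safe only because the one visible caller tests the entry for NULL first. Either state that precondition in the function header or return early when the entry is NULL. The body also assigns Private->DnsServer without freeing a previous value; if this path can run more than once for the same Private (not visible in these lines), the earlier buffer leaks, so free it or assert it is NULL before AllocateZeroPool. The two length checks do keep the 16-byte CopyMem inside the option's declared length; whether OpLen was itself checked against the received packet size happens outside this hunk and is worth confirming. Minor: "by a untrusted" in the @retval text should read "by an untrusted".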
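
Review bot: In the @@ -1335,6 +1395,7 @@ hunk, ASSERT (Private != NULL) is the only guard before Private->SelectIndex is read, and ASSERT is compiled out when assertions are disabled, so it gives no protection in such builds. If a NULL Private is reachable at run time rather than a programming error, add an explicit check that returns an error status; if it is a caller invariant, say so in the function header.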
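
Review bot: In the @@ -1342,15 +1403,13 @@ hunk, returning Status from PxeBcCacheDnsServerAddresses means a DNS server option with a zero length or a length that is not a multiple of 16 now fails the whole offer with EFI_DEVICE_ERROR, where the removed lines could only return EFI_OUT_OF_RESOURCES at this point. If that is intended, add EFI_DEVICE_ERROR to the @retval list of PxeBcHandleDhcp6Offer (that list is outside the visible lines); if a malformed optional DNS option should not block the PXE boot, skip the caching step and continue instead of returning.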