From: "Doug Flick via groups.io"
To: devel@edk2.groups.io
Cc: Doug Flick, Saloni Kasbekar, Zachary Clark-williams, "Doug Flick [MSFT]"
Subject: [edk2-devel] [PATCH 07/14] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
Date: Tue, 23 Jan 2024 19:33:30 -0800
Message-ID: <53d416e177a558d2d95e0fe7b2aecb52e6745bf3.1706062164.git.doug.edk2@gmail.com>
Sender: devel@edk2.groups.io
Reply-To: devel@edk2.groups.io,dougflick@microsoft.com

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

SECURITY PATCH - Patch

TCBZ4537
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

TCBZ4538
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/Ip6Dxe/Ip6Option.h | 89 +++++++++++++++++++++++++++++++++++
 NetworkPkg/Ip6Dxe/Ip6Option.c | 76 +++++++++++++++++++++++++-----
 2 files changed, 154 insertions(+), 11 deletions(-)

diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h
index bd8e223c8a67..5d786073ebcb 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.h
@@ -12,6 +12,95 @@ =20 #define IP6_FRAGMENT_OFFSET_MASK (~0x3) =20 +// +// Per RFC8200 Section 4.2 +// +// Two of the currently-defined extension headers -- the Hop-by-Hop +// Options header and the Destination Options header -- carry a variable +// number of type-length-value (TLV) encoded "options", of the following +// format: +// +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - +// | Option Type | Opt Data Len | Option Data +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - +// +// Option Type 8-bit identifier of the type of option. +// +// Opt Data Len 8-bit unsigned integer. Length of the Option +// Data field of this option, in octets. +// +// Option Data Variable-length field. Option-Type-specific +// data. +// +#define IP6_SIZE_OF_OPT_TYPE (sizeof(UINT8)) +#define IP6_SIZE_OF_OPT_LEN (sizeof(UINT8)) +#define IP6_COMBINED_SIZE_OF_OPT_TAG_AND_LEN (IP6_SIZE_OF_OPT_TYPE + IP6_= SIZE_OF_OPT_LEN) +#define IP6_OFFSET_OF_OPT_LEN(a) (a + IP6_SIZE_OF_OPT_TYPE) +STATIC_ASSERT ( + IP6_OFFSET_OF_OPT_LEN (0) =3D=3D 1, + "The Length field should be 1 octet (8 bits) past the start of the optio= n" + ); + +#define IP6_NEXT_OPTION_OFFSET(offset, length) (offset + IP6_COMBINED_SIZ= E_OF_OPT_TAG_AND_LEN + length) +STATIC_ASSERT ( + IP6_NEXT_OPTION_OFFSET (0, 0) =3D=3D 2, + "The next option is minimally the combined size of the option tag and le= ngth" + ); + +// +// For more information see RFC 8200, Section 4.3, 4.4, and 4.6 +// +// This example format is from section 4.6 +// This does not apply to fragment headers +// +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | Next Header | Hdr Ext Len | | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +// | | +// . . +// . Header-Specific Data . +// . . +// | | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// +// Next Header 8-bit selector. Identifies the type of +// header immediately following the extension +// header. 
Uses the same values as the IPv4 +// Protocol field [IANA-PN]. +// +// Hdr Ext Len 8-bit unsigned integer. Length of the +// Destination Options header in 8-octet units, +// not including the first 8 octets. + +// +// These defines apply to the following: +// 1. Hop by Hop +// 2. Routing +// 3. Destination +// +#define IP6_SIZE_OF_EXT_NEXT_HDR (sizeof(UINT8)) +#define IP6_SIZE_OF_HDR_EXT_LEN (sizeof(UINT8)) + +#define IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN (IP6_SIZE_OF_EXT_NEXT_HDR += IP6_SIZE_OF_HDR_EXT_LEN) +STATIC_ASSERT ( + IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN =3D=3D 2, + "The combined size of Next Header and Len is two 8 bit fields" + ); + +// +// The "+ 1" in this calculation is because of the "not including the firs= t 8 octets" +// part of the definition (meaning the value of 0 represents 64 bits) +// +#define IP6_HDR_EXT_LEN(a) (((UINT16)(UINT8)(a) + 1) * 8) + +// This is the maxmimum length permissible by a extension header +// Length is UINT8 of 8 octets not including the first 8 octets +#define IP6_MAX_EXT_DATA_LENGTH (IP6_HDR_EXT_LEN (MAX_UINT8) - IP6_COMBIN= ED_SIZE_OF_NEXT_HDR_AND_LEN) +STATIC_ASSERT ( + IP6_MAX_EXT_DATA_LENGTH =3D=3D 2046, + "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2" + ); + typedef struct _IP6_FRAGMENT_HEADER { UINT8 NextHeader; UINT8 Reserved; diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 8718d5d8756a..144f8d34dead 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c @@ -17,7 +17,8 @@ @param[in] IpSb The IP6 service data. @param[in] Packet The to be validated packet. @param[in] Option The first byte of the option. - @param[in] OptionLen The length of the whole option. + @param[in] OptionLen The length of all options, expressed in by= te length of octets. + Maximum length is 2046 bytes or ((n + 1) *= 8) - 2 where n is 255. @param[in] Pointer Identifies the octet offset within the invoking packet where the error was de= tected. =20 
@@ -31,12 +32,33 @@ Ip6IsOptionValid ( IN IP6_SERVICE *IpSb, IN NET_BUF *Packet, IN UINT8 *Option, - IN UINT8 OptionLen, + IN UINT16 OptionLen, IN UINT32 Pointer ) { - UINT8 Offset; - UINT8 OptionType; + UINT16 Offset; + UINT8 OptionType; + UINT8 OptDataLen; + + if (Option =3D=3D NULL) { + ASSERT (Option !=3D NULL); + return FALSE; + } + + if ((OptionLen <=3D 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) { + ASSERT (OptionLen > 0 && OptionLen <=3D IP6_MAX_EXT_DATA_LENGTH); + return FALSE; + } + + if (Packet =3D=3D NULL) { + ASSERT (Packet !=3D NULL); + return FALSE; + } + + if (IpSb =3D=3D NULL) { + ASSERT (IpSb !=3D NULL); + return FALSE; + } =20 Offset =3D 0; =20 @@ -54,7 +76,8 @@ Ip6IsOptionValid ( // // It is a PadN option // - Offset =3D (UINT8)(Offset + *(Option + Offset + 1) + 2); + OptDataLen =3D *(IP6_OFFSET_OF_OPT_LEN (Option + Offset)); + Offset =3D IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); break; case Ip6OptionRouterAlert: // @@ -69,7 +92,8 @@ Ip6IsOptionValid ( // switch (OptionType & Ip6OptionMask) { case Ip6OptionSkip: - Offset =3D (UINT8)(Offset + *(Option + Offset + 1)); + OptDataLen =3D *(IP6_OFFSET_OF_OPT_LEN (Option + Offset)); + Offset =3D IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); break; case Ip6OptionDiscard: return FALSE; @@ -308,7 +332,7 @@ Ip6IsExtsValid ( UINT32 Pointer; UINT32 Offset; UINT8 *Option; - UINT8 OptionLen; + UINT16 OptionLen; BOOLEAN Flag; UINT8 CountD; UINT8 CountA; 
@@ -385,6 +409,36 @@ Ip6IsExtsValid ( // Fall through // case IP6_DESTINATION: + // + // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23 + // + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+ + // | Next Header | Hdr Ext Len | = | + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ = + + // | = | + // . = . + // . Options = . + // . = . + // | = | + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+ + // + // + // Next Header 8-bit selector. Identifies the type of header + // immediately following the Destination Options + // header. Uses the same values as the IPv4 + // Protocol field [RFC-1700 et seq.]. + // + // Hdr Ext Len 8-bit unsigned integer. Length of the + // Destination Options header in 8-octet units, n= ot + // including the first 8 octets. + // + // Options Variable-length field, of length such that the + // complete Destination Options header is an + // integer multiple of 8 octets long. Contains o= ne + // or more TLV-encoded options, as described in + // section 4.2. + // + if (*NextHeader =3D=3D IP6_DESTINATION) { CountD++; } @@ -398,7 +452,7 @@ Ip6IsExtsValid ( =20 Offset++; Option =3D ExtHdrs + Offset; - OptionLen =3D (UINT8)((*Option + 1) * 8 - 2); + OptionLen =3D IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEX= T_HDR_AND_LEN; Option++; Offset++; =20 @@ -430,7 +484,7 @@ Ip6IsExtsValid ( // // Ignore the routing header and proceed to process the next hea= der. // - Offset =3D Offset + (RoutingHead->HeaderLen + 1) * 8; + Offset =3D Offset + IP6_HDR_EXT_LEN (RoutingHead->HeaderLen); =20 if (UnFragmentLen !=3D NULL) { *UnFragmentLen =3D Offset; 
@@ -441,7 +495,7 @@ Ip6IsExtsValid ( // to the packet's source address, pointing to the unrecognized = routing // type. // - Pointer =3D Offset + 2 + sizeof (EFI_IP6_HEADER); + Pointer =3D Offset + IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN + siz= eof (EFI_IP6_HEADER); if ((IpSb !=3D NULL) && (Packet !=3D NULL) && !IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddress)) { @@ -527,7 +581,7 @@ Ip6IsExtsValid ( // // RFC2402, Payload length is specified in 32-bit words, minus "2". // - OptionLen =3D (UINT8)((*Option + 2) * 4); + OptionLen =3D ((UINT16)(*Option + 2) * 4); Offset =3D Offset + OptionLen; break; =20 --=20 2.43.0
View/Reply Online (#114259): https://edk2.groups.io/g/devel/message/114259
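Review bot: in the Ip6Option.h hunk (@@ -12,6 +12,95 @@), IP6_OFFSET_OF_OPT_LEN(a) and IP6_NEXT_OPTION_OFFSET(offset, length) expand their arguments unparenthesized, `(a + IP6_SIZE_OF_OPT_TYPE)` and `(offset + IP6_COMBINED_SIZE_OF_OPT_TAG_AND_LEN + length)`, while IP6_HDR_EXT_LEN(a) in the same hunk does wrap its argument as `(a)`. Write them as `((a) + IP6_SIZE_OF_OPT_TYPE)` and `((offset) + IP6_COMBINED_SIZE_OF_OPT_TAG_AND_LEN + (length))` so an expression argument cannot change precedence. IP6_OFFSET_OF_OPT_LEN is also static-asserted with an integer offset (`IP6_OFFSET_OF_OPT_LEN (0) == 1`) but applied to a pointer in Ip6Option.c (`IP6_OFFSET_OF_OPT_LEN (Option + Offset)`); either document that it is meant for both, or use `Option + IP6_OFFSET_OF_OPT_LEN (Offset)` at the call sites so the macro keeps one meaning. Minor: "maxmimum" in the comment above IP6_MAX_EXT_DATA_LENGTH.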
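Review bot: in the @@ -17,7 +17,8 @@ hunk of Ip6Option.c, "expressed in byte length of octets" names the unit twice; "in octets" is enough, and naming the constant keeps this comment and the range check added to Ip6IsOptionValid in step, e.g. `@param[in] OptionLen The length of all options, in octets; at most IP6_MAX_EXT_DATA_LENGTH (2046, i.e. ((255 + 1) * 8) - 2).`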
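Review bot: in the @@ -31,12 +32,33 @@ hunk, `OptionLen <= 0` on a UINT16 can only be true for `OptionLen == 0`, and the paired `ASSERT (OptionLen > 0 && OptionLen <= IP6_MAX_EXT_DATA_LENGTH)` reads like a signed-range check; compare `== 0` so the intent is plain. A short comment would also help the next reader: the ASSERTs are the programming-error path and the `return FALSE` is what protects RELEASE builds, and the range ASSERT cannot be reached from packet data because the only caller in this patch derives OptionLen from a UINT8 through IP6_HDR_EXT_LEN (minimum 6, maximum 2046), so there is no DEBUG-build assertion reachable from the wire here.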
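Review bot: in the @@ -54,7 +76,8 @@ hunk (PadN), the length octet is read at `IP6_OFFSET_OF_OPT_LEN (Option + Offset)` with no visible check that `Offset + 1 < OptionLen`, and the Offset produced by IP6_NEXT_OPTION_OFFSET is not compared with OptionLen before the next iteration. The loop condition is outside the hunk; if it only tests `Offset < OptionLen`, an option whose Option Type is the last octet of the options region reads its length from the octet after it, and a PadN whose Opt Data Len exceeds the remaining octets is accepted as long as the loop then exits. Suggest `if (IP6_OFFSET_OF_OPT_LEN (Offset) >= OptionLen) { return FALSE; }` before the read and `if (Offset > OptionLen) { return FALSE; }` after the advance. With UINT16 Offset the advance itself can no longer wrap (2046 + 2 + 255 fits), so this is an over-read concern, not the loop-exit one the patch closes.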
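Review bot: in the @@ -69,7 +92,8 @@ hunk (Ip6OptionSkip), the same two bounds checks as for PadN are needed (length octet within OptionLen before the read, advanced Offset not past OptionLen). This line also deserves a one-line comment tying it to the CWE-835 entries in the commit message: the removed `Offset + *(Option + Offset + 1)` added only Opt Data Len and skipped the two-octet type/length prefix, so a skip-type option with a data length of 0 left Offset unchanged on every iteration, and IP6_NEXT_OPTION_OFFSET now counts the prefix.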
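Review bot: in the @@ -385,6 +409,36 @@ hunk, the comment cites https://www.rfc-editor.org/rfc/rfc2460#section-4.2, but the diagram and field text it reproduces ("Length of the Destination Options header in 8-octet units", "[RFC-1700 et seq.]") are the Destination Options header of RFC 2460 Section 4.6; Section 4.2 is the generic TLV option format. The header-file hunk cites RFC 8200, which obsoletes RFC 2460 and keeps the same section numbering, so cite RFC 8200 Section 4.6 here as well rather than mixing the two documents. The block sits under `case IP6_DESTINATION:` but the code path is also the `// Fall through //` from the Hop-by-Hop case; one sentence saying both headers share this layout would avoid the impression that only Destination Options is handled.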
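Review bot: in the @@ -398,7 +452,7 @@ hunk, `IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN` is exactly the expression IP6_MAX_EXT_DATA_LENGTH evaluates at MAX_UINT8; giving it its own macro in Ip6Option.h (a name such as IP6_EXT_OPTIONS_LEN(a), which I am proposing, with IP6_MAX_EXT_DATA_LENGTH then defined as IP6_EXT_OPTIONS_LEN (MAX_UINT8)) keeps the bound asserted in the header and the value computed here from drifting apart. The hunk also does not show that `Offset + IP6_HDR_EXT_LEN (*Option)` is checked against the total length of ExtHdrs before Ip6IsOptionValid walks OptionLen octets from Option; if that check exists elsewhere in Ip6IsExtsValid, a comment pointing at it is enough, otherwise it belongs next to this line.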
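Review bot: in the @@ -441,7 +495,7 @@ hunk, IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN is the right replacement for the literal 2 only because the Routing Type octet immediately follows Next Header and Hdr Ext Len; say so in the comment above ("pointing to the unrecognized routing type"), since on its own the constant reads as a header-size term rather than a field offset for the ICMP Parameter Problem pointer.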
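Review bot: in the @@ -527,7 +581,7 @@ hunk, the removed `(UINT8)((*Option + 2) * 4)` wrapped for any AH Payload Len of 62 or more ((62 + 2) * 4 = 256 becomes 0, so `Offset = Offset + OptionLen` did not advance, which is the CWE-835 condition the commit message names); the UINT16 result, at most (255 + 2) * 4 = 1028, fixes that and a comment saying so would make the security relevance visible. The outer parentheses are redundant, `(UINT16)(*Option + 2) * 4` is the same expression. As in the Hop-by-Hop/Destination case, there is no visible check that Offset + OptionLen stays within the extension headers before the next iteration reads `*Option` at the new Offset.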