From: "Doug Flick via groups.io"
To: devel@edk2.groups.io
Cc: Doug Flick, Saloni Kasbekar, Zachary Clark-williams, "Doug Flick [MSFT]"
Subject: [edk2-devel] [PATCH v2 10/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
Date: Thu, 25 Jan 2024 13:54:52 -0800

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message

Change Overview:
Introduces a function to cache the Dns Server and perform sanitizing on the incoming DnsServerLen to ensure that the length is valid

> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> +   IN PXEBC_PRIVATE_DATA          *Private,
> +   IN PXEBC_DHCP6_PACKET_CACHE    *Cache6
> +   )

Additional code cleanup

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++---
 1 file changed, 65 insertions(+), 6 deletions(-)

diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c index 425e0cf8061d..2b2d372889a3 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -3,6 +3,7 @@ =20 (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation =20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 
@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer ( } } =20 +/** + Cache the DHCPv6 DNS Server addresses + + @param[in] Private The pointer to PXEBC_PRIVATE_DATA. + @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE. + + @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address suc= cessfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. + @retval EFI_DEVICE_ERROR The DNS Server Address Length provided = by a untrusted + option is not a multiple of 16 bytes (s= izeof (EFI_IPv6_ADDRESS)). +**/ +EFI_STATUS +PxeBcCacheDnsServerAddresses ( + IN PXEBC_PRIVATE_DATA *Private, + IN PXEBC_DHCP6_PACKET_CACHE *Cache6 + ) +{ + UINT16 DnsServerLen; + + DnsServerLen =3D NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpL= en); + // + // Make sure that the number is nonzero + // + if (DnsServerLen =3D=3D 0) { + return EFI_DEVICE_ERROR; + } + + // + // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16) + // + if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) !=3D 0) { + return EFI_DEVICE_ERROR; + } + + // + // This code is currently written to only support a single DNS Server in= stead + // of multiple such as is spec defined (RFC3646, Section 3). The proper = behavior + // would be to allocate the full space requested, CopyMem all of the dat= a, + // and then add a DnsServerCount field to Private and update additional = code + // that depends on this. + // + // To support multiple DNS servers the `AllocationSize` would need to be= changed to DnsServerLen + // + // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=3D1= 886 + // + Private->DnsServer =3D AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS)); + if (Private->DnsServer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Intentionally only copy over the first server address. 
+ // To support multiple DNS servers, the `Length` would need to be change= d to DnsServerLen + // + CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]= ->Data, sizeof (EFI_IPv6_ADDRESS)); + + return EFI_SUCCESS; +} + /** Handle the DHCPv6 offer packet. =20 @@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer ( UINT32 SelectIndex; UINT32 Index; =20 + ASSERT (Private !=3D NULL); ASSERT (Private->SelectIndex > 0); SelectIndex =3D (UINT32)(Private->SelectIndex - 1); ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM); @@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer ( Status =3D EFI_SUCCESS; =20 // - // First try to cache DNS server address if DHCP6 offer provides. + // First try to cache DNS server addresses if DHCP6 offer provides. // if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] !=3D NULL) { - Private->DnsServer =3D AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_= DHCP6_IDX_DNS_SERVER]->OpLen)); - if (Private->DnsServer =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D PxeBcCacheDnsServerAddresses (Private, Cache6); + if (EFI_ERROR (Status)) { + return Status; } - - CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVE= R]->Data, sizeof (EFI_IPv6_ADDRESS)); } =20 if (Cache6->OfferType =3D=3D PxeOfferTypeDhcpBinl) { --=20 2.43.0
View/Reply Online (#114472): https://edk2.groups.io/g/devel/message/114472
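Review bot: in the hunk at @@ -1312,6 +1313,65 @@, the new PxeBcCacheDnsServerAddresses assigns AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS)) to Private->DnsServer without checking whether that field already holds a buffer, so if the function runs twice for the same Private the earlier allocation leaks; add `if (Private->DnsServer != NULL) { FreePool (Private->DnsServer); }` before the allocation, or ASSERT that it is NULL on entry. The length checks themselves are correctly placed before any allocation. Two wording nits in the same hunk: the doc comment says "provided by a untrusted option" (should be "an untrusted"), and the code comment says "DnsServerlen" where the variable is DnsServerLen.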
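Review bot: in the hunk at @@ -1335,6 +1395,7 @@, the added ASSERT (Private != NULL) is a DEBUG-build aid only; edk2's ASSERT compiles out in RELEASE builds, so it does not guard the following dereference of Private->SelectIndex at runtime. That is fine if every caller of PxeBcHandleDhcp6Offer already guarantees a non-NULL Private; if not, a real check returning EFI_INVALID_PARAMETER is needed instead.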
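Review bot: in the hunk at @@ -1342,15 +1403,13 @@, the new `return Status;` means a DNS Servers option with a zero or non-16-multiple length now makes PxeBcHandleDhcp6Offer fail the whole offer with EFI_DEVICE_ERROR, whereas the removed code accepted any length; rejecting a malformed offer is the right hardening, but it is a behaviour change for offers whose other options are usable, so the commit message should state it. Also, the comment was changed to "cache DNS server addresses" (plural) while PxeBcCacheDnsServerAddresses intentionally copies only the first address; the original singular wording was the accurate one.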
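The length rule the patch introduces (option data nonzero and a whole number of 16-byte IPv6 addresses, checked before anything is allocated or copied), applied to a raw RFC 3646 DNS Servers option. This is an added plain-C illustration, not edk2 code: the `dhcp6_option`-style byte layout, the helper names and the sample options are constructed here, and the "data must fit in the packet" check is an extra bound that edk2 enforces elsewhere in its option parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_ADDR_LEN 16          /* sizeof (EFI_IPv6_ADDRESS) in edk2 */
#define DHCP6_OPT_DNS_SERVERS 23  /* RFC 3646 OPTION_DNS_SERVERS */

/* The rule from the patch: nonzero and a whole number of IPv6 addresses.
 * Returns 0 if the length is acceptable, -1 otherwise. */
int validate_dns_server_len(uint16_t len) {
    if (len == 0) return -1;
    if (len % IPV6_ADDR_LEN != 0) return -1;
    return 0;
}

/* opt points at a raw DHCPv6 option: code(2) | len(2) | data(len), big-endian.
 * opt_total is how many packet bytes remain from opt onward (extra check,
 * not part of the patch). Only the first address is kept, as in the patch.
 * Before the fix the buffer was sized from the untrusted len but the copy
 * was always 16 bytes, so any len < 16 wrote past the allocation. */
int cache_first_dns_server(const uint8_t *opt, size_t opt_total,
                           uint8_t out[IPV6_ADDR_LEN]) {
    if (opt_total < 4) return -1;                      /* no full header */
    uint16_t code = (uint16_t)((opt[0] << 8) | opt[1]);
    uint16_t len  = (uint16_t)((opt[2] << 8) | opt[3]);
    if (code != DHCP6_OPT_DNS_SERVERS) return -1;
    if (validate_dns_server_len(len) != 0) return -1;  /* the CVE fix */
    if ((size_t)len + 4 > opt_total) return -1;        /* data must fit */
    memcpy(out, opt + 4, IPV6_ADDR_LEN);               /* fixed 16 bytes */
    return 0;
}

/* Constructed sample options (not from a real capture). */
static const uint8_t GOOD_OPT[] = {
    0x00, 0x17, 0x00, 0x20,                                   /* code 23, len 32 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,  /* 2001:db8::1 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02 }; /* 2001:db8::2 */
static const uint8_t SHORT_OPT[] = {
    0x00, 0x17, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };         /* code 23, len 4 */

uint8_t cached_dns_server[IPV6_ADDR_LEN];   /* stands in for Private->DnsServer */

int main(void) {
    printf("good option:  %d\n", cache_first_dns_server(GOOD_OPT, sizeof GOOD_OPT, cached_dns_server));
    printf("short option: %d\n", cache_first_dns_server(SHORT_OPT, sizeof SHORT_OPT, cached_dns_server));
    return 0;
}
```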