From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114253+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114253+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073629; cv=none; d=zohomail.com; s=zohoarc; b=FBCusTA+Mbim2CnCtNKzvnd8SO/JjfBL+H/AWG/h6Ut/RD8yGrp0QCjN/XA6ryX+Xd1iizpu6H2UfBHohW/iqp4+GoBeJL+bXvJems9kfWdg875+F06tX+B4lZdVbYpaYXgB/uhWPQmaxWQuEtedRXQLucCE8Z/GPTp8hWVvxvk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073629; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=M9T8NoS3EcOqSw5fWnoqLd0cC1PdCSauHXlfUjsp2mk=; b=e1bdC0JuJHvuFmzXHAPBL8B0MzqfUcn5dFenybZcEoCVv5dmGx6FXV/ih4d+3L3L79JN9Hc17FbmtwzQHch8dE838DvzWTzTE7M5u4o0nSbFA/mhQjC/DhlQ6NzCiIc4A6S373AoYF4UsBJF/RUtZOAB2jRI5/BxoNY7s3uKBqg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114253+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073629499875.8532753176837; Tue, 23 Jan 2024 21:20:29 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=yJi5DlI3FjN7Vc0gnLt6Wo+OGMBVLkeYcxUKXwwOVlI=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073629; v=1; b=s46rrpEX0D6UPRpNQL9KH0kSvQegYHTHIrXHWLTJ383fpil52FFuHFoCvxSojxCHL6upYVM0 ofciO/SCGkpb6OPTbJYRlhSJ2zq7xBEN7wKx/cNjU64aVmj6qKyDsfb1wDgP2avkQUC7blw5+D/ 78o5O1FTFCKFiMJzHULwslWI= X-Received: by 127.0.0.2 with SMTP id SOSTYY1788612xSOlhoaB1Du; Tue, 23 Jan 2024 21:20:29 -0800 X-Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web11.16101.1706073628391534454 for ; Tue, 23 Jan 2024 21:20:28 -0800 X-Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-1d711d7a940so44268975ad.1 for ; Tue, 23 Jan 2024 21:20:28 -0800 (PST) X-Gm-Message-State: WjDk0Jk9qTgTguxiqtNp3HaJx1787277AA= X-Google-Smtp-Source: AGHT+IFSUJKsE4y/qOok4OiQ/HvoIm3WofFG6TclgstVPmPTtU/IWjEFeKg+J178hU5cQZBbwyiM9w== X-Received: by 2002:a17:903:264b:b0:1d7:6301:96d7 with SMTP id je11-20020a170903264b00b001d7630196d7mr337972plb.115.1706073627177; Tue, 23 Jan 2024 21:20:27 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:26 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: "Douglas Flick [MSFT]" , Saloni Kasbekar , Zachary Clark-williams Subject: [edk2-devel] [PATCH 01/14] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch Date: Tue, 23 Jan 2024 19:33:24 -0800 Message-ID: <931c86114b8f62b633f92aeb8573d2559c66c0f0.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073630304100001 Content-Type: text/plain; charset="utf-8" REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4535 SECURITY PATCH - Patch TCBZ4535 CVE-2023-45230 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 43 +++ NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h | 78 +++--- NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 409 +++++++++++++++++++---------- NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +++++++++++++++++++++----- 4 files changed, 666 insertions(+), 237 deletions(-) diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Imp= l.h index 0eb9c669b5a1..f2422c2f2827 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h @@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') =20 +// +// For more information on DHCP options see RFC 8415, Section 21.1 +// +// The format of DHCP options is: +// +// 0 1 2 3 +// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | option-code | option-len | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | option-data | +// | (option-len octets) | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// +#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16)) +#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16)) + +// +// Combined size of Code and Length +// +#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ + DHCP6_SIZE_OF_OPT_LEN) + +STATIC_ASSERT ( + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN =3D=3D 4, + "Combined size of Code and Length must be 4 per RFC 8415" + ); + +// +// Offset to the length is just past the code +// +#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE) +STATIC_ASSERT ( + DHCP6_OPT_LEN_OFFSET (0) =3D=3D 2, + "Offset of length is + 2 past start of option" + ); + +#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) +STATIC_ASSERT ( + DHCP6_OPT_DATA_OFFSET (0) =3D=3D 4, + "Offset to option data should be +4 from start of option" + ); + #define DHCP6_PACKET_ALL 0 #define DHCP6_PACKET_STATEFUL 1 #define DHCP6_PACKET_STATELESS 2 diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h b/NetworkPkg/Dhcp6Dxe/Dhcp6= Utility.h index 046454ff4ac2..06947f6c1fcf 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h @@ -160,69 +160,85 @@ Dhcp6OnTransmitted ( ); =20 /** - Append the appointed option to the buf, and move the buf to the end. + Append the option to Buf, update the length of packet, and move Buf to t= he end. =20 - @param[in, out] Buf The pointer to buffer. - @param[in] OptType The option type. - @param[in] OptLen The length of option content.s - @param[in] Data The pointer to the option content. - - @return Buf The position to append the next option. + @param[in, out] Packet A pointer to the packet, on success Packe= t->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. + @param[in] OptType The option type. + @param[in] OptLen The length of option contents. + @param[in] Data The pointer to the option content. =20 + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendOption ( - IN OUT UINT8 *Buf, - IN UINT16 OptType, - IN UINT16 OptLen, - IN UINT8 *Data + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN UINT16 OptType, + IN UINT16 OptLen, + IN UINT8 *Data ); =20 /** - Append the Ia option to Buf, and move Buf to the end. - - @param[in, out] Buf The pointer to the position to append. + Append the appointed Ia option to Buf, update the Ia option length, and = move Buf + to the end of the option. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. =20 - @return Buf The position to append the next Ia option. - + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaOption ( - IN OUT UINT8 *Buf, - IN EFI_DHCP6_IA *Ia, - IN UINT32 T1, - IN UINT32 T2, - IN UINT32 MessageType + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN EFI_DHCP6_IA *Ia, + IN UINT32 T1, + IN UINT32 T2, + IN UINT32 MessageType ); =20 /** Append the appointed Elapsed time option to Buf, and move Buf to the end. =20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in the generated packet. =20 - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendETOption ( - IN OUT UINT8 *Buf, - IN DHCP6_INSTANCE *Instance, - OUT UINT16 **Elapsed + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN DHCP6_INSTANCE *Instance, + OUT UINT16 **Elapsed ); =20 /** Set the elapsed time based on the given instance and the pointer to the elapsed time option. =20 - @param[in] Elapsed The pointer to the position to append. - @param[in] Instance The pointer to the Dhcp6 instance. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. **/ VOID SetElapsedTime ( diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index dcd01e6268b1..bf5aa7a769de 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -3,9 +3,9 @@ =20 (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation =20 SPDX-License-Identifier: BSD-2-Clause-Patent - **/ =20 #include "Dhcp6Impl.h" @@ -930,7 +930,8 @@ Dhcp6SendSolicitMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; @@ -944,54 +945,64 @@ Dhcp6SendSolicitMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendSolicit, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1005,10 +1016,8 @@ Dhcp6SendSolicitMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1020,6 +1029,14 @@ Dhcp6SendSolicitMsg ( Elapsed, Instance->Config->SolicitRetransmission ); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1110,7 +1127,8 @@ Dhcp6SendRequestMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1124,51 +1142,67 @@ Dhcp6SendRequestMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // @@ -1177,8 +1211,7 @@ Dhcp6SendRequestMsg ( Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendRequest, &Packet); =20 if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1194,14 +1227,21 @@ Dhcp6SendRequestMsg ( Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); =20 if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1266,7 +1306,8 @@ Dhcp6SendDeclineMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE; @@ -1280,42 +1321,58 @@ Dhcp6SendDeclineMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption (Cursor, DecIa, 0, 0, Packet->Dhcp6.Heade= r.MessageType); + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, + DecIa, + 0, + 0, + Packet->Dhcp6.Header.MessageType + ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendDecline, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1329,16 +1386,22 @@ Dhcp6SendDeclineMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1399,7 +1462,8 @@ Dhcp6SendReleaseMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE; @@ -1413,45 +1477,61 @@ Dhcp6SendReleaseMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // ServerId is extracted from packet, it's network order. // - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption (Cursor, RelIa, 0, 0, Packet->Dhcp6.Heade= r.MessageType); + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, + RelIa, + 0, + 0, + Packet->Dhcp6.Header.MessageType + ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - // - // Determine the size/length of packet - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendRelease, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1461,16 +1541,22 @@ Dhcp6SendReleaseMsg ( Instance->IaCb.Ia->State =3D Dhcp6Releasing; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1529,7 +1615,8 @@ Dhcp6SendRenewRebindMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1543,26 +1630,38 @@ Dhcp6SendRenewRebindMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 if (!RebindRequest) { // @@ -1578,18 +1677,22 @@ Dhcp6SendRenewRebindMsg ( Dhcp6OptServerId ); if (Option =3D=3D NULL) { - FreePool (Packet); - return EFI_DEVICE_ERROR; + Status =3D EFI_DEVICE_ERROR; + goto ON_ERROR; } =20 ServerId =3D (EFI_DHCP6_DUID *)(Option + 2); =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 // @@ -1597,18 +1700,18 @@ Dhcp6SendRenewRebindMsg ( // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // @@ -1618,10 +1721,8 @@ Dhcp6SendRenewRebindMsg ( Event =3D (RebindRequest) ? Dhcp6EnterRebinding : Dhcp6EnterRenewing; =20 Status =3D Dhcp6CallbackUser (Instance, Event, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1638,16 +1739,22 @@ Dhcp6SendRenewRebindMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1811,7 +1918,8 @@ Dhcp6SendInfoRequestMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1828,44 +1936,56 @@ Dhcp6SendInfoRequestMsg ( =20 if (SendClientId) { Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, OptionRequest->OpCode, OptionRequest->OpLen, OptionRequest->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < OptionCount; Index++) { UserOpt =3D OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // @@ -1877,16 +1997,22 @@ Dhcp6SendInfoRequestMsg ( // Send info-request packet with no state. // Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, Retransmission); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1937,7 +2063,8 @@ Dhcp6SendConfirmMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1951,54 +2078,64 @@ Dhcp6SendConfirmMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendConfirm, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -2012,16 +2149,22 @@ Dhcp6SendConfirmMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6= Utility.c index e6368b5b1c6c..705c665c519d 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c @@ -577,24 +577,33 @@ Dhcp6OnTransmitted ( } =20 /** - Append the option to Buf, and move Buf to the end. + Append the option to Buf, update the length of packet, and move Buf to t= he end. =20 - @param[in, out] Buf The pointer to the buffer. - @param[in] OptType The option type. - @param[in] OptLen The length of option contents. - @param[in] Data The pointer to the option content. + @param[in, out] Packet A pointer to the packet, on success Packe= t->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. + @param[in] OptType The option type. + @param[in] OptLen The length of option contents. + @param[in] Data The pointer to the option content. =20 - @return Buf The position to append the next option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendOption ( - IN OUT UINT8 *Buf, - IN UINT16 OptType, - IN UINT16 OptLen, - IN UINT8 *Data + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN UINT16 OptType, + IN UINT16 OptLen, + IN UINT8 *Data ) { + UINT32 Length; + UINT32 BytesNeeded; + // // The format of Dhcp6 option: // @@ -607,35 +616,95 @@ Dhcp6AppendOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // =20 - ASSERT (OptLen !=3D 0); + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } =20 - WriteUnaligned16 ((UINT16 *)Buf, OptType); - Buf +=3D 2; - WriteUnaligned16 ((UINT16 *)Buf, OptLen); - Buf +=3D 2; - CopyMem (Buf, Data, NTOHS (OptLen)); - Buf +=3D NTOHS (OptLen); + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } =20 - return Buf; + if (Data =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if (OptLen =3D=3D 0) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + // + // Calculate the bytes needed for the option + // + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen); + + // + // Space remaining in the packet + // + Length =3D Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; + WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; + CopyMem (*PacketCursor, Data, NTOHS (OptLen)); + *PacketCursor +=3D NTOHS (OptLen); + + // Update the packet length by the length of the option + 4 bytes + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** Append the appointed IA Address option to Buf, and move Buf to the end. =20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pack= etCursor + will be moved to the end of the option. @param[in] IaAddr The pointer to the IA Address. @param[in] MessageType Message type of DHCP6 package. =20 - @return Buf The position to append the next option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaAddrOption ( - IN OUT UINT8 *Buf, + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, IN EFI_DHCP6_IA_ADDRESS *IaAddr, IN UINT32 MessageType ) { + UINT32 BytesNeeded; + UINT32 Length; + // The format of the IA Address option is: // // 0 1 2 3 @@ -657,17 +726,60 @@ Dhcp6AppendIaAddrOption ( // . . // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ =20 + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (IaAddr =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + BytesNeeded +=3D sizeof (EFI_IPv6_ADDRESS); + // + // Even if the preferred-lifetime is 0, it still needs to store it. + // + BytesNeeded +=3D sizeof (IaAddr->PreferredLifetime); + // + // Even if the valid-lifetime is 0, it still needs to store it. + // + BytesNeeded +=3D sizeof (IaAddr->ValidLifetime); + + // + // Space remaining in the packet + // + Length =3D Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of Ia Address option type // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptIaAddr)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; =20 - WriteUnaligned16 ((UINT16 *)Buf, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS))); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_A= DDRESS))); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; =20 - CopyMem (Buf, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); - Buf +=3D sizeof (EFI_IPv6_ADDRESS); + CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); + *PacketCursor +=3D sizeof (EFI_IPv6_ADDRESS); =20 // // Fill the value of preferred-lifetime and valid-lifetime. @@ -675,44 +787,58 @@ Dhcp6AppendIaAddrOption ( // should set to 0 when initiate a Confirm message. // if (MessageType !=3D Dhcp6MsgConfirm) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->PreferredLifetime)); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLif= etime)); } =20 - Buf +=3D 4; + *PacketCursor +=3D sizeof (IaAddr->PreferredLifetime); =20 if (MessageType !=3D Dhcp6MsgConfirm) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->ValidLifetime)); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetim= e)); } =20 - Buf +=3D 4; + *PacketCursor +=3D sizeof (IaAddr->ValidLifetime); =20 - return Buf; + // + // Update the packet length + // + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** Append the appointed Ia option to Buf, and move Buf to the end. =20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pack= etCursor + will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. =20 - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaOption ( - IN OUT UINT8 *Buf, - IN EFI_DHCP6_IA *Ia, - IN UINT32 T1, - IN UINT32 T2, - IN UINT32 MessageType + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN EFI_DHCP6_IA *Ia, + IN UINT32 T1, + IN UINT32 T2, + IN UINT32 MessageType ) { - UINT8 *AddrOpt; - UINT16 *Len; - UINTN Index; + UINT8 *AddrOpt; + UINT16 *Len; + UINTN Index; + UINT32 BytesNeeded; + UINT32 Length; + EFI_STATUS Status; =20 // // The format of IA_NA and IA_TA option: @@ -733,32 +859,74 @@ Dhcp6AppendIaOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // =20 + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (Ia =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + BytesNeeded +=3D sizeof (Ia->Descriptor.IaId); + // + // + N for the IA_NA-options/IA_TA-options + // Dhcp6AppendIaAddrOption will need to check the length for each address + // + if (Ia->Descriptor.Type =3D=3D Dhcp6OptIana) { + BytesNeeded +=3D sizeof (T1) + sizeof (T2); + } + + // + // Space remaining in the packet + // + Length =3D (UINT16)(Packet->Size - Packet->Length); + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of Ia option type // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Ia->Descriptor.Type)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; =20 // // Fill the len of Ia option later, keep the pointer first // - Len =3D (UINT16 *)Buf; - Buf +=3D 2; + Len =3D (UINT16 *)*PacketCursor; + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; =20 // // Fill the value of iaid // - WriteUnaligned32 ((UINT32 *)Buf, HTONL (Ia->Descriptor.IaId)); - Buf +=3D 4; + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId)); + *PacketCursor +=3D sizeof (Ia->Descriptor.IaId); =20 // // Fill the value of t1 and t2 if iana, keep it 0xffffffff if no specifi= ed. // if (Ia->Descriptor.Type =3D=3D Dhcp6OptIana) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T1 !=3D 0) ? T1 : 0xffffffff)= ); - Buf +=3D 4; - WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T2 !=3D 0) ? T2 : 0xffffffff)= ); - Buf +=3D 4; + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 !=3D 0) ? T1 : 0= xffffffff)); + *PacketCursor +=3D sizeof (T1); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 !=3D 0) ? T2 : 0= xffffffff)); + *PacketCursor +=3D sizeof (T2); } =20 // @@ -766,35 +934,51 @@ Dhcp6AppendIaOption ( // for (Index =3D 0; Index < Ia->IaAddressCount; Index++) { AddrOpt =3D (UINT8 *)Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDR= ESS); - Buf =3D Dhcp6AppendIaAddrOption (Buf, (EFI_DHCP6_IA_ADDRESS *)Addr= Opt, MessageType); + Status =3D Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_= IA_ADDRESS *)AddrOpt, MessageType); + if (EFI_ERROR (Status)) { + return Status; + } } =20 // // Fill the value of Ia option length // - *Len =3D HTONS ((UINT16)(Buf - (UINT8 *)Len - 2)); + *Len =3D HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); =20 - return Buf; + // + // Update the packet length + // + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** Append the appointed Elapsed time option to Buf, and move Buf to the end. =20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + @param[in, out] PacketCursor The pointer in the packet, on success Pack= etCursor + will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in - the generated packet. + the generated packet. =20 - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendETOption ( - IN OUT UINT8 *Buf, - IN DHCP6_INSTANCE *Instance, - OUT UINT16 **Elapsed + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN DHCP6_INSTANCE *Instance, + OUT UINT16 **Elapsed ) { + UINT32 BytesNeeded; + UINT32 Length; + // // The format of elapsed time option: // @@ -806,27 +990,70 @@ Dhcp6AppendETOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // =20 + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (Instance =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((Elapsed =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + // + // + 2 for elapsed-time + // + BytesNeeded +=3D sizeof (UINT16); + // + // Space remaining in the packet + // + Length =3D Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of elapsed-time option type. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptElapsedTime)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; =20 // // Fill the len of elapsed-time option, which is fixed. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (2)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; =20 // // Fill in elapsed time value with 0 value for now. The actual value is // filled in later just before the packet is transmitted. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (0)); - *Elapsed =3D (UINT16 *)Buf; - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0)); + *Elapsed =3D (UINT16 *)*PacketCursor; + *PacketCursor +=3D sizeof (UINT16); =20 - return Buf; + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114253): https://edk2.groups.io/g/devel/message/114253 Mute This Topic: https://groups.io/mt/103926731/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114254+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114254+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073629; cv=none; d=zohomail.com; s=zohoarc; b=VM/S5bDKKbk7/QUldjH6v4mj32nJooZtX/65KOscyzLlklW0LKvALNoTUY1gF7HRn/1+xP+sjB/SLu9CvaY0Gzi6TVcj3FlSx0ln9YxlbajQwSNMFLk3kUbs6/Kd61wIu0SdEWXRsHnr4ILWykpyWrgWxGHWd7uqYinsn7+H5BU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073629; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=odwIwSxxBq+K7lD+ZPAJykPSlVAchBGRbBl7Lc1o66Y=; b=KYgk/OYvYW7aq26KwlgqolJwvzSi+aJ0zXoEFUxyVfmtgkCjCCDo3gzRUHbboLoHoKKXa4fy3gBA/VFhk0+NtFh32SnLYysbIiAo/sBIhE+y10OSSYa0ngNGLVWGQOTMF14VLNz8jv9MMHqRqHALUNfcDe22/CHKwt+epCg0kFI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114254+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073629983153.7472816640502; Tue, 23 Jan 2024 21:20:29 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=NhxJ1PKTAQBIfelU7GBi39loKbxC+dbt+gENMyfag1I=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073629; v=1; b=LDPJVM4ty1nbY8CvbBmbDRQWAjiByil1gzPVBaFSMywKZX01Ipk6iIVo68QkRPktQnpJn3Mf sLrPGelllF/jULK623Ps3i1S4DqL+CjMI3FrS540MvomG0J+pb9aaK+0OtRxtyiwxjcRfqbRLb4 OFDtp5UqGiGkqPI2gXLZOdLw= X-Received: by 127.0.0.2 with SMTP id 8M40YY1788612xwVGrYGo8VK; Tue, 23 Jan 2024 21:20:29 -0800 X-Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web11.16102.1706073628781303782 for ; Tue, 23 Jan 2024 21:20:28 -0800 X-Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-1d780a392fdso3803085ad.3 for ; Tue, 23 Jan 2024 21:20:28 -0800 (PST) X-Gm-Message-State: UTULPi5Auu7EK8FBk4HRq0Ocx1787277AA= X-Google-Smtp-Source: AGHT+IF5De8vvOyL0gQQiLVCbwpeNgzZGSME2kaZ642Q8BtyMQybV8oU2uXH1MKuUUB+lujDk4puyA== X-Received: by 2002:a17:902:ec81:b0:1d7:6c3f:78e6 with SMTP id x1-20020a170902ec8100b001d76c3f78e6mr426594plg.48.1706073627796; Tue, 23 Jan 2024 21:20:27 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:27 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: "Douglas Flick [MSFT]" , Saloni Kasbekar , Zachary Clark-williams Subject: [edk2-devel] [PATCH 02/14] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests Date: Tue, 23 Jan 2024 19:33:25 -0800 Message-ID: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073630315100002 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4535 SECURITY PATCH - Unit Tests TCBZ4535 CVE-2023-45230 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Test/NetworkPkgHostTest.dsc | 99 ++++ .../GoogleTest/Dhcp6DxeGoogleTest.inf | 43 ++ .../GoogleTest/Dhcp6DxeGoogleTest.cpp | 20 + .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 ++++++++++++++++++ NetworkPkg/NetworkPkg.ci.yaml | 118 ++--- 5 files changed, 695 insertions(+), 63 deletions(-) create mode 100644 NetworkPkg/Test/NetworkPkgHostTest.dsc create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/Netwo= rkPkgHostTest.dsc new file mode 100644 index 000000000000..20bc90b1728d --- /dev/null +++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc @@ -0,0 +1,99 @@ +## @file +# NetworkPkgHostTest DSC file used to build host-based unit tests. +# +# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## +[Defines] + PLATFORM_NAME =3D NetworkPkgHostTest + PLATFORM_GUID =3D 3b68324e-fc07-4d49-9520-9347ede65879 + PLATFORM_VERSION =3D 0.1 + DSC_SPECIFICATION =3D 0x00010005 + OUTPUT_DIRECTORY =3D Build/NetworkPkg/HostTest + SUPPORTED_ARCHITECTURES =3D IA32|X64|AARCH64 + BUILD_TARGETS =3D NOOPT + SKUID_IDENTIFIER =3D DEFAULT + +!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc +[Packages] + MdePkg/MdePkg.dec + UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec + +[Components] + # + # Build HOST_APPLICATION that tests NetworkPkg + # + NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf + +# Despite these library classes being listed in [LibraryClasses] below, th= ey are not needed for the host-based unit tests. +[LibraryClasses] + NetLib|NetworkPkg/Library/DxeNetLib/DxeNetLib.inf + DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + BaseLib|MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf + MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll= ocationLib.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf + UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntry= Point.inf + UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiA= pplicationEntryPoint.inf + UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBoo= tServicesTableLib.inf + UefiLib|MdePkg/Library/UefiLib/UefiLib.inf + UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/U= efiRuntimeServicesTableLib.inf + UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServic= esLib.inf + UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManag= erLib.inf + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplat= e.inf + PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibN= ull.inf + PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeC= offGetEntryPointLib.inf + DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf + DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableL= ib.inf + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf +!ifdef CONTINUOUS_INTEGRATION + BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf + TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf +!else + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf +!endif + DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf + FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf + FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf + SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + +!if $(TOOL_CHAIN_TAG) =3D=3D VS2019 or $(TOOL_CHAIN_TAG) =3D=3D VS2022 +[LibraryClasses.X64] + # Provide StackCookie support lib so that we can link to /GS exports for= VS builds + RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf +!endif + +[LibraryClasses.common.UEFI_DRIVER] + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf + ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeRepor= tStatusCodeLib.inf + DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf +[LibraryClasses.common.UEFI_APPLICATION] + DebugLib|MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf + ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf +[LibraryClasses.ARM, LibraryClasses.AARCH64] + # + # It is not possible to prevent ARM compiler calls to generic intrinsic = functions. + # This library provides the instrinsic functions generated by a given co= mpiler. + # [LibraryClasses.ARM] and NULL mean link this library into all ARM imag= es. + # +!if $(TOOL_CHAIN_TAG) !=3D VS2017 and $(TOOL_CHAIN_TAG) !=3D VS2015 and $(= TOOL_CHAIN_TAG) !=3D VS2019 + NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf +!endif + NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf +[LibraryClasses.ARM] + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf +[LibraryClasses.RISCV64] + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf + +[PcdsFixedAtBuild] + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2 + gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType|0x4 diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/Networ= kPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf new file mode 100644 index 000000000000..8e9119a37158 --- /dev/null +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf @@ -0,0 +1,43 @@ +## @file +# Unit test suite for the Dhcp6Dxe using Google Test +# +# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## +[Defines] + INF_VERSION =3D 0x00010017 + BASE_NAME =3D Dhcp6DxeGoogleTest + FILE_GUID =3D 1D2A4C65-38C8-4C2F-BB60-B5FA49625AA9 + VERSION_STRING =3D 1.0 + MODULE_TYPE =3D HOST_APPLICATION +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# +[Sources] + Dhcp6DxeGoogleTest.cpp + Dhcp6IoGoogleTest.cpp + ../Dhcp6Io.c + ../Dhcp6Utility.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec + NetworkPkg/NetworkPkg.dec + +[LibraryClasses] + GoogleTestLib + DebugLib + NetLib + PcdLib + +[Protocols] + gEfiDhcp6ServiceBindingProtocolGuid + +[Pcd] + gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType + +[Guids] + gZeroGuid diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp b/Networ= kPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp new file mode 100644 index 000000000000..9aeced2f9156 --- /dev/null +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp @@ -0,0 +1,20 @@ +/** @file + Acts as the main entry point for the tests for the Dhcp6Dxe module. + + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include + +//////////////////////////////////////////////////////////////////////////= ////// +// Run the tests +//////////////////////////////////////////////////////////////////////////= ////// +int +main ( + int argc, + char *argv[] + ) +{ + testing::InitGoogleTest (&argc, argv); + return RUN_ALL_TESTS (); +} diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/Network= Pkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp new file mode 100644 index 000000000000..7ee40e4af480 --- /dev/null +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp @@ -0,0 +1,478 @@ +/** @file + Tests for Dhcp6Io.c. + + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include + +extern "C" { + #include + #include + #include + #include + #include "../Dhcp6Impl.h" + #include "../Dhcp6Utility.h" +} + +//////////////////////////////////////////////////////////////////////// +// Defines +//////////////////////////////////////////////////////////////////////// + +#define DHCP6_PACKET_MAX_LEN 1500 + +//////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// +// Symbol Definitions +// These functions are not directly under test - but required to compile +//////////////////////////////////////////////////////////////////////// + +// This definition is used by this test but is also required to compile +// by Dhcp6Io.c +EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress =3D { + { 0xFF, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 2 } +}; + +EFI_STATUS +EFIAPI +UdpIoSendDatagram ( + IN UDP_IO *UdpIo, + IN NET_BUF *Packet, + IN UDP_END_POINT *EndPoint OPTIONAL, + IN EFI_IP_ADDRESS *Gateway OPTIONAL, + IN UDP_IO_CALLBACK CallBack, + IN VOID *Context + ) +{ + return EFI_SUCCESS; +} + +EFI_STATUS +EFIAPI +UdpIoRecvDatagram ( + IN UDP_IO *UdpIo, + IN UDP_IO_CALLBACK CallBack, + IN VOID *Context, + IN UINT32 HeadLen + ) +{ + return EFI_SUCCESS; +} + +//////////////////////////////////////////////////////////////////////// +// Dhcp6AppendOptionTest Tests +//////////////////////////////////////////////////////////////////////// + +class Dhcp6AppendOptionTest : public ::testing::Test { +public: + UINT8 *Buffer =3D NULL; + EFI_DHCP6_PACKET *Packet; + +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + // Initialize any resources or variables + Buffer =3D (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN); + ASSERT_NE (Buffer, (UINT8 *)NULL); + + Packet =3D (EFI_DHCP6_PACKET *)Buffer; + Packet->Size =3D DHCP6_PACKET_MAX_LEN; + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + // Clean up any resources or variables + if (Buffer !=3D NULL) { + FreePool (Buffer); + } + } +}; + +// Test Description: +// Attempt to append an option to a packet that is too small by a duid tha= t is too large +TEST_F (Dhcp6AppendOptionTest, InvalidDataExpectBufferTooSmall) { + UINT8 *Cursor; + EFI_DHCP6_DUID *UntrustedDuid; + EFI_STATUS Status; + + UntrustedDuid =3D (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_= DUID)); + ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL); + + UntrustedDuid->Length =3D NTOHS (0xFFFF); + + Cursor =3D Dhcp6AppendOptionTest::Packet->Dhcp6.Option; + + Status =3D Dhcp6AppendOption ( + Dhcp6AppendOptionTest::Packet, + &Cursor, + HTONS (Dhcp6OptServerId), + UntrustedDuid->Length, + UntrustedDuid->Duid + ); + + ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); +} + +// Test Description: +// Attempt to append an option to a packet that is large enough +TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) { + UINT8 *Cursor; + EFI_DHCP6_DUID *UntrustedDuid; + EFI_STATUS Status; + UINTN OriginalLength; + + UINT8 Duid[6] =3D { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 }; + + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); + OriginalLength =3D Packet->Length; + + UntrustedDuid =3D (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_= DUID)); + ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL); + + UntrustedDuid->Length =3D NTOHS (sizeof (Duid)); + CopyMem (UntrustedDuid->Duid, Duid, sizeof (Duid)); + + Cursor =3D Dhcp6AppendOptionTest::Packet->Dhcp6.Option; + + Status =3D Dhcp6AppendOption ( + Dhcp6AppendOptionTest::Packet, + &Cursor, + HTONS (Dhcp6OptServerId), + UntrustedDuid->Length, + UntrustedDuid->Duid + ); + + ASSERT_EQ (Status, EFI_SUCCESS); + + // verify that the pointer to cursor moved by the expected amount + ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendOptionTest::Packet->Dhcp6.Option = + sizeof (Duid) + 4); + + // verify that the length of the packet is now the expected amount + ASSERT_EQ (Dhcp6AppendOptionTest::Packet->Length, OriginalLength + sizeo= f (Duid) + 4); +} + +//////////////////////////////////////////////////////////////////////// +// Dhcp6AppendETOption Tests +//////////////////////////////////////////////////////////////////////// + +class Dhcp6AppendETOptionTest : public ::testing::Test { +public: + UINT8 *Buffer =3D NULL; + EFI_DHCP6_PACKET *Packet; + +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + // Initialize any resources or variables + Buffer =3D (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN); + ASSERT_NE (Buffer, (UINT8 *)NULL); + + Packet =3D (EFI_DHCP6_PACKET *)Buffer; + Packet->Size =3D DHCP6_PACKET_MAX_LEN; + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + // Clean up any resources or variables + if (Buffer !=3D NULL) { + FreePool (Buffer); + } + } +}; + +// Test Description: +// Attempt to append an option to a packet that is too small by a duid tha= t is too large +TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) { + UINT8 *Cursor; + EFI_STATUS Status; + DHCP6_INSTANCE Instance; + UINT16 ElapsedTimeVal; + UINT16 *ElapsedTime; + + Cursor =3D Dhcp6AppendETOptionTest::Packet->Dhcp6.Option; + ElapsedTime =3D &ElapsedTimeVal; + + Packet->Length =3D Packet->Size - 2; + + Status =3D Dhcp6AppendETOption ( + Dhcp6AppendETOptionTest::Packet, + &Cursor, + &Instance, // Instance is not used in this function + &ElapsedTime + ); + + // verify that we error out because the packet is too small for the opti= on header + ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); + + // reset the length + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); +} + +// Test Description: +// Attempt to append an option to a packet that is large enough +TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) { + UINT8 *Cursor; + EFI_STATUS Status; + DHCP6_INSTANCE Instance; + UINT16 ElapsedTimeVal; + UINT16 *ElapsedTime; + UINTN ExpectedSize; + UINTN OriginalLength; + + Cursor =3D Dhcp6AppendETOptionTest::Packet->Dhcp6.Option; + ElapsedTime =3D &ElapsedTimeVal; + ExpectedSize =3D 6; + OriginalLength =3D Packet->Length; + + Status =3D Dhcp6AppendETOption ( + Dhcp6AppendETOptionTest::Packet, + &Cursor, + &Instance, // Instance is not used in this function + &ElapsedTime + ); + + // verify that the status is EFI_SUCCESS + ASSERT_EQ (Status, EFI_SUCCESS); + + // verify that the pointer to cursor moved by the expected amount + ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendETOptionTest::Packet->Dhcp6.Optio= n + ExpectedSize); + + // verify that the length of the packet is now the expected amount + ASSERT_EQ (Dhcp6AppendETOptionTest::Packet->Length, OriginalLength + Exp= ectedSize); +} + +//////////////////////////////////////////////////////////////////////// +// Dhcp6AppendIaOption Tests +//////////////////////////////////////////////////////////////////////// + +class Dhcp6AppendIaOptionTest : public ::testing::Test { +public: + UINT8 *Buffer =3D NULL; + EFI_DHCP6_PACKET *Packet; + EFI_DHCP6_IA *Ia; + +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + // Initialize any resources or variables + Buffer =3D (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN); + ASSERT_NE (Buffer, (UINT8 *)NULL); + + Packet =3D (EFI_DHCP6_PACKET *)Buffer; + Packet->Size =3D DHCP6_PACKET_MAX_LEN; + + Ia =3D (EFI_DHCP6_IA *)AllocateZeroPool (sizeof (EFI_DHCP6_IA) + sizeo= f (EFI_DHCP6_IA_ADDRESS) * 2); + ASSERT_NE (Ia, (EFI_DHCP6_IA *)NULL); + + CopyMem (Ia->IaAddress, mAllDhcpRelayAndServersAddress.Addr, sizeof (E= FI_IPv6_ADDRESS)); + CopyMem (Ia->IaAddress + 1, mAllDhcpRelayAndServersAddress.Addr, sizeo= f (EFI_IPv6_ADDRESS)); + + Ia->IaAddressCount =3D 2; + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + // Clean up any resources or variables + if (Buffer !=3D NULL) { + FreePool (Buffer); + } + + if (Ia !=3D NULL) { + FreePool (Ia); + } + } +}; + +// Test Description: +// Attempt to append an option to a packet that doesn't have enough space +// for the option header +TEST_F (Dhcp6AppendIaOptionTest, IaNaInvalidDataExpectBufferTooSmall) { + UINT8 *Cursor; + EFI_STATUS Status; + + Packet->Length =3D Packet->Size - 2; + + Ia->Descriptor.Type =3D Dhcp6OptIana; + Ia->Descriptor.IaId =3D 0x12345678; + + Cursor =3D Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; + + Status =3D Dhcp6AppendIaOption ( + Dhcp6AppendIaOptionTest::Packet, + &Cursor, + Ia, + 0x12345678, + 0x11111111, + Dhcp6OptIana + ); + + // verify that we error out because the packet is too small for the opti= on header + ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); + + // reset the length + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); +} + +// Test Description: +// Attempt to append an option to a packet that doesn't have enough space +// for the option header +TEST_F (Dhcp6AppendIaOptionTest, IaTaInvalidDataExpectBufferTooSmall) { + UINT8 *Cursor; + EFI_STATUS Status; + + // Use up nearly all the space in the packet + Packet->Length =3D Packet->Size - 2; + + Ia->Descriptor.Type =3D Dhcp6OptIata; + Ia->Descriptor.IaId =3D 0x12345678; + + Cursor =3D Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; + + Status =3D Dhcp6AppendIaOption ( + Dhcp6AppendIaOptionTest::Packet, + &Cursor, + Ia, + 0, + 0, + Dhcp6OptIata + ); + + // verify that we error out because the packet is too small for the opti= on header + ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); + + // reset the length + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); +} + +TEST_F (Dhcp6AppendIaOptionTest, IaNaValidDataExpectSuccess) { + UINT8 *Cursor; + EFI_STATUS Status; + UINTN ExpectedSize; + UINTN OriginalLength; + + // + // 2 bytes for the option header type + // + ExpectedSize =3D 2; + // + // 2 bytes for the option header length + // + ExpectedSize +=3D 2; + // + // 4 bytes for the IAID + // + ExpectedSize +=3D 4; + // + // + 4 bytes for the T1 + // + ExpectedSize +=3D 4; + // + // + 4 bytes for the T2 + // + ExpectedSize +=3D 4; + // + // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; + // + 2 bytes for the option header type + // + 2 bytes for the option header length + // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address + // + ExpectedSize +=3D (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; + + Cursor =3D Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; + + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); + OriginalLength =3D Packet->Length; + + Ia->Descriptor.Type =3D Dhcp6OptIana; + Ia->Descriptor.IaId =3D 0x12345678; + + Status =3D Dhcp6AppendIaOption ( + Dhcp6AppendIaOptionTest::Packet, + &Cursor, + Ia, + 0x12345678, + 0x12345678, + Dhcp6OptIana + ); + + // verify that the pointer to cursor moved by the expected amount + ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Optio= n + ExpectedSize); + + // verify that the length of the packet is now the expected amount + ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + Exp= ectedSize); + + // verify that the status is EFI_SUCCESS + ASSERT_EQ (Status, EFI_SUCCESS); +} + +TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) { + UINT8 *Cursor; + EFI_STATUS Status; + UINTN ExpectedSize; + UINTN OriginalLength; + + // + // 2 bytes for the option header type + // + ExpectedSize =3D 2; + // + // 2 bytes for the option header length + // + ExpectedSize +=3D 2; + // + // 4 bytes for the IAID + // + ExpectedSize +=3D 4; + // + // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; + // + 2 bytes for the option header type + // + 2 bytes for the option header length + // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address + // + ExpectedSize +=3D (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; + + Cursor =3D Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; + + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); + OriginalLength =3D Packet->Length; + + Ia->Descriptor.Type =3D Dhcp6OptIata; + Ia->Descriptor.IaId =3D 0x12345678; + + Status =3D Dhcp6AppendIaOption ( + Dhcp6AppendIaOptionTest::Packet, + &Cursor, + Ia, + 0, + 0, + Dhcp6OptIata + ); + + // verify that the pointer to cursor moved by the expected amount + ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Optio= n + ExpectedSize); + + // verify that the length of the packet is now the expected amount + ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + Exp= ectedSize); + + // verify that the status is EFI_SUCCESS + ASSERT_EQ (Status, EFI_SUCCESS); +} diff --git a/NetworkPkg/NetworkPkg.ci.yaml b/NetworkPkg/NetworkPkg.ci.yaml index 07dc7abd6938..0060f7a2cb8f 100644 --- a/NetworkPkg/NetworkPkg.ci.yaml +++ b/NetworkPkg/NetworkPkg.ci.yaml @@ -7,73 +7,65 @@ # SPDX-License-Identifier: BSD-2-Clause-Patent ## { - "LicenseCheck": { - "IgnoreFiles": [] - }, + "LicenseCheck": { "IgnoreFiles": [] }, "EccCheck": { - ## Exception sample looks like below: - ## "ExceptionList": [ - ## "", "" - ## ] - "ExceptionList": [ - ], - ## Both file path and directory path are accepted. - "IgnoreFiles": [ - ] - }, - "CompilerPlugin": { - "DscPath": "NetworkPkg.dsc" - }, - "CharEncodingCheck": { - "IgnoreFiles": [] - }, + ## Exception sample looks like below: + ## "ExceptionList": [ + ## "", "" + ## ] + "ExceptionList": [], + ## Both file path and directory path are accepted. + "IgnoreFiles": [], + }, + "CompilerPlugin": { "DscPath": "NetworkPkg.dsc" }, + "HostUnitTestCompilerPlugin": { "DscPath": "Test/NetworkPkgHostTest.ds= c" }, + "CharEncodingCheck": { "IgnoreFiles": [] }, "DependencyCheck": { - "AcceptableDependencies": [ - "MdePkg/MdePkg.dec", - "MdeModulePkg/MdeModulePkg.dec", - "NetworkPkg/NetworkPkg.dec", - "CryptoPkg/CryptoPkg.dec" - ], - # For host based unit tests - "AcceptableDependencies-HOST_APPLICATION":[], - # For UEFI shell based apps - "AcceptableDependencies-UEFI_APPLICATION":[ - "ShellPkg/ShellPkg.dec" - ], - "IgnoreInf": [] - }, - "DscCompleteCheck": { - "DscPath": "NetworkPkg.dsc", - "IgnoreInf": [] - }, - "GuidCheck": { - "IgnoreGuidName": [], - "IgnoreGuidValue": [], - "IgnoreFoldersAndFiles": [] - }, - "LibraryClassCheck": { - "IgnoreHeaderFile": [] - }, + "AcceptableDependencies": + [ + "MdePkg/MdePkg.dec", + "MdeModulePkg/MdeModulePkg.dec", + "NetworkPkg/NetworkPkg.dec", + "CryptoPkg/CryptoPkg.dec", + ], + # For host based unit tests + "AcceptableDependencies-HOST_APPLICATION": [ + "UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec" + ], + # For UEFI shell based apps + "AcceptableDependencies-UEFI_APPLICATION": + ["ShellPkg/ShellPkg.dec"], + "IgnoreInf": [], + }, + "DscCompleteCheck": { "DscPath": "NetworkPkg.dsc", "IgnoreInf": [] }, + "GuidCheck": + { + "IgnoreGuidName": [], + "IgnoreGuidValue": [], + "IgnoreFoldersAndFiles": [], + }, + "LibraryClassCheck": { "IgnoreHeaderFile": [] }, =20 ## options defined ci/Plugin/SpellCheck "SpellCheck": { - "AuditOnly": True, # Fails test but run in AuditOnly mod= e to collect log - "IgnoreFiles": [], # use gitignore syntax to ignore erro= rs in matching files - "ExtendWords": [], # words to extend to the dictionary f= or this package - "IgnoreStandardPaths": [], # Standard Plugin defined paths that = should be ignore - "AdditionalIncludePaths": [] # Additional paths to spell check (wi= ldcards supported) - }, + "AuditOnly": True, # Fails test but run in AuditOnly mode to c= ollect log + "IgnoreFiles": [], # use gitignore syntax to ignore errors in = matching files + "ExtendWords": [], # words to extend to the dictionary for thi= s package + "IgnoreStandardPaths": [], # Standard Plugin defined paths tha= t should be ignore + "AdditionalIncludePaths": [], # Additional paths to spell chec= k (wildcards supported) + }, =20 - "Defines": { - "BLD_*_CONTINUOUS_INTEGRATION": "TRUE", - "BLD_*_NETWORK_ENABLE": "TRUE", - "BLD_*_NETWORK_SNP_ENABLE": "TRUE", - "BLD_*_NETWORK_VLAN_ENABLE": "TRUE", - "BLD_*_NETWORK_IP4_ENABLE": "TRUE", - "BLD_*_NETWORK_IP6_ENABLE": "TRUE", - "BLD_*_NETWORK_TLS_ENABLE": "TRUE", - "BLD_*_NETWORK_HTTP_ENABLE": "FALSE", - "BLD_*_NETWORK_HTTP_BOOT_ENABLE": "TRUE", - "BLD_*_NETWORK_ISCSI_ENABLE": "TRUE", - } + "Defines": + { + "BLD_*_CONTINUOUS_INTEGRATION": "TRUE", + "BLD_*_NETWORK_ENABLE": "TRUE", + "BLD_*_NETWORK_SNP_ENABLE": "TRUE", + "BLD_*_NETWORK_VLAN_ENABLE": "TRUE", + "BLD_*_NETWORK_IP4_ENABLE": "TRUE", + "BLD_*_NETWORK_IP6_ENABLE": "TRUE", + "BLD_*_NETWORK_TLS_ENABLE": "TRUE", + "BLD_*_NETWORK_HTTP_ENABLE": "FALSE", + "BLD_*_NETWORK_HTTP_BOOT_ENABLE": "TRUE", + "BLD_*_NETWORK_ISCSI_ENABLE": "TRUE", + }, } --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114254): https://edk2.groups.io/g/devel/message/114254 Mute This Topic: https://groups.io/mt/103926732/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114255+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114255+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073630; cv=none; d=zohomail.com; s=zohoarc; b=T23dDk6XO0M+X2V8RpIQQUVYika5J6rCSL//3OYCkUaKb4Ln6+eWFjYtFwMJbCbwtBocE2Z7pvODLcSTm1iWYo3LbdHNET9w0dpdWvBXJZnizfZfvMT+vTtbdLeOcyBY1ep61AdDPaMuhn8DtKemAyY9hMlq0nzLIdGzfMlAiq4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073630; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=8cBfLk8MdTKpyUAFbF7NhMfY9zxiZbbVNumk4XFkuSc=; b=FyhXsvOEXBX5qr8EJ3kRELdy5vY12hMoxf3gl/WyrQVlP1hAUvZlmAPCkcG8OjLHuEWmX43zC9NYpxfDpWAU9EqH5dU5fVHffRel/tLyiDUo52jN4PSb7IH43R1YE1WdJaJp3utrPOl2rjUJiijuBvDYHvXOuswXxbsJ0o6PIAg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114255+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073630871865.2133603426262; Tue, 23 Jan 2024 21:20:30 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=T1XbQllxKRa6KT9g6cCtlbbtnDkQM5aUCLmLsLaWnmY=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073630; v=1; b=b3pqZGIJcLiC7fZurFYHP+F7MCYLWviWLQ+Ov6lQYWRCNTsFVk8P43ynzEieZquAWcICirWM WojO061blV7ih4Eo52zJaoMJc/OA2MCsXDp7yePuT4qE81AcBgXrJTNxxgzXCd5Zzy0Itk1nXRz V9LJh17lMOL7SV7DkJZlpt9o= X-Received: by 127.0.0.2 with SMTP id IDexYY1788612xAXvxziswpg; Tue, 23 Jan 2024 21:20:30 -0800 X-Received: from mail-yw1-f182.google.com (mail-yw1-f182.google.com [209.85.128.182]) by mx.groups.io with SMTP id smtpd.web10.16099.1706073629861346899 for ; Tue, 23 Jan 2024 21:20:30 -0800 X-Received: by mail-yw1-f182.google.com with SMTP id 00721157ae682-5ff88cbbcceso42930057b3.2 for ; Tue, 23 Jan 2024 21:20:29 -0800 (PST) X-Gm-Message-State: n88IT6MNR2MQSoVAqAafV3arx1787277AA= X-Google-Smtp-Source: AGHT+IEG3z47VCjTdkWPBUcQzPnnHCod/zflWkYHSw//akoyhyQKs6kgjNCRFPb6SKAI2sjYzTjaQA== X-Received: by 2002:a0d:ee46:0:b0:5ff:83be:893b with SMTP id x67-20020a0dee46000000b005ff83be893bmr320571ywe.86.1706073628697; Tue, 23 Jan 2024 21:20:28 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:28 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: "Douglas Flick [MSFT]" , Saloni Kasbekar , Zachary Clark-williams Subject: [edk2-devel] [PATCH 03/14] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch Date: Tue, 23 Jan 2024 19:33:26 -0800 Message-ID: <4dfb9f186a10038db10b9c3c56748cae38357f0a.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073632293100011 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4534 SECURITY PATCH - Patch TCBZ4534 CVE-2023-45229 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++++++++++++++++++--- NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 203 +++++++++++++++++++++----------- 2 files changed, 256 insertions(+), 85 deletions(-) diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Imp= l.h index f2422c2f2827..220e7c68f11b 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h @@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') =20 +#define DHCP6_PACKET_ALL 0 +#define DHCP6_PACKET_STATEFUL 1 +#define DHCP6_PACKET_STATELESS 2 + +#define DHCP6_BASE_PACKET_SIZE 1024 + +#define DHCP6_PORT_CLIENT 546 +#define DHCP6_PORT_SERVER 547 + +#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20) + +#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE= , Dhcp6, DHCP6_INSTANCE_SIGNATURE) +#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, = ServiceBinding, DHCP6_SERVICE_SIGNATURE) + // // For more information on DHCP options see RFC 8415, Section 21.1 // @@ -59,12 +73,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; // | (option-len octets) | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // -#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16)) -#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16)) +#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->O= pCode)) +#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->O= pLen)) =20 -// // Combined size of Code and Length -// #define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ DHCP6_SIZE_OF_OPT_LEN) =20 @@ -73,34 +85,122 @@ STATIC_ASSERT ( "Combined size of Code and Length must be 4 per RFC 8415" ); =20 -// // Offset to the length is just past the code -// -#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE) +#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE) STATIC_ASSERT ( - DHCP6_OPT_LEN_OFFSET (0) =3D=3D 2, + DHCP6_OFFSET_OF_OPT_LEN (0) =3D=3D 2, "Offset of length is + 2 past start of option" ); =20 -#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) +#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_= LEN) STATIC_ASSERT ( - DHCP6_OPT_DATA_OFFSET (0) =3D=3D 4, + DHCP6_OFFSET_OF_OPT_DATA (0) =3D=3D 4, "Offset to option data should be +4 from start of option" ); +// +// Identity Association options (both NA (Non-Temporary) and TA (Temporary= Association)) +// are defined in RFC 8415 and are a deriviation of a TLV stucture +// For more information on IA_NA see Section 21.4 +// For more information on IA_TA see Section 21.5 +// +// +// The format of IA_NA and IA_TA option: +// +// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | OPTION_IA_NA | option-len | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | IAID (4 octets) | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | T1 (only for IA_NA) | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | T2 (only for IA_NA) | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | | +// . IA_NA-options/IA_TA-options . +// . . +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// +#define DHCP6_SIZE_OF_IAID (sizeof(UINT32)) +#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32)) =20 -#define DHCP6_PACKET_ALL 0 -#define DHCP6_PACKET_STATEFUL 1 -#define DHCP6_PACKET_STATELESS 2 +// Combined size of IAID, T1, and T2 +#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \ + DHCP6_SIZE_OF_TIME_INTERVAL + \ + DHCP6_SIZE_OF_TIME_INTERVAL) +STATIC_ASSERT ( + DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 =3D=3D 12, + "Combined size of IAID, T1, T2 must be 12 per RFC 8415" + ); =20 -#define DHCP6_BASE_PACKET_SIZE 1024 +// This is the size of IA_TA without options +#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ + DHCP6_SIZE_OF_IAID) +STATIC_ASSERT ( + DHCP6_MIN_SIZE_OF_IA_TA =3D=3D 8, + "Minimum combined size of IA_TA per RFC 8415" + ); =20 -#define DHCP6_PORT_CLIENT 546 -#define DHCP6_PORT_SERVER 547 +// Offset to a IA_TA inner option +#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA) +STATIC_ASSERT ( + DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) =3D=3D 8, + "Offset of IA_TA Inner option is + 8 past start of option" + ); =20 -#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20) +// This is the size of IA_NA without options (16) +#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ + DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 +STATIC_ASSERT ( + DHCP6_MIN_SIZE_OF_IA_NA =3D=3D 16, + "Minimum combined size of IA_TA per RFC 8415" + ); =20 -#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE= , Dhcp6, DHCP6_INSTANCE_SIGNATURE) -#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, = ServiceBinding, DHCP6_SERVICE_SIGNATURE) +#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA) +STATIC_ASSERT ( + DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) =3D=3D 16, + "Offset of IA_NA Inner option is + 16 past start of option" + ); + +#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \ + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ + DHCP6_SIZE_OF_IAID) +STATIC_ASSERT ( + DHCP6_OFFSET_OF_IA_NA_T1 (0) =3D=3D 8, + "Offset of IA_NA Inner option is + 8 past start of option" + ); + +#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \ + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\ + DHCP6_SIZE_OF_IAID + \ + DHCP6_SIZE_OF_TIME_INTERVAL) +STATIC_ASSERT ( + DHCP6_OFFSET_OF_IA_NA_T2 (0) =3D=3D 12, + "Offset of IA_NA Inner option is + 12 past start of option" + ); + +// +// For more information see RFC 8415 Section 21.13 +// +// The format of the Status Code Option: +// +// 0 1 2 3 +// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | OPTION_STATUS_CODE | option-len | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | status-code | | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +// . . +// . status-message . +// . . +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// +#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_A= ND_LEN) +STATIC_ASSERT ( + DHCP6_OFFSET_OF_STATUS_CODE (0) =3D=3D 4, + "Offset of status is + 4 past start of option" + ); =20 extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress; extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate; diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index bf5aa7a769de..89d16484a568 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -598,8 +598,8 @@ Dhcp6UpdateIaInfo ( // The inner options still start with 2 bytes option-code and 2 bytes op= tion-len. // if (Instance->Config->IaDescriptor.Type =3D=3D Dhcp6OptIana) { - T1 =3D NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 8))); - T2 =3D NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 12))); + T1 =3D NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Op= tion)))); + T2 =3D NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Op= tion)))); // // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T= 1 greater than T2, // and both T1 and T2 are greater than 0, the client discards the IA_N= A option and processes @@ -609,13 +609,14 @@ Dhcp6UpdateIaInfo ( return EFI_DEVICE_ERROR; } =20 - IaInnerOpt =3D Option + 16; - IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2)= )) - 12); + IaInnerOpt =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); + IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSE= T_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2); } else { - T1 =3D 0; - T2 =3D 0; - IaInnerOpt =3D Option + 8; - IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2)= )) - 4); + T1 =3D 0; + T2 =3D 0; + + IaInnerOpt =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); + IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSE= T_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); } =20 // @@ -641,7 +642,7 @@ Dhcp6UpdateIaInfo ( Option =3D Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); =20 if (Option !=3D NULL) { - StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4))); + StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN= (Option)))); if (StsCode !=3D Dhcp6StsSuccess) { return EFI_DEVICE_ERROR; } @@ -661,6 +662,87 @@ Dhcp6UpdateIaInfo ( return Status; } =20 +/** + Seeks the Inner Options from a DHCP6 Option + + @param[in] IaType The type of the IA option. + @param[in] Option The pointer to the DHCP6 Option. + @param[in] OptionLen The length of the DHCP6 Option. + @param[out] IaInnerOpt The pointer to the IA inner option. + @param[out] IaInnerLen The length of the IA inner option. + + @retval EFI_SUCCESS Seek the inner option successfully. + @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error, + the pointers are not modified +**/ +EFI_STATUS +Dhcp6SeekInnerOptionSafe ( + IN UINT16 IaType, + IN UINT8 *Option, + IN UINT32 OptionLen, + OUT UINT8 **IaInnerOpt, + OUT UINT16 *IaInnerLen + ) +{ + UINT16 IaInnerLenTmp; + UINT8 *IaInnerOptTmp; + + if (Option =3D=3D NULL) { + ASSERT (Option !=3D NULL); + return EFI_DEVICE_ERROR; + } + + if (IaInnerOpt =3D=3D NULL) { + ASSERT (IaInnerOpt !=3D NULL); + return EFI_DEVICE_ERROR; + } + + if (IaInnerLen =3D=3D NULL) { + ASSERT (IaInnerLen !=3D NULL); + return EFI_DEVICE_ERROR; + } + + if (IaType =3D=3D Dhcp6OptIana) { + // Verify we have a fully formed IA_NA + if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) { + return EFI_DEVICE_ERROR; + } + + // + IaInnerOptTmp =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); + + // Verify the IaInnerLen is valid. + IaInnerLenTmp =3D (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFS= ET_OF_OPT_LEN (Option))); + if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) { + return EFI_DEVICE_ERROR; + } + + IaInnerLenTmp -=3D DHCP6_SIZE_OF_COMBINED_IAID_T1_T2; + } else if (IaType =3D=3D Dhcp6OptIata) { + // Verify the OptionLen is valid. + if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) { + return EFI_DEVICE_ERROR; + } + + IaInnerOptTmp =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); + + // Verify the IaInnerLen is valid. + IaInnerLenTmp =3D (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFF= SET_OF_OPT_LEN (Option)))); + if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) { + return EFI_DEVICE_ERROR; + } + + IaInnerLenTmp -=3D DHCP6_SIZE_OF_IAID; + } else { + return EFI_DEVICE_ERROR; + } + + *IaInnerOpt =3D IaInnerOptTmp; + *IaInnerLen =3D IaInnerLenTmp; + + return EFI_SUCCESS; +} + /** Seek StatusCode Option in package. A Status Code option may appear in the options field of a DHCP message and/or in the options field of another o= ption. @@ -684,6 +766,12 @@ Dhcp6SeekStsOption ( UINT8 *IaInnerOpt; UINT16 IaInnerLen; UINT16 StsCode; + UINT32 OptionLen; + + // OptionLen is the length of the Options excluding the DHCP header. + // Length of the EFI_DHCP6_PACKET from the first byte of the Header fiel= d to the last + // byte of the Option[] field. + OptionLen =3D Packet->Length - sizeof (Packet->Dhcp6.Header); =20 // // Seek StatusCode option directly in DHCP message body. That is, search= in @@ -691,12 +779,12 @@ Dhcp6SeekStsOption ( // *Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option, - Packet->Length - 4, + OptionLen, Dhcp6OptStatusCode ); =20 if (*Option !=3D NULL) { - StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4))); + StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_= CODE (*Option)))); if (StsCode !=3D Dhcp6StsSuccess) { return EFI_DEVICE_ERROR; } @@ -707,7 +795,7 @@ Dhcp6SeekStsOption ( // *Option =3D Dhcp6SeekIaOption ( Packet->Dhcp6.Option, - Packet->Length - sizeof (EFI_DHCP6_HEADER), + OptionLen, &Instance->Config->IaDescriptor ); if (*Option =3D=3D NULL) { @@ -715,52 +803,35 @@ Dhcp6SeekStsOption ( } =20 // - // The format of the IA_NA option is: + // Calculate the distance from Packet->Dhcp6.Option to the IA option. // - // 0 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | OPTION_IA_NA | option-len | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | IAID (4 octets) | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | T1 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | T2 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | | - // . IA_NA-options . - // . . - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + // Packet->Size and Packet->Length are both UINT32 type, and Packet->Siz= e is + // the size of the whole packet, including the DHCP header, and Packet->= Length + // is the length of the DHCP message body, excluding the DHCP header. // - // The format of the IA_TA option is: + // (*Option - Packet->Dhcp6.Option) is the number of bytes from the star= t of + // DHCP6 option area to the start of the IA option. // - // 0 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | OPTION_IA_TA | option-len | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | IAID (4 octets) | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // | | - // . IA_TA-options . - // . . - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the + // IA option to the end of the DHCP6 option area, thus subtract the space + // up until this option // + OptionLen =3D OptionLen - (*Option - Packet->Dhcp6.Option); =20 // - // sizeof (option-code + option-len + IaId) =3D 8 - // sizeof (option-code + option-len + IaId + T1) =3D 12 - // sizeof (option-code + option-len + IaId + T1 + T2) =3D 16 + // Seek the inner option // - // The inner options still start with 2 bytes option-code and 2 bytes op= tion-len. - // - if (Instance->Config->IaDescriptor.Type =3D=3D Dhcp6OptIana) { - IaInnerOpt =3D *Option + 16; - IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2= ))) - 12); - } else { - IaInnerOpt =3D *Option + 8; - IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2= ))) - 4); + if (EFI_ERROR ( + Dhcp6SeekInnerOptionSafe ( + Instance->Config->IaDescriptor.Type, + *Option, + OptionLen, + &IaInnerOpt, + &IaInnerLen + ) + )) + { + return EFI_DEVICE_ERROR; } =20 // @@ -784,7 +855,7 @@ Dhcp6SeekStsOption ( // *Option =3D Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); if (*Option !=3D NULL) { - StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4))); + StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS= _CODE (*Option))))); if (StsCode !=3D Dhcp6StsSuccess) { return EFI_DEVICE_ERROR; } @@ -1105,7 +1176,7 @@ Dhcp6SendRequestMsg ( // Option =3D Dhcp6SeekOption ( Instance->AdSelect->Dhcp6.Option, - Instance->AdSelect->Length - 4, + Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptServerId ); if (Option =3D=3D NULL) { @@ -1289,7 +1360,7 @@ Dhcp6SendDeclineMsg ( // Option =3D Dhcp6SeekOption ( LastReply->Dhcp6.Option, - LastReply->Length - 4, + LastReply->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptServerId ); if (Option =3D=3D NULL) { @@ -1448,7 +1519,7 @@ Dhcp6SendReleaseMsg ( // Option =3D Dhcp6SeekOption ( LastReply->Dhcp6.Option, - LastReply->Length - 4, + LastReply->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptServerId ); if (Option =3D=3D NULL) { @@ -1673,7 +1744,7 @@ Dhcp6SendRenewRebindMsg ( =20 Option =3D Dhcp6SeekOption ( LastReply->Dhcp6.Option, - LastReply->Length - 4, + LastReply->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptServerId ); if (Option =3D=3D NULL) { @@ -2208,7 +2279,7 @@ Dhcp6HandleReplyMsg ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option, - Packet->Length - 4, + Packet->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptRapidCommit ); =20 @@ -2354,7 +2425,7 @@ Dhcp6HandleReplyMsg ( // // Any error status code option is found. // - StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4))); + StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS= _CODE (Option))))); switch (StsCode) { case Dhcp6StsUnspecFail: // @@ -2487,7 +2558,7 @@ Dhcp6SelectAdvertiseMsg ( // Option =3D Dhcp6SeekOption ( AdSelect->Dhcp6.Option, - AdSelect->Length - 4, + AdSelect->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptServerUnicast ); =20 @@ -2498,7 +2569,7 @@ Dhcp6SelectAdvertiseMsg ( return EFI_OUT_OF_RESOURCES; } =20 - CopyMem (Instance->Unicast, Option + 4, sizeof (EFI_IPv6_ADDRESS)); + CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof = (EFI_IPv6_ADDRESS)); } =20 // @@ -2551,7 +2622,7 @@ Dhcp6HandleAdvertiseMsg ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option, - Packet->Length - 4, + Packet->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptRapidCommit ); =20 @@ -2645,7 +2716,7 @@ Dhcp6HandleAdvertiseMsg ( CopyMem (Instance->AdSelect, Packet, Packet->Size); =20 if (Option !=3D NULL) { - Instance->AdPref =3D *(Option + 4); + Instance->AdPref =3D *(DHCP6_OFFSET_OF_OPT_DATA (Option)); } } else { // @@ -2714,11 +2785,11 @@ Dhcp6HandleStateful ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option, - Packet->Length - 4, + Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN, Dhcp6OptClientId ); =20 - if ((Option =3D=3D NULL) || (CompareMem (Option + 4, ClientId->Duid, Cli= entId->Length) !=3D 0)) { + if ((Option =3D=3D NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Optio= n), ClientId->Duid, ClientId->Length) !=3D 0)) { goto ON_CONTINUE; } =20 @@ -2727,7 +2798,7 @@ Dhcp6HandleStateful ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option, - Packet->Length - 4, + Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN, Dhcp6OptServerId ); =20 @@ -2832,7 +2903,7 @@ Dhcp6HandleStateless ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option, - Packet->Length - 4, + Packet->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptServerId ); =20 --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114255): https://edk2.groups.io/g/devel/message/114255 Mute This Topic: https://groups.io/mt/103926733/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114256+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114256+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073631; cv=none; d=zohomail.com; s=zohoarc; b=jrthgyU4BQQ2eTSTpByKsc72GxwfRE804xLGELwmbUe7PAjt6yxVpdxF8Let+wKPmndz0GoRN2WDxdFrzQSp0XH41aJCM9ZvGfmI+n08ShTQnkblpbcZA4S0kyHfqEL138UqVl1ZAyz6AO6OG6y0TgwmbhzK7H4mD543sjkNy7Y= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073631; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=dd87rJX6KX118nEshYNL+zdOg/rB1K7ZqFDKN1rmtd8=; b=Cn+Rbk7baI2/uCpSmFPetCEnmsvIrI72DLzCG5mis3Z/TSWYkQcrlLaor91cwi46sn09mwgCeLksEgkNp5v5Urv8YuntI2aHvWaZ+UTsffV7Diyt/uWPS0VHZ6mZ6XVmFVNvqQghQTUxsspCcBs34rjPbuMcqN4B4bCUH9e3irY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114256+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073631391513.1199465401849; Tue, 23 Jan 2024 21:20:31 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=1LZ1I4yQmdy04PWw+HQBlZ5peWUb6QcU6RaKH9S+eDI=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073631; v=1; b=tR+dgv+aG5lXCI6gMesD+q32pfWRlY2DF3qL4qOEzPbvpKIk/p9+bAjuIYorHeDUJBnm/Xtl ph3GDSKWxWUlLHeStSFWkGAMk6iie3YA6l5rnJ3n2kgX32qlYymg8ThQgIBNB6vjfURZKmdh1ll TolYloaGHt4y7FuhNQm3HKtE= X-Received: by 127.0.0.2 with SMTP id gNxcYY1788612xxn4asKbGlO; Tue, 23 Jan 2024 21:20:31 -0800 X-Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by mx.groups.io with SMTP id smtpd.web11.16103.1706073630477624504 for ; Tue, 23 Jan 2024 21:20:30 -0800 X-Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-5cddfe0cb64so2569410a12.0 for ; Tue, 23 Jan 2024 21:20:30 -0800 (PST) X-Gm-Message-State: ab6xUHCA4iQq2cyNlUA5l6z4x1787277AA= X-Google-Smtp-Source: AGHT+IHagWLT3iDQl+Og4ecyn7jfS13hYYJPJxdi/ZSwfyEMG+RPH/15znPGtJ4gz0uvBE0TV4u8YQ== X-Received: by 2002:a17:903:2649:b0:1d7:4ea2:3dc3 with SMTP id je9-20020a170903264900b001d74ea23dc3mr173555plb.82.1706073629503; Tue, 23 Jan 2024 21:20:29 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:29 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: "Douglas Flick [MSFT]" , Saloni Kasbekar , Zachary Clark-williams Subject: [edk2-devel] [PATCH 04/14] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests Date: Tue, 23 Jan 2024 19:33:27 -0800 Message-ID: <9cedd6b0094a541bf6a32c728feda217c0964ea4.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073632297100012 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4534 SECURITY PATCH - Unit Tests TCBZ4534 CVE-2023-45229 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 + .../GoogleTest/Dhcp6DxeGoogleTest.inf | 1 + .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | 58 +++ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 2 +- .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 365 +++++++++++++++++- 5 files changed, 424 insertions(+), 3 deletions(-) create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/Netwo= rkPkgHostTest.dsc index 20bc90b1728d..24dee654df2e 100644 --- a/NetworkPkg/Test/NetworkPkgHostTest.dsc +++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc @@ -16,6 +16,7 @@ [Defines] SKUID_IDENTIFIER =3D DEFAULT =20 !include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc + [Packages] MdePkg/MdePkg.dec UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/Networ= kPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf index 8e9119a37158..12532ed30cb3 100644 --- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf @@ -18,6 +18,7 @@ [Defines] [Sources] Dhcp6DxeGoogleTest.cpp Dhcp6IoGoogleTest.cpp + Dhcp6IoGoogleTest.h ../Dhcp6Io.c ../Dhcp6Utility.c =20 diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h b/NetworkPk= g/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h new file mode 100644 index 000000000000..aed3b890827b --- /dev/null +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h @@ -0,0 +1,58 @@ +/** @file + Acts as header for private functions under test in Dhcp6Io.c + + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef DHCP6_IO_GOOGLE_TEST_H_ +#define DHCP6_IO_GOOGLE_TEST_H_ + +//////////////////////////////////////////////////////////////////////////= ////// +// These are the functions that are being unit tested +//////////////////////////////////////////////////////////////////////////= ////// + +#include + +/** + Seeks the Inner Options from a DHCP6 Option + + @param[in] IaType The type of the IA option. + @param[in] Option The pointer to the DHCP6 Option. + @param[in] OptionLen The length of the DHCP6 Option. + @param[out] IaInnerOpt The pointer to the IA inner option. + @param[out] IaInnerLen The length of the IA inner option. + + @retval EFI_SUCCESS Seek the inner option successfully. + @retval EFI_DEVICE_ERROR The OptionLen is invalid. +*/ +EFI_STATUS +Dhcp6SeekInnerOptionSafe ( + UINT16 IaType, + UINT8 *Option, + UINT32 OptionLen, + UINT8 **IaInnerOpt, + UINT16 *IaInnerLen + ); + +/** + Seek StatusCode Option in package. A Status Code option may appear in the + options field of a DHCP message and/or in the options field of another o= ption. + See details in section 22.13, RFC3315. + + @param[in] Instance The pointer to the Dhcp6 instance. + @param[in] Packet The pointer to reply messages. + @param[out] Option The pointer to status code option. + + @retval EFI_SUCCESS Seek status code option successfully. + @retval EFI_DEVICE_ERROR An unexpected error. + +**/ +EFI_STATUS +Dhcp6SeekStsOption ( + IN DHCP6_INSTANCE *Instance, + IN EFI_DHCP6_PACKET *Packet, + OUT UINT8 **Option + ); + +#endif // DHCP6_IO_GOOGLE_TEST_H diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index 89d16484a568..3b8feb4a2032 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -816,7 +816,7 @@ Dhcp6SeekStsOption ( // IA option to the end of the DHCP6 option area, thus subtract the space // up until this option // - OptionLen =3D OptionLen - (*Option - Packet->Dhcp6.Option); + OptionLen =3D OptionLen - (UINT32)(*Option - Packet->Dhcp6.Option); =20 // // Seek the inner option diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/Network= Pkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp index 7ee40e4af480..7db253a7b87f 100644 --- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp @@ -13,6 +13,7 @@ extern "C" { #include #include "../Dhcp6Impl.h" #include "../Dhcp6Utility.h" + #include "Dhcp6IoGoogleTest.h" } =20 //////////////////////////////////////////////////////////////////////// @@ -21,7 +22,35 @@ extern "C" { =20 #define DHCP6_PACKET_MAX_LEN 1500 =20 +// This definition is used by this test but is also required to compile +// by Dhcp6Io.c +#define DHCPV6_OPTION_IA_NA 3 +#define DHCPV6_OPTION_IA_TA 4 + +#define SEARCH_PATTERN 0xDEADC0DE +#define SEARCH_PATTERN_LEN sizeof(SEARCH_PATTERN) + //////////////////////////////////////////////////////////////////////// +// Test structures for IA_NA and IA_TA options +//////////////////////////////////////////////////////////////////////// +typedef struct { + UINT16 Code; + UINT16 Len; + UINT32 IAID; +} DHCPv6_OPTION; + +typedef struct { + DHCPv6_OPTION Header; + UINT32 T1; + UINT32 T2; + UINT8 InnerOptions[0]; +} DHCPv6_OPTION_IA_NA; + +typedef struct { + DHCPv6_OPTION Header; + UINT8 InnerOptions[0]; +} DHCPv6_OPTION_IA_TA; + //////////////////////////////////////////////////////////////////////// // Symbol Definitions // These functions are not directly under test - but required to compile @@ -210,7 +239,7 @@ TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBuffe= rTooSmall) { Status =3D Dhcp6AppendETOption ( Dhcp6AppendETOptionTest::Packet, &Cursor, - &Instance, // Instance is not used in this function + &Instance, // Instance is not used in this= function &ElapsedTime ); =20 @@ -240,7 +269,7 @@ TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess= ) { Status =3D Dhcp6AppendETOption ( Dhcp6AppendETOptionTest::Packet, &Cursor, - &Instance, // Instance is not used in this function + &Instance, // Instance is not used in this= function &ElapsedTime ); =20 @@ -476,3 +505,335 @@ TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectS= uccess) { // verify that the status is EFI_SUCCESS ASSERT_EQ (Status, EFI_SUCCESS); } + +//////////////////////////////////////////////////////////////////////// +// Dhcp6SeekInnerOptionSafe Tests +//////////////////////////////////////////////////////////////////////// + +// Define a fixture for your tests if needed +class Dhcp6SeekInnerOptionSafeTest : public ::testing::Test { +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + // Initialize any resources or variables + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + // Clean up any resources or variables + } +}; + +// Test Description: +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS wh= en the IANA option is found. +TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAValidOptionExpectSuccess) { + EFI_STATUS Result; + UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTER= N_LEN] =3D { 0 }; + UINT32 OptionLength = =3D sizeof (Option); + DHCPv6_OPTION_IA_NA *OptionPtr = =3D (DHCPv6_OPTION_IA_NA *)Option; + UINT32 SearchPattern = =3D SEARCH_PATTERN; + + UINTN SearchPatternLength =3D SEARCH_PATTERN_LEN; + UINT8 *InnerOptionPtr =3D NULL; + UINT16 InnerOptionLength =3D 0; + + OptionPtr->Header.Code =3D Dhcp6OptIana; + OptionPtr->Header.Len =3D HTONS (4 + 12); // Valid length has to be mor= e than 12 + OptionPtr->Header.IAID =3D 0x12345678; + OptionPtr->T1 =3D 0x11111111; + OptionPtr->T2 =3D 0x22222222; + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); + + Result =3D Dhcp6SeekInnerOptionSafe ( + Dhcp6OptIana, + Option, + OptionLength, + &InnerOptionPtr, + &InnerOptionLength + ); + ASSERT_EQ (Result, EFI_SUCCESS); + ASSERT_EQ (InnerOptionLength, 4); + ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLeng= th), 0); +} + +// Test Description: +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_DEIVCE_ERR= OR when the IANA option size is invalid. +TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAInvalidSizeExpectFail) { + // Lets add an inner option of bytes we expect to find + EFI_STATUS Status; + UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTER= N_LEN] =3D { 0 }; + UINT32 OptionLength = =3D sizeof (Option); + DHCPv6_OPTION_IA_NA *OptionPtr = =3D (DHCPv6_OPTION_IA_NA *)Option; + UINT32 SearchPattern = =3D SEARCH_PATTERN; + + UINTN SearchPatternLength =3D SEARCH_PATTERN_LEN; + UINT8 *InnerOptionPtr =3D NULL; + UINT16 InnerOptionLength =3D 0; + + OptionPtr->Header.Code =3D Dhcp6OptIana; + OptionPtr->Header.Len =3D HTONS (4); // Set the length to lower than ex= pected (12) + OptionPtr->Header.IAID =3D 0x12345678; + OptionPtr->T1 =3D 0x11111111; + OptionPtr->T2 =3D 0x22222222; + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); + + // Set the InnerOptionLength to be less than the size of the option + Status =3D Dhcp6SeekInnerOptionSafe ( + Dhcp6OptIana, + Option, + OptionLength, + &InnerOptionPtr, + &InnerOptionLength + ); + ASSERT_EQ (Status, EFI_DEVICE_ERROR); + + // Now set the OptionLength to be less than the size of the option + OptionLength =3D sizeof (DHCPv6_OPTION_IA_NA) - 1; + Status =3D Dhcp6SeekInnerOptionSafe ( + Dhcp6OptIana, + Option, + OptionLength, + &InnerOptionPtr, + &InnerOptionLength + ); + ASSERT_EQ (Status, EFI_DEVICE_ERROR); +} + +// Test Description: +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS wh= en the IATA option is found +TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAValidOptionExpectSuccess) { + // Lets add an inner option of bytes we expect to find + EFI_STATUS Status; + UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTER= N_LEN] =3D { 0 }; + UINT32 OptionLength = =3D sizeof (Option); + DHCPv6_OPTION_IA_TA *OptionPtr = =3D (DHCPv6_OPTION_IA_TA *)Option; + UINT32 SearchPattern = =3D SEARCH_PATTERN; + + UINTN SearchPatternLength =3D SEARCH_PATTERN_LEN; + UINT8 *InnerOptionPtr =3D NULL; + UINT16 InnerOptionLength =3D 0; + + OptionPtr->Header.Code =3D Dhcp6OptIata; + OptionPtr->Header.Len =3D HTONS (4 + 4); // Valid length has to be more= than 4 + OptionPtr->Header.IAID =3D 0x12345678; + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); + + Status =3D Dhcp6SeekInnerOptionSafe ( + Dhcp6OptIata, + Option, + OptionLength, + &InnerOptionPtr, + &InnerOptionLength + ); + ASSERT_EQ (Status, EFI_SUCCESS); + ASSERT_EQ (InnerOptionLength, 4); + ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLeng= th), 0); +} + +// Test Description: +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS wh= en the IATA option size is invalid. +TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAInvalidSizeExpectFail) { + // Lets add an inner option of bytes we expect to find + EFI_STATUS Status; + UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTER= N_LEN] =3D { 0 }; + UINT32 OptionLength = =3D sizeof (Option); + DHCPv6_OPTION_IA_TA *OptionPtr = =3D (DHCPv6_OPTION_IA_TA *)Option; + UINT32 SearchPattern = =3D SEARCH_PATTERN; + + UINTN SearchPatternLength =3D SEARCH_PATTERN_LEN; + UINT8 *InnerOptionPtr =3D NULL; + UINT16 InnerOptionLength =3D 0; + + OptionPtr->Header.Code =3D Dhcp6OptIata; + OptionPtr->Header.Len =3D HTONS (2); // Set the length to lower than ex= pected (4) + OptionPtr->Header.IAID =3D 0x12345678; + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); + + Status =3D Dhcp6SeekInnerOptionSafe ( + Dhcp6OptIata, + Option, + OptionLength, + &InnerOptionPtr, + &InnerOptionLength + ); + ASSERT_EQ (Status, EFI_DEVICE_ERROR); + + // Now lets try modifying the OptionLength to be less than the size of t= he option + OptionLength =3D sizeof (DHCPv6_OPTION_IA_TA) - 1; + Status =3D Dhcp6SeekInnerOptionSafe ( + Dhcp6OptIata, + Option, + OptionLength, + &InnerOptionPtr, + &InnerOptionLength + ); + ASSERT_EQ (Status, EFI_DEVICE_ERROR); +} + +// Test Description: +// This test verifies that any other Option Type fails +TEST_F (Dhcp6SeekInnerOptionSafeTest, InvalidOption) { + // Lets add an inner option of bytes we expect to find + EFI_STATUS Result; + UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTER= N_LEN] =3D { 0 }; + UINT32 OptionLength = =3D sizeof (Option); + DHCPv6_OPTION_IA_TA *OptionPtr = =3D (DHCPv6_OPTION_IA_TA *)Option; + UINT32 SearchPattern = =3D SEARCH_PATTERN; + + UINTN SearchPatternLength =3D SEARCH_PATTERN_LEN; + UINT8 *InnerOptionPtr =3D NULL; + UINT16 InnerOptionLength =3D 0; + + OptionPtr->Header.Code =3D 0xC0DE; + OptionPtr->Header.Len =3D HTONS (2); // Set the length to lower than ex= pected (4) + OptionPtr->Header.IAID =3D 0x12345678; + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); + + Result =3D Dhcp6SeekInnerOptionSafe (0xC0DE, Option, OptionLength, &Inne= rOptionPtr, &InnerOptionLength); + ASSERT_EQ (Result, EFI_DEVICE_ERROR); +} + +//////////////////////////////////////////////////////////////////////// +// Dhcp6SeekStsOption Tests +//////////////////////////////////////////////////////////////////////// + +#define PACKET_SIZE (1500) + +class Dhcp6SeekStsOptionTest : public ::testing::Test { +public: + DHCP6_INSTANCE Instance =3D { 0 }; + EFI_DHCP6_PACKET *Packet =3D NULL; + EFI_DHCP6_CONFIG_DATA Config =3D { 0 }; + +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + // Allocate a packet + Packet =3D (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE); + ASSERT_NE (Packet, nullptr); + + // Initialize the packet + Packet->Size =3D PACKET_SIZE; + + Instance.Config =3D &Config; + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + // Clean up any resources or variables + FreePool (Packet); + } +}; + +// Test Description: +// This test verifies that Dhcp6SeekStsOption returns EFI_DEVICE_ERROR whe= n the option is invalid +// This verifies that the calling function is working as expected +TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) { + EFI_STATUS Status; + UINT8 *Option =3D NULL; + UINT32 SearchPattern =3D SEARCH_PATTERN; + UINT16 SearchPatternLength =3D SEARCH_PATTERN_LEN; + UINT16 *Len =3D NULL; + EFI_DHCP6_IA Ia =3D { 0 }; + + Ia.Descriptor.Type =3D DHCPV6_OPTION_IA_TA; + Ia.IaAddressCount =3D 1; + Ia.IaAddress[0].PreferredLifetime =3D 0xDEADBEEF; + Ia.IaAddress[0].ValidLifetime =3D 0xDEADAAAA; + Ia.IaAddress[0].IpAddress =3D mAllDhcpRelayAndServersAddress; + + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); + + Option =3D Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option; + + // Let's append the option to the packet + Status =3D Dhcp6AppendOption ( + Dhcp6SeekStsOptionTest::Packet, + &Option, + Dhcp6OptStatusCode, + SearchPatternLength, + (UINT8 *)&SearchPattern + ); + ASSERT_EQ (Status, EFI_SUCCESS); + + // Inner option length - this will be overwritten later + Len =3D (UINT16 *)(Option + 2); + + // Fill in the inner IA option + Status =3D Dhcp6AppendIaOption ( + Dhcp6SeekStsOptionTest::Packet, + &Option, + &Ia, + 0x12345678, + 0x11111111, + 0x22222222 + ); + ASSERT_EQ (Status, EFI_SUCCESS); + + // overwrite the len of inner Ia option + *Len =3D HTONS (3); + + Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type =3D DHCPV6_OP= TION_IA_TA; + + Option =3D NULL; + Status =3D Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp= 6SeekStsOptionTest::Packet, &Option); + + ASSERT_EQ (Status, EFI_DEVICE_ERROR); +} + +// Test Description: +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS wh= en the IATA option size is invalid. +TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) { + EFI_STATUS Status =3D EFI_NOT_FOUND; + UINT8 *Option =3D NULL; + UINT32 SearchPattern =3D SEARCH_PATTERN; + UINT16 SearchPatternLength =3D SEARCH_PATTERN_LEN; + EFI_DHCP6_IA Ia =3D { 0 }; + + Ia.Descriptor.Type =3D DHCPV6_OPTION_IA_NA; + Ia.IaAddressCount =3D 1; + Ia.IaAddress[0].PreferredLifetime =3D 0x11111111; + Ia.IaAddress[0].ValidLifetime =3D 0x22222222; + Ia.IaAddress[0].IpAddress =3D mAllDhcpRelayAndServersAddress; + Packet->Length =3D sizeof (EFI_DHCP6_HEADER); + + Option =3D Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option; + + Status =3D Dhcp6AppendOption ( + Dhcp6SeekStsOptionTest::Packet, + &Option, + Dhcp6OptStatusCode, + SearchPatternLength, + (UINT8 *)&SearchPattern + ); + ASSERT_EQ (Status, EFI_SUCCESS); + + Status =3D Dhcp6AppendIaOption ( + Dhcp6SeekStsOptionTest::Packet, + &Option, + &Ia, + 0x12345678, + 0x11111111, + 0x22222222 + ); + ASSERT_EQ (Status, EFI_SUCCESS); + + Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type =3D DHCPV6_OP= TION_IA_NA; + + Option =3D NULL; + Status =3D Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp= 6SeekStsOptionTest::Packet, &Option); + + ASSERT_EQ (Status, EFI_SUCCESS); +} --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114256): https://edk2.groups.io/g/devel/message/114256 Mute This Topic: https://groups.io/mt/103926734/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114257+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114257+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073631; cv=none; d=zohomail.com; s=zohoarc; b=GxGLsstljirckpuTTsbCUhjP88KJ3EvMPKVn43hUEUuNUbK8t+MzjzPJy4BnE35OROLrPLcmqorB39Qaov4zEMJ8UhBEz+357gemJQ0VSQDU7+ZmfDUyBdjV0fpNa3Tvr4uMxjeXYqiRCP4eFbNV4QgdnfjyI9nuPJOCYeYAjmQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073631; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=uGjgFP1lhcp6Lypkri7lqXleX56gMUt1C1jeyRhgSvc=; b=Y0uOxKSLqd+PCYaGdKLRO+e8EjSmTMHt8i3XvjGIJoYNbuHcwT9Pm9zZOvSWIaDHXyFdTixiwRXwQ34QFSNiOkdTQzfDbb60cUhU1hHgCb4EMbx8rD4Z5XYg/9pZ0dd8seUCxOd06q7fpCXhbTqCKG4pUyPN6tyJ5R+pc+pL748= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114257+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073631869123.43845118009267; Tue, 23 Jan 2024 21:20:31 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=GMDApCxl5cDhGnQhBIx9jEu7yw7cGpjakPcfCSzSWWA=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073631; v=1; b=OZbA3iTiJSeN0dbPGFJ5tbrxveFrI62p1JpAu/6RHj+j7NifZzAmvOmrRJSUoofTl9oD5rn9 xHiu4+0XlXiuGiaHBkycfw4zRD1+A1/dcMo2MEKiPlKW+yZa++GjWSV8h54YjFYf7BzUVevGaNA u9c5vvCxGhzQh3mFoFVW8ew4= X-Received: by 127.0.0.2 with SMTP id DpGAYY1788612xyPwZcKCOB7; Tue, 23 Jan 2024 21:20:31 -0800 X-Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web11.16104.1706073630752031188 for ; Tue, 23 Jan 2024 21:20:30 -0800 X-Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-1d74dce86f7so24121395ad.2 for ; Tue, 23 Jan 2024 21:20:30 -0800 (PST) X-Gm-Message-State: GQKECz6Dc8uY4XFXiigQGWuTx1787277AA= X-Google-Smtp-Source: AGHT+IG+q2hNfvMGbmqq6MCYY+eQHtPrL1C2GSpb+Y41vVMRtsHIQbLjHQAkgNcT44aJR2WFLBFGaw== X-Received: by 2002:a17:902:d486:b0:1d5:36e8:9ac0 with SMTP id c6-20020a170902d48600b001d536e89ac0mr344957plg.50.1706073630163; Tue, 23 Jan 2024 21:20:30 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:29 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 05/14] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 - Patch Date: Tue, 23 Jan 2024 19:33:28 -0800 Message-ID: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073632248100009 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4536 SECURITY PATCH - Patch TCBZ4536 CVE-2023-45231 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 199eea124dfe..8718d5d8756a 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c @@ -137,6 +137,14 @@ Ip6IsNDOptionValid ( return FALSE; } =20 + // + // Cannot process truncated options. + // Cannot process options with a length of 0 as there is no Type field. + // + if (OptionLen < sizeof (IP6_OPTION_HEADER)) { + return FALSE; + } + Offset =3D 0; =20 // --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114257): https://edk2.groups.io/g/devel/message/114257 Mute This Topic: https://groups.io/mt/103926735/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114258+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114258+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073632; cv=none; d=zohomail.com; s=zohoarc; b=FTERwsKky4oIJ5GxC1agKVYjP/i0/tgmf9q7dvAzsLKB8bobTnwsudbslL5SxBtucGF25ju4rahOaE+iD1oLAJ7Bw6PXO7/Yxb2V4mHu+ATnNRQkhtWCfhb2KLsEdECI0mHPaPfxNL5duqjyJ0YtVEzbQfa1BihelzzQyYncaio= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073632; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=QNUEYima4IBRkCCekPunX1eVfgXN7a1jznnrx5dVLh0=; b=RDp/CPO9t5AlgneY0SjNNhQaTg8ZnR2vIbsQrrnHlXVnlvso7DLTpyEvO1D8Y0jN2VAnIR2hZXu/fGP/kYMbQ5FI+kpJkbe+rfH+BTvrt/wLPs40yFxSzfLlUrVcBwOLhVj+lVqrB87rV4Bc6DXH/sLdo0lIbPgR9uJ7GeQSBNM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114258+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073632603557.5770836398185; Tue, 23 Jan 2024 21:20:32 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=QMz6KxHFFSWoFwPjJzrp551OGiPOyyt9KUW1yco8NW0=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073632; v=1; b=vbndVspKtctQhN9nccDYzT7UiRCOHcT0frc1mTNxLLp+Asi8gcNCj4x7AGb6UWamybighY+X ay+Wr2xXmQI+N+icFS4XrOmOAmT4ooV6wAf0OXN+CZZGxuRNANz8FRG4f/vHvCem6Y0HQrUs6BK 4LR7n46IQ0R6JjtpwLZK9R8Y= X-Received: by 127.0.0.2 with SMTP id IWm9YY1788612xiGSkZgKGUe; Tue, 23 Jan 2024 21:20:32 -0800 X-Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web10.16100.1706073631665720135 for ; Tue, 23 Jan 2024 21:20:31 -0800 X-Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1d74045c463so20611585ad.3 for ; Tue, 23 Jan 2024 21:20:31 -0800 (PST) X-Gm-Message-State: NHml0NsCapCHRjR38ETmOpG4x1787277AA= X-Google-Smtp-Source: AGHT+IHioiiRBl0X+jMBvePLpUgXDRjQ+obKY+d8kYLVO2KqdRMWY2dyXHKtBcvJNMBeZ1cHy/YeTA== X-Received: by 2002:a17:902:ead5:b0:1d7:35ba:6a39 with SMTP id p21-20020a170902ead500b001d735ba6a39mr201009pld.69.1706073630919; Tue, 23 Jan 2024 21:20:30 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:30 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 06/14] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 - Unit Tests Date: Tue, 23 Jan 2024 19:33:29 -0800 Message-ID: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073634279100023 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4536 SECURITY PATCH - Unit Tests TCBZ4536 CVE-2023-45231 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 + .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 42 ++++++ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp | 20 +++ .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 ++++++++++++++++++ 4 files changed, 192 insertions(+) create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/Netwo= rkPkgHostTest.dsc index 24dee654df2e..7fa7b0f9d5be 100644 --- a/NetworkPkg/Test/NetworkPkgHostTest.dsc +++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc @@ -26,6 +26,7 @@ [Components] # Build HOST_APPLICATION that tests NetworkPkg # NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf + NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf =20 # Despite these library classes being listed in [LibraryClasses] below, th= ey are not needed for the host-based unit tests. [LibraryClasses] diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg= /Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf new file mode 100644 index 000000000000..6e4de0745fb5 --- /dev/null +++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf @@ -0,0 +1,42 @@ +## @file +# Unit test suite for the Ip6Dxe using Google Test +# +# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## +[Defines] + INF_VERSION =3D 0x00010017 + BASE_NAME =3D Ip6DxeUnitTest + FILE_GUID =3D 4F05D17D-D3E7-4AAE-820C-576D46D2D34A + VERSION_STRING =3D 1.0 + MODULE_TYPE =3D HOST_APPLICATION +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# +[Sources] + Ip6DxeGoogleTest.cpp + Ip6OptionGoogleTest.cpp + ../Ip6Option.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec + NetworkPkg/NetworkPkg.dec + +[LibraryClasses] + GoogleTestLib + DebugLib + NetLib + PcdLib + +[Protocols] + gEfiDhcp6ServiceBindingProtocolGuid + +[Pcd] + gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType + +[Guids] + gZeroGuid diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp b/NetworkPkg= /Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp new file mode 100644 index 000000000000..6ebfd5fdfb70 --- /dev/null +++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp @@ -0,0 +1,20 @@ +/** @file + Acts as the main entry point for the tests for the Ip6Dxe module. + + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include + +//////////////////////////////////////////////////////////////////////////= ////// +// Run the tests +//////////////////////////////////////////////////////////////////////////= ////// +int +main ( + int argc, + char *argv[] + ) +{ + testing::InitGoogleTest (&argc, argv); + return RUN_ALL_TESTS (); +} diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/Network= Pkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp new file mode 100644 index 000000000000..f2cd90e1a952 --- /dev/null +++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp @@ -0,0 +1,129 @@ +/** @file + Tests for Ip6Option.c. + + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include + +extern "C" { + #include + #include + #include + #include "../Ip6Impl.h" + #include "../Ip6Option.h" +} + +///////////////////////////////////////////////////////////////////////// +// Defines +/////////////////////////////////////////////////////////////////////// + +#define IP6_PREFIX_INFO_OPTION_DATA_LEN 32 +#define OPTION_HEADER_IP6_PREFIX_DATA_LEN (sizeof (IP6_OPTION_HEADER) + I= P6_PREFIX_INFO_OPTION_DATA_LEN) + +//////////////////////////////////////////////////////////////////////// +// Symbol Definitions +// These functions are not directly under test - but required to compile +//////////////////////////////////////////////////////////////////////// +UINT32 mIp6Id; + +EFI_STATUS +Ip6SendIcmpError ( + IN IP6_SERVICE *IpSb, + IN NET_BUF *Packet, + IN EFI_IPv6_ADDRESS *SourceAddress OPTIONAL, + IN EFI_IPv6_ADDRESS *DestinationAddress, + IN UINT8 Type, + IN UINT8 Code, + IN UINT32 *Pointer OPTIONAL + ) +{ + // .. + return EFI_SUCCESS; +} + +//////////////////////////////////////////////////////////////////////// +// Ip6OptionValidation Tests +//////////////////////////////////////////////////////////////////////// + +// Define a fixture for your tests if needed +class Ip6OptionValidationTest : public ::testing::Test { +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + // Initialize any resources or variables + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + // Clean up any resources or variables + } +}; + +// Test Description: +// Null option should return false +TEST_F (Ip6OptionValidationTest, NullOptionShouldReturnFalse) { + UINT8 *option =3D nullptr; + UINT16 optionLen =3D 10; // Provide a suitable length + + EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); +} + +// Test Description: +// Truncated option should return false +TEST_F (Ip6OptionValidationTest, TruncatedOptionShouldReturnFalse) { + UINT8 option[] =3D { 0x01 }; // Provide a truncated option + UINT16 optionLen =3D 1; + + EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); +} + +// Test Description: +// Ip6OptionPrefixInfo Option with zero length should return false +TEST_F (Ip6OptionValidationTest, OptionWithZeroLengthShouldReturnFalse) { + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D Ip6OptionPrefixInfo; + optionHeader.Length =3D 0; + UINT8 option[sizeof (IP6_OPTION_HEADER)]; + + CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER)); + UINT16 optionLen =3D sizeof (IP6_OPTION_HEADER); + + EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); +} + +// Test Description: +// Ip6OptionPrefixInfo Option with valid length should return true +TEST_F (Ip6OptionValidationTest, ValidPrefixInfoOptionShouldReturnTrue) { + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D Ip6OptionPrefixInfo; + optionHeader.Length =3D 4; // Length 4 * 8 =3D 32 + UINT8 option[OPTION_HEADER_IP6_PREFIX_DATA_LEN]; + + CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER)); + + EXPECT_TRUE (Ip6IsNDOptionValid (option, IP6_PREFIX_INFO_OPTION_DATA_LEN= )); +} + +// Test Description: +// Ip6OptionPrefixInfo Option with invalid length should return false +TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturn= False) { + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D Ip6OptionPrefixInfo; + optionHeader.Length =3D 3; // Length 3 * 8 =3D 24 (Invalid) + UINT8 option[sizeof (IP6_OPTION_HEADER)]; + + CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER)); + UINT16 optionLen =3D sizeof (IP6_OPTION_HEADER); + + EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); +} --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114258): https://edk2.groups.io/g/devel/message/114258 Mute This Topic: https://groups.io/mt/103926736/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114259+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114259+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073633; cv=none; d=zohomail.com; s=zohoarc; b=VZlUz4bof9CwBtfRdZKUpVAGNrVJmDtT5OR01Qg6VXXkx4kJEtiMAUHNLZ+4LZx0T73ALj2eI3LCLo8PxptKaQhlrbpNeiSBcO8WLZARTF/kaJl88xDBg33GoIImuxA8mgBQe2eV23MvBnM7CJoZDpRaalXC5TCdbht0D98H93I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073633; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=njgte7grE5nzy1K1PtyHOWKbw+jW3qYnOOq8KSwDPaY=; b=YvuAtjygO43Zt1fJm70KEhpB5Liw3IzblM4UKGVYvYAZh2v51Cq5cxAQAGHYQPGCWbp/qgxuc9KyLrc6Vl0Krai4WJKi4R5jTuHuoSimL89ZsjaoSbx69sTKoRizRE37DcFSsAIf7N3cvpsG1sMqOVMSaNjKGnLC8OQbh1WK+Hk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114259+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073633453622.2702012875224; Tue, 23 Jan 2024 21:20:33 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=sywebht9rLXogLi14OuT/bj1RaPUt/eUNRh7L2ee4iw=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073633; v=1; b=XO5+dXFYeHwmQivFTaftvf3euGUH2l4TKBT/Q67vSiCKdkgukKusR5eQ0TZ+YjqPtCG1doMb lqRyWJXvBPLJD/e6MKrVtZgvWM8r+T+nhjuGV+V+0Mmo+jV6ffiihIAzylTYzAQ9ifmHIkIOwpY /qEufQEvAJddYO089KoaL5wU= X-Received: by 127.0.0.2 with SMTP id IoleYY1788612xWmQ60rVjJf; Tue, 23 Jan 2024 21:20:33 -0800 X-Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.web10.16101.1706073632480551406 for ; Tue, 23 Jan 2024 21:20:32 -0800 X-Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-1d780a392fdso3803325ad.3 for ; Tue, 23 Jan 2024 21:20:32 -0800 (PST) X-Gm-Message-State: fHSZVHlgRpXjUwJMeW8tVu3Yx1787277AA= X-Google-Smtp-Source: AGHT+IEKc8epC/wAF6lgyoOF0HMiAeaWRyZ0cYinTtss1v+A57HKdRfwZfuu45XZa/qnR1z/4h5+lw== X-Received: by 2002:a17:902:eccf:b0:1d3:f1ca:6a13 with SMTP id a15-20020a170902eccf00b001d3f1ca6a13mr426419plh.109.1706073631610; Tue, 23 Jan 2024 21:20:31 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:31 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 07/14] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch Date: Tue, 23 Jan 2024 19:33:30 -0800 Message-ID: <53d416e177a558d2d95e0fe7b2aecb52e6745bf3.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073634273100022 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4537 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4538 SECURITY PATCH - Patch TCBZ4537 CVE-2023-45232 CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') TCBZ4538 CVE-2023-45233 CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Ip6Dxe/Ip6Option.h | 89 +++++++++++++++++++++++++++++++++++ NetworkPkg/Ip6Dxe/Ip6Option.c | 76 +++++++++++++++++++++++++----- 2 files changed, 154 insertions(+), 11 deletions(-) diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h index bd8e223c8a67..5d786073ebcb 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.h +++ b/NetworkPkg/Ip6Dxe/Ip6Option.h @@ -12,6 +12,95 @@ =20 #define IP6_FRAGMENT_OFFSET_MASK (~0x3) =20 +// +// Per RFC8200 Section 4.2 +// +// Two of the currently-defined extension headers -- the Hop-by-Hop +// Options header and the Destination Options header -- carry a variable +// number of type-length-value (TLV) encoded "options", of the following +// format: +// +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - +// | Option Type | Opt Data Len | Option Data +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - +// +// Option Type 8-bit identifier of the type of option. +// +// Opt Data Len 8-bit unsigned integer. Length of the Option +// Data field of this option, in octets. +// +// Option Data Variable-length field. Option-Type-specific +// data. +// +#define IP6_SIZE_OF_OPT_TYPE (sizeof(UINT8)) +#define IP6_SIZE_OF_OPT_LEN (sizeof(UINT8)) +#define IP6_COMBINED_SIZE_OF_OPT_TAG_AND_LEN (IP6_SIZE_OF_OPT_TYPE + IP6_= SIZE_OF_OPT_LEN) +#define IP6_OFFSET_OF_OPT_LEN(a) (a + IP6_SIZE_OF_OPT_TYPE) +STATIC_ASSERT ( + IP6_OFFSET_OF_OPT_LEN (0) =3D=3D 1, + "The Length field should be 1 octet (8 bits) past the start of the optio= n" + ); + +#define IP6_NEXT_OPTION_OFFSET(offset, length) (offset + IP6_COMBINED_SIZ= E_OF_OPT_TAG_AND_LEN + length) +STATIC_ASSERT ( + IP6_NEXT_OPTION_OFFSET (0, 0) =3D=3D 2, + "The next option is minimally the combined size of the option tag and le= ngth" + ); + +// +// For more information see RFC 8200, Section 4.3, 4.4, and 4.6 +// +// This example format is from section 4.6 +// This does not apply to fragment headers +// +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | Next Header | Hdr Ext Len | | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +// | | +// . . +// . Header-Specific Data . +// . . +// | | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// +// Next Header 8-bit selector. Identifies the type of +// header immediately following the extension +// header. Uses the same values as the IPv4 +// Protocol field [IANA-PN]. +// +// Hdr Ext Len 8-bit unsigned integer. Length of the +// Destination Options header in 8-octet units, +// not including the first 8 octets. + +// +// These defines apply to the following: +// 1. Hop by Hop +// 2. Routing +// 3. Destination +// +#define IP6_SIZE_OF_EXT_NEXT_HDR (sizeof(UINT8)) +#define IP6_SIZE_OF_HDR_EXT_LEN (sizeof(UINT8)) + +#define IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN (IP6_SIZE_OF_EXT_NEXT_HDR += IP6_SIZE_OF_HDR_EXT_LEN) +STATIC_ASSERT ( + IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN =3D=3D 2, + "The combined size of Next Header and Len is two 8 bit fields" + ); + +// +// The "+ 1" in this calculation is because of the "not including the firs= t 8 octets" +// part of the definition (meaning the value of 0 represents 64 bits) +// +#define IP6_HDR_EXT_LEN(a) (((UINT16)(UINT8)(a) + 1) * 8) + +// This is the maxmimum length permissible by a extension header +// Length is UINT8 of 8 octets not including the first 8 octets +#define IP6_MAX_EXT_DATA_LENGTH (IP6_HDR_EXT_LEN (MAX_UINT8) - IP6_COMBIN= ED_SIZE_OF_NEXT_HDR_AND_LEN) +STATIC_ASSERT ( + IP6_MAX_EXT_DATA_LENGTH =3D=3D 2046, + "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2" + ); + typedef struct _IP6_FRAGMENT_HEADER { UINT8 NextHeader; UINT8 Reserved; diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 8718d5d8756a..144f8d34dead 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c @@ -17,7 +17,8 @@ @param[in] IpSb The IP6 service data. @param[in] Packet The to be validated packet. @param[in] Option The first byte of the option. - @param[in] OptionLen The length of the whole option. + @param[in] OptionLen The length of all options, expressed in by= te length of octets. + Maximum length is 2046 bytes or ((n + 1) *= 8) - 2 where n is 255. @param[in] Pointer Identifies the octet offset within the invoking packet where the error was de= tected. =20 @@ -31,12 +32,33 @@ Ip6IsOptionValid ( IN IP6_SERVICE *IpSb, IN NET_BUF *Packet, IN UINT8 *Option, - IN UINT8 OptionLen, + IN UINT16 OptionLen, IN UINT32 Pointer ) { - UINT8 Offset; - UINT8 OptionType; + UINT16 Offset; + UINT8 OptionType; + UINT8 OptDataLen; + + if (Option =3D=3D NULL) { + ASSERT (Option !=3D NULL); + return FALSE; + } + + if ((OptionLen <=3D 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) { + ASSERT (OptionLen > 0 && OptionLen <=3D IP6_MAX_EXT_DATA_LENGTH); + return FALSE; + } + + if (Packet =3D=3D NULL) { + ASSERT (Packet !=3D NULL); + return FALSE; + } + + if (IpSb =3D=3D NULL) { + ASSERT (IpSb !=3D NULL); + return FALSE; + } =20 Offset =3D 0; =20 @@ -54,7 +76,8 @@ Ip6IsOptionValid ( // // It is a PadN option // - Offset =3D (UINT8)(Offset + *(Option + Offset + 1) + 2); + OptDataLen =3D *(IP6_OFFSET_OF_OPT_LEN (Option + Offset)); + Offset =3D IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); break; case Ip6OptionRouterAlert: // @@ -69,7 +92,8 @@ Ip6IsOptionValid ( // switch (OptionType & Ip6OptionMask) { case Ip6OptionSkip: - Offset =3D (UINT8)(Offset + *(Option + Offset + 1)); + OptDataLen =3D *(IP6_OFFSET_OF_OPT_LEN (Option + Offset)); + Offset =3D IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); break; case Ip6OptionDiscard: return FALSE; @@ -308,7 +332,7 @@ Ip6IsExtsValid ( UINT32 Pointer; UINT32 Offset; UINT8 *Option; - UINT8 OptionLen; + UINT16 OptionLen; BOOLEAN Flag; UINT8 CountD; UINT8 CountA; @@ -385,6 +409,36 @@ Ip6IsExtsValid ( // Fall through // case IP6_DESTINATION: + // + // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23 + // + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+ + // | Next Header | Hdr Ext Len | = | + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ = + + // | = | + // . = . + // . Options = . + // . = . + // | = | + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+ + // + // + // Next Header 8-bit selector. Identifies the type of header + // immediately following the Destination Options + // header. Uses the same values as the IPv4 + // Protocol field [RFC-1700 et seq.]. + // + // Hdr Ext Len 8-bit unsigned integer. Length of the + // Destination Options header in 8-octet units, n= ot + // including the first 8 octets. + // + // Options Variable-length field, of length such that the + // complete Destination Options header is an + // integer multiple of 8 octets long. Contains o= ne + // or more TLV-encoded options, as described in + // section 4.2. + // + if (*NextHeader =3D=3D IP6_DESTINATION) { CountD++; } @@ -398,7 +452,7 @@ Ip6IsExtsValid ( =20 Offset++; Option =3D ExtHdrs + Offset; - OptionLen =3D (UINT8)((*Option + 1) * 8 - 2); + OptionLen =3D IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEX= T_HDR_AND_LEN; Option++; Offset++; =20 @@ -430,7 +484,7 @@ Ip6IsExtsValid ( // // Ignore the routing header and proceed to process the next hea= der. // - Offset =3D Offset + (RoutingHead->HeaderLen + 1) * 8; + Offset =3D Offset + IP6_HDR_EXT_LEN (RoutingHead->HeaderLen); =20 if (UnFragmentLen !=3D NULL) { *UnFragmentLen =3D Offset; @@ -441,7 +495,7 @@ Ip6IsExtsValid ( // to the packet's source address, pointing to the unrecognized = routing // type. // - Pointer =3D Offset + 2 + sizeof (EFI_IP6_HEADER); + Pointer =3D Offset + IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN + siz= eof (EFI_IP6_HEADER); if ((IpSb !=3D NULL) && (Packet !=3D NULL) && !IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddress)) { @@ -527,7 +581,7 @@ Ip6IsExtsValid ( // // RFC2402, Payload length is specified in 32-bit words, minus "2". // - OptionLen =3D (UINT8)((*Option + 2) * 4); + OptionLen =3D ((UINT16)(*Option + 2) * 4); Offset =3D Offset + OptionLen; break; =20 --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114259): https://edk2.groups.io/g/devel/message/114259 Mute This Topic: https://groups.io/mt/103926738/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114260+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114260+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073634; cv=none; d=zohomail.com; s=zohoarc; b=M/kr4HDp6KGCNAZ8V7YaosK/lVqa+NvnKd7xydXpNGNK7OYV0A4a22LvgdTlaVtsMFNdxP5nTn25wSDXwsdo0MBG7iET7AdszB5WFOpsywleWs6rtneMvBuoGt6nR9g6a3Zl7ZCsiNyvDKMKwLFIo5AgJxtdeLymNwBb2964FDM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073634; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=bx1SIRB8XHrpYC52DSeXMPHkOReXKZi2N13gUZuTLlM=; b=FfUJagoxO8fZt103DnsPBJ90JaeI9OxJIcm7RoPMbD1piHyE3PYQEDclWChNQesZr/MlvLKsZxQAPfcGEkdIUBgFHPZ5BHORUYYWhqwhdWsK+TDafCFBX+7+6DsbeEDvg/CDVKuwePZmgSKvhZuW1sXPUAVjhK5EbvAXG4Z8OPA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114260+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073634367804.6182726408713; Tue, 23 Jan 2024 21:20:34 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=kkHHq6I+XGnWdPj6NIPs3yULL0mqeJPMZfnd4oi63Vw=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073634; v=1; b=bleA+M02ae4D8WcHTfw8fZoeF741+ZuS7/FsRDqHG8W16QZdJc0Gty4FKyUpHtAdFv+vVmLP vWomZn/ZYLk8yFPIwxyiv6HYS+uBYjQPQhKC9xtiQtSdlSu1URaPHJsDPg8QvBDQnCb3MCkN7ji bAVNxbtQvYaaqtgw/S5mvF+I= X-Received: by 127.0.0.2 with SMTP id f1ruYY1788612xDtU3PDYvcg; Tue, 23 Jan 2024 21:20:34 -0800 X-Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.web10.16102.1706073633462009143 for ; Tue, 23 Jan 2024 21:20:33 -0800 X-Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-1d74dce86f7so24121555ad.2 for ; Tue, 23 Jan 2024 21:20:33 -0800 (PST) X-Gm-Message-State: JrwllFfhrHABUn3b4YBt7V4Dx1787277AA= X-Google-Smtp-Source: AGHT+IF3wwVFg2/PdtJhGm1ynaPlAwtu45VkoSNZP7ENIxcrOL8cX0ypuB3mRfc2xbY/M+OICxOl/w== X-Received: by 2002:a17:902:c946:b0:1d7:8553:35c with SMTP id i6-20020a170902c94600b001d78553035cmr256117pla.13.1706073632491; Tue, 23 Jan 2024 21:20:32 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:32 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 08/14] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests Date: Tue, 23 Jan 2024 19:33:31 -0800 Message-ID: <6acb5c2e7046f8d988b4475accac076d5728354c.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073636302100034 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4537 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4538 SECURITY PATCH - Unit Tests TCBZ4537 CVE-2023-45232 CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') TCBZ4538 CVE-2023-45233 CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 10 +- .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h | 40 +++ .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 282 ++++++++++++++++++ 3 files changed, 328 insertions(+), 4 deletions(-) create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg= /Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf index 6e4de0745fb5..ba29dbabadb9 100644 --- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf +++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf @@ -1,13 +1,13 @@ ## @file -# Unit test suite for the Ip6Dxe using Google Test +# Unit test suite for the Ip6DxeGoogleTest using Google Test # # Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent ## [Defines] INF_VERSION =3D 0x00010017 - BASE_NAME =3D Ip6DxeUnitTest - FILE_GUID =3D 4F05D17D-D3E7-4AAE-820C-576D46D2D34A + BASE_NAME =3D Ip6DxeGoogleTest + FILE_GUID =3D AE39981C-B7FE-41A8-A9C2-F41910477CA3 VERSION_STRING =3D 1.0 MODULE_TYPE =3D HOST_APPLICATION # @@ -16,9 +16,11 @@ [Defines] # VALID_ARCHITECTURES =3D IA32 X64 AARCH64 # [Sources] + ../Ip6Option.c + Ip6OptionGoogleTest.h Ip6DxeGoogleTest.cpp Ip6OptionGoogleTest.cpp - ../Ip6Option.c + Ip6OptionGoogleTest.h =20 [Packages] MdePkg/MdePkg.dec diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h b/NetworkPk= g/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h new file mode 100644 index 000000000000..618a7e658e5a --- /dev/null +++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h @@ -0,0 +1,40 @@ +/** @file + Exposes the functions needed to test the Ip6Option module. + + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef EFI_IP6_OPTION_GOOGLE_TEST_H_ +#define EFI_IP6_OPTION_GOOGLE_TEST_H_ + +#include +#include "../Ip6Impl.h" + +/** + Validate the IP6 option format for both the packets we received + and that we will transmit. It will compute the ICMPv6 error message fiel= ds + if the option is malformatted. + + @param[in] IpSb The IP6 service data. + @param[in] Packet The to be validated packet. + @param[in] Option The first byte of the option. + @param[in] OptionLen The length of the whole option. + @param[in] Pointer Identifies the octet offset within + the invoking packet where the error was de= tected. + + + @retval TRUE The option is properly formatted. + @retval FALSE The option is malformatted. + +**/ +BOOLEAN +Ip6IsOptionValid ( + IN IP6_SERVICE *IpSb, + IN NET_BUF *Packet, + IN UINT8 *Option, + IN UINT16 OptionLen, + IN UINT32 Pointer + ); + +#endif // __EFI_IP6_OPTION_GOOGLE_TEST_H__ diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/Network= Pkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp index f2cd90e1a952..69eef4b98ed2 100644 --- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp +++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp @@ -12,6 +12,7 @@ extern "C" { #include #include "../Ip6Impl.h" #include "../Ip6Option.h" + #include "Ip6OptionGoogleTest.h" } =20 ///////////////////////////////////////////////////////////////////////// @@ -127,3 +128,284 @@ TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOpt= ionLengthShouldReturnFalse) =20 EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); } + +//////////////////////////////////////////////////////////////////////// +// Ip6IsOptionValid Tests +//////////////////////////////////////////////////////////////////////// + +// Define a fixture for your tests if needed +class Ip6IsOptionValidTest : public ::testing::Test { +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + // Initialize any resources or variables + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + // Clean up any resources or variables + } +}; + +//////////////////////////////////////////////////////////////////////////= ///// +// Ip6IsOptionValidTest Tests +//////////////////////////////////////////////////////////////////////////= ///// + +// Test Description +// Verify that a NULL option is Invalid +TEST_F (Ip6IsOptionValidTest, NullOptionShouldReturnTrue) { + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + IP6_SERVICE *IpSb =3D NULL; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + EXPECT_FALSE (Ip6IsOptionValid (IpSb, &Packet, NULL, 0, 0)); +} + +// Test Description +// Verify that an unknown option with a length of 0 and type of = does not cause an infinite loop +TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength0) { + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + UINT32 DeadCode =3D 0xDeadC0de; + // Don't actually use this pointer, just pass it to the function, nothin= g will be done with it + IP6_SERVICE *IpSb =3D (IP6_SERVICE *)&DeadCode; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D 23; // Unknown Option + optionHeader.Length =3D 0; // This will cause an infinite loop if the= function is not working correctly + + // This should be a valid option even though the length is 0 + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); +} + +// Test Description +// Verify that an unknown option with a length of 1 and type of = does not cause an infinite loop +TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength1) { + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + UINT32 DeadCode =3D 0xDeadC0de; + // Don't actually use this pointer, just pass it to the function, nothin= g will be done with it + IP6_SERVICE *IpSb =3D (IP6_SERVICE *)&DeadCode; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D 23; // Unknown Option + optionHeader.Length =3D 1; // This will cause an infinite loop if the= function is not working correctly + + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); +} + +// Test Description +// Verify that an unknown option with a length of 2 and type of = does not cause an infinite loop +TEST_F (Ip6IsOptionValidTest, VerifyIpSkipUnknownOption) { + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + UINT32 DeadCode =3D 0xDeadC0de; + // Don't actually use this pointer, just pass it to the function, nothin= g will be done with it + IP6_SERVICE *IpSb =3D (IP6_SERVICE *)&DeadCode; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D 23; // Unknown Option + optionHeader.Length =3D 2; // Valid length for an unknown option + + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); +} + +// Test Description +// Verify that Ip6OptionPad1 is valid with a length of 0 +TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPad1) { + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + UINT32 DeadCode =3D 0xDeadC0de; + // Don't actually use this pointer, just pass it to the function, nothin= g will be done with it + IP6_SERVICE *IpSb =3D (IP6_SERVICE *)&DeadCode; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D Ip6OptionPad1; + optionHeader.Length =3D 0; + + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); +} + +// Test Description +// Verify that Ip6OptionPadN doesn't overflow with various lengths +TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPadN) { + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + UINT32 DeadCode =3D 0xDeadC0de; + // Don't actually use this pointer, just pass it to the function, nothin= g will be done with it + IP6_SERVICE *IpSb =3D (IP6_SERVICE *)&DeadCode; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D Ip6OptionPadN; + optionHeader.Length =3D 0xFF; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); + + optionHeader.Length =3D 0xFE; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); + + optionHeader.Length =3D 0xFD; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); + + optionHeader.Length =3D 0xFC; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); +} + +// Test Description +// Verify an unknown option doesn't cause an infinite loop with various le= ngths +TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLengthAtt= emptOverflow) { + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + UINT32 DeadCode =3D 0xDeadC0de; + // Don't actually use this pointer, just pass it to the function, nothin= g will be done with it + IP6_SERVICE *IpSb =3D (IP6_SERVICE *)&DeadCode; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + IP6_OPTION_HEADER optionHeader; + + optionHeader.Type =3D 23; // Unknown Option + optionHeader.Length =3D 0xFF; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); + + optionHeader.Length =3D 0xFE; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); + + optionHeader.Length =3D 0xFD; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); + + optionHeader.Length =3D 0xFC; + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, si= zeof (optionHeader), 0)); +} + +// Test Description +// Verify that the function supports multiple options +TEST_F (Ip6IsOptionValidTest, MultiOptionSupport) { + UINT16 HdrLen; + NET_BUF Packet =3D { 0 }; + // we need to define enough of the packet to make the function work + // The function being tested will pass IpSb to Ip6SendIcmpError which is= defined above + UINT32 DeadCode =3D 0xDeadC0de; + // Don't actually use this pointer, just pass it to the function, nothin= g will be done with it + IP6_SERVICE *IpSb =3D (IP6_SERVICE *)&DeadCode; + + EFI_IPv6_ADDRESS SourceAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IPv6_ADDRESS DestinationAddress =3D { 0x20, 0x01, 0x0d, 0xb8, 0x00,= 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 }; + EFI_IP6_HEADER Ip6Header =3D { 0 }; + + Ip6Header.SourceAddress =3D SourceAddress; + Ip6Header.DestinationAddress =3D DestinationAddress; + Packet.Ip.Ip6 =3D &Ip6Header; + + UINT8 ExtHdr[1024] =3D { 0 }; + UINT8 *Cursor =3D ExtHdr; + IP6_OPTION_HEADER *Option =3D (IP6_OPTION_HEADER *)ExtHdr; + + // Let's start chaining options + + Option->Type =3D 23; // Unknown Option + Option->Length =3D 0xFC; + + Cursor +=3D sizeof (IP6_OPTION_HEADER) + 0xFC; + + Option =3D (IP6_OPTION_HEADER *)Cursor; + Option->Type =3D Ip6OptionPad1; + + Cursor +=3D sizeof (1); + + // Type and length aren't processed, instead it just moves the pointer f= orward by 4 bytes + Option =3D (IP6_OPTION_HEADER *)Cursor; + Option->Type =3D Ip6OptionRouterAlert; + Option->Length =3D 4; + + Cursor +=3D sizeof (IP6_OPTION_HEADER) + 4; + + Option =3D (IP6_OPTION_HEADER *)Cursor; + Option->Type =3D Ip6OptionPadN; + Option->Length =3D 0xFC; + + Cursor +=3D sizeof (IP6_OPTION_HEADER) + 0xFC; + + Option =3D (IP6_OPTION_HEADER *)Cursor; + Option->Type =3D Ip6OptionRouterAlert; + Option->Length =3D 4; + + Cursor +=3D sizeof (IP6_OPTION_HEADER) + 4; + + // Total 524 + + HdrLen =3D (UINT16)(Cursor - ExtHdr); + + EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, ExtHdr, HdrLen, 0)); +} --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114260): https://edk2.groups.io/g/devel/message/114260 Mute This Topic: https://groups.io/mt/103926739/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114261+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114261+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073635; cv=none; d=zohomail.com; s=zohoarc; b=Jdy7ZBJXUeQKzjZrRW9kF22vYaEvH/PLk6qg2c/JNDAb4d5CudzF8zwzZVoJfelVatBiVPg8EhXoWS0RK+Dgx6T3s2dH22QNE2eT1V9arR52O2dnzXqjm+mQN7aQlCDamkrFrrQ4e6rlaiu1JQpFHQLStLYrM3RJSGkFiIZCCRE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073635; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=hPnRb2nzfEuzpEgl6rz0rru8koBMqiItm22aglWbjTo=; b=BBmn2bo+aJpZB3Qd39Vad69eBgdjXio8ma0IfaqCvWECCgpXNszt0oBa5InQibaswevhLH6Aton9PE9GfBuaeKslPEeygfzhiz6Cr5THTdC8mEaRd4Q47MX6p8oZcjEzuAV3FtJVYAOj833FHVx2QDr4spwF0M7ybDOs2JxZJYg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114261+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073635231221.6626817756537; Tue, 23 Jan 2024 21:20:35 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=I9LV4kMmdtMP7fdWq/Y8WKsKcjdCQa+6NnEcnnNpwoE=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073634; v=1; b=INy0FSEiRcFPHVVPBZ+pokyxLDL89e5CqG5ajF7cnQTe9Ck0a0VOlnBwtNK/EaO9HwJGJdAq e4NpZ1DsQW8m6eWp6wGkGp0AaFeIV4s4wrSpnc8bDoKrOW/IC3pL0e3rTiGQPwg7MhKn/092XFg xLsF1tuZ9mKFRIMXrCthCDvY= X-Received: by 127.0.0.2 with SMTP id QIMbYY1788612xpijyjirTr3; Tue, 23 Jan 2024 21:20:34 -0800 X-Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by mx.groups.io with SMTP id smtpd.web11.16108.1706073634296646450 for ; Tue, 23 Jan 2024 21:20:34 -0800 X-Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-5cdf76cde78so2681455a12.1 for ; Tue, 23 Jan 2024 21:20:34 -0800 (PST) X-Gm-Message-State: wBKsLbWpzhRWtcjERJOuoAmlx1787277AA= X-Google-Smtp-Source: AGHT+IGaTynq8lZtxB0/H5sZKvWl9yGxGBpwmDljySjT44pnQkXl4FqGBlNYmN10XS04qc4bLsntnQ== X-Received: by 2002:a05:6a20:a60c:b0:19c:32ad:4347 with SMTP id bb12-20020a056a20a60c00b0019c32ad4347mr173210pzb.95.1706073633373; Tue, 23 Jan 2024 21:20:33 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:32 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 09/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch Date: Tue, 23 Jan 2024 19:33:32 -0800 Message-ID: <38a84f68019d820e9284fbfc5f666bf64cbdd674.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073636275100033 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4539 SECURITY PATCH - Patch TCBZ4539 CVE-2023-45234 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 6 deletions(-) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c index 425e0cf8061d..2b2d372889a3 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -3,6 +3,7 @@ =20 (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation =20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer ( } } =20 +/** + Cache the DHCPv6 DNS Server addresses + + @param[in] Private The pointer to PXEBC_PRIVATE_DATA. + @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE. + + @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address suc= cessfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. + @retval EFI_DEVICE_ERROR The DNS Server Address Length provided = by a untrusted + option is not a multiple of 16 bytes (s= izeof (EFI_IPv6_ADDRESS)). +**/ +EFI_STATUS +PxeBcCacheDnsServerAddresses ( + IN PXEBC_PRIVATE_DATA *Private, + IN PXEBC_DHCP6_PACKET_CACHE *Cache6 + ) +{ + UINT16 DnsServerLen; + + DnsServerLen =3D NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpL= en); + // + // Make sure that the number is nonzero + // + if (DnsServerLen =3D=3D 0) { + return EFI_DEVICE_ERROR; + } + + // + // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16) + // + if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) !=3D 0) { + return EFI_DEVICE_ERROR; + } + + // + // This code is currently written to only support a single DNS Server in= stead + // of multiple such as is spec defined (RFC3646, Section 3). The proper = behavior + // would be to allocate the full space requested, CopyMem all of the dat= a, + // and then add a DnsServerCount field to Private and update additional = code + // that depends on this. + // + // To support multiple DNS servers the `AllocationSize` would need to be= changed to DnsServerLen + // + // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=3D1= 886 + // + Private->DnsServer =3D AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS)); + if (Private->DnsServer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Intentionally only copy over the first server address. + // To support multiple DNS servers, the `Length` would need to be change= d to DnsServerLen + // + CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]= ->Data, sizeof (EFI_IPv6_ADDRESS)); + + return EFI_SUCCESS; +} + /** Handle the DHCPv6 offer packet. =20 @@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer ( UINT32 SelectIndex; UINT32 Index; =20 + ASSERT (Private !=3D NULL); ASSERT (Private->SelectIndex > 0); SelectIndex =3D (UINT32)(Private->SelectIndex - 1); ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM); @@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer ( Status =3D EFI_SUCCESS; =20 // - // First try to cache DNS server address if DHCP6 offer provides. + // First try to cache DNS server addresses if DHCP6 offer provides. // if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] !=3D NULL) { - Private->DnsServer =3D AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_= DHCP6_IDX_DNS_SERVER]->OpLen)); - if (Private->DnsServer =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D PxeBcCacheDnsServerAddresses (Private, Cache6); + if (EFI_ERROR (Status)) { + return Status; } - - CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVE= R]->Data, sizeof (EFI_IPv6_ADDRESS)); } =20 if (Cache6->OfferType =3D=3D PxeOfferTypeDhcpBinl) { --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114261): https://edk2.groups.io/g/devel/message/114261 Mute This Topic: https://groups.io/mt/103926740/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114262+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114262+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073636; cv=none; d=zohomail.com; s=zohoarc; b=COgkiUrqttewXS4kvnra/kgwAb1pTmjUxh2g3+27M7GQ/3ROuMqgTx5Xew65hWOl3+3qdIaB4YQshbd2z2tYrzXtpJFr7N68UCL/trkgCZZ9CURuwer7SuWjJzzCjVkX65vEmeIs7fRtustP7higJ54v6BY9rUuw3DP/936wZMY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073636; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=s3nU072OLQlIvGrPAc6ozwQtFRWzZx6NNe+wYGcEaWg=; b=U0qN30YocBZGnvKcw9XVOolpFsdLAVpZtSQnxomfHk3UY1XGssMW8NOyiQBSAk/lufGPmWsxtpmzGsVp60I5THLUnCRzM3RlyUB1N6TB8+gLmEiMgEQPOToOB1512/5al3c3wNPkIbmZqfK1GQuY6XdSQhlXiXskhfKROld2Yi8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114262+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073636288592.7024351497558; Tue, 23 Jan 2024 21:20:36 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=L6GK9U8lGran5eEs3EXnc9dQqMGPMRWuuiL2VIS6Ji0=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073635; v=1; b=nlg0XA/hbFBufmbTcsnMesx5CVxuun4hwRxsZ0Fahg2YKp5rMp3ayE++/c+EOr0GIwmNIOig epoJBcWcIsj5LcIqyQbPVXPCDpAoR3lP9DqAswwyvOxYzwX8RWXugsiKcf36sgk+HIhcfxYUwMm ajHEhLqM+BWlOH1ynxPgxlvY= X-Received: by 127.0.0.2 with SMTP id vDOQYY1788612x10BOHP3Q1C; Tue, 23 Jan 2024 21:20:35 -0800 X-Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web10.16103.1706073635240015184 for ; Tue, 23 Jan 2024 21:20:35 -0800 X-Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1d71e24845aso29217475ad.0 for ; Tue, 23 Jan 2024 21:20:35 -0800 (PST) X-Gm-Message-State: xBI47NRso4mSCUEgDqp5xbFQx1787277AA= X-Google-Smtp-Source: AGHT+IHdQhR0Tk5UqF6MrUupO47L1GuiekqIywG6GrdsDqWUuJoBh7jPx8TfGfMdVupAqgZg4NXdAA== X-Received: by 2002:a17:902:9a86:b0:1d7:5c60:f508 with SMTP id w6-20020a1709029a8600b001d75c60f508mr181335plp.109.1706073634181; Tue, 23 Jan 2024 21:20:34 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:33 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 10/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests Date: Tue, 23 Jan 2024 19:33:33 -0800 Message-ID: <7765fc863cb658830aec48b077f1104627fdc630.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073638373100045 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4539 SECURITY PATCH - Unit Tests TCBZ4539 CVE-2023-45234 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Bu= ffer Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 + .../GoogleTest/UefiPxeBcDxeGoogleTest.inf | 48 +++ .../GoogleTest/PxeBcDhcp6GoogleTest.h | 50 +++ .../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 300 ++++++++++++++++++ .../GoogleTest/UefiPxeBcDxeGoogleTest.cpp | 19 ++ 5 files changed, 418 insertions(+) create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTe= st.inf create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest= .h create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest= .cpp create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTe= st.cpp diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/Netwo= rkPkgHostTest.dsc index 7fa7b0f9d5be..a0273c431025 100644 --- a/NetworkPkg/Test/NetworkPkgHostTest.dsc +++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc @@ -27,6 +27,7 @@ [Components] # NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf + NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf =20 # Despite these library classes being listed in [LibraryClasses] below, th= ey are not needed for the host-based unit tests. [LibraryClasses] diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf = b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf new file mode 100644 index 000000000000..301dcdf61109 --- /dev/null +++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf @@ -0,0 +1,48 @@ +## @file +# Unit test suite for the UefiPxeBcDxe using Google Test +# +# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## +[Defines] +INF_VERSION =3D 0x00010005 +BASE_NAME =3D UefiPxeBcDxeGoogleTest +FILE_GUID =3D 77D45C64-EC1E-4174-887B-886E89FD1EDF +MODULE_TYPE =3D HOST_APPLICATION +VERSION_STRING =3D 1.0 + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + UefiPxeBcDxeGoogleTest.cpp + PxeBcDhcp6GoogleTest.cpp + PxeBcDhcp6GoogleTest.h + ../PxeBcDhcp6.c + ../PxeBcSupport.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec + NetworkPkg/NetworkPkg.dec + +[LibraryClasses] + GoogleTestLib + DebugLib + NetLib + PcdLib + +[Protocols] + gEfiDhcp6ServiceBindingProtocolGuid + gEfiDns6ServiceBindingProtocolGuid + gEfiDns6ProtocolGuid + +[Pcd] + gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType + +[Guids] + gZeroGuid diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/Ne= tworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h new file mode 100644 index 000000000000..b17c314791c8 --- /dev/null +++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h @@ -0,0 +1,50 @@ +/** @file + This file exposes the internal interfaces which may be unit tested + for the PxeBcDhcp6Dxe driver. + + Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef PXE_BC_DHCP6_GOOGLE_TEST_H_ +#define PXE_BC_DHCP6_GOOGLE_TEST_H_ + +// +// Minimal includes needed to compile +// +#include +#include "../PxeBcImpl.h" + +/** + Handle the DHCPv6 offer packet. + + @param[in] Private The pointer to PXEBC_PRIVATE_DATA. + + @retval EFI_SUCCESS Handled the DHCPv6 offer packet succes= sfully. + @retval EFI_NO_RESPONSE No response to the following request p= acket. + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. + @retval EFI_BUFFER_TOO_SMALL Can't cache the offer pacet. + +**/ +EFI_STATUS +PxeBcHandleDhcp6Offer ( + IN PXEBC_PRIVATE_DATA *Private + ); + +/** + Cache the DHCPv6 Server address + + @param[in] Private The pointer to PXEBC_PRIVATE_DATA. + @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE. + + @retval EFI_SUCCESS Cache the DHCPv6 Server address success= fully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. + @retval EFI_DEVICE_ERROR Failed to cache the DHCPv6 Server addre= ss. +**/ +EFI_STATUS +PxeBcCacheDnsServerAddresses ( + IN PXEBC_PRIVATE_DATA *Private, + IN PXEBC_DHCP6_PACKET_CACHE *Cache6 + ); + +#endif // PXE_BC_DHCP6_GOOGLE_TEST_H_ diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/= NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp new file mode 100644 index 000000000000..8260eeee50dc --- /dev/null +++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp @@ -0,0 +1,300 @@ +/** @file + Host based unit test for PxeBcDhcp6.c. + + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include + +extern "C" { + #include + #include + #include + #include "../PxeBcImpl.h" + #include "../PxeBcDhcp6.h" + #include "PxeBcDhcp6GoogleTest.h" +} + +//////////////////////////////////////////////////////////////////////////= ///// +// Definitions +//////////////////////////////////////////////////////////////////////////= ///// + +#define PACKET_SIZE (1500) + +typedef struct { + UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g.= , 0x03) + UINT16 OptionLen; // The length of the option (e.g., 16 bytes) + UINT8 ServerId[16]; // The 16-byte DHCPv6 Server Identifier +} DHCP6_OPTION_SERVER_ID; + +//////////////////////////////////////////////////////////////////////////= ///// +/// Symbol Definitions +//////////////////////////////////////////////////////////////////////////= ///// + +EFI_STATUS +MockUdpWrite ( + IN EFI_PXE_BASE_CODE_PROTOCOL *This, + IN UINT16 OpFlags, + IN EFI_IP_ADDRESS *DestIp, + IN EFI_PXE_BASE_CODE_UDP_PORT *DestPort, + IN EFI_IP_ADDRESS *GatewayIp OPTIONAL, + IN EFI_IP_ADDRESS *SrcIp OPTIONAL, + IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL, + IN UINTN *HeaderSize OPTIONAL, + IN VOID *HeaderPtr OPTIONAL, + IN UINTN *BufferSize, + IN VOID *BufferPtr + ) +{ + return EFI_SUCCESS; +} + +EFI_STATUS +MockUdpRead ( + IN EFI_PXE_BASE_CODE_PROTOCOL *This, + IN UINT16 OpFlags, + IN OUT EFI_IP_ADDRESS *DestIp OPTIONAL, + IN OUT EFI_PXE_BASE_CODE_UDP_PORT *DestPort OPTIONAL, + IN OUT EFI_IP_ADDRESS *SrcIp OPTIONAL, + IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL, + IN UINTN *HeaderSize OPTIONAL, + IN VOID *HeaderPtr OPTIONAL, + IN OUT UINTN *BufferSize, + IN VOID *BufferPtr + ) +{ + return EFI_SUCCESS; +} + +EFI_STATUS +MockConfigure ( + IN EFI_UDP6_PROTOCOL *This, + IN EFI_UDP6_CONFIG_DATA *UdpConfigData OPTIONAL + ) +{ + return EFI_SUCCESS; +} + +// Needed by PxeBcSupport +EFI_STATUS +EFIAPI +QueueDpc ( + IN EFI_TPL DpcTpl, + IN EFI_DPC_PROCEDURE DpcProcedure, + IN VOID *DpcContext OPTIONAL + ) +{ + return EFI_SUCCESS; +} + +//////////////////////////////////////////////////////////////////////////= ///// +// PxeBcHandleDhcp6OfferTest Tests +//////////////////////////////////////////////////////////////////////////= ///// + +class PxeBcHandleDhcp6OfferTest : public ::testing::Test { +public: + PXEBC_PRIVATE_DATA Private =3D { 0 }; + EFI_UDP6_PROTOCOL Udp6Read; + EFI_PXE_BASE_CODE_MODE Mode =3D { 0 }; + +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + Private.Dhcp6Request =3D (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_= SIZE); + + // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL + // The function under test really only needs the following: + // UdpWrite + // UdpRead + + Private.PxeBc.UdpWrite =3D (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite; + Private.PxeBc.UdpRead =3D (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead; + + // Need to setup EFI_UDP6_PROTOCOL + // The function under test really only needs the following: + // Configure + + Udp6Read.Configure =3D (EFI_UDP6_CONFIGURE)MockConfigure; + Private.Udp6Read =3D &Udp6Read; + + // Need to setup the EFI_PXE_BASE_CODE_MODE + Private.PxeBc.Mode =3D &Mode; + + // for this test it doesn't really matter what the Dhcpv6 ack is set to + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + if (Private.Dhcp6Request !=3D NULL) { + FreePool (Private.Dhcp6Request); + } + + // Clean up any resources or variables + } +}; + +// Note: +// Testing PxeBcHandleDhcp6Offer() is difficult because it depends on a +// properly setup Private structure. Attempting to properly test this func= tion +// without a signficant refactor is a fools errand. Instead, we will test +// that we can prevent an overflow in the function. +TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) { + PXEBC_DHCP6_PACKET_CACHE *Cache6 =3D NULL; + EFI_DHCP6_PACKET_OPTION Option =3D { 0 }; + + Private.SelectIndex =3D 1; // SelectIndex is 1-based + Cache6 =3D &Private.OfferBuffer[Private.SelectIndex - 1].Dh= cp6; + + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] =3D &Option; + // Setup the DHCPv6 offer packet + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode =3D DHCP6_OPT_SERVER= _ID; + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen =3D NTOHS (1337); + + ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private))= , EFI_DEVICE_ERROR); +} + +class PxeBcCacheDnsServerAddressesTest : public ::testing::Test { +public: + PXEBC_PRIVATE_DATA Private =3D { 0 }; + +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + } +}; + +// Test Description +// Test that we cache the DNS server address from the DHCPv6 offer packet +TEST_F (PxeBcCacheDnsServerAddressesTest, BasicUsageTest) { + UINT8 SearchPattern[16] =3D { 0xDE, 0xAD, 0xBE, 0xEF= , 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF }; + EFI_DHCP6_PACKET_OPTION *Option; + PXEBC_DHCP6_PACKET_CACHE *Cache6 =3D NULL; + + Option =3D (EFI_DHCP6_PACKET_OPTION *)AllocateZeroPool (sizeof (EFI_DHCP= 6_PACKET_OPTION) + sizeof (SearchPattern)); + ASSERT_NE (Option, nullptr); + + Option->OpCode =3D DHCP6_OPT_SERVER_ID; + Option->OpLen =3D NTOHS (sizeof (SearchPattern)); + CopyMem (Option->Data, SearchPattern, sizeof (SearchPattern)); + + Private.SelectIndex =3D 1; // SelectIndex is 1-b= ased + Cache6 =3D &Private.OfferBuffer[Pri= vate.SelectIndex - 1].Dhcp6; + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] =3D Option; + + Private.DnsServer =3D nullptr; + + ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesT= est::Private), Cache6), EFI_SUCCESS); + ASSERT_NE (Private.DnsServer, nullptr); + ASSERT_EQ (CompareMem (Private.DnsServer, SearchPattern, sizeof (SearchP= attern)), 0); + + if (Private.DnsServer) { + FreePool (Private.DnsServer); + } + + if (Option) { + FreePool (Option); + } +} +// Test Description +// Test that we can prevent an overflow in the function +TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptOverflowTest) { + EFI_DHCP6_PACKET_OPTION Option =3D { 0 }; + PXEBC_DHCP6_PACKET_CACHE *Cache6 =3D NULL; + + Private.SelectIndex =3D 1; // SelectIndex is 1-b= ased + Cache6 =3D &Private.OfferBuffer[Pri= vate.SelectIndex - 1].Dhcp6; + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] =3D &Option; + // Setup the DHCPv6 offer packet + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode =3D DHCP6_OPT_SERVER= _ID; + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen =3D NTOHS (1337); + + Private.DnsServer =3D NULL; + + ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesT= est::Private), Cache6), EFI_DEVICE_ERROR); + ASSERT_EQ (Private.DnsServer, nullptr); + + if (Private.DnsServer) { + FreePool (Private.DnsServer); + } +} + +// Test Description +// Test that we can prevent an underflow in the function +TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptUnderflowTest) { + EFI_DHCP6_PACKET_OPTION Option =3D { 0 }; + PXEBC_DHCP6_PACKET_CACHE *Cache6 =3D NULL; + + Private.SelectIndex =3D 1; // SelectIndex is 1-b= ased + Cache6 =3D &Private.OfferBuffer[Pri= vate.SelectIndex - 1].Dhcp6; + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] =3D &Option; + // Setup the DHCPv6 offer packet + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode =3D DHCP6_OPT_SERVER= _ID; + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen =3D NTOHS (2); + + Private.DnsServer =3D NULL; + + ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesT= est::Private), Cache6), EFI_DEVICE_ERROR); + ASSERT_EQ (Private.DnsServer, nullptr); + + if (Private.DnsServer) { + FreePool (Private.DnsServer); + } +} + +// Test Description +// Test that we can handle recursive dns (multiple dns entries) +TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) { + EFI_DHCP6_PACKET_OPTION Option =3D { 0 }; + PXEBC_DHCP6_PACKET_CACHE *Cache6 =3D NULL; + + Private.SelectIndex =3D 1; // SelectIndex is 1-b= ased + Cache6 =3D &Private.OfferBuffer[Pri= vate.SelectIndex - 1].Dhcp6; + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] =3D &Option; + // Setup the DHCPv6 offer packet + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode =3D DHCP6_OPT_SERVER= _ID; + + EFI_IPv6_ADDRESS addresses[2] =3D { + // 2001:db8:85a3::8a2e:370:7334 + { 0x20, 0x01, 0x0d, 0xb8, 0x85, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8a, 0x= 2e, 0x03, 0x70, 0x73, 0x34 }, + // fe80::d478:91c3:ecd7:4ff9 + { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd4, 0x78, 0x91, 0x= c3, 0xec, 0xd7, 0x4f, 0xf9 } + }; + + CopyMem (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, &addresses, = sizeof (addresses)); + + Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen =3D NTOHS (sizeof (ad= dresses)); + + Private.DnsServer =3D NULL; + + ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesT= est::Private), Cache6), EFI_SUCCESS); + + ASSERT_NE (Private.DnsServer, nullptr); + + // + // This is expected to fail until DnsServer supports multiple DNS servers + // + // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=3D1= 886 + // + // Disabling: + // ASSERT_EQ (CompareMem(Private.DnsServer, &addresses, sizeof(addresses= )), 0); + + if (Private.DnsServer) { + FreePool (Private.DnsServer); + } +} diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp = b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp new file mode 100644 index 000000000000..cc4fdf525b62 --- /dev/null +++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp @@ -0,0 +1,19 @@ +/** @file + Acts as the main entry point for the tests for the UefiPxeBcDxe module. + Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include + +//////////////////////////////////////////////////////////////////////////= ////// +// Run the tests +//////////////////////////////////////////////////////////////////////////= ////// +int +main ( + int argc, + char *argv[] + ) +{ + testing::InitGoogleTest (&argc, argv); + return RUN_ALL_TESTS (); +} --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114262): https://edk2.groups.io/g/devel/message/114262 Mute This Topic: https://groups.io/mt/103926741/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114263+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114263+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073636; cv=none; d=zohomail.com; s=zohoarc; b=KXZatvTKBAfHfJJ91M64ENu3Fx0HAldQ+SY2R4+qdtSKSlf4qCMO5sILxqvnEzcxeMbHjRhHC/mPjhL+95cxJLfP2HDhOv7xZmHcf/TwjGhTs8+un7492ucKzzcHZrGqEWTV+T4d5sgyLgepX7O05tFXmXKySsLY7uLYIrYE6Ww= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073636; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=nI1G2OQ9td+OObPukBCnYvfRx4jedC878wwImq5Ag5A=; b=U9Db5U66AsP2QApNzINZKC4OgZbjqUm8nzmQnrnd40sjVmy06zbWC6wui9vXKxg9di1nWI71DJ+h0oTLtJR6Xe7g/DKdd6ZkSvH2CfkOoPOWtdbCDPZGERl1HmXUhF85olzSlmz7bK+jANHPHzBxzjow684SHijCTie5MD7QIZ0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114263+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073636720123.92814093286381; Tue, 23 Jan 2024 21:20:36 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=X3pfKuprR3Jn379vaHp2Wvgerz6rrLMLkO4zExPLuAU=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073636; v=1; b=iTxe8xONFXDqef1MwtgWncfDLqqn0lW4h03BbUo9Qwzt9F8nHKcX/PJ8vf47ru7T+5PsxS+l mCurYDIfu5ZYt1rnVILaG/8bpnjNup5Bsel/bokiK2NlCp6DXiOXF13uu+QXV7CtiyV9vZCKMiF 8Rt9gUlxdyC0e6jCMtm7k3KM= X-Received: by 127.0.0.2 with SMTP id FCi7YY1788612xSd8qBXTp6U; Tue, 23 Jan 2024 21:20:36 -0800 X-Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web11.16110.1706073635766037587 for ; Tue, 23 Jan 2024 21:20:35 -0800 X-Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-1d71e184695so19838265ad.3 for ; Tue, 23 Jan 2024 21:20:35 -0800 (PST) X-Gm-Message-State: aKLYhq28wS984crP4YNz21X3x1787277AA= X-Google-Smtp-Source: AGHT+IHatw7kHpg5y8Bmht5Ai2Kj5TtANlHbl6OlGg77QvOjdoSORDPSCtMAXBpJQwEyFtHpy73cAg== X-Received: by 2002:a17:902:e80d:b0:1d7:4e9a:b415 with SMTP id u13-20020a170902e80d00b001d74e9ab415mr227205plg.127.1706073634774; Tue, 23 Jan 2024 21:20:34 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:34 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: "Douglas Flick [MSFT]" , Michael D Kinney , Liming Gao , Zhiguang Liu Subject: [edk2-devel] [PATCH 11/14] MdePkg: Test: Add gRT_GetTime Google Test Mock Date: Tue, 23 Jan 2024 19:33:34 -0800 Message-ID: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073638336100043 Content-Type: text/plain; charset="utf-8" This adds support for GetTime Google Test Mock Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] Reviewed-by: Michael D Kinney --- .../GoogleTest/Library/MockUefiRuntimeServicesTableLib.h | 7 +++++++ .../MockUefiRuntimeServicesTableLib.cpp | 5 +++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiRuntimeSer= vicesTableLib.h b/MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiRunti= meServicesTableLib.h index 241abc55c079..bcc902cb93c2 100644 --- a/MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiRuntimeServicesTa= bleLib.h +++ b/MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiRuntimeServicesTa= bleLib.h @@ -37,6 +37,13 @@ struct MockUefiRuntimeServicesTableLib { IN UINTN DataSize, IN VOID *Data) ); + + MOCK_FUNCTION_DECLARATION ( + EFI_STATUS, + gRT_GetTime, + (OUT EFI_TIME *Time, + OUT EFI_TIME_CAPABILITIES *Capabilities OPTIONAL) + ); }; =20 #endif diff --git a/MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTab= leLib/MockUefiRuntimeServicesTableLib.cpp b/MdePkg/Test/Mock/Library/Google= Test/MockUefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.cpp index 14296b0ccb88..8d2afd5dd63a 100644 --- a/MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/M= ockUefiRuntimeServicesTableLib.cpp +++ b/MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/M= ockUefiRuntimeServicesTableLib.cpp @@ -10,11 +10,12 @@ MOCK_INTERFACE_DEFINITION (MockUefiRuntimeServicesTable= Lib); =20 MOCK_FUNCTION_DEFINITION (MockUefiRuntimeServicesTableLib, gRT_GetVariable= , 5, EFIAPI); MOCK_FUNCTION_DEFINITION (MockUefiRuntimeServicesTableLib, gRT_SetVariable= , 5, EFIAPI); +MOCK_FUNCTION_DEFINITION (MockUefiRuntimeServicesTableLib, gRT_GetTime, 2,= EFIAPI); =20 static EFI_RUNTIME_SERVICES localRt =3D { - { 0 }, // EFI_TABLE_HEADER + { 0 }, // EFI_TABLE_HEADER =20 - NULL, // EFI_GET_TIME + gRT_GetTime, // EFI_GET_TIME NULL, // EFI_SET_TIME NULL, // EFI_GET_WAKEUP_TIME NULL, // EFI_SET_WAKEUP_TIME --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114263): https://edk2.groups.io/g/devel/message/114263 Mute This Topic: https://groups.io/mt/103926742/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114264+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114264+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073642; cv=none; d=zohomail.com; s=zohoarc; b=fIzh+CFkcmUEosyZdApmFWXhE+ME9/UxfJaI+YZreafF8+oShAcNsCo0bRuUxmefejBPYnX1rOLwzLR4ivxp8fGYTBo7zTjpYMU53bV7OAjodIpEr2qmevDUF/a1GbddVkBWTF2gZfKpkCW1/aBec72RHZWdFCact+qTSaMt0Sk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073642; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=4W+Wh7gyfxVe8ZA4Ih2UDi7ArYMCvOpYsbrEgjXJ9Wo=; b=URAhzX7aqZhQJfoEZSosVQlpr9TBIoC6cDsN3aYXrlKizSvUhHPtXyZ7uJO8QiTAK/C1UDLqCsBsPHhjQMkjhj5V6foeyR96mgQnRWvWz6MtLTf3TC1dQQ7k3/+3oY+ri6BhC+iV6lcTuxf/d5nbMW5oMO/RAKMs6pf3V8yQo6E= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114264+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073642120402.13028639727213; Tue, 23 Jan 2024 21:20:42 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=2SWVe07eJL/W8zEevEaX4yGERB4uX5LTqA65Rq7mkRc=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073641; v=1; b=hsToXohEjVX4XgDydYVL83zaB388WV45a0vZ4+uywFPMdz+rkgmSQzL1nnWU+kKEo97GmDlO xr2zoQZmxxyRS6IM4H0GM5bgLYVz9MWdoPPBCulWs8nWKnr1J+vFoedADokHFSwTuL/yZNuI5Ak cGEPkk9wswdM83n5eRsJ1u4g= X-Received: by 127.0.0.2 with SMTP id et22YY1788612xWS28sjXKDT; Tue, 23 Jan 2024 21:20:41 -0800 X-Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web11.16111.1706073636260957922 for ; Tue, 23 Jan 2024 21:20:36 -0800 X-Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-1d75c97ea6aso18771875ad.1 for ; Tue, 23 Jan 2024 21:20:36 -0800 (PST) X-Gm-Message-State: ohL9jk7hDh9bb8y61t1wXXsdx1787277AA= X-Google-Smtp-Source: AGHT+IE9t5WUPcUhu1wXxCFQeNjVEDzWpI1A5ssAISS10gdHBrZ7KDJ92cVqrlsWdEXzuOTXAryYAg== X-Received: by 2002:a17:902:ee15:b0:1d6:f17b:ecfc with SMTP id z21-20020a170902ee1500b001d6f17becfcmr429620plb.15.1706073635511; Tue, 23 Jan 2024 21:20:35 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:35 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 12/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch Date: Tue, 23 Jan 2024 19:33:35 -0800 Message-ID: <2276136eefe1d8080cfcdb5cdac3cf297a58aa3a.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073644368100001 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4540 SECURITY PATCH - Patch TCBZ4540 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 ++++++ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 ++++++++++++++++++++++------ 2 files changed, 78 insertions(+), 16 deletions(-) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.h index c86f6d391b80..6357d27faefd 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h @@ -34,6 +34,23 @@ #define PXEBC_ADDR_START_DELIMITER '[' #define PXEBC_ADDR_END_DELIMITER ']' =20 +// +// A DUID consists of a 2-octet type code represented in network byte +// order, followed by a variable number of octets that make up the +// actual identifier. The length of the DUID (not including the type +// code) is at least 1 octet and at most 128 octets. +// +#define PXEBC_MIN_SIZE_OF_DUID (sizeof(UINT16) + 1) +#define PXEBC_MAX_SIZE_OF_DUID (sizeof(UINT16) + 128) + +// +// This define represents the combineds code and length field from +// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1 +// +#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN \ + (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode) + \ + sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen)) + #define GET_NEXT_DHCP6_OPTION(Opt) \ (EFI_DHCP6_PACKET_OPTION *) ((UINT8 *) (Opt) + \ sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS ((Opt)->OpLen)) - 1) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c index 2b2d372889a3..7fd1281c1184 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -887,6 +887,7 @@ PxeBcRequestBootService ( EFI_STATUS Status; EFI_DHCP6_PACKET *IndexOffer; UINT8 *Option; + UINTN DiscoverLenNeeded; =20 PxeBc =3D &Private->PxeBc; Request =3D Private->Dhcp6Request; @@ -899,7 +900,8 @@ PxeBcRequestBootService ( return EFI_DEVICE_ERROR; } =20 - Discover =3D AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET)); + DiscoverLenNeeded =3D sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); + Discover =3D AllocateZeroPool (DiscoverLenNeeded); if (Discover =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } @@ -924,16 +926,34 @@ PxeBcRequestBootService ( DHCP6_OPT_SERVER_ID ); if (Option =3D=3D NULL) { - return EFI_NOT_FOUND; + Status =3D EFI_NOT_FOUND; + goto ON_ERROR; } =20 // // Add Server ID Option. // OpLen =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)Option)->OpLen); - CopyMem (DiscoverOpt, Option, OpLen + 4); - DiscoverOpt +=3D (OpLen + 4); - DiscoverLen +=3D (OpLen + 4); + + // + // Check that the minimum and maximum requirements are met + // + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUI= D)) { + Status =3D EFI_INVALID_PARAMETER; + goto ON_ERROR; + } + + // + // Check that the option length is valid. + // + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > = DiscoverLenNeeded) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; + } + + CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_= AND_LEN); + DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 while (RequestLen < Request->Length) { @@ -944,16 +964,24 @@ PxeBcRequestBootService ( (OpCode !=3D DHCP6_OPT_SERVER_ID) ) { + // + // Check that the option length is valid. + // + if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > = DiscoverLenNeeded) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; + } + // // Copy all the options except IA option and Server ID // - CopyMem (DiscoverOpt, RequestOpt, OpLen + 4); - DiscoverOpt +=3D (OpLen + 4); - DiscoverLen +=3D (OpLen + 4); + CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT= _CODE_AND_LEN); + DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 - RequestOpt +=3D (OpLen + 4); - RequestLen +=3D (OpLen + 4); + RequestOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + RequestLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 // @@ -2154,6 +2182,7 @@ PxeBcDhcp6Discover ( UINT16 OpLen; UINT32 Xid; EFI_STATUS Status; + UINTN DiscoverLenNeeded; =20 PxeBc =3D &Private->PxeBc; Mode =3D PxeBc->Mode; @@ -2169,7 +2198,8 @@ PxeBcDhcp6Discover ( return EFI_DEVICE_ERROR; } =20 - Discover =3D AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET)); + DiscoverLenNeeded =3D sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); + Discover =3D AllocateZeroPool (DiscoverLenNeeded); if (Discover =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } @@ -2185,22 +2215,37 @@ PxeBcDhcp6Discover ( DiscoverLen =3D sizeof (EFI_DHCP6_HEADER); RequestLen =3D DiscoverLen; =20 + // + // The request packet is generated by the UEFI network stack. In the DHC= P4 DORA and DHCP6 SARR sequence, + // the first (discover in DHCP4 and solicit in DHCP6) and third (request= in both DHCP4 and DHCP6) are + // generated by the DHCP client (the UEFI network stack in this case). B= y the time this function executes, + // the DHCP sequence already has been executed once (see UEFI Specificat= ion Figures 24.2 and 24.3), with + // Private->Dhcp6Request being a cached copy of the DHCP6 request packet= that UEFI network stack previously + // generated and sent. + // + // Therefore while this code looks like it could overflow, in practice i= t's not possible. + // while (RequestLen < Request->Length) { OpCode =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpCode); OpLen =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpLen); if ((OpCode !=3D EFI_DHCP6_IA_TYPE_NA) && (OpCode !=3D EFI_DHCP6_IA_TYPE_TA)) { + if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > = DiscoverLenNeeded) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; + } + // // Copy all the options except IA option. // - CopyMem (DiscoverOpt, RequestOpt, OpLen + 4); - DiscoverOpt +=3D (OpLen + 4); - DiscoverLen +=3D (OpLen + 4); + CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT= _CODE_AND_LEN); + DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 - RequestOpt +=3D (OpLen + 4); - RequestLen +=3D (OpLen + 4); + RequestOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); + RequestLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } =20 Status =3D PxeBc->UdpWrite ( --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114264): https://edk2.groups.io/g/devel/message/114264 Mute This Topic: https://groups.io/mt/103926743/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114265+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114265+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073637; cv=none; d=zohomail.com; s=zohoarc; b=SXH4Z4Lqb4u5jvce77FN0Ks6IzBLiwS7fyVBqQOoJvhtRL61HuE43WZkgjfY67LQ/Ix7Ig+R23J8qROQHSzmMSfpED1qUDCne/DqVS1NCEOObFCwYXHa4jzE55IseaIrbgQ+Nx0GpFs9162iGl1+5kMpn0Dfd/bb/D4r/CaO1d0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073637; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=BNtd5DQSNdOiTAD3O1dYfH1qZq8c9Hh+B1yu2aVSDQk=; b=N+6XZYeeSh4/4DwLg9cE90zI+fs+OgqlYIaljrn5sZvoZGG6uSllMvw6DiotytbI6+pKi6/TsgtNTTalG3YVEdfibRR3zvQNlvVmkqq4etmnAoPjiuM9XrMeilecJctxc+i3piqCAIFlUCsItALW09Gymfa5yB5Ud7jIDckAr/E= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114265+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073637973625.7332663062233; Tue, 23 Jan 2024 21:20:37 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=IM/SMbI1DpesVDzSzvRBUL9AH9B+bplNovmz7ZyxdnI=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073637; v=1; b=SQLzeh17oqGwzcJsCpELjRBy3skKqVTqLOYzmTuav5ervkm0qQ3fKccc6fBeL88fQaYDYp+v GuRWtQpQpFv3V8N5we+kGqTsEksveS8DzI+u18ckPSVH4WqgWy7UNXb8zzY+HyOEANE7sha8iq2 GIof1I2pI/PloY3MhKPfcFvk= X-Received: by 127.0.0.2 with SMTP id I6A0YY1788612xj9DTnf5YJJ; Tue, 23 Jan 2024 21:20:37 -0800 X-Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web11.16113.1706073637049071586 for ; Tue, 23 Jan 2024 21:20:37 -0800 X-Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-1d51ba18e1bso45715585ad.0 for ; Tue, 23 Jan 2024 21:20:37 -0800 (PST) X-Gm-Message-State: HzKUN97N1oDO0kjcdaCkPqrMx1787277AA= X-Google-Smtp-Source: AGHT+IG/7lhZo3RdEoCjMZzImfnTQRfNwSk9i0BZ1JQe/tiRwNiwyN2xYgWxx8gocZYv4sjuPDg+ng== X-Received: by 2002:a17:902:e802:b0:1d3:eb37:57bf with SMTP id u2-20020a170902e80200b001d3eb3757bfmr478601plg.12.1706073636214; Tue, 23 Jan 2024 21:20:36 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:35 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: Doug Flick , Saloni Kasbekar , Zachary Clark-williams , "Doug Flick [MSFT]" Subject: [edk2-devel] [PATCH 13/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests Date: Tue, 23 Jan 2024 19:33:36 -0800 Message-ID: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073638346100044 Content-Type: text/plain; charset="utf-8" From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4540 SECURITY PATCH - Unit Tests TCBZ4540 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Test/NetworkPkgHostTest.dsc | 5 +- .../GoogleTest/PxeBcDhcp6GoogleTest.h | 18 ++ .../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 278 +++++++++++++++++- 3 files changed, 298 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/Netwo= rkPkgHostTest.dsc index a0273c431025..fa301a7a52ab 100644 --- a/NetworkPkg/Test/NetworkPkgHostTest.dsc +++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc @@ -27,7 +27,10 @@ [Components] # NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf - NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf + NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf { + + UefiRuntimeServicesTableLib|MdePkg/Test/Mock/Library/GoogleTest/Mock= UefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.inf + } =20 # Despite these library classes being listed in [LibraryClasses] below, th= ey are not needed for the host-based unit tests. [LibraryClasses] diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/Ne= tworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h index b17c314791c8..0d825e44250a 100644 --- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h +++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h @@ -47,4 +47,22 @@ PxeBcCacheDnsServerAddresses ( IN PXEBC_DHCP6_PACKET_CACHE *Cache6 ); =20 +/** + Build and send out the request packet for the bootfile, and parse the re= ply. + + @param[in] Private The pointer to PxeBc private data. + @param[in] Index PxeBc option boot item type. + + @retval EFI_SUCCESS Successfully discovered the boot file. + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. + @retval EFI_NOT_FOUND Can't get the PXE reply packet. + @retval Others Failed to discover the boot file. + +**/ +EFI_STATUS +PxeBcRequestBootService ( + IN PXEBC_PRIVATE_DATA *Private, + IN UINT32 Index + ); + #endif // PXE_BC_DHCP6_GOOGLE_TEST_H_ diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/= NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp index 8260eeee50dc..bd423ebadfce 100644 --- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp +++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp @@ -4,7 +4,9 @@ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#include +#include +#include +#include =20 extern "C" { #include @@ -19,7 +21,8 @@ extern "C" { // Definitions //////////////////////////////////////////////////////////////////////////= ///// =20 -#define PACKET_SIZE (1500) +#define PACKET_SIZE (1500) +#define REQUEST_OPTION_LENGTH (120) =20 typedef struct { UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g.= , 0x03) @@ -76,6 +79,26 @@ MockConfigure ( } =20 // Needed by PxeBcSupport +EFI_STATUS +PxeBcDns6 ( + IN PXEBC_PRIVATE_DATA *Private, + IN CHAR16 *HostName, + OUT EFI_IPv6_ADDRESS *IpAddress + ) +{ + return EFI_SUCCESS; +} + +UINT32 +PxeBcBuildDhcp6Options ( + IN PXEBC_PRIVATE_DATA *Private, + OUT EFI_DHCP6_PACKET_OPTION **OptList, + IN UINT8 *Buffer + ) +{ + return EFI_SUCCESS; +} + EFI_STATUS EFIAPI QueueDpc ( @@ -159,6 +182,10 @@ TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) { ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private))= , EFI_DEVICE_ERROR); } =20 +//////////////////////////////////////////////////////////////////////////= ///// +// PxeBcCacheDnsServerAddresses Tests +//////////////////////////////////////////////////////////////////////////= ///// + class PxeBcCacheDnsServerAddressesTest : public ::testing::Test { public: PXEBC_PRIVATE_DATA Private =3D { 0 }; @@ -298,3 +325,250 @@ TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDns= Entries) { FreePool (Private.DnsServer); } } + +//////////////////////////////////////////////////////////////////////////= ///// +// PxeBcRequestBootServiceTest Test Cases +//////////////////////////////////////////////////////////////////////////= ///// + +class PxeBcRequestBootServiceTest : public ::testing::Test { +public: + PXEBC_PRIVATE_DATA Private =3D { 0 }; + EFI_UDP6_PROTOCOL Udp6Read; + +protected: + // Add any setup code if needed + virtual void + SetUp ( + ) + { + Private.Dhcp6Request =3D (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_= SIZE); + + // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL + // The function under test really only needs the following: + // UdpWrite + // UdpRead + + Private.PxeBc.UdpWrite =3D (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite; + Private.PxeBc.UdpRead =3D (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead; + + // Need to setup EFI_UDP6_PROTOCOL + // The function under test really only needs the following: + // Configure + + Udp6Read.Configure =3D (EFI_UDP6_CONFIGURE)MockConfigure; + Private.Udp6Read =3D &Udp6Read; + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + if (Private.Dhcp6Request !=3D NULL) { + FreePool (Private.Dhcp6Request); + } + + // Clean up any resources or variables + } +}; + +TEST_F (PxeBcRequestBootServiceTest, ServerDiscoverBasicUsageTest) { + PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType =3D = PxeOfferTypeProxyBinl; + + DHCP6_OPTION_SERVER_ID Server =3D { 0 }; + + Server.OptionCode =3D HTONS (DHCP6_OPT_SERVER_ID); + Server.OptionLen =3D HTONS (16); // valid length + UINT8 Index =3D 0; + + EFI_DHCP6_PACKET *Packet =3D (EFI_DHCP6_PACKET *)&Private.OfferBuffer[I= ndex].Dhcp6.Packet.Offer; + + UINT8 *Cursor =3D (UINT8 *)(Packet->Dhcp6.Option); + + CopyMem (Cursor, &Server, sizeof (Server)); + Cursor +=3D sizeof (Server); + + // Update the packet length + Packet->Length =3D (UINT16)(Cursor - (UINT8 *)Packet); + Packet->Size =3D PACKET_SIZE; + + ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Priva= te), Index), EFI_SUCCESS); +} + +TEST_F (PxeBcRequestBootServiceTest, AttemptDiscoverOverFlowExpectFailure)= { + PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType =3D = PxeOfferTypeProxyBinl; + + DHCP6_OPTION_SERVER_ID Server =3D { 0 }; + + Server.OptionCode =3D HTONS (DHCP6_OPT_SERVER_ID); + Server.OptionLen =3D HTONS (1500); // This length would overflow withou= t a check + UINT8 Index =3D 0; + + EFI_DHCP6_PACKET *Packet =3D (EFI_DHCP6_PACKET *)&Private.OfferBuffer[I= ndex].Dhcp6.Packet.Offer; + + UINT8 *Cursor =3D (UINT8 *)(Packet->Dhcp6.Option); + + CopyMem (Cursor, &Server, sizeof (Server)); + Cursor +=3D sizeof (Server); + + // Update the packet length + Packet->Length =3D (UINT16)(Cursor - (UINT8 *)Packet); + Packet->Size =3D PACKET_SIZE; + + // This is going to be stopped by the duid overflow check + ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Priva= te), Index), EFI_INVALID_PARAMETER); +} + +TEST_F (PxeBcRequestBootServiceTest, RequestBasicUsageTest) { + EFI_DHCP6_PACKET_OPTION RequestOpt =3D { 0 }; // the data section doesn= 't really matter + + RequestOpt.OpCode =3D HTONS (0x1337); + RequestOpt.OpLen =3D 0; // valid length + + UINT8 Index =3D 0; + + EFI_DHCP6_PACKET *Packet =3D (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[= Index]; + + UINT8 *Cursor =3D (UINT8 *)(Packet->Dhcp6.Option); + + CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); + Cursor +=3D sizeof (RequestOpt); + + // Update the packet length + Packet->Length =3D (UINT16)(Cursor - (UINT8 *)Packet); + Packet->Size =3D PACKET_SIZE; + + ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Priva= te), Index), EFI_SUCCESS); +} + +TEST_F (PxeBcRequestBootServiceTest, AttemptRequestOverFlowExpectFailure) { + EFI_DHCP6_PACKET_OPTION RequestOpt =3D { 0 }; // the data section doesn= 't really matter + + RequestOpt.OpCode =3D HTONS (0x1337); + RequestOpt.OpLen =3D 1500; // this length would overflow without a check + + UINT8 Index =3D 0; + + EFI_DHCP6_PACKET *Packet =3D (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[= Index]; + + UINT8 *Cursor =3D (UINT8 *)(Packet->Dhcp6.Option); + + CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); + Cursor +=3D sizeof (RequestOpt); + + // Update the packet length + Packet->Length =3D (UINT16)(Cursor - (UINT8 *)Packet); + Packet->Size =3D PACKET_SIZE; + + ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Priva= te), Index), EFI_OUT_OF_RESOURCES); +} + +//////////////////////////////////////////////////////////////////////////= ///// +// PxeBcDhcp6Discover Test +//////////////////////////////////////////////////////////////////////////= ///// + +class PxeBcDhcp6DiscoverTest : public ::testing::Test { +public: + PXEBC_PRIVATE_DATA Private =3D { 0 }; + EFI_UDP6_PROTOCOL Udp6Read; + +protected: + MockUefiRuntimeServicesTableLib RtServicesMock; + + // Add any setup code if needed + virtual void + SetUp ( + ) + { + Private.Dhcp6Request =3D (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_= SIZE); + + // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL + // The function under test really only needs the following: + // UdpWrite + // UdpRead + + Private.PxeBc.UdpWrite =3D (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite; + Private.PxeBc.UdpRead =3D (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead; + + // Need to setup EFI_UDP6_PROTOCOL + // The function under test really only needs the following: + // Configure + + Udp6Read.Configure =3D (EFI_UDP6_CONFIGURE)MockConfigure; + Private.Udp6Read =3D &Udp6Read; + } + + // Add any cleanup code if needed + virtual void + TearDown ( + ) + { + if (Private.Dhcp6Request !=3D NULL) { + FreePool (Private.Dhcp6Request); + } + + // Clean up any resources or variables + } +}; + +// Test Description +// This will cause an overflow by an untrusted packet during the option pa= rsing +TEST_F (PxeBcDhcp6DiscoverTest, BasicOverflowTest) { + EFI_IPv6_ADDRESS DestIp =3D { 0 }; + EFI_DHCP6_PACKET_OPTION RequestOpt =3D { 0 }; // the data section doesn= 't really matter + + RequestOpt.OpCode =3D HTONS (0x1337); + RequestOpt.OpLen =3D HTONS (0xFFFF); // overflow + + UINT8 *Cursor =3D (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option); + + CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); + Cursor +=3D sizeof (RequestOpt); + + Private.Dhcp6Request->Length =3D (UINT16)(Cursor - (UINT8 *)Private.Dhcp= 6Request); + + EXPECT_CALL (RtServicesMock, gRT_GetTime) + .WillOnce (::testing::Return (0)); + + ASSERT_EQ ( + PxeBcDhcp6Discover ( + &(PxeBcDhcp6DiscoverTest::Private), + 0, + NULL, + FALSE, + (EFI_IP_ADDRESS *)&DestIp + ), + EFI_OUT_OF_RESOURCES + ); +} + +// Test Description +// This will test that we can handle a packet with a valid option length +TEST_F (PxeBcDhcp6DiscoverTest, BasicUsageTest) { + EFI_IPv6_ADDRESS DestIp =3D { 0 }; + EFI_DHCP6_PACKET_OPTION RequestOpt =3D { 0 }; // the data section doesn= 't really matter + + RequestOpt.OpCode =3D HTONS (0x1337); + RequestOpt.OpLen =3D HTONS (0x30); + + UINT8 *Cursor =3D (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option); + + CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); + Cursor +=3D sizeof (RequestOpt); + + Private.Dhcp6Request->Length =3D (UINT16)(Cursor - (UINT8 *)Private.Dhcp= 6Request); + + EXPECT_CALL (RtServicesMock, gRT_GetTime) + .WillOnce (::testing::Return (0)); + + ASSERT_EQ ( + PxeBcDhcp6Discover ( + &(PxeBcDhcp6DiscoverTest::Private), + 0, + NULL, + FALSE, + (EFI_IP_ADDRESS *)&DestIp + ), + EFI_SUCCESS + ); +} --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114265): https://edk2.groups.io/g/devel/message/114265 Mute This Topic: https://groups.io/mt/103926744/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 10 09:50:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+114266+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114266+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1706073638; cv=none; d=zohomail.com; s=zohoarc; b=J4dk8HhYuAFCvuGeuvuy8IpXbs8y8ZRT1SPrKkuOxC1v+NE7CewOwg62AknwlJY4CiwB36frg080caWNtwQP2ZJv/yTeao50OBj7aVwWmKOmEXE/pD5vi/ml7Trp4XUEag6S4xM12kwHeW41s3XvOIBKZkgTHG9dTfbhhuHVzx4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706073638; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=ZkOUlcK8L51v+nhzas9NttB+iMp68HAjM6R2HW7UxTI=; b=ax8fg7mt1l+3exBrZsrpWeG3sKypek832dJR/8VsJmd25tFgAQ1+7LHvwr7B9LNI3+zSjeTxKLGrvCq+6eXln5/kXyg0mdsyhY7HkvST5eErh+I/WRSLEfKC222oeybeXzCTA4lVM+U7KY2Zl7epnaz0YRvR9Yj7HHRYrMMtQwE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+114266+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1706073638637210.18852900961178; Tue, 23 Jan 2024 21:20:38 -0800 (PST) Return-Path: DKIM-Signature: a=rsa-sha256; bh=drwnk8efp7PJ6VNmandE0urkkn5w+6Jvr/1aK/QyhOI=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1706073638; v=1; b=P6Af0OgB2UPlUagJSkdXB29SQ9xPqo9HDhLwgbkzIVlFn3HRqKKWUPbWBJiyTGw7TP7AV+EI K4NhvW4ZCwuW0H2ps3CSSj6Tr53H+habZ91iJ+/lMuGlxPtrYgBGmjdIv7sUcTLtQSqtJS6wNLW +WLcWFaKo5N1t/tcWgN7JTeQ= X-Received: by 127.0.0.2 with SMTP id btKxYY1788612xGl8CkkyCQw; Tue, 23 Jan 2024 21:20:38 -0800 X-Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.16104.1706073637789147739 for ; Tue, 23 Jan 2024 21:20:37 -0800 X-Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1d7859efea5so322045ad.0 for ; Tue, 23 Jan 2024 21:20:37 -0800 (PST) X-Gm-Message-State: 7JKl2VWRzh1lWgUvKBv7Axsvx1787277AA= X-Google-Smtp-Source: AGHT+IFrerRX9HU0Ukc+6Hi6HijpL8Aagv+1MLVZoCLAODS7tScJVzllFTlPduj7TIQjq7EBxjZcsw== X-Received: by 2002:a17:902:da82:b0:1d7:3131:4dd6 with SMTP id j2-20020a170902da8200b001d731314dd6mr208695plx.12.1706073637108; Tue, 23 Jan 2024 21:20:37 -0800 (PST) X-Received: from localhost.localdomain ([24.17.138.83]) by smtp.gmail.com with ESMTPSA id w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jan 2024 21:20:36 -0800 (PST) From: "Doug Flick via groups.io" To: devel@edk2.groups.io Cc: "Douglas Flick [MSFT]" , Saloni Kasbekar , Zachary Clark-williams Subject: [edk2-devel] [PATCH 14/14] NetworkPkg: : Adds a SecurityFix.yaml file Date: Tue, 23 Jan 2024 19:33:37 -0800 Message-ID: <851a15e8da32b3e6ecc43cd92a59c6ff3064a8f2.1706062164.git.doug.edk2@gmail.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dougflick@microsoft.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1706073640554100057 Content-Type: text/plain; charset="utf-8" This creates / adds a security file that tracks the security fixes found in this package and can be used to find the fixes that were applied. Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100644 NetworkPkg/SecurityFixes.yaml diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml new file mode 100644 index 000000000000..7e900483fec5 --- /dev/null +++ b/NetworkPkg/SecurityFixes.yaml @@ -0,0 +1,123 @@ +## @file +# Security Fixes for SecurityPkg +# +# Copyright (c) Microsoft Corporation +# SPDX-License-Identifier: BSD-2-Clause-Patent +## +CVE_2023_45229: + commit_titles: + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch" + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests" + cve: CVE-2023-45229 + date_reported: 2023-08-28 13:56 UTC + description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processi= ng IA_NA/IA_TA options in a DHCPv6 Advertise message" + note: + files_impacted: + - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c + - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h + links: + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4534 + - https://nvd.nist.gov/vuln/detail/CVE-2023-45229 + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce= pts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco= res-edk-ii-ipv6-network-stack.html +CVE_2023_45230: + commit_titles: + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch" + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests" + cve: CVE-2023-45230 + date_reported: 2023-08-28 13:56 UTC + description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 cl= ient via a long Server ID option" + note: + files_impacted: + - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c + - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h + links: + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4535 + - https://nvd.nist.gov/vuln/detail/CVE-2023-45230 + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce= pts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco= res-edk-ii-ipv6-network-stack.html +CVE_2023_45231: + commit_titles: + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch" + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests" + cve: CVE-2023-45231 + date_reported: 2023-08-28 13:56 UTC + description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling= a ND Redirect message with truncated options" + note: + files_impacted: + - NetworkPkg/Ip6Dxe/Ip6Option.c + links: + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4536 + - https://nvd.nist.gov/vuln/detail/CVE-2023-45231 + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce= pts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco= res-edk-ii-ipv6-network-stack.html +CVE_2023_45232: + commit_titles: + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests" + cve: CVE-2023-45232 + date_reported: 2023-08-28 13:56 UTC + description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unkno= wn options in the Destination Options header" + note: + files_impacted: + - NetworkPkg/Ip6Dxe/Ip6Option.c + - NetworkPkg/Ip6Dxe/Ip6Option.h + links: + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4537 + - https://nvd.nist.gov/vuln/detail/CVE-2023-45232 + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce= pts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco= res-edk-ii-ipv6-network-stack.html +CVE_2023_45233: + commit_titles: + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests" + cve: CVE-2023-45233 + date_reported: 2023-08-28 13:56 UTC + description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a Pad= N option in the Destination Options header " + note: This was fixed along with CVE-2023-45233 + files_impacted: + - NetworkPkg/Ip6Dxe/Ip6Option.c + - NetworkPkg/Ip6Dxe/Ip6Option.h + links: + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4538 + - https://nvd.nist.gov/vuln/detail/CVE-2023-45233 + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce= pts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco= res-edk-ii-ipv6-network-stack.html +CVE_2023_45234: + commit_titles: + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch" + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests" + cve: CVE-2023-45234 + date_reported: 2023-08-28 13:56 UTC + description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing = DNS Servers option in a DHCPv6 Advertise message" + note: + files_impacted: + - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c + links: + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4539 + - https://nvd.nist.gov/vuln/detail/CVE-2023-45234 + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce= pts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco= res-edk-ii-ipv6-network-stack.html +CVE_2023_45235: + commit_titles: + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch" + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests" + cve: CVE-2023-45235 + date_reported: 2023-08-28 13:56 UTC + description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Se= rver ID option from a DHCPv6 proxy Advertise message" + note: + files_impacted: + - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c + - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h + links: + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4540 + - https://nvd.nist.gov/vuln/detail/CVE-2023-45235 + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce= pts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco= res-edk-ii-ipv6-network-stack.html --=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114266): https://edk2.groups.io/g/devel/message/114266 Mute This Topic: https://groups.io/mt/103926745/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-