|
| 1 | +From aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Gua Guo <gua.guo@intel.com> |
| 3 | +Date: Thu, 11 Jan 2024 13:07:50 +0800 |
| 4 | +Subject: [PATCH] EmbeddedPkg/Hob: Integer Overflow in CreateHob() |
| 5 | + |
| 6 | +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 |
| 7 | + |
| 8 | +Fix integer overflow in various CreateHob instances. |
| 9 | +Fixes: CVE-2022-36765 |
| 10 | + |
| 11 | +The CreateHob() function aligns the requested size to 8 |
| 12 | +performing the following operation: |
| 13 | +``` |
| 14 | +HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); |
| 15 | +``` |
| 16 | + |
| 17 | +No checks are performed to ensure this value doesn't |
| 18 | +overflow, and could lead to CreateHob() returning a smaller |
| 19 | +HOB than requested, which could lead to OOB HOB accesses. |
| 20 | + |
| 21 | +Reported-by: Marc Beatove <mbeatove@google.com> |
| 22 | +Cc: Leif Lindholm <quic_llindhol@quicinc.com> |
| 23 | +Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org> |
| 24 | +Cc: Abner Chang <abner.chang@amd.com> |
| 25 | +Cc: John Mathew <john.mathews@intel.com> |
| 26 | +Authored-by: Gerd Hoffmann <kraxel@redhat.com> |
| 27 | +Signed-off-by: Gua Guo <gua.guo@intel.com> |
| 28 | +--- |
| 29 | + EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++ |
| 30 | + 1 file changed, 43 insertions(+) |
| 31 | + |
| 32 | +diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c |
| 33 | +index 8eb175aa96f9..cbc35152ccbc 100644 |
| 34 | +--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c |
| 35 | ++++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c |
| 36 | +@@ -110,6 +110,13 @@ CreateHob ( |
| 37 | + |
| 38 | + HandOffHob = GetHobList (); |
| 39 | + |
| 40 | ++ // |
| 41 | ++ // Check Length to avoid data overflow. |
| 42 | ++ // |
| 43 | ++ if (HobLength > MAX_UINT16 - 0x7) { |
| 44 | ++ return NULL; |
| 45 | ++ } |
| 46 | ++ |
| 47 | + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); |
| 48 | + |
| 49 | + FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; |
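Review bot: The new comment above the guard, "Check Length to avoid data overflow", does not say what overflows or why the bound is `MAX_UINT16 - 0x7`. Assuming HobLength is a UINT16, as the cast suggests, the addition itself is done in a wider type and the wrap happens at the `(UINT16)` truncation, so a length just under 64 KiB rounds to a much smaller value. I would word the comment as `// Reject lengths whose round-up to a multiple of 8 no longer fits in UINT16; the cast below would truncate it and yield a HOB smaller than requested.` This check also gives CreateHob a new NULL return path, which its header comment should mention; that comment and the rest of the body are outside the hunk.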
| 50 | +@@ -160,6 +167,9 @@ BuildResourceDescriptorHob ( |
| 51 | + |
| 52 | + Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); |
| 53 | + ASSERT (Hob != NULL); |
| 54 | ++ if (Hob == NULL) { |
| 55 | ++ return; |
| 56 | ++ } |
| 57 | + |
| 58 | + Hob->ResourceType = ResourceType; |
| 59 | + Hob->ResourceAttribute = ResourceAttribute; |
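Review bot: When ASSERT is compiled out, the added `if (Hob == NULL) { return; }` drops the resource descriptor HOB without any trace, and because the function returns nothing the caller cannot tell that the HOB was never published. The same pattern is added in BuildModuleHob, BuildFvHob, BuildFv2Hob, BuildFv3Hob, BuildCpuHob, BuildStackHob and BuildMemoryAllocationHob. At minimum the guard should carry a comment such as `// CreateHob failed (size check or no free HOB memory): this HOB is not published and later phases will not see it.` Each function's header comment should state that the HOB may be skipped on failure. Platforms that depend on these HOBs for memory or firmware-volume discovery may want a logged error or a halt here rather than a quiet return; the function bodies start and end outside these hunks, so existing handling could not be checked.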
| 60 | +@@ -401,6 +411,10 @@ BuildModuleHob ( |
| 61 | + ); |
| 62 | + |
| 63 | + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); |
| 64 | ++ ASSERT (Hob != NULL); |
| 65 | ++ if (Hob == NULL) { |
| 66 | ++ return; |
| 67 | ++ } |
| 68 | + |
| 69 | + CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); |
| 70 | + Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; |
| 71 | +@@ -449,6 +463,11 @@ BuildGuidHob ( |
| 72 | + ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); |
| 73 | + |
| 74 | + Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); |
| 75 | ++ ASSERT (Hob != NULL); |
| 76 | ++ if (Hob == NULL) { |
| 77 | ++ return NULL; |
| 78 | ++ } |
| 79 | ++ |
| 80 | + CopyGuid (&Hob->Name, Guid); |
| 81 | + return Hob + 1; |
| 82 | + } |
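Review bot: The only bound on DataLength visible here is `ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)))`, so in a build with ASSERT disabled the `(UINT16)` cast in the CreateHob call truncates an oversized sum before the new check in CreateHob ever sees it. CreateHob would then succeed with a small HOB and the caller, presumably holding the original DataLength, would still write past it. A runtime guard before the call closes that path: `if (DataLength > (0xffff - sizeof (EFI_HOB_GUID_TYPE))) { return NULL; }`. Since BuildGuidHob can now return NULL, its callers (outside this hunk) must check the result before copying data into it.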
| 83 | +@@ -512,6 +531,10 @@ BuildFvHob ( |
| 84 | + EFI_HOB_FIRMWARE_VOLUME *Hob; |
| 85 | + |
| 86 | + Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); |
| 87 | ++ ASSERT (Hob != NULL); |
| 88 | ++ if (Hob == NULL) { |
| 89 | ++ return; |
| 90 | ++ } |
| 91 | + |
| 92 | + Hob->BaseAddress = BaseAddress; |
| 93 | + Hob->Length = Length; |
| 94 | +@@ -543,6 +566,10 @@ BuildFv2Hob ( |
| 95 | + EFI_HOB_FIRMWARE_VOLUME2 *Hob; |
| 96 | + |
| 97 | + Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); |
| 98 | ++ ASSERT (Hob != NULL); |
| 99 | ++ if (Hob == NULL) { |
| 100 | ++ return; |
| 101 | ++ } |
| 102 | + |
| 103 | + Hob->BaseAddress = BaseAddress; |
| 104 | + Hob->Length = Length; |
| 105 | +@@ -584,6 +611,10 @@ BuildFv3Hob ( |
| 106 | + EFI_HOB_FIRMWARE_VOLUME3 *Hob; |
| 107 | + |
| 108 | + Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3)); |
| 109 | ++ ASSERT (Hob != NULL); |
| 110 | ++ if (Hob == NULL) { |
| 111 | ++ return; |
| 112 | ++ } |
| 113 | + |
| 114 | + Hob->BaseAddress = BaseAddress; |
| 115 | + Hob->Length = Length; |
| 116 | +@@ -639,6 +670,10 @@ BuildCpuHob ( |
| 117 | + EFI_HOB_CPU *Hob; |
| 118 | + |
| 119 | + Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); |
| 120 | ++ ASSERT (Hob != NULL); |
| 121 | ++ if (Hob == NULL) { |
| 122 | ++ return; |
| 123 | ++ } |
| 124 | + |
| 125 | + Hob->SizeOfMemorySpace = SizeOfMemorySpace; |
| 126 | + Hob->SizeOfIoSpace = SizeOfIoSpace; |
| 127 | +@@ -676,6 +711,10 @@ BuildStackHob ( |
| 128 | + ); |
| 129 | + |
| 130 | + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK)); |
| 131 | ++ ASSERT (Hob != NULL); |
| 132 | ++ if (Hob == NULL) { |
| 133 | ++ return; |
| 134 | ++ } |
| 135 | + |
| 136 | + CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid); |
| 137 | + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; |
| 138 | +@@ -756,6 +795,10 @@ BuildMemoryAllocationHob ( |
| 139 | + ); |
| 140 | + |
| 141 | + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); |
| 142 | ++ ASSERT (Hob != NULL); |
| 143 | ++ if (Hob == NULL) { |
| 144 | ++ return; |
| 145 | ++ } |
| 146 | + |
| 147 | + ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); |
| 148 | + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; |