From: Gerd Hoffmann <kra...@redhat.com> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances. Fixes: CVE-2022-36765 The CreateHob() function aligns the requested size to 8 performing the following operation: ``` HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); ``` No checks are performed to ensure this value doesn't overflow, and could lead to CreateHob() returning a smaller HOB than requested, which could lead to OOB HOB accesses. Reported-by: Marc Beatove <mbeat...@google.com> Cc: Liming Gao <gaolim...@byosoft.com.cn> Cc: John Mathew <john.math...@intel.com> Signed-off-by: Gerd Hoffmann <kra...@redhat.com> --- MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c b/MdeModulePkg/Core/Pei/Hob/Hob.c index c4882a23cd..985da50995 100644 --- a/MdeModulePkg/Core/Pei/Hob/Hob.c +++ b/MdeModulePkg/Core/Pei/Hob/Hob.c @@ -85,7 +85,7 @@ PeiCreateHob ( // // Check Length to avoid data overflow. // - if (0x10000 - Length <= 0x7) { + if (MAX_UINT16 - Length < 0x7) { return EFI_INVALID_PARAMETER; } -- 2.39.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113580): https://edk2.groups.io/g/devel/message/113580 Mute This Topic: https://groups.io/mt/103657274/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-