Re: [edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()

Wed, 10 Jan 2024 22:52:27 -0800 

On Thu, 11 Jan 2024 at 06:15, <gua....@intel.com> wrote:
>
> From: Gerd Hoffmann <kra...@redhat.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove <mbeat...@google.com>
> Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
> Cc: Sami Mujawar <sami.muja...@arm.com>
> Cc: Ray Ni <ray...@intel.com>
> Cc: John Mathew <john.math...@intel.com>
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>

Reviewed-by: Ard Biesheuvel <a...@kernel.org>

> ---
>  .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git 
> a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c 
> b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> index 1550e1babc..29ade2e4ef 100644
> --- 
> a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> +++ 
> b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> @@ -34,6 +34,12 @@ CreateHob (
>
>    HandOffHob = GetHobList ();
>
> +  //
> +  // Check Length to avoid data overflow.
> +  //
> +  if (HobLength > MAX_UINT16 - 0x7) {
> +    return NULL;
> +  }
>    HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
>
>    FreeMemory = HandOffHob->EfiFreeMemoryTop - 
> HandOffHob->EfiFreeMemoryBottom;
> --
> 2.39.2.windows.1
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113581): https://edk2.groups.io/g/devel/message/113581
Mute This Topic: https://groups.io/mt/103657272/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to