On Thu, 11 Jan 2024 at 06:15, <gua....@intel.com> wrote:
>
> From: Gerd Hoffmann <kra...@redhat.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove <mbeat...@google.com>
> Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
> Cc: Sami Mujawar <sami.muja...@arm.com>
> Cc: Ray Ni <ray...@intel.com>
> Cc: John Mathew <john.math...@intel.com>
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>

Reviewed-by: Ard Biesheuvel <a...@kernel.org> > --- > .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git > a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c > b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c > index 1550e1babc..29ade2e4ef 100644 > --- > a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c > +++ > b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c > @@ -34,6 +34,12 @@ CreateHob ( > > HandOffHob = GetHobList (); > > + // > + // Check Length to avoid data overflow. > + // > + if (HobLength > MAX_UINT16 - 0x7) { > + return NULL; > + } > HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); > > FreeMemory = HandOffHob->EfiFreeMemoryTop - > HandOffHob->EfiFreeMemoryBottom; > -- > 2.39.2.windows.1
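
Review bot: The new guard in CreateHob() returns NULL with no diagnostic, and its comment ("Check Length to avoid data overflow.") does not say what overflows. The bound itself looks right: assuming HobLength is a UINT16, as the cast suggests, any value above MAX_UINT16 - 0x7 rounds up to 0x10000, which the (UINT16) cast on the following line would truncate to 0. Consider rewording the comment to state that rounding up to a multiple of 8 must not wrap a UINT16, adding a blank line between the closing brace and the `HobLength = (UINT16)((HobLength + 0x7) & (~0x7));` assignment, and confirming that the callers of this CreateHob() instance check for a NULL return, since the hunk does not show them.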