On Tue, Jan 23, 2024 at 07:33:24PM -0800, Doug Flick via groups.io wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535
>
> SECURITY PATCH - Patch

Not needed, the CVE number below implies that.

> TCBZ4535

Not needed, the link to tianocore bugzilla is above.

> CVE-2023-45230
> CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
> CWE-119 Improper Restriction of Operations within the Bounds
> of a Memory Buffer

Good. Given that this series of bugs got a fancy name I think it makes sense to include that too ("pixiefail bug #1").

Please include a description of the bug and how it is fixed.

[ the same applies to the following patches ]

> -UINT8 *
> +EFI_STATUS
> Dhcp6AppendOption (
> - IN OUT UINT8 *Buf,
> - IN UINT16 OptType,
> - IN UINT16 OptLen,
> - IN UINT8 *Data
> + IN OUT EFI_DHCP6_PACKET *Packet,
> + IN OUT UINT8 **PacketCursor,
> + IN UINT16 OptType,
> + IN UINT16 OptLen,
> + IN UINT8 *Data
> );

Dhcp6AppendOption() and variants can return errors now. All callsites are adapted accordingly.

It gets passed in EFI_DHCP6_PACKET as additional parameter ...

> + //
> + // Verify the PacketCursor is within the packet
> + //
> + if ( (*PacketCursor < Packet->Dhcp6.Option)
> + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof
> (EFI_DHCP6_HEADER))))
> + {
> + return EFI_INVALID_PARAMETER;
> + }

... so it can look at Packet->Size when checking buffer space. Also to allow Packet->Length updates.

Lots of checks added. The code changes look good to me. The key changes should be highlighted in the commit message.

thanks,
  Gerd
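
Review bot: In the Dhcp6AppendOption prototype, the switch from returning UINT8 * to EFI_STATUS means the updated write position now comes back only through *PacketCursor, and the declaration should document that contract. State in the function header comment which EFI_STATUS values can be returned and that *PacketCursor and Packet->Length are left unchanged on failure, so a caller that mishandles an error cannot keep appending from a half-advanced cursor. Data is marked IN only, so it could also be declared CONST UINT8 *.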
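
Review bot: In the PacketCursor range check, the upper bound is computed as Packet->Size - sizeof (EFI_DHCP6_HEADER) with no visible prior check that Packet->Size is at least sizeof (EFI_DHCP6_HEADER); for a smaller Size the unsigned subtraction wraps and the bound no longer constrains the cursor. Suggest rejecting Packet->Size < sizeof (EFI_DHCP6_HEADER), along with NULL Packet, PacketCursor and *PacketCursor, with EFI_INVALID_PARAMETER before this comparison. This test also only establishes that the cursor lies inside the option area; whether OptLen plus the option header fits in the remaining space has to be checked separately against the same bound.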