Hi @Gao, Liming
I may need to get your help to check this change when you're available.
If it's fine for you from MdeModulePkg, I think we can merge this PR.
https://github.com/tianocore/edk2/pull/5252
Thanks,
Gua
-Original Message-
From: Guo, Gua
Sent: Thursday, January 11, 2024 5:15 PM
To: devel@edk2.groups.io
Cc: Guo, Gua ; Marc Beatove ; Gao,
Liming ; Mathews, John ; Gerd
Hoffmann
Subject: [PATCH v2 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()
From: Gua Guo
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8 performing the
following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't overflow, and could lead
to CreateHob() returning a smaller HOB than requested, which could lead to OOB
HOB accesses.
Reported-by: Marc Beatove
Cc: Liming Gao
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
---
MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c b/MdeModulePkg/Core/Pei/Hob/Hob.c
index c4882a23cd..985da50995 100644
--- a/MdeModulePkg/Core/Pei/Hob/Hob.c
+++ b/MdeModulePkg/Core/Pei/Hob/Hob.c
@@ -85,7 +85,7 @@ PeiCreateHob (
// // Check Length to avoid data overflow. //- if (0x1 - Length <=
0x7) {+ if (MAX_UINT16 - Length < 0x7) { return EFI_INVALID_PARAMETER; }
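Review bot: The comment above the changed comparison in PeiCreateHob() still says only "Check Length to avoid data overflow", and the commit message says no checks are performed, yet this hunk edits a check that is already present. Please have the comment name what the bound protects, namely the align-up quoted in the commit message, `(UINT16)((HobLength + 0x7) & (~0x7))`, and note that `MAX_UINT16 - Length < 0x7` rejects any Length whose rounded-up value would not fit in 16 bits. The commit message for this file would also be clearer if it said how the new comparison differs from the one it replaces, since the shared description reads as if the check were missing here.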
--
2.39.2.windows.1
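An added illustration, not part of the original email or of the edk2 sources: a stand-alone C model of the align-up quoted in the commit message, next to a guarded form that uses the comparison from the patch. The function names and the local `MAX_UINT16` definition are stand-ins chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_UINT16 0xFFFFu  /* local stand-in for the edk2 constant */

/* Align-up as quoted in the commit message; the cast truncates to 16 bits. */
static uint16_t align8_unchecked(uint16_t len) {
    return (uint16_t)((len + 0x7) & (~0x7));
}

/* Guarded form using the comparison from the patch.
 * Returns the aligned length, or -1 when the request is rejected. */
static int32_t align8_checked(uint16_t len) {
    if (MAX_UINT16 - len < 0x7) {
        return -1;
    }
    return align8_unchecked(len);
}

/* Sweep every 16-bit length. Counts the lengths for which the unchecked
 * align-up yields less than was requested, and confirms the guard rejects
 * exactly those. Returns that count, or -1 if guard and wrap disagree. */
static int sweep(void) {
    int wrapped = 0;
    for (uint32_t l = 0; l <= MAX_UINT16; l++) {
        uint16_t len = (uint16_t)l;
        int shrinks = align8_unchecked(len) < len;
        int32_t r = align8_checked(len);
        if (shrinks != (r < 0)) return -1;
        if (r >= 0 && (r < (int32_t)len || (r & 7))) return -1;
        wrapped += shrinks;
    }
    return wrapped;
}

int main(void) {
    /* 0xFFFA is a constructed sample request near the 16-bit limit. */
    printf("unchecked(0xFFFA) = 0x%04X\n", (unsigned)align8_unchecked(0xFFFA));
    printf("checked(0xFFFA)   = %d\n", (int)align8_checked(0xFFFA));
    printf("checked(0xFFF8)   = 0x%04X\n", (unsigned)align8_checked(0xFFF8));
    printf("wrapping lengths  = %d\n", sweep());
    return 0;
}
```

The sweep shows the guard and the wrap condition coincide: every length the guard accepts aligns to a value at least as large as the request.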