From: Gerd Hoffmann <kra...@redhat.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeat...@google.com>
Cc: Guo Dong <guo.d...@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james...@intel.com>
Reviewed-by: Gua Guo <gua....@intel.com>
Cc: John Mathew <john.math...@intel.com>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
---
UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
index 2c3acbbc19..f2bd2650b6 100644
--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
@@ -110,6 +110,12 @@ CreateHob (
HandOffHob = GetHobList ();
+ //
+ // Check Length to avoid data overflow.
+ //
+ if (HobLength > MAX_UINT16 - 0x7) {
+ return NULL;
+ }
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
--
2.39.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113577): https://edk2.groups.io/g/devel/message/113577
Mute This Topic: https://groups.io/mt/103657271/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
