From: Gerd Hoffmann <kra...@redhat.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeat...@google.com>
Cc: Liming Gao <gaolim...@byosoft.com.cn>
Cc: John Mathew <john.math...@intel.com>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
---
MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c b/MdeModulePkg/Core/Pei/Hob/Hob.c
index c4882a23cd..985da50995 100644
--- a/MdeModulePkg/Core/Pei/Hob/Hob.c
+++ b/MdeModulePkg/Core/Pei/Hob/Hob.c
@@ -85,7 +85,7 @@ PeiCreateHob (
//
// Check Length to avoid data overflow.
//
- if (0x10000 - Length <= 0x7) {
+ if (MAX_UINT16 - Length < 0x7) {
return EFI_INVALID_PARAMETER;
}
--
2.39.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113580): https://edk2.groups.io/g/devel/message/113580
Mute This Topic: https://groups.io/mt/103657274/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
