From mboxrd@z Thu Jan 1 00:00:00 1970
From: "gaoliming via groups.io"
Cc: 'Marc Beatove', 'John Mathew', 'Gerd Hoffmann'
Subject: Re: [edk2-devel] [PATCH v3 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()
Date: Tue, 16 Jan 2024 22:39:19 +0800
Message-ID: <02c401da4889$ca5ad200$5f107600$@byosoft.com.cn>
In-Reply-To: <20240112022521.710-5-gua.guo@intel.com>

Gua:
I think the new code logic is the same as the old one. Can you point out what the difference is here?

Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Guo, Gua
> Sent: January 12, 2024 10:25
> To: devel@edk2.groups.io
> Cc: gua.guo@intel.com; Marc Beatove; Liming Gao; John Mathew; Gerd Hoffmann
> Subject: [edk2-devel] [PATCH v3 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()
>
> From: Gua Guo
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove
> Cc: Liming Gao
> Cc: John Mathew
> Authored-by: Gerd Hoffmann
> Signed-off-by: Gua Guo
> ---
> MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c > b/MdeModulePkg/Core/Pei/Hob/Hob.c > index c4882a23cd..985da50995 100644 > --- a/MdeModulePkg/Core/Pei/Hob/Hob.c > +++ b/MdeModulePkg/Core/Pei/Hob/Hob.c > @@ -85,7 +85,7 @@ PeiCreateHob ( > // >=20 > // Check Length to avoid data overflow. >=20 > // >=20 > - if (0x10000 - Length <=3D 0x7) { >=20 > + if (MAX_UINT16 - Length < 0x7) { >=20 > return EFI_INVALID_PARAMETER; >=20 > } >=20 >=20 >=20 > -- > 2.39.2.windows.1
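Review bot: The commit message presents this as an overflow fix, but in the PeiCreateHob hunk the new condition `MAX_UINT16 - Length < 0x7` rejects the same values as the old `0x10000 - Length <= 0x7` for any Length in the UINT16 range: both return EFI_INVALID_PARAMETER once Length reaches 0xFFF9 and both accept 0xFFF8. If the intent here is only to use the named constant and match the form of the check in the other CreateHob instances, the commit message for this patch should say that it is a no-functional-change cleanup; if a behavioural difference is intended, it should name the Length value that is now handled differently. The comment `// Check Length to avoid data overflow.` would also be more useful if it stated the bound, for example that the largest accepted Length is 0xFFF8 because the value is rounded up to a multiple of 8 and stored in 16 bits.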
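The wrap described in the commit message, and a comparison of the old and new guard over every 16-bit length, as an added example that is not code from the thread or from edk2. It assumes Length is a 16-bit unsigned value; the helper names are hypothetical and 0xFFFF stands in for MAX_UINT16.

```c
#include <stdint.h>
#include <stdio.h>

/* The alignment from the commit message, with no guard in front of it. */
static uint16_t align8_unchecked(uint16_t len) {
    return (uint16_t)((len + 0x7) & (~0x7));
}

/* Guard as written on the '-' line of the hunk. */
static int old_guard_rejects(uint16_t len) { return (0x10000 - len) <= 0x7; }

/* Guard as written on the '+' line; 0xFFFF stands in for MAX_UINT16. */
static int new_guard_rejects(uint16_t len) { return (0xFFFF - len) < 0x7; }

/* Smallest length whose aligned size wraps below the request. */
static uint32_t first_wrapping_length(void) {
    for (uint32_t len = 0; len <= 0xFFFF; len++)
        if (align8_unchecked((uint16_t)len) < len) return len;
    return 0x10000; /* no wrap found */
}

/* Number of lengths on which the two guards disagree. */
static unsigned guard_mismatches(void) {
    unsigned n = 0;
    for (uint32_t len = 0; len <= 0xFFFF; len++)
        if (old_guard_rejects((uint16_t)len) != new_guard_rejects((uint16_t)len)) n++;
    return n;
}

/* Number of lengths that pass the new guard and still wrap when aligned. */
static unsigned wraps_past_guard(void) {
    unsigned n = 0;
    for (uint32_t len = 0; len <= 0xFFFF; len++)
        if (!new_guard_rejects((uint16_t)len) &&
            align8_unchecked((uint16_t)len) < len) n++;
    return n;
}

int main(void) {
    printf("first wrapping length: 0x%X -> aligned 0x%X\n",
           (unsigned)first_wrapping_length(),
           (unsigned)align8_unchecked((uint16_t)first_wrapping_length()));
    printf("guard mismatches: %u, wraps past guard: %u\n",
           guard_mismatches(), wraps_past_guard());
    return 0;
}
```
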