public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Laszlo Ersek <lersek@redhat.com>
To: "Gao, Liming" <liming.gao@intel.com>,
	"Zeng, Star" <star.zeng@intel.com>,
	 "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: Re: [Patch 0/3] Add more checker for Tianocompress and Ueficompress
Date: Thu, 18 Oct 2018 18:01:14 +0200	[thread overview]
Message-ID: <155ff850-d652-30c9-5c02-7f1412a8f079@redhat.com> (raw)
In-Reply-To: <4A89E2EF3DFEDB4C8BFDE51014F606A14E33D7CF@SHSMSX104.ccr.corp.intel.com>

On 10/18/18 15:36, Gao, Liming wrote:
> Laszlo and Star:
>   Thank your notes. I will add CVE number in patch subject although it
>   will make subject long than 80 characters.

I agree the subject will be overlong, but I also think that including
the CVE numbers is important enough for that.

> Here is my proposed patch subject: CVE-2017-5731..5735 MdePkg: Add
> more checker in UefiDecompressLib to access the valid buffer only.

I suggest (based on tradition) that we keep the normal subject at the
front, and then we append the CVE numbers at the end. Also, we should
spell out all those CVE identifiers individually, if the same patch
solves them all. It should be possible to search the subject line for
any one of these CVE numbers in separation, using the official CVE
number format.

>   In PEI phase, the recovery image is from the external device. If the
>   recovery image has the corrupt EFI compression section, they will be
>   handled by EFI Decompression PPI.

In the PEI phase, if the recovery image is crafted, it could cause a
buffer overflow during decompression. However, if the recovery image is
crafted, it might as well decompress cleanly, and once it is dispatched,
do "bad things". Do the decompression and the dispatch occur at
different privilege levels?

> In DXE phase, UEFI option ROM is the third party code. If it is EFI
> compression option ROM, EFI decompression protocol will be used to
> decode its data. I don't think SMM uses EFI decompression protocol.
> UefiDecompressionLib is used as EFI compression PPI/Protocol. It
> matches PI EFI compression section instead of GUID section. So, it has
> no GUID extraction PPI/Protocol.

In the DXE phase, if the option ROM is crafted, it could cause a buffer
overflow when it is decompressed. But, again, how is that different from
when a crafted oprom decompresses cleanly, and then does "bad things"
when it is dispatched?

Here (in the DXE phase), I can imagine two answers myself:

(1) Decompression occurs before Secure Boot validation, but dispatch
occurs only after. Therefore a crafted UEFI image could cause problems
via decompression even if it would fail SB verification later.

(2) Decompression of UEFI option ROMs occurs before PlatformBDS locks
down SMRAM and lockboxes. However, the execution of UEFI option ROMs
is deferred until after the lockdown.

Do these scenarios apply? Because, if they do, I agree the issue
qualifies as privilege escalation.

Thank you!
Laszlo


  reply	other threads:[~2018-10-18 16:01 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-16  2:06 [Patch 0/3] Add more checker for Tianocompress and Ueficompress Liming Gao
2018-10-16  2:06 ` [Patch 1/3] MdePkg: Add more checker in UefiDecompressLib to access the valid buffer only Liming Gao
2018-10-16  2:06 ` [Patch 2/3] IntelFrameworkModulePkg: Add more checker in UefiTianoDecompressLib Liming Gao
2018-10-16  2:06 ` [Patch 3/3] BaseTools: Add more checker in Decompress algorithm to access the valid buffer Liming Gao
2018-10-18 12:28   ` Zhu, Yonghong
2018-10-18  3:04 ` [Patch 0/3] Add more checker for Tianocompress and Ueficompress Zeng, Star
2018-10-18 13:02   ` Laszlo Ersek
2018-10-18 13:36     ` Gao, Liming
2018-10-18 16:01       ` Laszlo Ersek [this message]
2018-10-19  6:40         ` Gao, Liming
2018-10-19 11:24           ` Laszlo Ersek
2018-10-19 14:40             ` Gao, Liming
2018-10-22  8:30               ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=155ff850-d652-30c9-5c02-7f1412a8f079@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox