[PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo

[PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo

[Laszlo Ersek]

Repo:   https://pagure.io/lersek/edk2.git
Branch: tianocore_1816_resend
Ref:    https://bugzilla.tianocore.org/show_bug.cgi?id=1816

"RESEND" because I'm publicly posting the patch from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c9>.

The Reviewed-by tags on the patch originate from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c12> and
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c17>.

Repeated the simple regression test at
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c10>.

This series targets edk2-stable202011. I plan to merge it later this
week, based on Liming's R-b.

Liming, highlighting TianoCore#1816 in the "proposed features" list
could be useful.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>

Thanks!
Laszlo

Laszlo Ersek (1):
  MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer
    sizes

 MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
 MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c            | 7 +++++++
 2 files changed, 12 insertions(+)

-- 
2.19.1.3.g30247aa5d201

[PATCH RESEND 1/1] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes

[Laszlo Ersek]

The LzmaUefiDecompressGetInfo() function
[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
silently truncates the UINT64 "DecodedSize" property of the compressed
blob to the UINT32 "DestinationSize" output parameter.

If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
allocation (for decompression) will likely succeed (allocating 0x100 bytes
only), but then the LzmaUefiDecompress() function (which re-fetches the
uncompressed buffer size from the same LZMA header into a "SizeT"
variable) will overwrite the buffer.

Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
This should not be a practical limitation. (The issue cannot be fixed for
32-bit systems without spec modifications anyway, given that the
"OutputSize" output parameter of
EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
not UINT64.)

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
 MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c            | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
index 26f110ba2a12..fbafd5f10055 100644
--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
@@ -9,6 +9,7 @@
 #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__
 #define __LZMADECOMPRESSLIB_INTERNAL_H__
 
+#include <Base.h>
 #include <PiPei.h>
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
@@ -45,6 +46,10 @@
                           in DestinationSize and the size of the scratch
                           buffer was returned in ScratchSize.
 
+  @retval RETURN_UNSUPPORTED  DestinationSize cannot be output because the
+                              uncompressed buffer size (in bytes) does not fit
+                              in a UINT32. Output parameters have not been
+                              modified.
 **/
 RETURN_STATUS
 EFIAPI
diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
index c58912eb6a45..8f7c242dcaa8 100644
--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf(
                           in DestinationSize and the size of the scratch
                           buffer was returned in ScratchSize.
 
+  @retval RETURN_UNSUPPORTED  DestinationSize cannot be output because the
+                              uncompressed buffer size (in bytes) does not fit
+                              in a UINT32. Output parameters have not been
+                              modified.
 **/
 RETURN_STATUS
 EFIAPI
@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo (
   ASSERT(SourceSize >= LZMA_HEADER_SIZE);
 
   DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
+  if (DecodedSize > MAX_UINT32) {
+    return RETURN_UNSUPPORTED;
+  }
 
   *DestinationSize = (UINT32)DecodedSize;
   *ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE;
-- 
2.19.1.3.g30247aa5d201

Re: [edk2-devel] [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo

[Laszlo Ersek]

On 11/19/20 12:50, Laszlo Ersek wrote:
> Repo:   https://pagure.io/lersek/edk2.git
> Branch: tianocore_1816_resend
> Ref:    https://bugzilla.tianocore.org/show_bug.cgi?id=1816
> 
> "RESEND" because I'm publicly posting the patch from
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c9>.
> 
> The Reviewed-by tags on the patch originate from
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c12> and
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c17>.
> 
> Repeated the simple regression test at
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c10>.
> 
> This series targets edk2-stable202011. I plan to merge it later this
> week, based on Liming's R-b.
> 
> Liming, highlighting TianoCore#1816 in the "proposed features" list
> could be useful.
> 
> Cc: Dandan Bi <dandan.bi@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> 
> Thanks!
> Laszlo
> 
> Laszlo Ersek (1):
>   MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer
>     sizes
> 
>  MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
>  MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c            | 7 +++++++
>  2 files changed, 12 insertions(+)
> 

Merged as commit e7bd0dd26db7, via
<https://github.com/tianocore/edk2/pull/1138>.

Thanks,
Laszlo