* [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo
@ 2020-11-19 11:50 Laszlo Ersek
2020-11-19 11:50 ` [PATCH RESEND 1/1] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes Laszlo Ersek
2020-11-21 2:07 ` [edk2-devel] [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo Laszlo Ersek
0 siblings, 2 replies; 3+ messages in thread
From: Laszlo Ersek @ 2020-11-19 11:50 UTC (permalink / raw)
To: edk2-devel-groups-io
Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao,
Philippe Mathieu-Daudé
Repo: https://pagure.io/lersek/edk2.git
Branch: tianocore_1816_resend
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
"RESEND" because I'm publicly posting the patch from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c9>.
The Reviewed-by tags on the patch originate from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c12> and
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c17>.
Repeated the simple regression test at
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c10>.
This series targets edk2-stable202011. I plan to merge it later this
week, based on Liming's R-b.
Liming, highlighting TianoCore#1816 in the "proposed features" list
could be useful.
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Thanks!
Laszlo
Laszlo Ersek (1):
MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer
sizes
MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++
2 files changed, 12 insertions(+)
--
2.19.1.3.g30247aa5d201
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH RESEND 1/1] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes
2020-11-19 11:50 [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo Laszlo Ersek
@ 2020-11-19 11:50 ` Laszlo Ersek
2020-11-21 2:07 ` [edk2-devel] [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo Laszlo Ersek
1 sibling, 0 replies; 3+ messages in thread
From: Laszlo Ersek @ 2020-11-19 11:50 UTC (permalink / raw)
To: edk2-devel-groups-io
Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao,
Philippe Mathieu-Daudé
The LzmaUefiDecompressGetInfo() function
[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
silently truncates the UINT64 "DecodedSize" property of the compressed
blob to the UINT32 "DestinationSize" output parameter.
If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
allocation (for decompression) will likely succeed (allocating 0x100 bytes
only), but then the LzmaUefiDecompress() function (which re-fetches the
uncompressed buffer size from the same LZMA header into a "SizeT"
variable) will overwrite the buffer.
Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
This should not be a practical limitation. (The issue cannot be fixed for
32-bit systems without spec modifications anyway, given that the
"OutputSize" output parameter of
EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
not UINT64.)
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++
2 files changed, 12 insertions(+)
diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
index 26f110ba2a12..fbafd5f10055 100644
--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
@@ -9,6 +9,7 @@
#ifndef __LZMADECOMPRESSLIB_INTERNAL_H__
#define __LZMADECOMPRESSLIB_INTERNAL_H__
+#include <Base.h>
#include <PiPei.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
@@ -45,6 +46,10 @@
in DestinationSize and the size of the scratch
buffer was returned in ScratchSize.
+ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
+ uncompressed buffer size (in bytes) does not fit
+ in a UINT32. Output parameters have not been
+ modified.
**/
RETURN_STATUS
EFIAPI
diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
index c58912eb6a45..8f7c242dcaa8 100644
--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf(
in DestinationSize and the size of the scratch
buffer was returned in ScratchSize.
+ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
+ uncompressed buffer size (in bytes) does not fit
+ in a UINT32. Output parameters have not been
+ modified.
**/
RETURN_STATUS
EFIAPI
@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo (
ASSERT(SourceSize >= LZMA_HEADER_SIZE);
DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
+ if (DecodedSize > MAX_UINT32) {
+ return RETURN_UNSUPPORTED;
+ }
*DestinationSize = (UINT32)DecodedSize;
*ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE;
--
2.19.1.3.g30247aa5d201
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [edk2-devel] [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo
2020-11-19 11:50 [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo Laszlo Ersek
2020-11-19 11:50 ` [PATCH RESEND 1/1] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes Laszlo Ersek
@ 2020-11-21 2:07 ` Laszlo Ersek
1 sibling, 0 replies; 3+ messages in thread
From: Laszlo Ersek @ 2020-11-21 2:07 UTC (permalink / raw)
To: edk2-devel-groups-io
Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao,
Philippe Mathieu-Daudé
On 11/19/20 12:50, Laszlo Ersek wrote:
> Repo: https://pagure.io/lersek/edk2.git
> Branch: tianocore_1816_resend
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
>
> "RESEND" because I'm publicly posting the patch from
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c9>.
>
> The Reviewed-by tags on the patch originate from
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c12> and
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c17>.
>
> Repeated the simple regression test at
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c10>.
>
> This series targets edk2-stable202011. I plan to merge it later this
> week, based on Liming's R-b.
>
> Liming, highlighting TianoCore#1816 in the "proposed features" list
> could be useful.
>
> Cc: Dandan Bi <dandan.bi@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
>
> Thanks!
> Laszlo
>
> Laszlo Ersek (1):
> MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer
> sizes
>
> MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
> MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++
> 2 files changed, 12 insertions(+)
>
Merged as commit e7bd0dd26db7, via
<https://github.com/tianocore/edk2/pull/1138>.
Thanks,
Laszlo
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-11-21 2:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-11-19 11:50 [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo Laszlo Ersek
2020-11-19 11:50 ` [PATCH RESEND 1/1] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes Laszlo Ersek
2020-11-21 2:07 ` [edk2-devel] [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo Laszlo Ersek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox