From: cepingx.sun@intel.com To: devel@edk2.groups.io Cc: sunceping , Erdem Aktas , James Bottomley , Jiewen Yao , Min Xu , Tom Lendacky , Michael Roth Subject: [PATCH V1 1/1] OvmfPkg/TdxHelperLib: Check the HobLength of EFI_HOB_GUID_TYPE Date: Wed, 15 Mar 2023 16:22:12 +0800 Message-Id: <20230315082212.1979-1-cepingx.sun@intel.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4364 Currently, the length of type EFI_HOB_TYPE_GUID_EXTENSION is not checked because it is variable length data. This might give a chance to an buffer overflow issue. Fix this by checking the HobLength of EFI_HOB_GUID_TYPE to make sure that it is legal. In the meantime, the total size of TdHob is checked to ensure the Hobs in TdHob would not overflow. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Cc: Michael Roth Signed-off-by: Sun Ceping --- OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c | 20 ++++++++++++++++++- .../IntelTdx/TdxHelperLib/SecTdxHelperLib.inf | 1 + 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c index 3372cee2f720..818a6932cf66 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c @@ -566,11 +566,17 @@ ValidateHobList ( BZ3937_EFI_RESOURCE_MEMORY_UNACCEPTED }; + UINT32 TotalSize; + UINT32 TDHobSize; + if (VmmHobList == NULL) { DEBUG ((DEBUG_ERROR, "HOB: HOB data pointer is NULL\n")); return FALSE; } + TotalSize = 0; + TDHobSize = (UINT32)FixedPcdGet32 (PcdOvmfSecGhcbSize); + Hob.Raw = (UINT8 *)VmmHobList; // 
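Review bot: Nothing at `TDHobSize = (UINT32)FixedPcdGet32 (PcdOvmfSecGhcbSize);` explains why a GHCB size is the right limit for the VMM-supplied TD HOB list. Presumably the TD HOB is placed in the region described by `PcdOvmfSecGhcbBase`, which the .inf already lists, but that relationship is not visible in this hunk. Once confirmed, I would add a comment above the assignment such as `// The TD HOB list occupies the PcdOvmfSecGhcbBase/PcdOvmfSecGhcbSize region, so that size bounds the whole list.` so nobody later mistakes the bound for a copy-paste error. ValidateHobList starts before this hunk and continues past it.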
@@ -587,6 +593,12 @@ ValidateHobList ( return FALSE; } + TotalSize += Hob.Header->HobLength; + if (TotalSize > TDHobSize) { + DEBUG ((DEBUG_ERROR, "HOB: TD Hob Size was overflow. Totalsize is 0x%x\n", TotalSize)); + return FALSE; + } + switch (Hob.Header->HobType) { case EFI_HOB_TYPE_HANDOFF: if (Hob.Header->HobLength != sizeof (EFI_HOB_HANDOFF_INFO_TABLE)) { @@ -651,8 +663,14 @@ ValidateHobList ( break; - // EFI_HOB_GUID_TYPE is variable length data, so skip check + // EFI_HOB_GUID_TYPE is variable length data. The total size of the TdHob list is checked at the beginning of the loop. + // So we only need to check the min size of the HOB. case EFI_HOB_TYPE_GUID_EXTENSION: + if (Hob.Header->HobLength < sizeof (EFI_HOB_GUID_TYPE)) { + DEBUG ((DEBUG_ERROR, "HOB: Hob length is not less than corresponding hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_GUID_EXTENSION)); + return FALSE; + } + break; case EFI_HOB_TYPE_FV: diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf index d17b84c01f20..d5859588536b 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf @@ -46,6 +46,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataSize -- 2.34.1
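Review bot: The new check `if (TotalSize > TDHobSize)` accepts a list whose HOBs end exactly at `TDHobSize`, or within one header's length of it, so the next HOB's header can still be read past the end of the region. The list comes from the VMM. The code that advances `Hob.Raw` and reads the next header is outside this hunk, so this is inferred from the visible lines only. Assuming the end-of-list HOB is not itself passed through this body, requiring room for one more generic header closes the gap: `if (TotalSize + sizeof (EFI_HOB_GENERIC_HEADER) > TDHobSize) {`.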
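Review bot: The error text in the `EFI_HOB_TYPE_GUID_EXTENSION` case says the opposite of the condition that triggers it. The branch fires when `HobLength < sizeof (EFI_HOB_GUID_TYPE)`, but the message reads "is not less than", which would mislead anyone triaging a rejected HOB list from the debug log. I would change it to `"HOB: Hob length is less than corresponding hob structure. Type: 0x%04x\n"`. The case also accepts any length at or above the minimum, including values that are not a multiple of 8. If later consumers of the list rely on HOB alignment, that could be rejected here as well.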