* [PATCH V1 1/1] OvmfPkg/TdxHelperLib: Check the HobLength of EFI_HOB_GUID_TYPE
@ 2023-03-15 8:22 cepingx.sun
0 siblings, 0 replies; only message in thread
From: cepingx.sun @ 2023-03-15 8:22 UTC (permalink / raw)
To: devel
Cc: sunceping, Erdem Aktas, James Bottomley, Jiewen Yao, Min Xu,
Tom Lendacky, Michael Roth
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4364
Currently, the length of type EFI_HOB_TYPE_GUID_EXTENSION is not checked
because it is variable length data. This might give a chance to an buffer
overflow issue.
Fix this by checking the HobLength of EFI_HOB_GUID_TYPE to make sure that
it is legal. In the meantime, the total size of TdHob is checked to ensure
the Hobs in TdHob would not overflow.
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sun Ceping <cepingx.sun@intel.com>
---
OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c | 20 ++++++++++++++++++-
.../IntelTdx/TdxHelperLib/SecTdxHelperLib.inf | 1 +
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
index 3372cee2f720..818a6932cf66 100644
--- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
+++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
@@ -566,11 +566,17 @@ ValidateHobList (
BZ3937_EFI_RESOURCE_MEMORY_UNACCEPTED
};
+ UINT32 TotalSize;
+ UINT32 TDHobSize;
+
if (VmmHobList == NULL) {
DEBUG ((DEBUG_ERROR, "HOB: HOB data pointer is NULL\n"));
return FALSE;
}
+ TotalSize = 0;
+ TDHobSize = (UINT32)FixedPcdGet32 (PcdOvmfSecGhcbSize);
+
Hob.Raw = (UINT8 *)VmmHobList;
//
@@ -587,6 +593,12 @@ ValidateHobList (
return FALSE;
}
+ TotalSize += Hob.Header->HobLength;
+ if (TotalSize > TDHobSize) {
+ DEBUG ((DEBUG_ERROR, "HOB: TD Hob Size was overflow. Totalsize is 0x%x\n", TotalSize));
+ return FALSE;
+ }
+
switch (Hob.Header->HobType) {
case EFI_HOB_TYPE_HANDOFF:
if (Hob.Header->HobLength != sizeof (EFI_HOB_HANDOFF_INFO_TABLE)) {
@@ -651,8 +663,14 @@ ValidateHobList (
break;
- // EFI_HOB_GUID_TYPE is variable length data, so skip check
+ // EFI_HOB_GUID_TYPE is variable length data. The total size of the TdHob list is checked at the beginning of the loop.
+ // So we only need to check the min size of the HOB.
case EFI_HOB_TYPE_GUID_EXTENSION:
+ if (Hob.Header->HobLength < sizeof (EFI_HOB_GUID_TYPE)) {
+ DEBUG ((DEBUG_ERROR, "HOB: Hob length is not less than corresponding hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_GUID_EXTENSION));
+ return FALSE;
+ }
+
break;
case EFI_HOB_TYPE_FV:
diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
index d17b84c01f20..d5859588536b 100644
--- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
+++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
@@ -46,6 +46,7 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase
gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataSize
--
2.34.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2023-03-15 8:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-03-15 8:22 [PATCH V1 1/1] OvmfPkg/TdxHelperLib: Check the HobLength of EFI_HOB_GUID_TYPE cepingx.sun
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox