From: "Doug Flick via groups.io"
To: devel@edk2.groups.io
Cc: Doug Flick, Saloni Kasbekar, Zachary Clark-williams, "Doug Flick [MSFT]"
Subject: [edk2-devel] [PATCH 09/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
Date: Tue, 23 Jan 2024 19:33:32 -0800
Message-ID: <38a84f68019d820e9284fbfc5f666bf64cbdd674.1706062164.git.doug.edk2@gmail.com>
Reply-To: devel@edk2.groups.io,dougflick@microsoft.com

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

SECURITY PATCH - Patch TCBZ4539
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++---
 1 file changed, 65 insertions(+), 6 deletions(-)

diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c index 425e0cf8061d..2b2d372889a3 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -3,6 +3,7 @@ =0D (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
=0D Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
=0D + Copyright (c) Microsoft Corporation=0D =0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D 
@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer ( }=0D }=0D =0D +/**=0D + Cache the DHCPv6 DNS Server addresses=0D +=0D + @param[in] Private The pointer to PXEBC_PRIVATE_DATA.=0D + @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE= .=0D +=0D + @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address suc= cessfully.=0D + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.=0D + @retval EFI_DEVICE_ERROR The DNS Server Address Length provided = by a untrusted=0D + option is not a multiple of 16 bytes (s= izeof (EFI_IPv6_ADDRESS)).=0D +**/=0D +EFI_STATUS=0D +PxeBcCacheDnsServerAddresses (=0D + IN PXEBC_PRIVATE_DATA *Private,=0D + IN PXEBC_DHCP6_PACKET_CACHE *Cache6=0D + )=0D +{=0D + UINT16 DnsServerLen;=0D +=0D + DnsServerLen =3D NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpL= en);=0D + //=0D + // Make sure that the number is nonzero=0D + //=0D + if (DnsServerLen =3D=3D 0) {=0D + return EFI_DEVICE_ERROR;=0D + }=0D +=0D + //=0D + // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)=0D + //=0D + if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) !=3D 0) {=0D + return EFI_DEVICE_ERROR;=0D + }=0D +=0D + //=0D + // This code is currently written to only support a single DNS Server in= stead=0D + // of multiple such as is spec defined (RFC3646, Section 3). 
The proper = behavior=0D + // would be to allocate the full space requested, CopyMem all of the dat= a,=0D + // and then add a DnsServerCount field to Private and update additional = code=0D + // that depends on this.=0D + //=0D + // To support multiple DNS servers the `AllocationSize` would need to be= changed to DnsServerLen=0D + //=0D + // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=3D1= 886=0D + //=0D + Private->DnsServer =3D AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS));=0D + if (Private->DnsServer =3D=3D NULL) {=0D + return EFI_OUT_OF_RESOURCES;=0D + }=0D +=0D + //=0D + // Intentionally only copy over the first server address.=0D + // To support multiple DNS servers, the `Length` would need to be change= d to DnsServerLen=0D + //=0D + CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]= ->Data, sizeof (EFI_IPv6_ADDRESS));=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D /**=0D Handle the DHCPv6 offer packet.=0D =0D @@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer ( UINT32 SelectIndex;=0D UINT32 Index;=0D =0D + ASSERT (Private !=3D NULL);=0D ASSERT (Private->SelectIndex > 0);=0D SelectIndex =3D (UINT32)(Private->SelectIndex - 1);=0D ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);=0D 
@@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer ( Status =3D EFI_SUCCESS;=0D =0D //=0D - // First try to cache DNS server address if DHCP6 offer provides.=0D + // First try to cache DNS server addresses if DHCP6 offer provides.=0D //=0D if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] !=3D NULL) {=0D - Private->DnsServer =3D AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_= DHCP6_IDX_DNS_SERVER]->OpLen));=0D - if (Private->DnsServer =3D=3D NULL) {=0D - return EFI_OUT_OF_RESOURCES;=0D + Status =3D PxeBcCacheDnsServerAddresses (Private, Cache6);=0D + if (EFI_ERROR (Status)) {=0D + return Status;=0D }=0D -=0D - CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVE= R]->Data, sizeof (EFI_IPv6_ADDRESS));=0D }=0D =0D if (Cache6->OfferType =3D=3D PxeOfferTypeDhcpBinl) {=0D --=20 2.43.0
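Review bot: in the hunk at @@ -1312,6 +1313,65 @@, PxeBcCacheDnsServerAddresses() dereferences Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen in its first statement with no NULL check of its own, so it is safe only because the one visible caller tests that pointer first. The function is not declared STATIC, so either make it STATIC or return early when the option pointer is NULL. The @retval EFI_DEVICE_ERROR text describes only the not-a-multiple-of-16 case, while the code returns the same status for a zero OpLen (which the modulo test alone would accept); document both cases and change "a untrusted" to "an untrusted".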
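Review bot: in the hunk at @@ -1335,6 +1395,7 @@, the added ASSERT (Private != NULL) at the top of PxeBcHandleDhcp6Offer() is not a runtime check in builds where ASSERT is disabled, so it records the assumption but does not protect the Private->SelectIndex dereference on the following line. If a NULL Private is reachable, return EFI_INVALID_PARAMETER instead; if it is not, the ASSERT is harmless but unrelated to the length validation this patch is about and would sit better in a separate cleanup change.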
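Review bot: in the hunk at @@ -1342,15 +1403,13 @@, returning Status from the PXEBC_DHCP6_IDX_DNS_SERVER block changes behaviour: previously only an allocation failure ended offer handling, and now a zero or misaligned DNS option length aborts it with EFI_DEVICE_ERROR. Confirm that failing the whole offer is intended rather than skipping the DNS option and continuing, and state the choice in the commit message. The commit message should also describe the defect the removed lines show: AllocateZeroPool() sized by the packet's OpLen followed by a CopyMem() of sizeof (EFI_IPv6_ADDRESS) bytes, which writes past the allocation whenever OpLen is below 16.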