From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61]) by mx.groups.io with SMTP id smtpd.web10.7993.1582825236953004122 for ; Thu, 27 Feb 2020 09:40:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=WBGtrL/H; spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1582825236; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9MpwSy0uA6kCxiggor2sOkZKmBIjpD9IFcEQDIUY+98=; b=WBGtrL/HVYfc+TFDXXVWmfeUZo4QZ9bCZmoXlY++6KPf99y0uM4LGW4DH5bxjHF3vFQ0h1 /LIXzix86fKt+/zZ1ceWcg1DqY96NJt90YXfT0a9pBu/WWcgLauXPLhRSMkYOlwGsC5vvT O6N6oZuJNTGxLqxj6zgA2OaDB33JeJg= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-486-xITbAlbnMp-Ai7mnMucWlQ-1; Thu, 27 Feb 2020 12:40:29 -0500 X-MC-Unique: xITbAlbnMp-Ai7mnMucWlQ-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6ABBA800D5A; Thu, 27 Feb 2020 17:40:27 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-46.ams2.redhat.com [10.36.116.46]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2586919C69; Thu, 27 Feb 2020 17:40:24 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive flow. From: "Laszlo Ersek" To: devel@edk2.groups.io, maciej.rabeda@linux.intel.com, Liming Gao , Michael Kinney , Andrew Fish , "Leif Lindholm (Linaro address)" Cc: Ray Ni , Zhichao Gao , nicholas.armour@intel.com References: <20200227110212.1070-1-maciej.rabeda@linux.intel.com> Message-ID: <4dcf2f0b-c86e-7533-3428-ad07e9129f2d@redhat.com> Date: Thu, 27 Feb 2020 18:40:24 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit On 02/27/20 14:14, Laszlo Ersek wrote: > (+Liming and stewards; CC Nick) > > On 02/27/20 12:02, Maciej Rabeda wrote: >> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2032 >> >> 'ping' command's receive flow utilizes a single Rx token which it >> attempts to reuse before recycling the previously received packet. >> This causes a situation where under ICMP traffic, >> Ping6OnEchoReplyReceived() function will receive an already >> recycled packet with EFI_SUCCESS token status and finally >> dereference invalid pointers from RxData structure. >> >> Cc: Ray Ni >> Cc: Zhichao Gao >> Signed-off-by: Maciej Rabeda >> --- >> ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c | 9 +++++---- >> 1 file changed, 5 insertions(+), 4 deletions(-) >> >> diff --git a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c >> index 23567fa2c1bb..a3fa32515192 100644 >> --- a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c >> +++ b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c >> @@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived ( >> >> ON_EXIT: >> >> + // >> + // Recycle the packet before reusing RxToken >> + // >> + gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal); >> + >> if (Private->RxCount < Private->SendNum) { >> // >> // Continue to receive icmp echo reply packets. >> @@ -632,10 +637,6 @@ ON_EXIT: >> // >> Private->Status = EFI_SUCCESS; >> } >> - // >> - // Singal to recycle the each rxdata here, not at the end of process. >> - // >> - gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal); >> } >> >> /** >> > > (1) This patch proposes to fix one of the BZs (2032) that fall under > CVE-2019-14559 (joint tracker: 2550). > > Consequently: > > (1a) Do we want to include this in the upcoming stable tag? > > If so, we might want to extend the hard feature freeze by a few days. > > (1b) Please append the string " (CVE-2019-14559)" -- note the separating > space! -- to the subject line. > > (2) However: I remember from an earlier Bugzilla entry (can't tell > off-hand, which one, sorry) that ShellPkg issues are *never* considered > CVE-worthy, because the shell is not considered a "production element" > of the UEFI boot path. I misremembered -- there is indeed a comment like that, in the TianoCore bugzilla, but it does not refer to ShellPkg. It refers to StdLib (which has since been split off to the edk2-libc project): https://bugzilla.tianocore.org/show_bug.cgi?id=1510#c1 StdLib is supposed to be used only by applications in shell, all of which are meant for debug, diagnosis and/or test purpose, not for product UEFI BIOS. Any issue in it will not be taken as security issue but just normal bug. Sorry about causing confusion. So, the ShellPkg maintainers should decide what to do about this bug (keep it under the CVE scope vs. exclude it from the CVE scope; and then, propose it for the stable tag or merge it afterwards). One data point: the bug appears to go back to the inception of the Ping command, in historical commit 68fb05272b45 ("Add Network1 profile.", 2011-03-25). It's not a new bug, it seems. Thanks Laszlo > > TianoCore#2032 was originally filed for NetworkPkg, and indeed that > seemed to justify the CVE assignment. However, now that Nick's and > Maciej's analysis shows that NetworkPkg is unaffected (and we know, per > above, that ShellPkg is not CVE-worthy), should we rather *remove* this > BZ from the CVE-2019-14559 umbrella? > > Because, in that case, modifying the subject line on the patch is not > necessary; and more importantly, we might not even want to put this into > edk2-stable202002. (It's still a bugfix, but may not be important enough.) > > Thanks! > Laszlo >