From: "Doug Flick via groups.io"
To: devel@edk2.groups.io
Cc: Doug Flick, Saloni Kasbekar, Zachary Clark-williams, "Doug Flick [MSFT]"
Subject: [edk2-devel] [PATCH 07/14] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
Date: Tue, 23 Jan 2024 19:33:30 -0800
Message-ID: <53d416e177a558d2d95e0fe7b2aecb52e6745bf3.1706062164.git.doug.edk2@gmail.com>

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

SECURITY PATCH - Patch

TCBZ4537
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

TCBZ4538
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/Ip6Dxe/Ip6Option.h | 89 +++++++++++++++++++++++++++++++++++
 NetworkPkg/Ip6Dxe/Ip6Option.c | 76 +++++++++++++++++++++++++-----
 2 files changed, 154 insertions(+), 11 deletions(-)

diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h
index bd8e223c8a67..5d786073ebcb 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.h
@@ -12,6 +12,95 @@ =0D #define IP6_FRAGMENT_OFFSET_MASK (~0x3)=0D =0D +//=0D +// Per RFC8200 Section 4.2=0D +//=0D +// Two of the currently-defined extension headers -- the Hop-by-Hop=0D +// Options header and the Destination Options header -- carry a variable= =0D +// number of type-length-value (TLV) encoded "options", of the following= =0D +// format:=0D +//=0D +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -=0D +// | Option Type | Opt Data Len | Option Data=0D +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -=0D +//=0D +// Option Type 8-bit identifier of the type of option.=0D +//=0D +// Opt Data Len 8-bit unsigned integer. Length of the Option= =0D +// Data field of this option, in octets.=0D +//=0D +// Option Data Variable-length field. Option-Type-specific= =0D +// data.=0D +//=0D +#define IP6_SIZE_OF_OPT_TYPE (sizeof(UINT8))=0D +#define IP6_SIZE_OF_OPT_LEN (sizeof(UINT8))=0D +#define IP6_COMBINED_SIZE_OF_OPT_TAG_AND_LEN (IP6_SIZE_OF_OPT_TYPE + IP6_= SIZE_OF_OPT_LEN)=0D +#define IP6_OFFSET_OF_OPT_LEN(a) (a + IP6_SIZE_OF_OPT_TYPE)=0D +STATIC_ASSERT (=0D + IP6_OFFSET_OF_OPT_LEN (0) =3D=3D 1,=0D + "The Length field should be 1 octet (8 bits) past the start of the optio= n"=0D + );=0D +=0D +#define IP6_NEXT_OPTION_OFFSET(offset, length) (offset + IP6_COMBINED_SIZ= E_OF_OPT_TAG_AND_LEN + length)=0D +STATIC_ASSERT (=0D + IP6_NEXT_OPTION_OFFSET (0, 0) =3D=3D 2,=0D + "The next option is minimally the combined size of the option tag and le= ngth"=0D + );=0D +=0D +//=0D +// For more information see RFC 8200, Section 4.3, 4.4, and 4.6=0D +//=0D +// This example format is from section 4.6=0D +// This does not apply to fragment headers=0D +//=0D +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+=0D +// | Next Header | Hdr Ext Len | |=0D +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +=0D +// | |=0D +// . .=0D +// . Header-Specific Data .=0D +// . 
.=0D +// | |=0D +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+=0D +//=0D +// Next Header 8-bit selector. Identifies the type of=0D +// header immediately following the extension=0D +// header. Uses the same values as the IPv4=0D +// Protocol field [IANA-PN].=0D +//=0D +// Hdr Ext Len 8-bit unsigned integer. Length of the=0D +// Destination Options header in 8-octet units,= =0D +// not including the first 8 octets.=0D +=0D +//=0D +// These defines apply to the following:=0D +// 1. Hop by Hop=0D +// 2. Routing=0D +// 3. Destination=0D +//=0D +#define IP6_SIZE_OF_EXT_NEXT_HDR (sizeof(UINT8))=0D +#define IP6_SIZE_OF_HDR_EXT_LEN (sizeof(UINT8))=0D +=0D +#define IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN (IP6_SIZE_OF_EXT_NEXT_HDR += IP6_SIZE_OF_HDR_EXT_LEN)=0D +STATIC_ASSERT (=0D + IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN =3D=3D 2,=0D + "The combined size of Next Header and Len is two 8 bit fields"=0D + );=0D +=0D +//=0D +// The "+ 1" in this calculation is because of the "not including the firs= t 8 octets"=0D +// part of the definition (meaning the value of 0 represents 64 bits)=0D +//=0D +#define IP6_HDR_EXT_LEN(a) (((UINT16)(UINT8)(a) + 1) * 8)=0D +=0D +// This is the maxmimum length permissible by a extension header=0D +// Length is UINT8 of 8 octets not including the first 8 octets=0D +#define IP6_MAX_EXT_DATA_LENGTH (IP6_HDR_EXT_LEN (MAX_UINT8) - IP6_COMBIN= ED_SIZE_OF_NEXT_HDR_AND_LEN)=0D +STATIC_ASSERT (=0D + IP6_MAX_EXT_DATA_LENGTH =3D=3D 2046,=0D + "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2"=0D + );=0D +=0D typedef struct _IP6_FRAGMENT_HEADER {=0D UINT8 NextHeader;=0D UINT8 Reserved;=0D diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 8718d5d8756a..144f8d34dead 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c 
@@ -17,7 +17,8 @@ @param[in] IpSb The IP6 service data.=0D @param[in] Packet The to be validated packet.=0D @param[in] Option The first byte of the option.=0D - @param[in] OptionLen The length of the whole option.=0D + @param[in] OptionLen The length of all options, expressed in by= te length of octets.=0D + Maximum length is 2046 bytes or ((n + 1) *= 8) - 2 where n is 255.=0D @param[in] Pointer Identifies the octet offset within=0D the invoking packet where the error was de= tected.=0D =0D @@ -31,12 +32,33 @@ Ip6IsOptionValid ( IN IP6_SERVICE *IpSb,=0D IN NET_BUF *Packet,=0D IN UINT8 *Option,=0D - IN UINT8 OptionLen,=0D + IN UINT16 OptionLen,=0D IN UINT32 Pointer=0D )=0D {=0D - UINT8 Offset;=0D - UINT8 OptionType;=0D + UINT16 Offset;=0D + UINT8 OptionType;=0D + UINT8 OptDataLen;=0D +=0D + if (Option =3D=3D NULL) {=0D + ASSERT (Option !=3D NULL);=0D + return FALSE;=0D + }=0D +=0D + if ((OptionLen <=3D 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) {=0D + ASSERT (OptionLen > 0 && OptionLen <=3D IP6_MAX_EXT_DATA_LENGTH);=0D + return FALSE;=0D + }=0D +=0D + if (Packet =3D=3D NULL) {=0D + ASSERT (Packet !=3D NULL);=0D + return FALSE;=0D + }=0D +=0D + if (IpSb =3D=3D NULL) {=0D + ASSERT (IpSb !=3D NULL);=0D + return FALSE;=0D + }=0D =0D Offset =3D 0;=0D =0D @@ -54,7 +76,8 @@ Ip6IsOptionValid ( //=0D // It is a PadN option=0D //=0D - Offset =3D (UINT8)(Offset + *(Option + Offset + 1) + 2);=0D + OptDataLen =3D *(IP6_OFFSET_OF_OPT_LEN (Option + Offset));=0D + Offset =3D IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);=0D break;=0D case Ip6OptionRouterAlert:=0D //=0D @@ -69,7 +92,8 @@ Ip6IsOptionValid ( //=0D switch (OptionType & Ip6OptionMask) {=0D case Ip6OptionSkip:=0D - Offset =3D (UINT8)(Offset + *(Option + Offset + 1));=0D + OptDataLen =3D *(IP6_OFFSET_OF_OPT_LEN (Option + Offset));=0D + Offset =3D IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);=0D break;=0D case Ip6OptionDiscard:=0D return FALSE;=0D 
@@ -308,7 +332,7 @@ Ip6IsExtsValid ( UINT32 Pointer;=0D UINT32 Offset;=0D UINT8 *Option;=0D - UINT8 OptionLen;=0D + UINT16 OptionLen;=0D BOOLEAN Flag;=0D UINT8 CountD;=0D UINT8 CountA;=0D @@ -385,6 +409,36 @@ Ip6IsExtsValid ( // Fall through=0D //=0D case IP6_DESTINATION:=0D + //=0D + // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23= =0D + //=0D + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+=0D + // | Next Header | Hdr Ext Len | = |=0D + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ = +=0D + // | = |=0D + // . = .=0D + // . Options = .=0D + // . = .=0D + // | = |=0D + // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+=0D + //=0D + //=0D + // Next Header 8-bit selector. Identifies the type of header= =0D + // immediately following the Destination Options= =0D + // header. Uses the same values as the IPv4=0D + // Protocol field [RFC-1700 et seq.].=0D + //=0D + // Hdr Ext Len 8-bit unsigned integer. Length of the=0D + // Destination Options header in 8-octet units, n= ot=0D + // including the first 8 octets.=0D + //=0D + // Options Variable-length field, of length such that the= =0D + // complete Destination Options header is an=0D + // integer multiple of 8 octets long. Contains o= ne=0D + // or more TLV-encoded options, as described in= =0D + // section 4.2.=0D + //=0D +=0D if (*NextHeader =3D=3D IP6_DESTINATION) {=0D CountD++;=0D }=0D @@ -398,7 +452,7 @@ Ip6IsExtsValid ( =0D Offset++;=0D Option =3D ExtHdrs + Offset;=0D - OptionLen =3D (UINT8)((*Option + 1) * 8 - 2);=0D + OptionLen =3D IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEX= T_HDR_AND_LEN;=0D Option++;=0D Offset++;=0D =0D @@ -430,7 +484,7 @@ Ip6IsExtsValid ( //=0D // Ignore the routing header and proceed to process the next hea= der.=0D //=0D - Offset =3D Offset + (RoutingHead->HeaderLen + 1) * 8;=0D + Offset =3D Offset + IP6_HDR_EXT_LEN (RoutingHead->HeaderLen);=0D =0D if (UnFragmentLen !=3D NULL) {=0D *UnFragmentLen =3D Offset;=0D 
@@ -441,7 +495,7 @@ Ip6IsExtsValid ( // to the packet's source address, pointing to the unrecognized = routing=0D // type.=0D //=0D - Pointer =3D Offset + 2 + sizeof (EFI_IP6_HEADER);=0D + Pointer =3D Offset + IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN + siz= eof (EFI_IP6_HEADER);=0D if ((IpSb !=3D NULL) && (Packet !=3D NULL) &&=0D !IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddress))=0D {=0D @@ -527,7 +581,7 @@ Ip6IsExtsValid ( //=0D // RFC2402, Payload length is specified in 32-bit words, minus "2"= .=0D //=0D - OptionLen =3D (UINT8)((*Option + 2) * 4);=0D + OptionLen =3D ((UINT16)(*Option + 2) * 4);=0D Offset =3D Offset + OptionLen;=0D break;=0D =0D --=20 2.43.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114259): https://edk2.groups.io/g/devel/message/114259 Mute This Topic: https://groups.io/mt/103926738/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-
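Review bot: in the Ip6Option.h hunk (@@ -12,6 +12,95) the new function-like macros IP6_OFFSET_OF_OPT_LEN(a) and IP6_NEXT_OPTION_OFFSET(offset, length) expand their parameters unparenthesized, so an argument containing a lower-precedence operator would be grouped wrongly after expansion; suggest `#define IP6_OFFSET_OF_OPT_LEN(a) ((a) + IP6_SIZE_OF_OPT_TYPE)` and `#define IP6_NEXT_OPTION_OFFSET(offset, length) ((offset) + IP6_COMBINED_SIZE_OF_OPT_TAG_AND_LEN + (length))`, matching the style already used in IP6_HDR_EXT_LEN(a). The call sites in this series (`Option + Offset`, `Offset`, `OptDataLen`) happen to expand correctly, so this is a robustness point, not a bug. Same hunk, the comment above IP6_MAX_EXT_DATA_LENGTH has two typos: "maxmimum" should be "maximum" and "by a extension header" should be "by an extension header".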
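Review bot: in the Ip6IsOptionValid doc-comment hunk (@@ -17,7 +17,8) "expressed in byte length of octets" is redundant, and the stated maximum restates a constant the same series introduces; suggest `@param[in] OptionLen The length of all options, in octets. At most IP6_MAX_EXT_DATA_LENGTH (2046 = ((255 + 1) * 8) - 2).` so the comment and the range check in the function cannot drift apart.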
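Review bot: in the Ip6IsOptionValid prologue hunk (@@ -31,12 +32,33) the new check `if ((OptionLen <= 0) || ...)` compares a UINT16 against zero with `<=`; an unsigned value is never negative, so this is just `== 0` and some compilers warn about the comparison. Suggest `if ((OptionLen == 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH))` with the ASSERT rewritten to match (`ASSERT (OptionLen != 0 && OptionLen <= IP6_MAX_EXT_DATA_LENGTH)`). The widening of Offset from UINT8 to UINT16 in the same hunk is the substantive fix: with OptionLen bounded by 2046, an Offset that advances by at least two octets per option can no longer wrap back below OptionLen the way the old `(UINT8)` arithmetic could.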
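Review bot: in the PadN hunk (@@ -54,7 +76,8) the new read `OptDataLen = *(IP6_OFFSET_OF_OPT_LEN (Option + Offset));` dereferences Option[Offset + 1], but nothing visible in the hunk guarantees `Offset + 1 < OptionLen` at that point; if the enclosing loop condition (not shown) only ensures `Offset < OptionLen`, a PadN type byte sitting in the last octet of the options area reads one byte past it. Suggest guarding the read with `if (Offset + IP6_COMBINED_SIZE_OF_OPT_TAG_AND_LEN > OptionLen) { return FALSE; }` before fetching the length, or confirming in the commit message that the loop bound already covers this.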
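Review bot: the Skip case hunk (@@ -69,7 +92,8) deserves a comment explaining why the advance changed, since the old line `Offset = (UINT8)(Offset + *(Option + Offset + 1));` added only the Opt Data Len and omitted the two-octet Option Type / Opt Data Len header, so an unrecognised option with a zero data length left Offset unchanged and the walk never progressed; a line such as `// Opt Data Len excludes the 2-octet option header, so advance past both` above the new `IP6_NEXT_OPTION_OFFSET` call would record that for future readers. The same Option[Offset + 1] bound question raised for the PadN case applies here.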
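Review bot: the comment block added in the IP6_DESTINATION hunk (@@ -385,6 +409,36) cites RFC 2460 section 4.2 page 23 while Ip6Option.h in the same patch cites RFC 8200 (which obsoletes RFC 2460) for the identical layout; suggest referencing RFC 8200 section 4.6 consistently. The thirty-line diagram also duplicates the one already placed in the header file, so a one-line pointer such as `// Destination Options header layout: see RFC 8200 section 4.6 and IP6_HDR_EXT_LEN in Ip6Option.h` would keep the function readable.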
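Review bot: in the Hop-by-Hop/Destination length hunk (@@ -398,7 +452,7) the replaced expression `(UINT8)((*Option + 1) * 8 - 2)` silently truncated for any Hdr Ext Len of 32 or more (for example 32 gives 262, which becomes 6 as a UINT8), so Ip6IsOptionValid was handed a length far smaller than the header actually occupies; the new `IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN` is exact in UINT16. What the hunk does not show is a check that `Offset + OptionLen` stays within the extension-header buffer handed to Ip6IsExtsValid before Ip6IsOptionValid walks it; with OptionLen now able to reach 2046, that bound matters more than it did and is worth a visible check or a pointer to where it is enforced.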
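Review bot: in the AH hunk (@@ -527,7 +581,7) the cast in `OptionLen = ((UINT16)(*Option + 2) * 4);` binds to `(*Option + 2)` only; the product is then computed as int and narrowed on assignment. The result is correct (the maximum 257 * 4 = 1028 fits a UINT16, and the old `(UINT8)` form truncated for Payload Len values of 62 and above), but `(UINT16)((*Option + 2) * 4)` states the intent more plainly. The adjacent comment still cites RFC2402, which RFC 4302 obsoletes with the same Payload Len definition; updating the reference would avoid sending readers to a withdrawn document.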