From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Fu, Siyuan" <siyuan.fu@intel.com>
To: "Wu, Jiaxin", "edk2-devel@lists.01.org"
CC: "Ye, Ting", "Wang, Fan"
Date: Tue, 26 Feb 2019 08:24:05 +0000
Subject: Re: [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before parsing the message.
References: <20190226081416.9400-1-Jiaxin.wu@intel.com>
In-Reply-To: <20190226081416.9400-1-Jiaxin.wu@intel.com>

Reviewed-by: Siyuan Fu

> -----Original Message-----
> From: Wu, Jiaxin > Sent: Tuesday, February 26, 2019 4:14 PM > To: edk2-devel@lists.01.org > Cc: Ye, Ting ; Fu, Siyuan ; Wang,= Fan > ; Wu, Jiaxin > Subject: [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size bef= ore > parsing the message. >=20 > Fix CVE-2018-12178 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D809 >=20 > The DNS driver only checks the received packet size against the > minimum DNS header size in DnsOnPacketReceived(), later it accesses > the QueryName and QuerySection beyond the header scope, which might > cause the pointer within DNS driver points to an invalid entry or > modifies the memory content beyond the header scope. >=20 > This patch is to fix above problem. >=20 > Cc: Ye Ting > Cc: Fu Siyuan > Cc: Wang Fan > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Wu Jiaxin > --- > NetworkPkg/DnsDxe/DnsImpl.c | 77 ++++++++++++++++++++++++++++++++----- > NetworkPkg/DnsDxe/DnsImpl.h | 2 + > 2 files changed, 69 insertions(+), 10 deletions(-) >=20 > diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c > index 89ea755cb2..26a718987c 100644 > --- a/NetworkPkg/DnsDxe/DnsImpl.c > +++ b/NetworkPkg/DnsDxe/DnsImpl.c > @@ -1112,26 +1112,29 @@ IsValidDnsResponse ( > /** > Parse Dns Response. >=20 > @param Instance The DNS instance > @param RxString Received buffer. > + @param Length Received buffer length. > @param Completed Flag to indicate that Dns response is va= lid. >=20 > @retval EFI_SUCCESS Parse Dns Response successfully. > @retval Others Failed to parse Dns Response. >=20 > **/ > EFI_STATUS > ParseDnsResponse ( > IN OUT DNS_INSTANCE *Instance, > IN UINT8 *RxString, > + IN UINT32 Length, > OUT BOOLEAN *Completed > ) > { > DNS_HEADER *DnsHeader; >=20 > CHAR8 *QueryName; > + UINT32 QueryNameLen; > DNS_QUERY_SECTION *QuerySection; >=20 > CHAR8 *AnswerName; > DNS_ANSWER_SECTION *AnswerSection; > UINT8 *AnswerData; 
> @@ -1153,10 +1156,11 @@ ParseDnsResponse ( >=20 > DNS_RESOURCE_RECORD *Dns4RR; > DNS6_RESOURCE_RECORD *Dns6RR; >=20 > EFI_STATUS Status; > + UINT32 RemainingLength; >=20 > EFI_TPL OldTpl; >=20 > Item =3D NULL; > Dns4TokenEntry =3D NULL; > @@ -1176,10 +1180,21 @@ ParseDnsResponse ( > Dns4RR =3D NULL; > Dns6RR =3D NULL; >=20 > *Completed =3D TRUE; > Status =3D EFI_SUCCESS; > + RemainingLength =3D Length; > + > + // > + // Check whether the remaining packet length is avaiable or not. > + // > + if (RemainingLength <=3D sizeof (DNS_HEADER)) { > + *Completed =3D FALSE; > + return EFI_ABORTED; > + } else { > + RemainingLength -=3D sizeof (DNS_HEADER); > + } >=20 > // > // Get header > // > DnsHeader =3D (DNS_HEADER *) RxString; 
> @@ -1189,26 +1204,42 @@ ParseDnsResponse ( > DnsHeader->QuestionsNum =3D NTOHS (DnsHeader->QuestionsNum); > DnsHeader->AnswersNum =3D NTOHS (DnsHeader->AnswersNum); > DnsHeader->AuthorityNum =3D NTOHS (DnsHeader->AuthorityNum); > DnsHeader->AditionalNum =3D NTOHS (DnsHeader->AditionalNum); >=20 > + // > + // There is always one QuestionsNum in DNS message. The capability to > handle more > + // than one requires to redesign the message format. Currently, it's n= ot > supported. > + // > + if (DnsHeader->QuestionsNum > 1) { > + *Completed =3D FALSE; > + return EFI_UNSUPPORTED; > + } > + > // > // Get Query name > // > QueryName =3D (CHAR8 *) (RxString + sizeof (*DnsHeader)); >=20 > + QueryNameLen =3D (UINT32) AsciiStrLen (QueryName) + 1; > + > // > - // Get query section > + // Check whether the remaining packet length is avaiable or not. > // > - QuerySection =3D (DNS_QUERY_SECTION *) (QueryName + AsciiStrLen (Query= Name) + > 1); > - QuerySection->Type =3D NTOHS (QuerySection->Type); > - QuerySection->Class =3D NTOHS (QuerySection->Class); > + if (RemainingLength <=3D QueryNameLen + sizeof (DNS_QUERY_SECTION)) { > + *Completed =3D FALSE; > + return EFI_ABORTED; > + } else { > + RemainingLength -=3D (QueryNameLen + sizeof (DNS_QUERY_SECTION)); > + } >=20 > // > - // Get Answer name > + // Get query section > // > - AnswerName =3D (CHAR8 *) QuerySection + sizeof (*QuerySection); > + QuerySection =3D (DNS_QUERY_SECTION *) (QueryName + QueryNameLen); > + QuerySection->Type =3D NTOHS (QuerySection->Type); > + QuerySection->Class =3D NTOHS (QuerySection->Class); >=20 > OldTpl =3D gBS->RaiseTPL (TPL_CALLBACK); >=20 > // > // Check DnsResponse Validity, if so, also get a valid NET_MAP_ITEM. 
> @@ -1339,14 +1370,30 @@ ParseDnsResponse ( > } > } >=20 > Status =3D EFI_NOT_FOUND; >=20 > + // > + // Get Answer name > + // > + AnswerName =3D (CHAR8 *) QuerySection + sizeof (*QuerySection); > + > // > // Processing AnswerSection. > // > while (AnswerSectionNum < DnsHeader->AnswersNum) { > + // > + // Check whether the remaining packet length is avaiable or not. > + // > + if (RemainingLength <=3D sizeof (UINT16) + sizeof (DNS_ANSWER_SECTIO= N)) { > + *Completed =3D FALSE; > + Status =3D EFI_ABORTED; > + goto ON_EXIT; > + } else { > + RemainingLength -=3D (sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION= )); > + } > + > // > // Answer name should be PTR, else EFI_UNSUPPORTED returned. > // > if ((*(UINT8 *) AnswerName & 0xC0) !=3D 0xC0) { > Status =3D EFI_UNSUPPORTED; > @@ -1360,10 +1407,21 @@ ParseDnsResponse ( > AnswerSection->Type =3D NTOHS (AnswerSection->Type); > AnswerSection->Class =3D NTOHS (AnswerSection->Class); > AnswerSection->Ttl =3D NTOHL (AnswerSection->Ttl); > AnswerSection->DataLength =3D NTOHS (AnswerSection->DataLength); >=20 > + // > + // Check whether the remaining packet length is avaiable or not. > + // > + if (RemainingLength < AnswerSection->DataLength) { > + *Completed =3D FALSE; > + Status =3D EFI_ABORTED; > + goto ON_EXIT; > + } else { > + RemainingLength -=3D AnswerSection->DataLength; > + } > + > // > // Check whether it's the GeneralLookUp querying. > // > if (Instance->Service->IpVersion =3D=3D IP_VERSION_4 && Dns4TokenEnt= ry- > >GeneralLookUp) { > Dns4RR =3D Dns4TokenEntry->Token->RspData.GLookupData->RRList; > @@ -1731,10 +1789,11 @@ DnsOnPacketReceived ( > ) > { > DNS_INSTANCE *Instance; >=20 > UINT8 *RcvString; > + UINT32 Len; >=20 > BOOLEAN Completed; >=20 > Instance =3D (DNS_INSTANCE *) Context; > NET_CHECK_SIGNATURE (Instance, DNS_INSTANCE_SIGNATURE); 
> @@ -1746,21 +1805,19 @@ DnsOnPacketReceived ( > goto ON_EXIT; > } >=20 > ASSERT (Packet !=3D NULL); >=20 > - if (Packet->TotalSize <=3D sizeof (DNS_HEADER)) { > - goto ON_EXIT; > - } > + Len =3D Packet->TotalSize; >=20 > RcvString =3D NetbufGetByte (Packet, 0, NULL); > ASSERT (RcvString !=3D NULL); >=20 > // > // Parse Dns Response > // > - ParseDnsResponse (Instance, RcvString, &Completed); > + ParseDnsResponse (Instance, RcvString, Len, &Completed); >=20 > ON_EXIT: >=20 > if (Packet !=3D NULL) { > NetbufFree (Packet); > diff --git a/NetworkPkg/DnsDxe/DnsImpl.h b/NetworkPkg/DnsDxe/DnsImpl.h > index 90dc054903..45feca2160 100644 > --- a/NetworkPkg/DnsDxe/DnsImpl.h > +++ b/NetworkPkg/DnsDxe/DnsImpl.h > @@ -581,20 +581,22 @@ IsValidDnsResponse ( > /** > Parse Dns Response. >=20 > @param Instance The DNS instance > @param RxString Received buffer. > + @param Length Received buffer length. > @param Completed Flag to indicate that Dns response is va= lid. >=20 > @retval EFI_SUCCESS Parse Dns Response successfully. > @retval Others Failed to parse Dns Response. >=20 > **/ > EFI_STATUS > ParseDnsResponse ( > IN OUT DNS_INSTANCE *Instance, > IN UINT8 *RxString, > + IN UINT32 Length, > OUT BOOLEAN *Completed > ); >=20 > /** > Parse response packet. > -- > 2.17.1.windows.2
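Review bot: In the @@ -1176,10 hunk of DnsImpl.c, the new header check uses `RemainingLength <= sizeof (DNS_HEADER)`, which rejects a header-only packet exactly as the condition removed from DnsOnPacketReceived later in the patch did, so behaviour for that case is unchanged; fine. The comment "Check whether the remaining packet length is avaiable or not" (copied into every later check) has a typo, "available", and would say more as "Check that the remaining length can hold the DNS header". Since the function now returns EFI_ABORTED on malformed input, a DEBUG line at this and the later abort points would make truncated responses diagnosable.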
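Review bot: In the @@ -1189,26 hunk of DnsImpl.c, `QueryNameLen = (UINT32) AsciiStrLen (QueryName) + 1;` executes before the remaining-length check that follows it, so AsciiStrLen scans for a NUL terminator with no bound and can read past the end of a packet whose question name is not terminated within the received bytes; the check then validates a length that was itself obtained by an out-of-bounds read. Suggest a bounded scan limited to RemainingLength (for example `AsciiStrnLenS (QueryName, RemainingLength)`) and returning EFI_ABORTED when no terminator is found within that bound, before any pointer arithmetic on QueryName. Two smaller points in the same hunk: the `QuestionsNum > 1` test does not reject `QuestionsNum == 0`, yet the code goes on to parse a question name at the header offset, so `!= 1` is probably the intended condition; and the `<=` in `RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)` rejects a packet that holds exactly the header plus the question section, which is a legitimate empty-answer response that would otherwise reach the `Status = EFI_NOT_FOUND` path, so `<` looks like the intended bound unless such packets are meant to be dropped.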
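Review bot: In the @@ -1339,14 hunk of DnsImpl.c, the per-answer check reserves `sizeof (UINT16)` for the answer name, which is only correct because the very next test rejects any name that is not a compression pointer (`0xC0` prefix); the comment should state that assumption so the two tests are not separated by a later edit. The bookkeeping also relies on DNS_ANSWER_SECTION being the exact wire layout; please confirm the structure is declared packed, otherwise `sizeof` overstates the bytes consumed. Finally, this check uses `<=` while the DataLength check in the next hunk uses `<`, so a final record with a zero-length RDATA that ends exactly at the packet boundary is rejected here; the two bounds should follow one convention.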
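Review bot: In the @@ -1360,10 hunk of DnsImpl.c, the bound `RemainingLength < AnswerSection->DataLength` covers the RDATA bytes, but the advance to the next record is not part of this hunk; please confirm that the advance uses the same DataLength so RemainingLength stays in step with AnswerName, and that the type-specific handling below (the copies into `Dns4RR` / `Dns6RR` for the GeneralLookUp path and the address records) checks DataLength against the size expected for each record type rather than trusting the value from the wire.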
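Review bot: In the @@ -1746,21 hunk of DnsImpl.c, the return value of `ParseDnsResponse (Instance, RcvString, Len, &Completed);` is still discarded, so the new EFI_ABORTED and EFI_UNSUPPORTED results drop a malformed packet silently; logging the status on failure would help when responses are being rejected in the field. Also, `Len` is taken from `Packet->TotalSize` while `RcvString` comes from `NetbufGetByte (Packet, 0, NULL)`, which returns a pointer into the first block of the net buffer; the length check is only sound if the received payload is guaranteed to be one contiguous block at this point, which deserves a comment (or an explicit check) rather than an implicit assumption.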
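Review bot: In the DnsImpl.h hunk, the new `@param Length` should state its unit (bytes), and the `@retval` list should name the outcomes this patch introduces, EFI_ABORTED for a packet shorter than the sections it claims to contain and EFI_UNSUPPORTED for more than one question, rather than leaving them under "Others"; a caller cannot tell from the header which failures are rejections of malformed input.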