From: "Guo, Gua"
To: "devel@edk2.groups.io", "Gao, Liming"
CC: Marc Beatove, "Mathews, John", Gerd Hoffmann
Subject: Re: [edk2-devel] [PATCH v2 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()
Date: Thu, 11 Jan 2024 13:31:24 +0000
References: <20240111091439.1767-1-gua.guo@intel.com> <20240111091439.1767-5-gua.guo@intel.com>
In-Reply-To: <20240111091439.1767-5-gua.guo@intel.com>

Hi @Gao, Liming

I may need to get your help to check this change when you're available. If it's fine for you from MdeModulePkg, I think we can merge this PR.

https://github.com/tianocore/edk2/pull/5252

Thanks,
Gua

-----Original Message-----
From: Guo, Gua
Sent: Thursday, January 11, 2024 5:15 PM
To: devel@edk2.groups.io
Cc: Guo, Gua; Marc Beatove; Gao, Liming; Mathews, John; Gerd Hoffmann
Subject: [PATCH v2 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()

From: Gua Guo

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.

Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8 by performing the following operation:

```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't overflow, which could lead to CreateHob() returning a smaller HOB than requested, which in turn could lead to OOB HOB accesses.

Reported-by: Marc Beatove
Cc: Liming Gao
Cc: John Mathew
Authored-by: Gerd Hoffmann
Signed-off-by: Gua Guo
---
 MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c b/MdeModulePkg/Core/Pei/Hob/Ho= b.c index c4882a23cd..985da50995 100644 --- a/MdeModulePkg/Core/Pei/Hob/Hob.c +++ b/MdeModulePkg/Core/Pei/Hob/Hob.c @@ -85,7 +85,7 @@ PeiCreateHob ( // // Check Length to avoid data overflow. //- if (0x10000 - Length= <=3D 0x7) {+ if (MAX_UINT16 - Length < 0x7) { return EFI_INVALID_PARA= METER; } --=20 2.39.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113617): https://edk2.groups.io/g/devel/message/113617 Mute This Topic: https://groups.io/mt/103658964/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
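Review bot: the replacement guard `if (MAX_UINT16 - Length < 0x7)` in PeiCreateHob rejects exactly the same inputs as the removed `if (0x10000 - Length <= 0x7)`. With Length a UINT16, both are true precisely for Length in 0xFFF9..0xFFFF, the seven values for which `(UINT16)((Length + 0x7) & (~0x7))` wraps to 0, and false for 0xFFF8 and below, where the rounded-up value still fits. So this hunk is a style change with no behavioural effect, while the commit message ("Fix integer overflow ...", "No checks are performed") reads as though this file lacked the check. Reword the message for this instance to say the PEI core already had a sufficient guard and that the rewrite only aligns its form with the other CreateHob instances in the series. It would also help a future auditor to make the comment above the check state the bound, e.g. "Reject lengths that would wrap to 0 when rounded up to a multiple of 8", instead of the generic "Check Length to avoid data overflow."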
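As an added worked example, not part of the patch or of edk2, the C program below models the alignment step quoted in the commit message and the two guards from the hunk. The MAX_UINT16 macro is a local stand-in for edk2's, and the function names (align_hob_length_unchecked, old_check_rejects, new_check_rejects, create_hob_length) are illustrative only. It shows the wrap concretely for 0xFFF9 and then walks every UINT16 value to confirm that the pre- and post-patch conditions agree everywhere and reject exactly the inputs that would make the unchecked round-up return a HOB smaller than requested.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for edk2's MAX_UINT16 (assumption: same value as in edk2).
 * All function names in this file are illustrative, not edk2 APIs. */
#define MAX_UINT16 0xFFFFu

/* The unchecked round-up from the commit message. For Length in
 * 0xFFF9..0xFFFF, Length + 0x7 reaches 0x10000..0x10006, the mask keeps
 * 0x10000, and the cast to UINT16 truncates that to 0: a zero-length HOB
 * is handed back for a request of almost 64 KiB. */
uint16_t align_hob_length_unchecked(uint16_t length)
{
    return (uint16_t)((length + 0x7) & (~0x7));
}

/* Guard removed by the hunk (Length is promoted to int, so no wrap here). */
bool old_check_rejects(uint16_t length)
{
    return (0x10000 - length) <= 0x7;
}

/* Guard added by the hunk. */
bool new_check_rejects(uint16_t length)
{
    return (MAX_UINT16 - length) < 0x7;
}

/* Model of the guarded path: -1 stands in for EFI_INVALID_PARAMETER,
 * otherwise the 8-byte-aligned length the HOB would actually get. */
int32_t create_hob_length(uint16_t length)
{
    if (new_check_rejects(length)) {
        return -1;
    }
    return (int32_t)align_hob_length_unchecked(length);
}

/* Exhaustively count requested lengths for which the unchecked round-up
 * yields a HOB smaller than requested (the precondition for OOB access). */
unsigned count_wrapping_lengths(void)
{
    unsigned n = 0;
    for (uint32_t l = 0; l <= MAX_UINT16; l++) {
        if (align_hob_length_unchecked((uint16_t)l) < l) {
            n++;
        }
    }
    return n;
}

/* Over all 65536 UINT16 values: (a) old and new guards agree, and
 * (b) they reject exactly the wrapping inputs, no more and no fewer. */
bool guards_equivalent_and_sufficient(void)
{
    for (uint32_t l = 0; l <= MAX_UINT16; l++) {
        uint16_t len = (uint16_t)l;
        bool wraps = align_hob_length_unchecked(len) < l;
        if (old_check_rejects(len) != new_check_rejects(len)) {
            return false;
        }
        if (new_check_rejects(len) != wraps) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    printf("requested 0xFFF9: unchecked aligned length %u, guarded result %d\n",
           (unsigned)align_hob_length_unchecked(0xFFF9),
           (int)create_hob_length(0xFFF9));
    printf("UINT16 lengths that wrap: %u\n", count_wrapping_lengths());
    printf("old and new guards equivalent and sufficient: %s\n",
           guards_equivalent_and_sufficient() ? "yes" : "no");
    return 0;
}
```

The exhaustive walk is cheap (65536 iterations) and is the check worth keeping next to any such bound: it pins the guard to the arithmetic it protects rather than to a hand-derived constant.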