From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+113587+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id AD66DAC0B17
	for <rebecca@openfw.io>; Thu, 11 Jan 2024 06:54:59 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=RXu7+aCjQg9fwoIGcgZjX+EMJP+uauofL1IEgyl6lPc=;
 c=relaxed/simple; d=groups.io;
 h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type;
 s=20140610; t=1704956098; v=1;
 b=C22FYlB2phnYxJnrY2Fiz+gOdJC84uUQy77HXeZYfRCHhRieOU6nk4X+OJSridJ0YE/jNYMm
 KBo1gZPgbwMXKt439udC9nrhhmokyW7rCs6/ErGs9HcwiLo8V7V8wduPVvS3wBkTbM6OUniLVIg
 SQDe748rRFSOebmq8Y6/4Tu8=
X-Received: by 127.0.0.2 with SMTP id YXhZYY7687511xw29DOmWEk3; Wed, 10 Jan 2024 22:54:58 -0800
X-Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
 by mx.groups.io with SMTP id smtpd.web11.6315.1704956097496516742
 for <devel@edk2.groups.io>;
 Wed, 10 Jan 2024 22:54:57 -0800
X-Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])
	by ams.source.kernel.org (Postfix) with ESMTP id 2902CB81EC5
	for <devel@edk2.groups.io>; Thu, 11 Jan 2024 06:54:55 +0000 (UTC)
X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7E51AC433C7
	for <devel@edk2.groups.io>; Thu, 11 Jan 2024 06:54:54 +0000 (UTC)
X-Received: by mail-lf1-f48.google.com with SMTP id 2adb3069b0e04-50e835800adso5040172e87.0
        for <devel@edk2.groups.io>; Wed, 10 Jan 2024 22:54:54 -0800 (PST)
X-Gm-Message-State: J6uBHmqtx7j1NISfFBknHHYCx7686176AA=
X-Google-Smtp-Source: AGHT+IEkUZZrOuFjv1jmDA4GKlIkbPs6UUug1yh0Inracbg6pe/pm+ou62Slu62Cji4JkNdKWk+l398ua3NMd+tbYjE=
X-Received: by 2002:a05:6512:3c97:b0:50e:609c:ab90 with SMTP id
 h23-20020a0565123c9700b0050e609cab90mr247465lfv.32.1704956092732; Wed, 10 Jan
 2024 22:54:52 -0800 (PST)
MIME-Version: 1.0
References: <20240111051521.1366-1-gua.guo@intel.com> <20240111051521.1366-3-gua.guo@intel.com>
 <CAMj1kXEFO2MOksJQcXd3KJzkbThTxnudR37dHFPC3n8cOZQnyQ@mail.gmail.com>
In-Reply-To: <CAMj1kXEFO2MOksJQcXd3KJzkbThTxnudR37dHFPC3n8cOZQnyQ@mail.gmail.com>
From: "Ard Biesheuvel" <ardb@kernel.org>
Date: Thu, 11 Jan 2024 07:54:41 +0100
X-Gmail-Original-Message-ID: <CAMj1kXGe72dE2k0714S87jpc6xqTqcCTHhYTO0z-eMoqDmJOWg@mail.gmail.com>
Message-ID: <CAMj1kXGe72dE2k0714S87jpc6xqTqcCTHhYTO0z-eMoqDmJOWg@mail.gmail.com>
Subject: Re: [edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
To: gua.guo@intel.com
Cc: devel@edk2.groups.io, Gerd Hoffmann <kraxel@redhat.com>, 
	Sami Mujawar <sami.mujawar@arm.com>, Ray Ni <ray.ni@intel.com>, 
	John Mathew <john.mathews@intel.com>
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,ardb@kernel.org
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
Content-Type: text/plain; charset="UTF-8"
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=C22FYlB2;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=kernel.org (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

On Thu, 11 Jan 2024 at 07:52, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Thu, 11 Jan 2024 at 06:15, <gua.guo@intel.com> wrote:
> >
> > From: Gerd Hoffmann <kraxel@redhat.com>
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
> >
> > Fix integer overflow in various CreateHob instances.
> > Fixes: CVE-2022-36765
> >
> > The CreateHob() function aligns the requested size to 8
> > performing the following operation:
> > ```
> > HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> > ```
> >
> > No checks are performed to ensure this value doesn't
> > overflow, and could lead to CreateHob() returning a smaller
> > HOB than requested, which could lead to OOB HOB accesses.
> >
> > Reported-by: Marc Beatove <mbeatove@google.com>
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Ray Ni <ray.ni@intel.com>
> > Cc: John Mathew <john.mathews@intel.com>
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>
> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
>

Same as the other patch: this needs a signoff from the sender, not the
author of the patch.

> > ---
> >  .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > index 1550e1babc..29ade2e4ef 100644
> > --- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > +++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > @@ -34,6 +34,12 @@ CreateHob (
> >
> >    HandOffHob = GetHobList ();
> >
> > +  //
> > +  // Check Length to avoid data overflow.
> > +  //
> > +  if (HobLength > MAX_UINT16 - 0x7) {
> > +    return NULL;
> > +  }
> >    HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> >
> >    FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
> > --
> > 2.39.2.windows.1
> >


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113587): https://edk2.groups.io/g/devel/message/113587
Mute This Topic: https://groups.io/mt/103657272/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-