[edk2-devel] [PATCH v1 0/4] Bz4166: Integer Overflow in CreateHob()

[edk2-devel] [PATCH v1 0/4] Bz4166: Integer Overflow in CreateHob()

[Guo, Gua]

From: Gua Guo <gua.guo@intel.com>

Fix Integer Overflow for CVE-2022-36765
1. UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
2. StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
3. EmbeddedPkg/Hob: Integer Overflow in CreateHob()
4. MdeModulePkg/Hob: Integer Overflow in CreateHob()


Gerd Hoffmann (4):
  UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
  StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
  EmbeddedPkg/Hob: Integer Overflow in CreateHob()
  MdeModulePkg/Hob: Integer Overflow in CreateHob()

 EmbeddedPkg/Library/PrePiHobLib/Hob.c                       | 6 ++++++
 MdeModulePkg/Core/Pei/Hob/Hob.c                             | 2 +-
 .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
 UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c             | 6 ++++++
 4 files changed, 19 insertions(+), 1 deletion(-)

--
2.39.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113576): https://edk2.groups.io/g/devel/message/113576
Mute This Topic: https://groups.io/mt/103657270/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH v1 1/4] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()

[Guo, Gua]

From: Gerd Hoffmann <kraxel@redhat.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Guo Dong <guo.dong@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Reviewed-by: Gua Guo <gua.guo@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
index 2c3acbbc19..f2bd2650b6 100644
--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
@@ -110,6 +110,12 @@ CreateHob (
 
   HandOffHob = GetHobList ();
 
+  //
+  // Check Length to avoid data overflow.
+  //
+  if (HobLength > MAX_UINT16 - 0x7) {
+    return NULL;
+  }
   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
 
   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
-- 
2.39.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113577): https://edk2.groups.io/g/devel/message/113577
Mute This Topic: https://groups.io/mt/103657271/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()

[Guo, Gua]

From: Gerd Hoffmann <kraxel@redhat.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
index 1550e1babc..29ade2e4ef 100644
--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
@@ -34,6 +34,12 @@ CreateHob (
 
   HandOffHob = GetHobList ();
 
+  //
+  // Check Length to avoid data overflow.
+  //
+  if (HobLength > MAX_UINT16 - 0x7) {
+    return NULL;
+  }
   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
 
   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
-- 
2.39.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113578): https://edk2.groups.io/g/devel/message/113578
Mute This Topic: https://groups.io/mt/103657272/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH v1 3/4] EmbeddedPkg/Hob: Integer Overflow in CreateHob()

[Guo, Gua]

From: Gerd Hoffmann <kraxel@redhat.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: John Mathew <john.mathews@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 EmbeddedPkg/Library/PrePiHobLib/Hob.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
index 8eb175aa96..ee2e3176be 100644
--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
@@ -110,6 +110,12 @@ CreateHob (
 
   HandOffHob = GetHobList ();
 
+  //
+  // Check Length to avoid data overflow.
+  //
+  if (HobLength > MAX_UINT16 - 0x7) {
+    return NULL;
+  }
   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
 
   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
-- 
2.39.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113579): https://edk2.groups.io/g/devel/message/113579
Mute This Topic: https://groups.io/mt/103657273/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH v1 4/4] MdeModulePkg/Hob: Integer Overflow in CreateHob()

[Guo, Gua]

From: Gerd Hoffmann <kraxel@redhat.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: John Mathew <john.mathews@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c b/MdeModulePkg/Core/Pei/Hob/Hob.c
index c4882a23cd..985da50995 100644
--- a/MdeModulePkg/Core/Pei/Hob/Hob.c
+++ b/MdeModulePkg/Core/Pei/Hob/Hob.c
@@ -85,7 +85,7 @@ PeiCreateHob (
   //
   // Check Length to avoid data overflow.
   //
-  if (0x10000 - Length <= 0x7) {
+  if (MAX_UINT16 - Length < 0x7) {
     return EFI_INVALID_PARAMETER;
   }
 
-- 
2.39.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113580): https://edk2.groups.io/g/devel/message/113580
Mute This Topic: https://groups.io/mt/103657274/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()

[Ard Biesheuvel]

On Thu, 11 Jan 2024 at 06:15, <gua.guo@intel.com> wrote:
>
> From: Gerd Hoffmann <kraxel@redhat.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove <mbeatove@google.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: John Mathew <john.mathews@intel.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>

> ---
>  .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> index 1550e1babc..29ade2e4ef 100644
> --- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> +++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> @@ -34,6 +34,12 @@ CreateHob (
>
>    HandOffHob = GetHobList ();
>
> +  //
> +  // Check Length to avoid data overflow.
> +  //
> +  if (HobLength > MAX_UINT16 - 0x7) {
> +    return NULL;
> +  }
>    HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
>
>    FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
> --
> 2.39.2.windows.1
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113581): https://edk2.groups.io/g/devel/message/113581
Mute This Topic: https://groups.io/mt/103657272/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v1 3/4] EmbeddedPkg/Hob: Integer Overflow in CreateHob()

[Ard Biesheuvel]

On Thu, 11 Jan 2024 at 06:15, <gua.guo@intel.com> wrote:
>
> From: Gerd Hoffmann <kraxel@redhat.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove <mbeatove@google.com>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Abner Chang <abner.chang@amd.com>
> Cc: John Mathew <john.mathews@intel.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

This is missing a signed-off line from the sender.

(the signoff is not a statement of authorship, it is a promise by the
sender that the contribution complies with the license)

With that fixed:

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>


> ---
>  EmbeddedPkg/Library/PrePiHobLib/Hob.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
> index 8eb175aa96..ee2e3176be 100644
> --- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
> +++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
> @@ -110,6 +110,12 @@ CreateHob (
>
>    HandOffHob = GetHobList ();
>
> +  //
> +  // Check Length to avoid data overflow.
> +  //
> +  if (HobLength > MAX_UINT16 - 0x7) {
> +    return NULL;
> +  }
>    HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
>
>    FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
> --
> 2.39.2.windows.1
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113584): https://edk2.groups.io/g/devel/message/113584
Mute This Topic: https://groups.io/mt/103657273/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v1 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()

[Ard Biesheuvel]

On Thu, 11 Jan 2024 at 07:52, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Thu, 11 Jan 2024 at 06:15, <gua.guo@intel.com> wrote:
> >
> > From: Gerd Hoffmann <kraxel@redhat.com>
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
> >
> > Fix integer overflow in various CreateHob instances.
> > Fixes: CVE-2022-36765
> >
> > The CreateHob() function aligns the requested size to 8
> > performing the following operation:
> > ```
> > HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> > ```
> >
> > No checks are performed to ensure this value doesn't
> > overflow, and could lead to CreateHob() returning a smaller
> > HOB than requested, which could lead to OOB HOB accesses.
> >
> > Reported-by: Marc Beatove <mbeatove@google.com>
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Ray Ni <ray.ni@intel.com>
> > Cc: John Mathew <john.mathews@intel.com>
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>
> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
>

Same as the other patch: this needs a signoff from the sender, not the
author of the patch.

> > ---
> >  .../StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c     | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > index 1550e1babc..29ade2e4ef 100644
> > --- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > +++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
> > @@ -34,6 +34,12 @@ CreateHob (
> >
> >    HandOffHob = GetHobList ();
> >
> > +  //
> > +  // Check Length to avoid data overflow.
> > +  //
> > +  if (HobLength > MAX_UINT16 - 0x7) {
> > +    return NULL;
> > +  }
> >    HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> >
> >    FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
> > --
> > 2.39.2.windows.1
> >


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113587): https://edk2.groups.io/g/devel/message/113587
Mute This Topic: https://groups.io/mt/103657272/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-