From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Wu, Hao A", "devel@edk2.groups.io"
CC: "Dong, Eric"
Subject: Re: [PATCH v1] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563)
Date: Fri, 7 Feb 2020 07:16:51 +0000
References: <20200206014347.3792-1-hao.a.wu@intel.com>
In-Reply-To: <20200206014347.3792-1-hao.a.wu@intel.com>

Acked-by: Jian J Wang

> -----Original Message-----
> From: Wu, Hao A
> Sent: Thursday, February 06, 2020 9:44 AM
> To: devel@edk2.groups.io
> Cc: Wu, Hao A; Dong, Eric; Wang, Jian J
> Subject: [PATCH v1] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563)
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001
>
> For S3BootScriptLib APIs:
>
> S3BootScriptSaveIoWrite
> S3BootScriptSaveMemWrite
> S3BootScriptSavePciCfgWrite
> S3BootScriptSavePciCfg2Write
> S3BootScriptSaveSmbusExecute
> S3BootScriptSaveInformation
> S3BootScriptSaveInformationAsciiString
> S3BootScriptLabel (happens in S3BootScriptLabelInternal())
>
> possible numeric truncations will happen that may lead to an S3 boot script
> entry with an improper size being returned to store the boot script data.
> This commit will add checks to prevent this kind of issue.
>
> Please note that the remaining S3BootScriptLib APIs:
>
> S3BootScriptSaveIoReadWrite
> S3BootScriptSaveMemReadWrite
> S3BootScriptSavePciCfgReadWrite
> S3BootScriptSavePciCfg2ReadWrite
> S3BootScriptSaveStall
> S3BootScriptSaveDispatch2
> S3BootScriptSaveDispatch
> S3BootScriptSaveMemPoll
> S3BootScriptSaveIoPoll
> S3BootScriptSavePciPoll
> S3BootScriptSavePci2Poll
> S3BootScriptCloseTable
> S3BootScriptExecute
> S3BootScriptMoveLastOpcode
> S3BootScriptCompare
>
> are not affected by such numeric truncation.
>
> Cc: Eric Dong
> Cc: Jian J Wang
> Signed-off-by: Hao A Wu
> Reviewed-by: Laszlo Ersek
> ---
> MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c | 52 +++++++++++++++++++-
> 1 file changed, 51 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
> index 9106e7d0f9..9315fc9f01 100644
> --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
> +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
> @@ -1,7 +1,7 @@ > /** @file > Save the S3 data to S3 boot script. >=20 > - Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
> + Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.
>=20 > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite ( > EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; >=20 > WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_IO_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * > Count)); >=20 > Script =3D S3BootScriptGetEntryAddAddress (Length); > @@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite ( > EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite; >=20 > WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_MEM_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * > Count)); >=20 > Script =3D S3BootScriptGetEntryAddAddress (Length); > @@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite ( > } >=20 > WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + > (WidthInByte * Count)); >=20 > Script =3D S3BootScriptGetEntryAddAddress (Length); > @@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write ( > } >=20 > WidthInByte =3D (UINT8) (0x01 << (Width & 0x03)); > + > + // > + // Truncation check > + // > + if ((Count > MAX_UINT8) || > + (WidthInByte * Count > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + > (WidthInByte * Count)); >=20 > Script =3D S3BootScriptGetEntryAddAddress (Length); 
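Review bot: in the four write-path hunks (S3BootScriptSaveIoWrite, S3BootScriptSaveMemWrite, S3BootScriptSavePciCfgWrite, S3BootScriptSavePciCfg2Write) the `(Count > MAX_UINT8)` clause is load-bearing rather than redundant: it bounds Count before `WidthInByte * Count` is formed, so the product cannot wrap around and slip under `MAX_UINT8 - sizeof (...)` in the second clause. The `// Truncation check` comment does not record this, which invites a later "simplification" that drops the first clause; suggest stating it, e.g. `// Bound Count first so WidthInByte * Count cannot wrap before the size check`. The block is otherwise repeated verbatim four times with only the struct name differing, so a small static helper (or a macro taking the header size) would keep the bound in one place; and since these functions now fail for caller-supplied sizes, their header comments should list RETURN_OUT_OF_RESOURCES for that case.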
> @@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute ( > return Status; > } >=20 > + // > + // Truncation check > + // > + if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) > { > + return RETURN_OUT_OF_RESOURCES; > + } > DataSize =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + > BufferLength); >=20 > Script =3D S3BootScriptGetEntryAddAddress (DataSize); > @@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation ( > UINT8 *Script; > EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; >=20 > + // > + // Truncation check > + // > + if (InformationLength > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_INFORMATION)) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + > InformationLength); >=20 > Script =3D S3BootScriptGetEntryAddAddress (Length); > @@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal ( > UINT8 *Script; > EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; >=20 > + // > + // Truncation check > + // > + if (InformationLength > MAX_UINT8 - sizeof > (EFI_BOOT_SCRIPT_INFORMATION)) { > + return RETURN_OUT_OF_RESOURCES; > + } > Length =3D (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + > InformationLength); >=20 > Script =3D S3BootScriptGetEntryAddAddress (Length); > -- > 2.12.0.windows.1
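Review bot: the commit message lists S3BootScriptSaveInformationAsciiString among the affected APIs, but no hunk touches it; if it is covered because it routes through S3BootScriptSaveInformation, say so in the message, otherwise it still needs its own check. In the S3BootScriptLabelInternal hunk the function gains a new failure return, so its callers (the S3BootScriptLabel path named in the message) need to propagate RETURN_OUT_OF_RESOURCES rather than assume the label was stored. The conditions added in the S3BootScriptSaveSmbusExecute, S3BootScriptSaveInformation and S3BootScriptLabelInternal hunks are the right ones: `X > MAX_UINT8 - sizeof (Header)` is exactly the negation of the condition under which the `(UINT8)(sizeof (Header) + X)` cast stays lossless.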
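The truncation the commit message describes, reproduced as an added example in plain C; this is not EDK2 code and not part of the patch. The BOOT_SCRIPT_IO_WRITE struct is a stand-in for EFI_BOOT_SCRIPT_IO_WRITE whose field sizes are an assumption (only its sizeof matters), the function names are invented for illustration, and the guard in EntryLengthChecked mirrors the two-clause check from the hunks above. The example also shows, beyond what the patch text says, why Count is bounded before the multiplication.

```c
/*
 * Added example, not EDK2 code: reproduces the UINT8 length truncation behind
 * CVE-2019-14563 and the guard the patch adds, using stand-in types.
 * BOOT_SCRIPT_IO_WRITE approximates EFI_BOOT_SCRIPT_IO_WRITE; its exact
 * field sizes are an assumption and only sizeof() matters here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t  UINT8;
typedef uint16_t UINT16;
typedef uint32_t UINT32;
typedef uint64_t UINT64;
typedef size_t   UINTN;
#define MAX_UINT8 0xFFu

#pragma pack(1)
typedef struct {
  UINT16 OpCode;
  UINT8  Length;   /* the 8-bit entry length that gets truncated */
  UINT32 Width;
  UINT64 Address;
  UINT32 Count;
} BOOT_SCRIPT_IO_WRITE;
#pragma pack()

/* Same encoding as the patch: Width's low two bits select 1, 2, 4 or 8 bytes. */
static UINT8 WidthInBytes(UINT32 Width) {
  return (UINT8)(0x01 << (Width & 0x03));
}

/* Pre-patch computation: header plus payload, silently cast to UINT8. */
UINT8 EntryLengthUnchecked(UINT32 Width, UINTN Count) {
  return (UINT8)(sizeof(BOOT_SCRIPT_IO_WRITE) + WidthInBytes(Width) * Count);
}

/* Bytes the caller actually intends to store; a later copy would use this. */
UINTN PayloadBytes(UINT32 Width, UINTN Count) {
  return WidthInBytes(Width) * Count;
}

/*
 * Post-patch computation: reject before the cast.
 * Returns -1 (RETURN_OUT_OF_RESOURCES in the patch) or the entry length.
 */
int EntryLengthChecked(UINT32 Width, UINTN Count) {
  UINT8 WidthInByte = WidthInBytes(Width);
  if (Count > MAX_UINT8 ||
      WidthInByte * Count > MAX_UINT8 - sizeof(BOOT_SCRIPT_IO_WRITE)) {
    return -1;
  }
  return (int)(UINT8)(sizeof(BOOT_SCRIPT_IO_WRITE) + WidthInByte * Count);
}

/*
 * Why the patch bounds Count before multiplying: with only the second clause,
 * a huge Count makes WidthInByte * Count wrap in UINTN and pass the size test.
 * Returns 1 when the product wrapped.
 */
int ProductWraps(UINT32 Width, UINTN Count) {
  UINTN Product = WidthInBytes(Width) * Count;
  return Count != 0 && Product < Count;
}

int main(void) {
  UINTN Count = 300;  /* constructed input: 300 one-byte writes */
  printf("unchecked Length=%u for payload %zu bytes (entry too small)\n",
         (unsigned)EntryLengthUnchecked(0, Count), PayloadBytes(0, Count));
  printf("checked   result=%d (rejected)\n", EntryLengthChecked(0, Count));
  printf("wrap without Count bound: %d\n",
         ProductWraps(1, (UINTN)SIZE_MAX / 2 + 1));
  return 0;
}
```

With 300 one-byte writes the unchecked path hands back an entry length far smaller than the 300-byte payload the caller will then store into it, which is the "entry with improper size" the message refers to; the checked path refuses the request, and a Count of only 250 is refused as well because the header no longer fits alongside it.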