From: "Ni, Ray"
To: "Guo, Gua", "devel@edk2.groups.io"
CC: Marc Beatove, Ard Biesheuvel, Sami Mujawar, "Mathews, John", Gerd Hoffmann
Subject: Re: [edk2-devel] [PATCH v3 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
Date: Fri, 12 Jan 2024 08:56:02 +0000
References: <20240112022521.710-1-gua.guo@intel.com> <20240112022521.710-3-gua.guo@intel.com>
In-Reply-To: <20240112022521.710-3-gua.guo@intel.com>

It's strange to me that ARM's MM env still allows modifying HOBs.

Thanks,
Ray

> -----Original Message-----
> From: Guo, Gua
> Sent: Friday, January 12, 2024 10:25 AM
> To: devel@edk2.groups.io
> Cc: Guo, Gua; Marc Beatove; Ard Biesheuvel; Sami Mujawar; Ni, Ray; Mathews, John; Gerd Hoffmann
> Subject: [PATCH v3 2/4] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
>
> From: Gua Guo
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove
> Reviewed-by: Ard Biesheuvel
> Cc: Sami Mujawar
> Cc: Ray Ni
> Cc: John Mathew
> Authored-by: Gerd Hoffmann
> Signed-off-by: Gua Guo
> ---
>  .../Arm/StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++
>  1 file changed, 35 insertions(+)
>
> diff --git > a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneM > mCoreHobLib.c > b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneM > mCoreHobLib.c > index 1550e1babc..59473e28fe 100644 > --- > a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneM > mCoreHobLib.c > +++ > b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneM > mCoreHobLib.c > @@ -34,6 +34,13 @@ CreateHob ( >=20 >=20 > HandOffHob =3D GetHobList (); >=20 >=20 >=20 > + // >=20 > + // Check Length to avoid data overflow. >=20 > + // >=20 > + if (HobLength > MAX_UINT16 - 0x7) { >=20 > + return NULL; >=20 > + } >=20 > + >=20 > HobLength =3D (UINT16)((HobLength + 0x7) & (~0x7)); >=20 >=20 >=20 > FreeMemory =3D HandOffHob->EfiFreeMemoryTop - HandOffHob- > >EfiFreeMemoryBottom; >=20 > @@ -89,6 +96,10 @@ BuildModuleHob ( > ); >=20 >=20 >=20 > Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof > (EFI_HOB_MEMORY_ALLOCATION_MODULE)); >=20 > + ASSERT (Hob !=3D NULL); >=20 > + if (Hob =3D=3D NULL) { >=20 > + return; >=20 > + } >=20 >=20 >=20 > CopyGuid (&(Hob->MemoryAllocationHeader.Name), > &gEfiHobMemoryAllocModuleGuid); >=20 > Hob->MemoryAllocationHeader.MemoryBaseAddress =3D > MemoryAllocationModule; >=20 > @@ -129,6 +140,9 @@ BuildResourceDescriptorHob ( >=20 >=20 > Hob =3D CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof > (EFI_HOB_RESOURCE_DESCRIPTOR)); >=20 > ASSERT (Hob !=3D NULL); >=20 > + if (Hob =3D=3D NULL) { >=20 > + return; >=20 > + } >=20 >=20 >=20 > Hob->ResourceType =3D ResourceType; >=20 > Hob->ResourceAttribute =3D ResourceAttribute; >=20 
> @@ -167,6 +181,11 @@ BuildGuidHob ( > ASSERT (DataLength <=3D (0xffff - sizeof (EFI_HOB_GUID_TYPE))); >=20 >=20 >=20 > Hob =3D CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof > (EFI_HOB_GUID_TYPE) + DataLength)); >=20 > + ASSERT (Hob !=3D NULL); >=20 > + if (Hob =3D=3D NULL) { >=20 > + return NULL; >=20 > + } >=20 > + >=20 > CopyGuid (&Hob->Name, Guid); >=20 > return Hob + 1; >=20 > } >=20 > @@ -226,6 +245,10 @@ BuildFvHob ( > EFI_HOB_FIRMWARE_VOLUME *Hob; >=20 >=20 >=20 > Hob =3D CreateHob (EFI_HOB_TYPE_FV, sizeof > (EFI_HOB_FIRMWARE_VOLUME)); >=20 > + ASSERT (Hob !=3D NULL); >=20 > + if (Hob =3D=3D NULL) { >=20 > + return; >=20 > + } >=20 >=20 >=20 > Hob->BaseAddress =3D BaseAddress; >=20 > Hob->Length =3D Length; >=20 > @@ -255,6 +278,10 @@ BuildFv2Hob ( > EFI_HOB_FIRMWARE_VOLUME2 *Hob; >=20 >=20 >=20 > Hob =3D CreateHob (EFI_HOB_TYPE_FV2, sizeof > (EFI_HOB_FIRMWARE_VOLUME2)); >=20 > + ASSERT (Hob !=3D NULL); >=20 > + if (Hob =3D=3D NULL) { >=20 > + return; >=20 > + } >=20 >=20 >=20 > Hob->BaseAddress =3D BaseAddress; >=20 > Hob->Length =3D Length; >=20 > @@ -282,6 +309,10 @@ BuildCpuHob ( > EFI_HOB_CPU *Hob; >=20 >=20 >=20 > Hob =3D CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); >=20 > + ASSERT (Hob !=3D NULL); >=20 > + if (Hob =3D=3D NULL) { >=20 > + return; >=20 > + } >=20 >=20 >=20 > Hob->SizeOfMemorySpace =3D SizeOfMemorySpace; >=20 > Hob->SizeOfIoSpace =3D SizeOfIoSpace; >=20 
> @@ -319,6 +350,10 @@ BuildMemoryAllocationHob ( > ); >=20 >=20 >=20 > Hob =3D CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof > (EFI_HOB_MEMORY_ALLOCATION)); >=20 > + ASSERT (Hob !=3D NULL); >=20 > + if (Hob =3D=3D NULL) { >=20 > + return; >=20 > + } >=20 >=20 >=20 > ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); >=20 > Hob->AllocDescriptor.MemoryBaseAddress =3D BaseAddress; >=20 > -- > 2.39.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113699): https://edk2.groups.io/g/devel/message/113699 Mute This Topic: https://groups.io/mt/103675962/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/19134562= 12/xyzzy [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
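Review bot: the guard added in the CreateHob() hunk at @@ -34 is right at the boundary (0xFFF8 is the largest length whose 8-byte round-up still fits in UINT16, and MAX_UINT16 - 0x7 is exactly that), but the comment "// Check Length to avoid data overflow." should name what it protects: the (UINT16) truncation in `HobLength = (UINT16)((HobLength + 0x7) & (~0x7));` on the next line, which otherwise wraps to a length smaller than the caller requested. Expressing 0x7 once as a named alignment constant used by both the guard and the rounding would keep the two from drifting apart.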
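Review bot: in the BuildGuidHob() hunk at @@ -167 the only bound on DataLength is the pre-existing `ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));`, which is compiled out in RELEASE builds; there an oversized DataLength is truncated by the `(UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)` cast before CreateHob() ever sees it, so the new CreateHob() guard cannot catch that case. Suggest a runtime check mirroring the ASSERT that returns NULL, in the same style as the new `if (Hob == NULL) { return NULL; }`.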
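Review bot: BuildFvHob() at @@ -226 (and the identical pattern in the BuildFv2Hob, BuildCpuHob and BuildMemoryAllocationHob hunks that follow) now returns silently when CreateHob() yields NULL, so in a RELEASE build, where the `ASSERT (Hob != NULL);` is compiled out, nothing records that the HOB was never produced and the failure only surfaces later when a consumer cannot find it. A DEBUG ((DEBUG_ERROR, ...)) line on the early-return path would make that failure visible in logs without changing the void interface.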
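As an added illustration (not edk2 code) of the overflow the commit message describes: the unchecked alignment beside the guarded form from the patch, evaluated at the UINT16 boundary. `MAX_UINT16` and the `UINT16` typedef are local stand-ins for the edk2 names; the function names are assumptions.

```c
/*
 * Added example (not edk2 code): models the HOB length alignment behind
 * CVE-2022-36765. UINT16 / MAX_UINT16 stand in for the edk2 definitions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

typedef uint16_t UINT16;
#define MAX_UINT16 0xFFFFu

/* Before the fix: round up to a multiple of 8, then truncate to 16 bits.
   HobLength is promoted to int, so 0xFFF9..0xFFFF + 7 reaches 0x10000..0x10006;
   masking and casting leaves 0, far smaller than the caller asked for. */
UINT16 AlignHobLengthUnchecked(UINT16 HobLength)
{
  return (UINT16)((HobLength + 0x7) & (~0x7));
}

/* After the fix: refuse any length whose round-up cannot fit in UINT16.
   Returns -1 where the patched CreateHob() returns NULL. */
int AlignHobLengthChecked(UINT16 HobLength)
{
  if (HobLength > MAX_UINT16 - 0x7) {
    return -1;
  }
  return (int)(UINT16)((HobLength + 0x7) & (~0x7));
}

/* True when the unchecked alignment advertises fewer bytes than requested:
   the HOB header then claims less space than the caller will write. */
bool UncheckedAlignmentShrinks(UINT16 HobLength)
{
  return AlignHobLengthUnchecked(HobLength) < HobLength;
}

int main(void)
{
  /* Constructed sample requests: two ordinary sizes and the three around the boundary. */
  const UINT16 Sizes[] = { 0x10, 0x13, 0xFFF8, 0xFFF9, 0xFFFF };
  for (unsigned i = 0; i < sizeof Sizes / sizeof Sizes[0]; i++) {
    int checked = AlignHobLengthChecked(Sizes[i]);
    printf("request 0x%04X: unchecked -> 0x%04X (%s), checked -> %s\n",
           Sizes[i], AlignHobLengthUnchecked(Sizes[i]),
           UncheckedAlignmentShrinks(Sizes[i]) ? "shrunk" : "ok",
           checked < 0 ? "rejected" : "accepted");
  }
  return 0;
}
```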