From: "Saloni Kasbekar"
To: "Douglas Flick [MSFT]", "devel@edk2.groups.io"
CC: Doug Flick, "Clark-williams, Zachary"
Subject: Re: [edk2-devel] [PATCH v2 10/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
Date: Thu, 1 Feb 2024 21:22:04 +0000

Reviewed-by: Saloni Kasbekar

-----Original Message-----
From: Douglas Flick [MSFT]
Sent: Thursday, January 25, 2024 1:55 PM
To: devel@edk2.groups.io
Cc: Doug Flick; Kasbekar, Saloni; Clark-williams, Zachary; Doug Flick [MSFT]
Subject: [PATCH v2 10/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message

Change Overview:

Introduces a function to cache the Dns Server and perform sanitizing on the incoming DnsServerLen to ensure that the length is valid

> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> + IN PXEBC_PRIVATE_DATA *Private,
> + IN PXEBC_DHCP6_PACKET_CACHE *Cache6
> + )

Additional code cleanup

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
--- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 6 deletions(-) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c index 425e0cf8061d..2b2d372889a3 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c 
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -3,6 +3,7 @@ (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copy= right (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyri= ght (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Pate= nt 
@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer ( } } +/**+ Cache the DHCPv6 DNS Server addresses++ @param[in] Private = The pointer to PXEBC_PRIVATE_DATA.+ @param[in] Cache6 = The pointer to PXEBC_DHCP6_PACKET_CACHE.++ @retval EFI_SUCCESS = Cache the DHCPv6 DNS Server address successfully.+ @retval EF= I_OUT_OF_RESOURCES Failed to allocate resources.+ @retval EFI_DEVICE_E= RROR The DNS Server Address Length provided by a untrusted+ = option is not a multiple of 16 bytes (sizeof (EFI_I= Pv6_ADDRESS)).+**/+EFI_STATUS+PxeBcCacheDnsServerAddresses (+ IN PXEBC_PRI= VATE_DATA *Private,+ IN PXEBC_DHCP6_PACKET_CACHE *Cache6+ )+{+ U= INT16 DnsServerLen;++ DnsServerLen =3D NTOHS (Cache6->OptList[PXEBC_DHCP6= _IDX_DNS_SERVER]->OpLen);+ //+ // Make sure that the number is nonzero+ = //+ if (DnsServerLen =3D=3D 0) {+ return EFI_DEVICE_ERROR;+ }++ //+ = // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)+ //+ = if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) !=3D 0) {+ return EFI_DEVI= CE_ERROR;+ }++ //+ // This code is currently written to only support a s= ingle DNS Server instead+ // of multiple such as is spec defined (RFC3646,= Section 3). 
The proper behavior+ // would be to allocate the full space r= equested, CopyMem all of the data,+ // and then add a DnsServerCount field= to Private and update additional code+ // that depends on this.+ //+ //= To support multiple DNS servers the `AllocationSize` would need to be chan= ged to DnsServerLen+ //+ // This is tracked in https://bugzilla.tianocore= .org/show_bug.cgi?id=3D1886+ //+ Private->DnsServer =3D AllocateZeroPool = (sizeof (EFI_IPv6_ADDRESS));+ if (Private->DnsServer =3D=3D NULL) {+ re= turn EFI_OUT_OF_RESOURCES;+ }++ //+ // Intentionally only copy over the = first server address.+ // To support multiple DNS servers, the `Length` wo= uld need to be changed to DnsServerLen+ //+ CopyMem (Private->DnsServer, = Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS= ));++ return EFI_SUCCESS;+}+ /** Handle the DHCPv6 offer packet. @@ -133= 5,6 +1395,7 @@ PxeBcHandleDhcp6Offer ( UINT32 SelectIndex; UINT32 Index= ; + ASSERT (Private !=3D NULL); ASSERT (Private->SelectIndex > 0); Sel= ectIndex =3D (UINT32)(Private->SelectIndex - 1); ASSERT (SelectIndex < PX= EBC_OFFER_MAX_NUM);@@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer ( Status =3D EFI_SUCCESS; //- // First try to cache DNS server address= if DHCP6 offer provides.+ // First try to cache DNS server addresses if D= HCP6 offer provides. // if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]= !=3D NULL) {- Private->DnsServer =3D AllocateZeroPool (NTOHS (Cache6->O= ptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen));- if (Private->DnsServer =3D= =3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D PxeBcCacheDns= ServerAddresses (Private, Cache6);+ if (EFI_ERROR (Status)) {+ retu= rn Status; }-- CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DH= CP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS)); } if (Cache6->O= fferType =3D=3D PxeOfferTypeDhcpBinl) {--=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
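
Review bot: In the @@ -1312,6 +1313,65 @@ hunk, PxeBcCacheDnsServerAddresses dereferences Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] in its first statement without checking it, so the function is safe only because its one visible caller tests that pointer for NULL before calling. Since this is the routine that sanitizes an untrusted option, consider returning an error (or at least asserting) when Private, Cache6 or the option pointer is NULL, and state the precondition in the header comment. The function also assigns the AllocateZeroPool result to Private->DnsServer without looking at the previous value; if an earlier call can leave a buffer there, free it first or note why the field is always NULL at this point. Nits: "a untrusted" should read "an untrusted", and the comment spells the variable "DnsServerlen" while the code uses DnsServerLen.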
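
Review bot: In the @@ -1342,15 +1403,13 @@ hunk of PxeBcHandleDhcp6Offer, "return Status;" now propagates EFI_DEVICE_ERROR as well as EFI_OUT_OF_RESOURCES, so an offer whose DNS Servers option has a zero length or a length that is not a multiple of sizeof (EFI_IPv6_ADDRESS) stops offer handling entirely, where the removed code returned early only on allocation failure. If rejecting the whole offer is the intended response to a malformed option, say so in the commit message and make sure the new return value is listed in the PxeBcHandleDhcp6Offer header comment; if the DNS address is optional for the boot flow, ignoring the bad option and continuing may be the less disruptive choice. Either way a test case covering OpLen values of 0, 15, 16 and 32 would pin down the behavior.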