public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Laszlo Ersek <lersek@redhat.com>
To: "Zeng, Star" <star.zeng@intel.com>,
	Liming Gao <liming.gao@intel.com>,
	edk2-devel@lists.01.org,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	"Gao, Liming" <liming.gao@intel.com>
Subject: Re: [Patch 0/3] Add more checker for Tianocompress and Ueficompress
Date: Thu, 18 Oct 2018 15:02:40 +0200	[thread overview]
Message-ID: <b367b5d9-1bc9-ffdf-79a6-f3a54c040b2d@redhat.com> (raw)
In-Reply-To: <a9b25c6f-d0e2-11a4-bb37-4e4871178203@intel.com>

On 10/18/18 05:04, Zeng, Star wrote:
> On 2018/10/16 10:06, Liming Gao wrote:
>> https://bugzilla.tianocore.org/show_bug.cgi?id=686
>>
>> Liming Gao (3):
>>    MdePkg: Add more checker in UefiDecompressLib to access the valid
>>      buffer only
>>    IntelFrameworkModulePkg: Add more checker in UefiTianoDecompressLib
>>    BaseTools: Add more checker in Decompress algorithm to access the
>>      valid buffer
> 
> Hi Liming,
> 
> If these patches are not pushed yet, I am glad to broadcast the good
> request "add CVE number in subject line" from Laszlo at
> https://lists.01.org/pipermail/edk2-devel/2018-October/031031.html. :)

Indeed; I now see on the BZ that no fewer than five CVEs are associated
with this series / BZ. Thank you Star for pointing that out.

Can we get a more detailed attack / threat analysis on the BZ, please?
Comment 7 says, "Impact: Elevation of Privilege". What does that mean
precisely?

For example, I'd like to evaluate the practical impact on ArmVirtQemu
and OVMF. From the build reports, those platforms use the
UefiDecompressLib class in "DxeIpl.inf" and "DxeMain.inf" only.

In turn, the DXE IPL PEIM seems to expose the UEFI decompress facility
via EFI_PEI_DECOMPRESS_PPI, and the DXE core does the same via
EFI_DECOMPRESS_PROTOCOL.

I don't think 3rd party drivers / applications / OS-es have access to
the PEI phase, so I think a buffer overflow in EFI_PEI_DECOMPRESS_PPI
might be exploitable. (Or is perhaps EFI_PEI_DECOMPRESS_PPI used for
update capsule processing on some platforms?)

Regarding EFI_DECOMPRESS_PROTOCOL; any 3rd party UEFI driver or app can
locate and call it. But how can the protocol's vulnerability exploited
for "Elevation of Privilege"? Can it be used to attack SMM somehow? I
don't see any SMM module in the edk2 tree consuming
"gEfiDecompressProtocolGuid".

Is UefiDecompressLib perhaps used for extracting GUID-ed sections as
well (on some other platforms)?

Thanks
Laszlo


  reply	other threads:[~2018-10-18 13:02 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-16  2:06 [Patch 0/3] Add more checker for Tianocompress and Ueficompress Liming Gao
2018-10-16  2:06 ` [Patch 1/3] MdePkg: Add more checker in UefiDecompressLib to access the valid buffer only Liming Gao
2018-10-16  2:06 ` [Patch 2/3] IntelFrameworkModulePkg: Add more checker in UefiTianoDecompressLib Liming Gao
2018-10-16  2:06 ` [Patch 3/3] BaseTools: Add more checker in Decompress algorithm to access the valid buffer Liming Gao
2018-10-18 12:28   ` Zhu, Yonghong
2018-10-18  3:04 ` [Patch 0/3] Add more checker for Tianocompress and Ueficompress Zeng, Star
2018-10-18 13:02   ` Laszlo Ersek [this message]
2018-10-18 13:36     ` Gao, Liming
2018-10-18 16:01       ` Laszlo Ersek
2018-10-19  6:40         ` Gao, Liming
2018-10-19 11:24           ` Laszlo Ersek
2018-10-19 14:40             ` Gao, Liming
2018-10-22  8:30               ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b367b5d9-1bc9-ffdf-79a6-f3a54c040b2d@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox