From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga17.intel.com (mga17.intel.com [192.55.52.151])
 by mx.groups.io with SMTP id smtpd.web09.9437.1581949619019089193
 for <devel@edk2.groups.io>;
 Mon, 17 Feb 2020 06:26:59 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.151, mailfrom: liming.gao@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga004.jf.intel.com ([10.7.209.38])
  by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Feb 2020 06:26:58 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,453,1574150400"; 
   d="scan'208";a="382197524"
Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203])
  by orsmga004.jf.intel.com with ESMTP; 17 Feb 2020 06:26:58 -0800
Received: from shsmsx602.ccr.corp.intel.com (10.109.6.142) by
 FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS)
 id 14.3.439.0; Mon, 17 Feb 2020 06:26:58 -0800
Received: from shsmsx606.ccr.corp.intel.com (10.109.6.216) by
 SHSMSX602.ccr.corp.intel.com (10.109.6.142) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.1713.5; Mon, 17 Feb 2020 22:26:55 +0800
Received: from shsmsx606.ccr.corp.intel.com ([10.109.6.216]) by
 SHSMSX606.ccr.corp.intel.com ([10.109.6.216]) with mapi id 15.01.1713.004;
 Mon, 17 Feb 2020 22:26:55 +0800
From: "Liming Gao" <liming.gao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>, "lersek@redhat.com"
	<lersek@redhat.com>, "Wu, Jiaxin" <jiaxin.wu@intel.com>
CC: "Fu, Siyuan" <siyuan.fu@intel.com>, Maciej Rabeda
	<maciej.rabeda@linux.intel.com>, "Armour, Nicholas"
	<nicholas.armour@intel.com>
Subject: Re: [edk2-devel] [PATCH v1] MdeModulePkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
Thread-Topic: [edk2-devel] [PATCH v1] MdeModulePkg/Ip4Dxe: Check the received
 package length (CVE-2019-14559).
Thread-Index: AQHV5WYR1EduBtoRIUKZqrYPsvLfUagerEuAgADFP6A=
Date: Mon, 17 Feb 2020 14:26:55 +0000
Message-ID: <bf608603ff3741d296934b27ed8e8f69@intel.com>
References: <20200217074349.8924-1-Jiaxin.wu@intel.com>
 <cfe13333-a01f-ecc6-b8d7-425c1d5bc163@redhat.com>
In-Reply-To: <cfe13333-a01f-ecc6-b8d7-425c1d5bc163@redhat.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-version: 11.2.0.6
dlp-product: dlpe-windows
dlp-reaction: no-action
x-originating-ip: [10.239.127.36]
MIME-Version: 1.0
Return-Path: liming.gao@intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Another minor comment. Ip4Dxe is moved into NetworkPkg. So, the patch title=
 should be NetworkPkg/Ip4Dxe.

Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Er=
sek
> Sent: Monday, February 17, 2020 6:40 PM
> To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>
> Cc: Fu, Siyuan <siyuan.fu@intel.com>; Maciej Rabeda <maciej.rabeda@linux=
.intel.com>; Armour, Nicholas <nicholas.armour@intel.com>
> Subject: Re: [edk2-devel] [PATCH v1] MdeModulePkg/Ip4Dxe: Check the rece=
ived package length (CVE-2019-14559).
>=20
> On 02/17/20 08:43, Wu, Jiaxin wrote:
> > This patch is to check the received package length to make sure the pa=
ckage
> > has a valid length field.
> >
> > Cc: Fu Siyuan <siyuan.fu@intel.com>
> > Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> > Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> > Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
> > ---
> >  NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++=
---------
> >  1 file changed, 37 insertions(+), 9 deletions(-)
>=20
> There are two patches on the list for CVE-2019-14559:
>=20
> - [edk2-devel] [PATCH v1] MdeModulePkg/Ip4Dxe: Check the received packag=
e length (CVE-2019-14559).
> - [edk2-devel] [PATCH 1/1] NetworkPkg/ArpDxe: Recycle invalid ARP packet=
s(CVE-2019-14559).
>=20
> sent by different submitters.
>=20
> How do they relate to each other?
>=20
> Also, while Nick's patch mentions TianoCore#2031, the current patch does=
n't include a BZ link. Is the current patch for TianoCore#2032?
> (Per <https://bugzilla.tianocore.org/show_bug.cgi?id=3D2032#c8>, both BZ=
s share the same CVE ID.)
>=20
> Also, I remain confused (with comment 11 being the latest one, as of thi=
s time, in TianoCore#2032), whether the issue affects IPv4 only,
> IPv6 only, or both. This patch is only for IPv4, apparently.
>=20
> If the present patch is related to TianoCore#2032, then please add a mai=
ling list archive link to the BZ, and move the BZ to IN_PROGRESS
> status.
>=20
> Laszlo
>=20
> >
> > diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input=
.c
> > index fec242c71f..95fbd01d05 100644
> > --- a/NetworkPkg/Ip4Dxe/Ip4Input.c
> > +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
> > @@ -1,9 +1,9 @@
> >  /** @file
> >    IP4 input process.
> >
> > -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR=
>
> > +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR=
>
> >  (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
> >
> >  SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> >  **/
> > @@ -709,14 +709,10 @@ Ip4PreProcessPacket (
> >    UINT16                    Checksum;
> >
> >    //
> >    // Check if the IP4 header is correctly formatted.
> >    //
> > -  if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
> > -    return EFI_INVALID_PARAMETER;
> > -  }
> > -
> >    HeadLen  =3D (Head->HeadLen << 2);
> >    TotalLen =3D NTOHS (Head->TotalLen);
> >
> >    //
> >    // Mnp may deliver frame trailer sequence up, trim it off.
> > @@ -806,10 +802,34 @@ Ip4PreProcessPacket (
> >    }
> >
> >    return EFI_SUCCESS;
> >  }
> >
> > +/**
> > +  This function checks the IPv4 packet length.
> > +
> > +  @param[in]       Packet          Pointer to the IPv4 Packet to be c=
hecked.
> > +
> > +  @retval TRUE                   The input IPv4 packet length is vali=
d.
> > +  @retval FALSE                  The input IPv4 packet length is inva=
lid.
> > +
> > +**/
> > +BOOLEAN
> > +Ip4IsValidPacketLength (
> > +  IN NET_BUF        *Packet
> > +  )
> > +{
> > +  //
> > +  // Check the IP4 packet length.
> > +  //
> > +  if (Packet->TotalSize < IP4_MIN_HEADLEN) {
> > +    return FALSE;
> > +  }
> > +
> > +  return TRUE;
> > +}
> > +
> >  /**
> >    The IP4 input routine. It is called by the IP4_INTERFACE when a
> >    IP4 fragment is received from MNP.
> >
> >    @param[in]  Ip4Instance        The IP4 child that request the recei=
ve, most like
> > @@ -842,10 +862,14 @@ Ip4AccpetFrame (
> >
> >    if (EFI_ERROR (IoStatus) || (IpSb->State =3D=3D IP4_SERVICE_DESTROY=
)) {
> >      goto DROP;
> >    }
> >
> > +  if (!Ip4IsValidPacketLength (Packet)) {
> > +    goto RESTART;
> > +  }
> > +
> >    Head      =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
> >    ASSERT (Head !=3D NULL);
> >    OptionLen =3D (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
> >    if (OptionLen > 0) {
> >      Option =3D (UINT8 *) (Head + 1);
> > @@ -888,14 +912,18 @@ Ip4AccpetFrame (
> >    //
> >    // If the packet is protected by tunnel mode, parse the inner Ip Pa=
cket.
> >    //
> >    ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
> >    if (0 =3D=3D CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
> > -  // Packet may have been changed. Head, HeadLen, TotalLen, and
> > -  // info must be reloaded before use. The ownership of the packet
> > -  // is transferred to the packet process logic.
> > -  //
> > +    // Packet may have been changed. Head, HeadLen, TotalLen, and
> > +    // info must be reloaded before use. The ownership of the packet
> > +    // is transferred to the packet process logic.
> > +    //
> > +    if (!Ip4IsValidPacketLength (Packet)) {
> > +      goto RESTART;
> > +    }
> > +
> >      Head =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
> >      ASSERT (Head !=3D NULL);
> >      Status =3D Ip4PreProcessPacket (
> >                 IpSb,
> >                 &Packet,
> >
>=20
>=20
>=20