From: "Doug Flick via groups.io"
To: devel@edk2.groups.io
Cc: Doug Flick, Saloni Kasbekar, Zachary Clark-williams, "Doug Flick [MSFT]"
Subject: [edk2-devel] [PATCH v2 10/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
Date: Thu, 25 Jan 2024 13:54:52 -0800
List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message

Change Overview:

Introduces a function to cache the Dns Server and perform sanitizing on the incoming DnsServerLen to ensure that the length is valid

> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> +   IN PXEBC_PRIVATE_DATA         *Private,
> +   IN PXEBC_DHCP6_PACKET_CACHE   *Cache6
> +   )

Additional code cleanup

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++---
 1 file changed, 65 insertions(+), 6 deletions(-)

diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe= /PxeBcDhcp6.c
index 425e0cf8061d..2b2d372889a3 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -3,6 +3,7 @@ =0D (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
=0D Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
=0D + Copyright (c) Microsoft Corporation=0D =0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D 
@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer ( }=0D }=0D =0D +/**=0D + Cache the DHCPv6 DNS Server addresses=0D +=0D + @param[in] Private The pointer to PXEBC_PRIVATE_DATA.=0D + @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE= .=0D +=0D + @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address suc= cessfully.=0D + @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.=0D + @retval EFI_DEVICE_ERROR The DNS Server Address Length provided = by a untrusted=0D + option is not a multiple of 16 bytes (s= izeof (EFI_IPv6_ADDRESS)).=0D +**/=0D +EFI_STATUS=0D +PxeBcCacheDnsServerAddresses (=0D + IN PXEBC_PRIVATE_DATA *Private,=0D + IN PXEBC_DHCP6_PACKET_CACHE *Cache6=0D + )=0D +{=0D + UINT16 DnsServerLen;=0D +=0D + DnsServerLen =3D NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpL= en);=0D + //=0D + // Make sure that the number is nonzero=0D + //=0D + if (DnsServerLen =3D=3D 0) {=0D + return EFI_DEVICE_ERROR;=0D + }=0D +=0D + //=0D + // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)=0D + //=0D + if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) !=3D 0) {=0D + return EFI_DEVICE_ERROR;=0D + }=0D +=0D + //=0D + // This code is currently written to only support a single DNS Server in= stead=0D + // of multiple such as is spec defined (RFC3646, Section 3). 
The proper = behavior=0D + // would be to allocate the full space requested, CopyMem all of the dat= a,=0D + // and then add a DnsServerCount field to Private and update additional = code=0D + // that depends on this.=0D + //=0D + // To support multiple DNS servers the `AllocationSize` would need to be= changed to DnsServerLen=0D + //=0D + // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=3D1= 886=0D + //=0D + Private->DnsServer =3D AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS));=0D + if (Private->DnsServer =3D=3D NULL) {=0D + return EFI_OUT_OF_RESOURCES;=0D + }=0D +=0D + //=0D + // Intentionally only copy over the first server address.=0D + // To support multiple DNS servers, the `Length` would need to be change= d to DnsServerLen=0D + //=0D + CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]= ->Data, sizeof (EFI_IPv6_ADDRESS));=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D /**=0D Handle the DHCPv6 offer packet.=0D =0D @@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer ( UINT32 SelectIndex;=0D UINT32 Index;=0D =0D + ASSERT (Private !=3D NULL);=0D ASSERT (Private->SelectIndex > 0);=0D SelectIndex =3D (UINT32)(Private->SelectIndex - 1);=0D ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);=0D 
@@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer ( Status =3D EFI_SUCCESS;=0D =0D //=0D - // First try to cache DNS server address if DHCP6 offer provides.=0D + // First try to cache DNS server addresses if DHCP6 offer provides.=0D //=0D if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] !=3D NULL) {=0D - Private->DnsServer =3D AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_= DHCP6_IDX_DNS_SERVER]->OpLen));=0D - if (Private->DnsServer =3D=3D NULL) {=0D - return EFI_OUT_OF_RESOURCES;=0D + Status =3D PxeBcCacheDnsServerAddresses (Private, Cache6);=0D + if (EFI_ERROR (Status)) {=0D + return Status;=0D }=0D -=0D - CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVE= R]->Data, sizeof (EFI_IPv6_ADDRESS));=0D }=0D =0D if (Cache6->OfferType =3D=3D PxeOfferTypeDhcpBinl) {=0D --=20 2.43.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114472): https://edk2.groups.io/g/devel/message/114472 Mute This Topic: https://groups.io/mt/103964986/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-
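Review bot: In the new PxeBcCacheDnsServerAddresses (the @@ -1312,6 +1313,65 @@ hunk), the two length checks are what actually closes the overflow: the removed code sized the pool by OpLen but always copied sizeof (EFI_IPv6_ADDRESS) bytes, so the nonzero and multiple-of-16 checks are what guarantee that at least 16 bytes of option data back the fixed-size CopyMem; worth a one-line comment saying so, since the "multiple of 16" wording reads as a format check rather than a bounds check. Two smaller points: Private->DnsServer is assigned without freeing any earlier allocation, so if an offer is handled more than once for the same Private the old pool leaks (pre-existing, but this is the natural place for `if (Private->DnsServer != NULL) { FreePool (Private->DnsServer); }` or for a comment stating it cannot recur); and the doc comment should read "by an untrusted option" and use the same DnsServerLen spelling as the code where the comment says "DnsServerlen".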
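Review bot: The added ASSERT (Private != NULL) at the top of PxeBcHandleDhcp6Offer (the @@ -1335,6 +1395,7 @@ hunk) is compiled out in RELEASE builds, so it documents the precondition rather than enforcing it. That is fine here, because the next line dereferences Private->SelectIndex regardless, but it should not be counted as a runtime guard in the security fix itself.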
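Review bot: In the @@ -1342,15 +1403,13 @@ hunk, propagating Status from PxeBcCacheDnsServerAddresses makes a malformed DNS Servers option fatal for the whole offer, where the old code proceeded regardless. That is a defensible choice for data from an untrusted server, but it is a behaviour change the commit message does not call out; if continuing the PXE boot without a DNS server is acceptable, the call site could instead leave Private->DnsServer NULL and fall through. Either way, EFI_DEVICE_ERROR is an odd status for bad data from the network; EFI_PROTOCOL_ERROR would describe it better. Also, the updated comment now says "addresses" in the plural although the new function deliberately caches only the first one.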
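The length validation the patch introduces, modelled as a stand-alone C program (added here; not edk2 code, and dhcp6_option_t, cache_first_dns_server, old_code_would_overflow, try_len and the sample option bytes are constructed for illustration): old_code_would_overflow reports the pre-patch sizing mistake for a given OpLen, and cache_first_dns_server applies the patched checks before copying a single 16-byte address.

```c
/* Stand-alone model of the CVE-2023-45234 length check (not edk2 code; the
 * type and function names are illustrative, not the project's). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IPV6_ADDR_LEN 16 /* sizeof (EFI_IPv6_ADDRESS) */
enum cache_status { CACHE_OK = 0, CACHE_BAD_OPTION = -1, CACHE_NO_MEMORY = -2 };

/* Parsed option: op_len is host order (NTOHS done) and server controlled. */
typedef struct { uint16_t op_len; const uint8_t *data; } dhcp6_option_t;

/* Constructed sample: RFC 3646 DNS server option data, 2001:db8::1 then ::2. */
static const uint8_t SAMPLE_DNS_DATA[2 * IPV6_ADDR_LEN] = {
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x02,
};

/* Pre-patch bug shape: pool sized by op_len but copy fixed at 16 bytes, so any
 * op_len < 16 wrote past the allocation. Reported here, never performed. */
int old_code_would_overflow(uint16_t op_len) { return op_len < IPV6_ADDR_LEN; }

/* Post-patch logic: reject zero or non-multiple-of-16 lengths, then allocate
 * exactly one address and copy only the first one, as the patch does. */
enum cache_status cache_first_dns_server(const dhcp6_option_t *opt, uint8_t **out) {
    *out = NULL;
    if (opt->op_len == 0 || opt->op_len % IPV6_ADDR_LEN != 0)
        return CACHE_BAD_OPTION;           /* EFI_DEVICE_ERROR in the patch */
    uint8_t *buf = calloc(1, IPV6_ADDR_LEN);
    if (buf == NULL)
        return CACHE_NO_MEMORY;            /* EFI_OUT_OF_RESOURCES */
    memcpy(buf, opt->data, IPV6_ADDR_LEN); /* safe: op_len >= 16 here */
    *out = buf;
    return CACHE_OK;
}

/* Demo helper: returns the negative status on failure, else the last byte of
 * the cached address (1 for 2001:db8::1). */
int try_len(uint16_t op_len) {
    dhcp6_option_t opt = { op_len, SAMPLE_DNS_DATA };
    uint8_t *cached = NULL;
    enum cache_status st = cache_first_dns_server(&opt, &cached);
    if (st != CACHE_OK) return (int)st;
    int last = cached[IPV6_ADDR_LEN - 1];
    free(cached);
    return last;
}
```

Lengths 0, 8 and 24 are rejected before any allocation, while 16 and 32 succeed and cache only 2001:db8::1.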