From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id EC6FD740041 for ; Wed, 24 Jan 2024 11:30:32 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=F8cxhD3Kstcro6NBk/j/duS8ALxEaTJhtzLM2IRUeN0=; c=relaxed/simple; d=groups.io; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Disposition; s=20140610; t=1706095831; v=1; b=JIkqhi6WT5+rydGnJbWjK6iS1cdIziX8Lqx8JCDP4OTa0Mm4bdOTdhd652SxUfkWzQS1CahM h/5U8v3VgWzrZ/euxm8TH1knIdsKHqnEfe7g5QTNBRjQwAbN6prlA4Yz/4t2SfGU8D0eAIJ7L1G wKo4Kck3Dp+mzJ7do4TNFMoQ= X-Received: by 127.0.0.2 with SMTP id LgcvYY7687511xwGJd9lcmSS; Wed, 24 Jan 2024 03:30:31 -0800 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web10.20330.1706095830910780762 for ; Wed, 24 Jan 2024 03:30:31 -0800 X-Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-52-LEkmoV4ROpy5-L_utVUdYg-1; Wed, 24 Jan 2024 06:30:26 -0500 X-MC-Unique: LEkmoV4ROpy5-L_utVUdYg-1 X-Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4FB73185A784; Wed, 24 Jan 2024 11:30:26 +0000 (UTC) X-Received: from sirius.home.kraxel.org (unknown [10.39.193.66]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1784C2166B32; Wed, 24 Jan 2024 11:30:26 +0000 (UTC) X-Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 17281180038B; Wed, 24 Jan 2024 12:30:25 +0100 (CET) Date: Wed, 24 Jan 2024 12:30:25 +0100 From: "Gerd Hoffmann" To: devel@edk2.groups.io, dougflick@microsoft.com Cc: "Douglas Flick [MSFT]" , Saloni Kasbekar , Zachary Clark-williams Subject: Re: [edk2-devel] [PATCH 01/14] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch Message-ID: References: <931c86114b8f62b633f92aeb8573d2559c66c0f0.1706062164.git.doug.edk2@gmail.com> MIME-Version: 1.0 In-Reply-To: <931c86114b8f62b633f92aeb8573d2559c66c0f0.1706062164.git.doug.edk2@gmail.com> X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,kraxel@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: L3zruqFFv7Bw9yM3PJE5UdEMx7686176AA= Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=JIkqhi6W; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On Tue, Jan 23, 2024 at 07:33:24PM -0800, Doug Flick via groups.io wrote: > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535 > > SECURITY PATCH - Patch Not needed, the CVE number below implies that. > TCBZ4535 Not needed, the link to tianocore bugzilla is above. > CVE-2023-45230 > CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H > CWE-119 Improper Restriction of Operations within the Bounds > of a Memory Buffer Good. Given that this series of bugs got a fancy name I think it makes sense to include that too ("pixiefail bug #1"). Please include a description of the bug and how it is fixed. [ the same applies to the following patches ] > -UINT8 * > +EFI_STATUS > Dhcp6AppendOption ( > - IN OUT UINT8 *Buf, > - IN UINT16 OptType, > - IN UINT16 OptLen, > - IN UINT8 *Data > + IN OUT EFI_DHCP6_PACKET *Packet, > + IN OUT UINT8 **PacketCursor, > + IN UINT16 OptType, > + IN UINT16 OptLen, > + IN UINT8 *Data > ); Dhcp6AppendOption() and variants can return errors now. All callsites are adapted accordingly. It gets passed in EFI_DHCP6_PACKET as additional parameter ... > + // > + // Verify the PacketCursor is within the packet > + // > + if ( (*PacketCursor < Packet->Dhcp6.Option) > + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) > + { > + return EFI_INVALID_PARAMETER; > + } ... so it can look at Packet->Size when checking buffer space. Also to allow Packet->Length updates. Lots of checks added. The code changes look good to me. The key changes should be highlighted in the commit message. thanks, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114275): https://edk2.groups.io/g/devel/message/114275 Mute This Topic: https://groups.io/mt/103926731/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-