edk2/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch

From e3f153773bd2ca13ee4869187f1711840fc8afc9 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 15 Feb 2024 11:51:09 -0500
Subject: [PATCH 02/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 56: Pixiefail issues in NetworkPkg package
RH-Jira: RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [2/15] 61eaf6aac61b774c3a8ace54af8abd607651d2db

JIRA: https://issues.redhat.com/browse/RHEL-21844
CVE: CVE-2022-45231
Upstream: Merged

commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd
Author: Doug Flick <dougflick@microsoft.com>
Date:   Fri Jan 26 05:54:48 2024 +0800

    NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch

    REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

    Bug Overview:
    PixieFail Bug #3
    CVE-2023-45231
    CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    CWE-125 Out-of-bounds Read

    Out-of-bounds read when handling a ND Redirect message with truncated
    options

    Change Overview:

    Adds a check to prevent truncated options from being parsed
    +  //
    +  // Cannot process truncated options.
    +  // Cannot process options with a length of 0 as there is no Type
    field.
    +  //
    +  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
    +    return FALSE;
    +  }

    Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
    Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
    Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
index 199eea124d..8718d5d875 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
     return FALSE;
   }
 
+  //
+  // Cannot process truncated options.
+  // Cannot process options with a length of 0 as there is no Type field.
+  //
+  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+    return FALSE;
+  }
+
   Offset = 0;
 
   //
-- 
2.39.3
* Tue Feb 27 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-12 - edk2-Apply-uncrustify-changes-to-.c-.h-files-in-the-Netwo.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Apply-uncrustify-changes.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Apply-uncrustify-changes-p2.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - Resolves: RHEL-21840 (CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]) - Resolves: RHEL-21844 (CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-8]) - Resolves: RHEL-21846 (CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-8]) - Resolves: RHEL-21848 (CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-8]) - Resolves: RHEL-21850 (CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-8]) - Resolves: RHEL-21852 (CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-8]) 2024-02-27 11:10:11 +00:00			`From e3f153773bd2ca13ee4869187f1711840fc8afc9 Mon Sep 17 00:00:00 2001`
			`From: Jon Maloy <jmaloy@redhat.com>`
			`Date: Thu, 15 Feb 2024 11:51:09 -0500`
			`Subject: [PATCH 02/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch`

			`RH-Author: Jon Maloy <jmaloy@redhat.com>`
			`RH-MergeRequest: 56: Pixiefail issues in NetworkPkg package`
			`RH-Jira: RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852`
			`RH-Acked-by: Gerd Hoffmann <None>`
			`RH-Acked-by: Oliver Steffen <osteffen@redhat.com>`
			`RH-Commit: [2/15] 61eaf6aac61b774c3a8ace54af8abd607651d2db`

			`JIRA: https://issues.redhat.com/browse/RHEL-21844`
			`CVE: CVE-2022-45231`
			`Upstream: Merged`

			`commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd`
			`Author: Doug Flick <dougflick@microsoft.com>`
			`Date: Fri Jan 26 05:54:48 2024 +0800`

			`NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch`

			`REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536`

			`Bug Overview:`
			`PixieFail Bug #3`
			`CVE-2023-45231`
			`CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`CWE-125 Out-of-bounds Read`

			`Out-of-bounds read when handling a ND Redirect message with truncated`
			`options`

			`Change Overview:`

			`Adds a check to prevent truncated options from being parsed`
			`+ //`
			`+ // Cannot process truncated options.`
			`+ // Cannot process options with a length of 0 as there is no Type`
			`field.`
			`+ //`
			`+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {`
			`+ return FALSE;`
			`+ }`

			`Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>`
			`Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>`

			`Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>`
			`Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>`

			`Signed-off-by: Jon Maloy <jmaloy@redhat.com>`
			`---`
			`NetworkPkg/Ip6Dxe/Ip6Option.c \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c`
			`index 199eea124d..8718d5d875 100644`
			`--- a/NetworkPkg/Ip6Dxe/Ip6Option.c`
			`+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c`
			`@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (`
			`return FALSE;`
			`}`

			`+ //`
			`+ // Cannot process truncated options.`
			`+ // Cannot process options with a length of 0 as there is no Type field.`
			`+ //`
			`+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {`
			`+ return FALSE;`
			`+ }`
			`+`
			`Offset = 0;`

			`//`
			`--`
			`2.39.3`