import edk2-20200602gitca407c7246bf-4.el8_4.1

This commit is contained in:
CentOS Sources 2021-06-29 10:02:03 -04:00 committed by Andrew Lukoshko
parent 4318d0801e
commit 20b1e7017b
2 changed files with 109 additions and 1 deletions

View File

@ -0,0 +1,101 @@
From dea2c718df8b58f5147c7674797bf65df649c53e Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 19 Nov 2020 12:50:34 +0100
Subject: [PATCH] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed
buffer sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek (lersek)
RH-MergeRequest: 1: prevent integer overflow / heap corruption in LZMA decompression [rhel-8.4.0.z]
RH-Commit: [1/1] a8ec492d7ebb6ae3c51513f501f72d5418b71f17
RH-Bugzilla: 1952953
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
The LzmaUefiDecompressGetInfo() function
[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
silently truncates the UINT64 "DecodedSize" property of the compressed
blob to the UINT32 "DestinationSize" output parameter.
If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
allocation (for decompression) will likely succeed (allocating 0x100 bytes
only), but then the LzmaUefiDecompress() function (which re-fetches the
uncompressed buffer size from the same LZMA header into a "SizeT"
variable) will overwrite the buffer.
Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
This should not be a practical limitation. (The issue cannot be fixed for
32-bit systems without spec modifications anyway, given that the
"OutputSize" output parameter of
EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
not UINT64.)
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daud <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Philippe Mathieu-Daud <philmd@redhat.com>
Message-Id: <20201119115034.12897-2-lersek@redhat.com>
(cherry picked from commit e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0)
---
.../Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++
.../LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
2 files changed, 12 insertions(+)
diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
index c58912eb6a..8f7c242dca 100644
--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf(
in DestinationSize and the size of the scratch
buffer was returned in ScratchSize.
+ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
+ uncompressed buffer size (in bytes) does not fit
+ in a UINT32. Output parameters have not been
+ modified.
**/
RETURN_STATUS
EFIAPI
@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo (
ASSERT(SourceSize >= LZMA_HEADER_SIZE);
DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
+ if (DecodedSize > MAX_UINT32) {
+ return RETURN_UNSUPPORTED;
+ }
*DestinationSize = (UINT32)DecodedSize;
*ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE;
diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
index 26f110ba2a..fbafd5f100 100644
--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
@@ -9,6 +9,7 @@
#ifndef __LZMADECOMPRESSLIB_INTERNAL_H__
#define __LZMADECOMPRESSLIB_INTERNAL_H__
+#include <Base.h>
#include <PiPei.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
@@ -45,6 +46,10 @@
in DestinationSize and the size of the scratch
buffer was returned in ScratchSize.
+ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
+ uncompressed buffer size (in bytes) does not fit
+ in a UINT32. Output parameters have not been
+ modified.
**/
RETURN_STATUS
EFIAPI
--
2.27.0

View File

@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
Release: 4%{?dist}
Release: 4%{?dist}.1
Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators
License: BSD-2-Clause-Patent and OpenSSL and MIT
@ -66,6 +66,8 @@ Patch33: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
# For bz#1893806 - attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)
Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
# For bz#1952953 - edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] [rhel-8.4.0.z]
Patch36: edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
# python3-devel and libuuid-devel are required for building tools.
@ -515,6 +517,11 @@ true
%endif
%changelog
* Thu May 13 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8_4.1
- edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch [bz#1952953]
- Resolves: bz#1952953
(edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] [rhel-8.4.0.z])
* Mon Nov 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8
- edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177]
- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]