diff --git a/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch b/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch new file mode 100644 index 0000000..8a5d148 --- /dev/null +++ b/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch @@ -0,0 +1,174 @@ +From f8691984227809170b702f6fd087add1f95ee8fe Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 5 Mar 2024 16:38:49 -0500 +Subject: [PATCH 1/2] EmbeddedPkg/Hob: Integer Overflow in CreateHob() + +RH-Author: Jon Maloy +RH-MergeRequest: 66: EmbeddedPkg/Hob: Integer Overflow in CreateHob() +RH-Jira: RHEL-21158 +RH-Acked-by: Oliver Steffen +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/2] 301d3bfe82c39179fb85d510788831aa340212d9 + +JIRA: https://issues.redhat.com/browse/RHEL-21158 +CVE: CVE-2022-36765 +Upstream: Merged + +commit aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 +Author: Gua Guo +Date: Thu Jan 11 13:07:50 2024 +0800 + + EmbeddedPkg/Hob: Integer Overflow in CreateHob() + + REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 + + Fix integer overflow in various CreateHob instances. + Fixes: CVE-2022-36765 + + The CreateHob() function aligns the requested size to 8 + performing the following operation: + ``` + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); + ``` + + No checks are performed to ensure this value doesn't + overflow, and could lead to CreateHob() returning a smaller + HOB than requested, which could lead to OOB HOB accesses. + + Reported-by: Marc Beatove + Cc: Leif Lindholm + Reviewed-by: Ard Biesheuvel + Cc: Abner Chang + Cc: John Mathew + Authored-by: Gerd Hoffmann + Signed-off-by: Gua Guo + +Signed-off-by: Jon Maloy +--- + EmbeddedPkg/Library/PrePiHobLib/Hob.c | 47 +++++++++++++++++++++++++-- + 1 file changed, 45 insertions(+), 2 deletions(-) + +diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c +index b5cc6c5d8f..f4c99369c6 100644 +--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c ++++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c +@@ -112,6 +112,13 @@ CreateHob ( + + HandOffHob = GetHobList (); + ++ // ++ // Check Length to avoid data overflow. ++ // ++ if (HobLength > MAX_UINT16 - 0x7) { ++ return NULL; ++ } ++ + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); + + FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; +@@ -161,7 +168,10 @@ BuildResourceDescriptorHob ( + EFI_HOB_RESOURCE_DESCRIPTOR *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); +- ASSERT(Hob != NULL); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->ResourceType = ResourceType; + Hob->ResourceAttribute = ResourceAttribute; +@@ -403,6 +413,10 @@ BuildModuleHob ( + ((ModuleLength & (EFI_PAGE_SIZE - 1)) == 0)); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); + Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; +@@ -450,7 +464,12 @@ BuildGuidHob ( + // + ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); + +- Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16) (sizeof (EFI_HOB_GUID_TYPE) + DataLength)); ++ Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return NULL; ++ } ++ + CopyGuid (&Hob->Name, Guid); + return Hob + 1; + } +@@ -516,6 +535,10 @@ BuildFvHob ( + EFI_HOB_FIRMWARE_VOLUME *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -548,6 +571,10 @@ BuildFv2Hob ( + EFI_HOB_FIRMWARE_VOLUME2 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -589,6 +616,10 @@ BuildFv3Hob ( + EFI_HOB_FIRMWARE_VOLUME3 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -645,6 +676,10 @@ BuildCpuHob ( + EFI_HOB_CPU *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->SizeOfMemorySpace = SizeOfMemorySpace; + Hob->SizeOfIoSpace = SizeOfIoSpace; +@@ -681,6 +716,10 @@ BuildStackHob ( + ((Length & (EFI_PAGE_SIZE - 1)) == 0)); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +@@ -761,6 +800,10 @@ BuildMemoryAllocationHob ( + ((Length & (EFI_PAGE_SIZE - 1)) == 0)); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +-- +2.39.3 + diff --git a/edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch b/edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch new file mode 100644 index 0000000..f5fdb5d --- /dev/null +++ b/edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch @@ -0,0 +1,150 @@ +From 155eceaf831492dcd77172833350072e4156e1c9 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 5 Mar 2024 16:38:49 -0500 +Subject: [PATCH 2/2] StandaloneMmPkg/Hob: Integer Overflow in CreateHob() + +RH-Author: Jon Maloy +RH-MergeRequest: 66: EmbeddedPkg/Hob: Integer Overflow in CreateHob() +RH-Jira: RHEL-21158 +RH-Acked-by: Oliver Steffen +RH-Acked-by: Gerd Hoffmann +RH-Commit: [2/2] be7ee11a65a56faec07c249a35940cf9b95b9ec1 + +JIRA: https://issues.redhat.com/browse/RHEL-21158 +CVE: CVE-2022-36765 +Upstream: Merged + +commit 9a75b030cf27d2530444e9a2f9f11867f79bf679 +Author: Gua Guo +Date: Thu Jan 11 13:03:26 2024 +0800 + + StandaloneMmPkg/Hob: Integer Overflow in CreateHob() + + REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 + + Fix integer overflow in various CreateHob instances. + Fixes: CVE-2022-36765 + + The CreateHob() function aligns the requested size to 8 + performing the following operation: + ``` + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); + ``` + + No checks are performed to ensure this value doesn't + overflow, and could lead to CreateHob() returning a smaller + HOB than requested, which could lead to OOB HOB accesses. + + Reported-by: Marc Beatove + Reviewed-by: Ard Biesheuvel + Cc: Sami Mujawar + Reviewed-by: Ray Ni + Cc: John Mathew + Authored-by: Gerd Hoffmann + Signed-off-by: Gua Guo + + Signed-off-by: Jon Maloy +--- + .../Arm/StandaloneMmCoreHobLib.c | 37 ++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c +index 0ec2d4ad6f..3b13249e33 100644 +--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c ++++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c +@@ -34,6 +34,13 @@ CreateHob ( + + HandOffHob = GetHobList (); + ++ // ++ // Check Length to avoid data overflow. ++ // ++ if (HobLength > MAX_UINT16 - 0x7) { ++ return NULL; ++ } ++ + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); + + FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; +@@ -87,6 +94,10 @@ BuildModuleHob ( + ((ModuleLength & (EFI_PAGE_SIZE - 1)) == 0)); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); + Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; +@@ -127,6 +138,9 @@ BuildResourceDescriptorHob ( + + Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); + ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->ResourceType = ResourceType; + Hob->ResourceAttribute = ResourceAttribute; +@@ -164,7 +178,12 @@ BuildGuidHob ( + // + ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); + +- Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16) (sizeof (EFI_HOB_GUID_TYPE) + DataLength)); ++ Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return NULL; ++ } ++ + CopyGuid (&Hob->Name, Guid); + return Hob + 1; + } +@@ -225,6 +244,10 @@ BuildFvHob ( + EFI_HOB_FIRMWARE_VOLUME *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -255,6 +278,10 @@ BuildFv2Hob ( + EFI_HOB_FIRMWARE_VOLUME2 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -283,6 +310,10 @@ BuildCpuHob ( + EFI_HOB_CPU *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->SizeOfMemorySpace = SizeOfMemorySpace; + Hob->SizeOfIoSpace = SizeOfIoSpace; +@@ -318,6 +349,10 @@ BuildMemoryAllocationHob ( + ((Length & (EFI_PAGE_SIZE - 1)) == 0)); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +-- +2.39.3 + diff --git a/edk2.spec b/edk2.spec index e323461..fca9d85 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 12%{?dist} +Release: 13%{?dist} Summary: UEFI firmware for 64-bit virtual machines Group: Applications/Emulators License: BSD-2-Clause-Patent and OpenSSL and MIT @@ -256,6 +256,10 @@ Patch81: edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch # For RHEL-21850 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-8] # For RHEL-21852 - CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-8] Patch82: edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch +# For RHEL-21158 - CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-8] +Patch83: edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch +# For RHEL-21158 - CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-8] +Patch84: edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch # python3-devel and libuuid-devel are required for building tools. @@ -702,6 +706,12 @@ true %endif %changelog +* Thu Mar 14 2024 Miroslav Rezanina - 20220126gitbb1bba3d77-13 +- edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-21158] +- edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-21158] +- Resolves: RHEL-21158 + (CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-8]) + * Tue Feb 27 2024 Miroslav Rezanina - 20220126gitbb1bba3d77-12 - edk2-Apply-uncrustify-changes-to-.c-.h-files-in-the-Netwo.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]