* Wed Feb 14 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-11
- edk2-SecurityPkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Change-OPTIONAL-keyword-usage-style.patch [RHEL-21154 RHEL-21156]
- edk2-MdePkg-Introduce-CcMeasurementProtocol-for-CC-Guest-.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpm2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpmM.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SEC-PATCH-4118-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SEC-PATCH-4117-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [RHEL-21154 RHEL-21156]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch [RHEL-21840 RHEL-21842]
- Resolves: RHEL-21154 (CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8])
- Resolves: RHEL-21156 (CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8])
- Resolves: RHEL-21840 (CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8])
- Resolves: RHEL-21842 (CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8])
parent d6671b1ccc
commit a0d9f2d87e
390
edk2-MdePkg-Introduce-CcMeasurementProtocol-for-CC-Guest-.patch
Normal file
@ -0,0 +1,390 @@
|
||||
From b8261ac422ba284249cd4f341d78d058e79960f5 Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 7 Feb 2024 11:56:37 -0500
|
||||
Subject: [PATCH 03/17] MdePkg: Introduce CcMeasurementProtocol for CC Guest
|
||||
firmware
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
|
||||
RH-Jira: RHEL-21154 RHEL-21156
|
||||
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
RH-Commit: [3/13] 6bf304f8e3bc875024c8fb0a4cd5d2c944f69480 (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21154
|
||||
CVE: CVE-2022-36763
|
||||
Upstream: Merged
|
||||
|
||||
commit e193584da60550008722498442c62ddb77bf27d5
|
||||
Author: Min Xu <min.m.xu@intel.com>
|
||||
Date: Sat Dec 11 21:08:40 2021 +0800
|
||||
|
||||
MdePkg: Introduce CcMeasurementProtocol for CC Guest firmware
|
||||
|
||||
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625
|
||||
|
||||
CC guest is a Confidential Computing guest. If CC Guest firmware
|
||||
supports measurement and an event is created, CC Guest firmware
|
||||
is designed to report the event log with the same data structure
|
||||
in TCG-Platform-Firmware-Profile specification with
|
||||
EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format.
|
||||
|
||||
The CC Guest firmware supports measurement. It is designed to
|
||||
produce EFI_CC_MEASUREMENT_PROTOCOL with new GUID
|
||||
EFI_CC_MEASUREMENT_PROTOCOL_GUID to report event log and provides
|
||||
hash capability.
|
||||
|
||||
Cc: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
Cc: Liming Gao <gaoliming@byosoft.com.cn>
|
||||
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Ken Lu <ken.lu@intel.com>
|
||||
Cc: Sami Mujawar <sami.mujawar@arm.com>
|
||||
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
|
||||
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
|
||||
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Signed-off-by: Min Xu <min.m.xu@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
MdePkg/Include/Protocol/CcMeasurement.h | 302 ++++++++++++++++++++++++
|
||||
MdePkg/MdePkg.dec | 6 +
|
||||
2 files changed, 308 insertions(+)
|
||||
create mode 100644 MdePkg/Include/Protocol/CcMeasurement.h
|
||||
|
||||
diff --git a/MdePkg/Include/Protocol/CcMeasurement.h b/MdePkg/Include/Protocol/CcMeasurement.h
|
||||
new file mode 100644
|
||||
index 0000000000..68029e977f
|
||||
--- /dev/null
|
||||
+++ b/MdePkg/Include/Protocol/CcMeasurement.h
|
||||
@@ -0,0 +1,302 @@
|
||||
+/** @file
|
||||
+ If CC Guest firmware supports measurement and an event is created,
|
||||
+ CC Guest firmware is designed to report the event log with the same
|
||||
+ data structure in TCG-Platform-Firmware-Profile specification with
|
||||
+ EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format.
|
||||
+
|
||||
+ The CC Guest firmware supports measurement, the CC Guest Firmware is
|
||||
+ designed to produce EFI_CC_MEASUREMENT_PROTOCOL with new GUID
|
||||
+ EFI_CC_MEASUREMENT_PROTOCOL_GUID to report event log and provides hash
|
||||
+ capability.
|
||||
+
|
||||
+Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR>
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#ifndef CC_MEASUREMENT_PROTOCOL_H_
|
||||
+#define CC_MEASUREMENT_PROTOCOL_H_
|
||||
+
|
||||
+#include <IndustryStandard/UefiTcgPlatform.h>
|
||||
+
|
||||
+#define EFI_CC_MEASUREMENT_PROTOCOL_GUID \
|
||||
+ { 0x96751a3d, 0x72f4, 0x41a6, { 0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b }}
|
||||
+extern EFI_GUID gEfiCcMeasurementProtocolGuid;
|
||||
+
|
||||
+typedef struct _EFI_CC_MEASUREMENT_PROTOCOL EFI_CC_MEASUREMENT_PROTOCOL;
|
||||
+
|
||||
+typedef struct {
|
||||
+ UINT8 Major;
|
||||
+ UINT8 Minor;
|
||||
+} EFI_CC_VERSION;
|
||||
+
|
||||
+//
|
||||
+// EFI_CC Type/SubType definition
|
||||
+//
|
||||
+#define EFI_CC_TYPE_NONE 0
|
||||
+#define EFI_CC_TYPE_SEV 1
|
||||
+#define EFI_CC_TYPE_TDX 2
|
||||
+
|
||||
+typedef struct {
|
||||
+ UINT8 Type;
|
||||
+ UINT8 SubType;
|
||||
+} EFI_CC_TYPE;
|
||||
+
|
||||
+typedef UINT32 EFI_CC_EVENT_LOG_BITMAP;
|
||||
+typedef UINT32 EFI_CC_EVENT_LOG_FORMAT;
|
||||
+typedef UINT32 EFI_CC_EVENT_ALGORITHM_BITMAP;
|
||||
+typedef UINT32 EFI_CC_MR_INDEX;
|
||||
+
|
||||
+//
|
||||
+// Intel TDX measure register index
|
||||
+//
|
||||
+#define TDX_MR_INDEX_MRTD 0
|
||||
+#define TDX_MR_INDEX_RTMR0 1
|
||||
+#define TDX_MR_INDEX_RTMR1 2
|
||||
+#define TDX_MR_INDEX_RTMR2 3
|
||||
+#define TDX_MR_INDEX_RTMR3 4
|
||||
+
|
||||
+#define EFI_CC_EVENT_LOG_FORMAT_TCG_2 0x00000002
|
||||
+#define EFI_CC_BOOT_HASH_ALG_SHA384 0x00000004
|
||||
+
|
||||
+//
|
||||
+// This bit is shall be set when an event shall be extended but not logged.
|
||||
+//
|
||||
+#define EFI_CC_FLAG_EXTEND_ONLY 0x0000000000000001
|
||||
+//
|
||||
+// This bit shall be set when the intent is to measure a PE/COFF image.
|
||||
+//
|
||||
+#define EFI_CC_FLAG_PE_COFF_IMAGE 0x0000000000000010
|
||||
+
|
||||
+#pragma pack (1)
|
||||
+
|
||||
+#define EFI_CC_EVENT_HEADER_VERSION 1
|
||||
+
|
||||
+typedef struct {
|
||||
+ //
|
||||
+ // Size of the event header itself (sizeof(EFI_CC_EVENT_HEADER)).
|
||||
+ //
|
||||
+ UINT32 HeaderSize;
|
||||
+ //
|
||||
+ // Header version. For this version of this specification, the value shall be 1.
|
||||
+ //
|
||||
+ UINT16 HeaderVersion;
|
||||
+ //
|
||||
+ // Index of the MR (measurement register) that shall be extended.
|
||||
+ //
|
||||
+ EFI_CC_MR_INDEX MrIndex;
|
||||
+ //
|
||||
+ // Type of the event that shall be extended (and optionally logged).
|
||||
+ //
|
||||
+ UINT32 EventType;
|
||||
+} EFI_CC_EVENT_HEADER;
|
||||
+
|
||||
+typedef struct {
|
||||
+ //
|
||||
+ // Total size of the event including the Size component, the header and the Event data.
|
||||
+ //
|
||||
+ UINT32 Size;
|
||||
+ EFI_CC_EVENT_HEADER Header;
|
||||
+ UINT8 Event[1];
|
||||
+} EFI_CC_EVENT;
|
||||
+
|
||||
+#pragma pack()
|
||||
+
|
||||
+typedef struct {
|
||||
+ //
|
||||
+ // Allocated size of the structure
|
||||
+ //
|
||||
+ UINT8 Size;
|
||||
+ //
|
||||
+ // Version of the EFI_CC_BOOT_SERVICE_CAPABILITY structure itself.
|
||||
+ // For this version of the protocol, the Major version shall be set to 1
|
||||
+ // and the Minor version shall be set to 0.
|
||||
+ //
|
||||
+ EFI_CC_VERSION StructureVersion;
|
||||
+ //
|
||||
+ // Version of the EFI CC Measurement protocol.
|
||||
+ // For this version of the protocol, the Major version shall be set to 1
|
||||
+ // and the Minor version shall be set to 0.
|
||||
+ //
|
||||
+ EFI_CC_VERSION ProtocolVersion;
|
||||
+ //
|
||||
+ // Supported hash algorithms
|
||||
+ //
|
||||
+ EFI_CC_EVENT_ALGORITHM_BITMAP HashAlgorithmBitmap;
|
||||
+ //
|
||||
+ // Bitmap of supported event log formats
|
||||
+ //
|
||||
+ EFI_CC_EVENT_LOG_BITMAP SupportedEventLogs;
|
||||
+
|
||||
+ //
|
||||
+ // Indicates the CC type
|
||||
+ //
|
||||
+ EFI_CC_TYPE CcType;
|
||||
+} EFI_CC_BOOT_SERVICE_CAPABILITY;
|
||||
+
|
||||
+/**
|
||||
+ The EFI_CC_MEASUREMENT_PROTOCOL GetCapability function call provides protocol
|
||||
+ capability information and state information.
|
||||
+
|
||||
+ @param[in] This Indicates the calling context
|
||||
+ @param[in, out] ProtocolCapability The caller allocates memory for a EFI_CC_BOOT_SERVICE_CAPABILITY
|
||||
+ structure and sets the size field to the size of the structure allocated.
|
||||
+ The callee fills in the fields with the EFI CC BOOT Service capability
|
||||
+ information and the current CC information.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Operation completed successfully.
|
||||
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
|
||||
+ The ProtocolCapability variable will not be populated.
|
||||
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
|
||||
+ The ProtocolCapability variable will not be populated.
|
||||
+ @retval EFI_BUFFER_TOO_SMALL The ProtocolCapability variable is too small to hold the full response.
|
||||
+ It will be partially populated (required Size field will be set).
|
||||
+**/
|
||||
+typedef
|
||||
+EFI_STATUS
|
||||
+(EFIAPI *EFI_CC_GET_CAPABILITY)(
|
||||
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
|
||||
+ IN OUT EFI_CC_BOOT_SERVICE_CAPABILITY *ProtocolCapability
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ The EFI_CC_MEASUREMENT_PROTOCOL Get Event Log function call allows a caller to
|
||||
+ retrieve the address of a given event log and its last entry.
|
||||
+
|
||||
+ @param[in] This Indicates the calling context
|
||||
+ @param[in] EventLogFormat The type of the event log for which the information is requested.
|
||||
+ @param[out] EventLogLocation A pointer to the memory address of the event log.
|
||||
+ @param[out] EventLogLastEntry If the Event Log contains more than one entry, this is a pointer to the
|
||||
+ address of the start of the last entry in the event log in memory.
|
||||
+ @param[out] EventLogTruncated If the Event Log is missing at least one entry because an event would
|
||||
+ have exceeded the area allocated for events, this value is set to TRUE.
|
||||
+ Otherwise, the value will be FALSE and the Event Log will be complete.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Operation completed successfully.
|
||||
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect
|
||||
+ (e.g. asking for an event log whose format is not supported).
|
||||
+**/
|
||||
+typedef
|
||||
+EFI_STATUS
|
||||
+(EFIAPI *EFI_CC_GET_EVENT_LOG)(
|
||||
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
|
||||
+ IN EFI_CC_EVENT_LOG_FORMAT EventLogFormat,
|
||||
+ OUT EFI_PHYSICAL_ADDRESS *EventLogLocation,
|
||||
+ OUT EFI_PHYSICAL_ADDRESS *EventLogLastEntry,
|
||||
+ OUT BOOLEAN *EventLogTruncated
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ The EFI_CC_MEASUREMENT_PROTOCOL HashLogExtendEvent function call provides
|
||||
+ callers with an opportunity to extend and optionally log events without requiring
|
||||
+ knowledge of actual CC commands.
|
||||
+ The extend operation will occur even if this function cannot create an event
|
||||
+ log entry (e.g. due to the event log being full).
|
||||
+
|
||||
+ @param[in] This Indicates the calling context
|
||||
+ @param[in] Flags Bitmap providing additional information.
|
||||
+ @param[in] DataToHash Physical address of the start of the data buffer to be hashed.
|
||||
+ @param[in] DataToHashLen The length in bytes of the buffer referenced by DataToHash.
|
||||
+ @param[in] EfiCcEvent Pointer to data buffer containing information about the event.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Operation completed successfully.
|
||||
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
|
||||
+ @retval EFI_VOLUME_FULL The extend operation occurred, but the event could not be written to one or more event logs.
|
||||
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
|
||||
+ @retval EFI_UNSUPPORTED The PE/COFF image type is not supported.
|
||||
+**/
|
||||
+typedef
|
||||
+EFI_STATUS
|
||||
+(EFIAPI *EFI_CC_HASH_LOG_EXTEND_EVENT)(
|
||||
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
|
||||
+ IN UINT64 Flags,
|
||||
+ IN EFI_PHYSICAL_ADDRESS DataToHash,
|
||||
+ IN UINT64 DataToHashLen,
|
||||
+ IN EFI_CC_EVENT *EfiCcEvent
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ The EFI_CC_MEASUREMENT_PROTOCOL MapPcrToMrIndex function call provides callers
|
||||
+ the info on TPM PCR <-> CC MR mapping information.
|
||||
+
|
||||
+ @param[in] This Indicates the calling context
|
||||
+ @param[in] PcrIndex TPM PCR index.
|
||||
+ @param[out] MrIndex CC MR index.
|
||||
+
|
||||
+ @retval EFI_SUCCESS The MrIndex is returned.
|
||||
+ @retval EFI_INVALID_PARAMETER The MrIndex is NULL.
|
||||
+ @retval EFI_UNSUPPORTED The PcrIndex is invalid.
|
||||
+**/
|
||||
+typedef
|
||||
+EFI_STATUS
|
||||
+(EFIAPI *EFI_CC_MAP_PCR_TO_MR_INDEX)(
|
||||
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
|
||||
+ IN TCG_PCRINDEX PcrIndex,
|
||||
+ OUT EFI_CC_MR_INDEX *MrIndex
|
||||
+ );
|
||||
+
|
||||
+struct _EFI_CC_MEASUREMENT_PROTOCOL {
|
||||
+ EFI_CC_GET_CAPABILITY GetCapability;
|
||||
+ EFI_CC_GET_EVENT_LOG GetEventLog;
|
||||
+ EFI_CC_HASH_LOG_EXTEND_EVENT HashLogExtendEvent;
|
||||
+ EFI_CC_MAP_PCR_TO_MR_INDEX MapPcrToMrIndex;
|
||||
+};
|
||||
+
|
||||
+//
|
||||
+// CC event log
|
||||
+//
|
||||
+
|
||||
+#pragma pack(1)
|
||||
+
|
||||
+//
|
||||
+// Crypto Agile Log Entry Format.
|
||||
+// It is similar with TCG_PCR_EVENT2 except the field of MrIndex and PCRIndex.
|
||||
+//
|
||||
+typedef struct {
|
||||
+ EFI_CC_MR_INDEX MrIndex;
|
||||
+ UINT32 EventType;
|
||||
+ TPML_DIGEST_VALUES Digests;
|
||||
+ UINT32 EventSize;
|
||||
+ UINT8 Event[1];
|
||||
+} CC_EVENT;
|
||||
+
|
||||
+//
|
||||
+// EFI CC Event Header
|
||||
+// It is similar with TCG_PCR_EVENT2_HDR except the field of MrIndex and PCRIndex
|
||||
+//
|
||||
+typedef struct {
|
||||
+ EFI_CC_MR_INDEX MrIndex;
|
||||
+ UINT32 EventType;
|
||||
+ TPML_DIGEST_VALUES Digests;
|
||||
+ UINT32 EventSize;
|
||||
+} CC_EVENT_HDR;
|
||||
+
|
||||
+#pragma pack()
|
||||
+
|
||||
+//
|
||||
+// Log entries after Get Event Log service
|
||||
+//
|
||||
+
|
||||
+#define EFI_CC_FINAL_EVENTS_TABLE_VERSION 1
|
||||
+
|
||||
+typedef struct {
|
||||
+ //
|
||||
+ // The version of this structure. It shall be set to 1.
|
||||
+ //
|
||||
+ UINT64 Version;
|
||||
+ //
|
||||
+ // Number of events recorded after invocation of GetEventLog API
|
||||
+ //
|
||||
+ UINT64 NumberOfEvents;
|
||||
+ //
|
||||
+ // List of events of type CC_EVENT.
|
||||
+ //
|
||||
+ // CC_EVENT Event[1];
|
||||
+} EFI_CC_FINAL_EVENTS_TABLE;
|
||||
+
|
||||
+#define EFI_CC_FINAL_EVENTS_TABLE_GUID \
|
||||
+ {0xdd4a4648, 0x2de7, 0x4665, {0x96, 0x4d, 0x21, 0xd9, 0xef, 0x5f, 0xb4, 0x46}}
|
||||
+
|
||||
+extern EFI_GUID gEfiCcFinalEventsTableGuid;
|
||||
+
|
||||
+#endif
|
||||
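Review bot: In EFI_CC_EVENT, Size and Header.HeaderSize are caller-supplied lengths, but the HashLogExtendEvent comment block only says EFI_INVALID_PARAMETER is returned when "One or more of the parameters are incorrect." Please state there (or next to the struct) that an event whose Size is smaller than sizeof (UINT32) + HeaderSize, or whose HeaderSize is not sizeof (EFI_CC_EVENT_HEADER), is rejected, so that every producer of the protocol validates the lengths before copying Event[] into the log. Two smaller points in the same file: the GetEventLog comment does not say what EventLogLastEntry holds when the log has zero or one entries, and the comment above EFI_CC_FLAG_EXTEND_ONLY reads "This bit is shall be set".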
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
|
||||
index 8b18415b10..6389a48338 100644
|
||||
--- a/MdePkg/MdePkg.dec
|
||||
+++ b/MdePkg/MdePkg.dec
|
||||
@@ -823,6 +823,9 @@
|
||||
#
|
||||
gLinuxEfiInitrdMediaGuid = {0x5568e427, 0x68fc, 0x4f3d, {0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}}
|
||||
|
||||
+ ## Include/Protocol/CcMeasurement.h
|
||||
+ gEfiCcFinalEventsTableGuid = { 0xdd4a4648, 0x2de7, 0x4665, { 0x96, 0x4d, 0x21, 0xd9, 0xef, 0x5f, 0xb4, 0x46 }}
|
||||
+
|
||||
[Guids.IA32, Guids.X64]
|
||||
## Include/Guid/Cper.h
|
||||
gEfiIa32X64ErrorTypeCacheCheckGuid = { 0xA55701F5, 0xE3EF, 0x43de, { 0xAC, 0x72, 0x24, 0x9B, 0x57, 0x3F, 0xAD, 0x2C }}
|
||||
@@ -1011,6 +1014,9 @@
|
||||
## Include/Protocol/PcdInfo.h
|
||||
gGetPcdInfoProtocolGuid = { 0x5be40f57, 0xfa68, 0x4610, { 0xbb, 0xbf, 0xe9, 0xc5, 0xfc, 0xda, 0xd3, 0x65 } }
|
||||
|
||||
+ ## Include/Protocol/CcMeasurement.h
|
||||
+ gEfiCcMeasurementProtocolGuid = { 0x96751a3d, 0x72f4, 0x41a6, { 0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b }}
|
||||
+
|
||||
#
|
||||
# Protocols defined in PI1.0.
|
||||
#
|
||||
--
|
||||
2.41.0
|
||||
|
169
edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
Normal file
@ -0,0 +1,169 @@
|
||||
From aa66757951e9880df4e21e191142400480aa3908 Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Thu, 8 Feb 2024 10:35:14 -0500
|
||||
Subject: [PATCH 15/17] NetworkPkg: : Add Unit tests to CI and create Host Test
|
||||
DSC
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 50: CVE-2023-45230 and CVE-2023-45229
|
||||
RH-Jira: RHEL-21840 RHEL-21842
|
||||
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
|
||||
RH-Commit: [2/4] 6669306e2dbb5aa3e7691d57f4a61685b7cd57b2 (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21842
|
||||
CVE: CVE-2023-45230
|
||||
Upstream: Merged
|
||||
|
||||
commit 8014ac2d7bbbc503f5562b51af46bb20ae3d22ff
|
||||
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
|
||||
Date: Fri Jan 26 05:54:44 2024 +0800
|
||||
|
||||
NetworkPkg: : Add Unit tests to CI and create Host Test DSC
|
||||
|
||||
Adds Host Based testing to the NetworkPkg
|
||||
|
||||
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
NetworkPkg/NetworkPkg.ci.yaml | 7 +-
|
||||
NetworkPkg/Test/NetworkPkgHostTest.dsc | 98 ++++++++++++++++++++++++++
|
||||
2 files changed, 104 insertions(+), 1 deletion(-)
|
||||
create mode 100644 NetworkPkg/Test/NetworkPkgHostTest.dsc
|
||||
|
||||
diff --git a/NetworkPkg/NetworkPkg.ci.yaml b/NetworkPkg/NetworkPkg.ci.yaml
|
||||
index 07dc7abd69..076424eb60 100644
|
||||
--- a/NetworkPkg/NetworkPkg.ci.yaml
|
||||
+++ b/NetworkPkg/NetworkPkg.ci.yaml
|
||||
@@ -24,6 +24,9 @@
|
||||
"CompilerPlugin": {
|
||||
"DscPath": "NetworkPkg.dsc"
|
||||
},
|
||||
+ "HostUnitTestCompilerPlugin": {
|
||||
+ "DscPath": "Test/NetworkPkgHostTest.dsc"
|
||||
+ },
|
||||
"CharEncodingCheck": {
|
||||
"IgnoreFiles": []
|
||||
},
|
||||
@@ -35,7 +38,9 @@
|
||||
"CryptoPkg/CryptoPkg.dec"
|
||||
],
|
||||
# For host based unit tests
|
||||
- "AcceptableDependencies-HOST_APPLICATION":[],
|
||||
+ "AcceptableDependencies-HOST_APPLICATION":[
|
||||
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
|
||||
+ ],
|
||||
# For UEFI shell based apps
|
||||
"AcceptableDependencies-UEFI_APPLICATION":[
|
||||
"ShellPkg/ShellPkg.dec"
|
||||
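Review bot: The new element of "AcceptableDependencies-HOST_APPLICATION" is added as a bare scalar, UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec, while the neighbouring lists in this file quote their paths ("CryptoPkg/CryptoPkg.dec", "ShellPkg/ShellPkg.dec"). It still parses as a plain string, but please quote it to match the rest of the file.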
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
|
||||
new file mode 100644
|
||||
index 0000000000..1aeca5c5b3
|
||||
--- /dev/null
|
||||
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
|
||||
@@ -0,0 +1,98 @@
|
||||
+## @file
|
||||
+# NetworkPkgHostTest DSC file used to build host-based unit tests.
|
||||
+#
|
||||
+# Copyright (c) Microsoft Corporation.<BR>
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+#
|
||||
+##
|
||||
+[Defines]
|
||||
+ PLATFORM_NAME = NetworkPkgHostTest
|
||||
+ PLATFORM_GUID = 3b68324e-fc07-4d49-9520-9347ede65879
|
||||
+ PLATFORM_VERSION = 0.1
|
||||
+ DSC_SPECIFICATION = 0x00010005
|
||||
+ OUTPUT_DIRECTORY = Build/NetworkPkg/HostTest
|
||||
+ SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64
|
||||
+ BUILD_TARGETS = NOOPT
|
||||
+ SKUID_IDENTIFIER = DEFAULT
|
||||
+
|
||||
+!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc
|
||||
+[Packages]
|
||||
+ MdePkg/MdePkg.dec
|
||||
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
|
||||
+
|
||||
+[Components]
|
||||
+ #
|
||||
+ # Build HOST_APPLICATION that tests NetworkPkg
|
||||
+ #
|
||||
+
|
||||
+# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
|
||||
+[LibraryClasses]
|
||||
+ NetLib|NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
|
||||
+ DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
|
||||
+ BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
|
||||
+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
|
||||
+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
|
||||
+ HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
|
||||
+ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
|
||||
+ PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
|
||||
+ PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
|
||||
+ UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
|
||||
+ UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
|
||||
+ UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf
|
||||
+ UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
|
||||
+ UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf
|
||||
+ UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf
|
||||
+ UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
|
||||
+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
|
||||
+ PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
|
||||
+ PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
|
||||
+ DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
|
||||
+ DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
|
||||
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
|
||||
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
|
||||
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
|
||||
+!ifdef CONTINUOUS_INTEGRATION
|
||||
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
|
||||
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
|
||||
+!else
|
||||
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
|
||||
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
+ TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
|
||||
+!endif
|
||||
+ DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
|
||||
+ FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
|
||||
+ FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
|
||||
+ SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
|
||||
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
|
||||
+
|
||||
+!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022
|
||||
+[LibraryClasses.X64]
|
||||
+ # Provide StackCookie support lib so that we can link to /GS exports for VS builds
|
||||
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
|
||||
+!endif
|
||||
+
|
||||
+[LibraryClasses.common.UEFI_DRIVER]
|
||||
+ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
|
||||
+ ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
|
||||
+ DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
|
||||
+[LibraryClasses.common.UEFI_APPLICATION]
|
||||
+ DebugLib|MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
|
||||
+ ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
|
||||
+[LibraryClasses.ARM, LibraryClasses.AARCH64]
|
||||
+ #
|
||||
+ # It is not possible to prevent ARM compiler calls to generic intrinsic functions.
|
||||
+ # This library provides the instrinsic functions generated by a given compiler.
|
||||
+ # [LibraryClasses.ARM] and NULL mean link this library into all ARM images.
|
||||
+ #
|
||||
+!if $(TOOL_CHAIN_TAG) != VS2017 and $(TOOL_CHAIN_TAG) != VS2015 and $(TOOL_CHAIN_TAG) != VS2019
|
||||
+ NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
|
||||
+!endif
|
||||
+ NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
|
||||
+[LibraryClasses.ARM]
|
||||
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
|
||||
+[LibraryClasses.RISCV64]
|
||||
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
|
||||
+
|
||||
+[PcdsFixedAtBuild]
|
||||
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2
|
||||
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType|0x4
|
||||
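Review bot: The [Components] section holds only a comment, so the HostUnitTestCompilerPlugin entry that points CI at this DSC has no HOST_APPLICATION to build yet; if the test module arrives in a later patch of the series, say so in the commit message. In the [LibraryClasses.X64] block, the comment says it provides a StackCookie support lib, but the line under it maps RngLib to BaseRngLib.inf, which [LibraryClasses] already does; either map the intended library or drop the block. SUPPORTED_ARCHITECTURES is IA32|X64|AARCH64, so the [LibraryClasses.ARM] and [LibraryClasses.RISCV64] sections are never selected, and the comment above [LibraryClasses] says the listed classes are not needed for the host-based tests, which invites trimming the list.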
--
|
||||
2.41.0
|
||||
|
621
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
Normal file
@ -0,0 +1,621 @@
|
||||
From a115d0a66c3e73c60b74ec6d09e3759da89e919b Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Fri, 9 Feb 2024 17:57:07 -0500
|
||||
Subject: [PATCH 17/17] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229
|
||||
Patch
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 50: CVE-2023-45230 and CVE-2023-45229
|
||||
RH-Jira: RHEL-21840 RHEL-21842
|
||||
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
|
||||
RH-Commit: [4/4] 3daf69000f78416ee1f1bad0b6ceb01ed28a84a5 (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21840
|
||||
CVE: CVE-2023-45229
|
||||
Upstream: Merged
|
||||
|
||||
commit 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
|
||||
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
|
||||
Date: Fri Jan 26 05:54:46 2024 +0800
|
||||
|
||||
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
|
||||
|
||||
Bug Details:
|
||||
PixieFail Bug #1
|
||||
CVE-2023-45229
|
||||
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
CWE-125 Out-of-bounds Read
|
||||
|
||||
Change Overview:
|
||||
|
||||
Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
|
||||
the Inner Option from a DHCP6 Option.
|
||||
|
||||
>
|
||||
> EFI_STATUS
|
||||
> Dhcp6SeekInnerOptionSafe (
|
||||
> IN UINT16 IaType,
|
||||
> IN UINT8 *Option,
|
||||
> IN UINT32 OptionLen,
|
||||
> OUT UINT8 **IaInnerOpt,
|
||||
> OUT UINT16 *IaInnerLen
|
||||
> );
|
||||
>
|
||||
|
||||
Lots of code cleanup to improve code readability.
|
||||
|
||||
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 ++++++++++++++++++---
|
||||
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 205 +++++++++++++++++++++-----------
|
||||
2 files changed, 257 insertions(+), 86 deletions(-)
|
||||
|
||||
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
|
||||
index ec0ed5d8f5..e759ab9a62 100644
|
||||
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
|
||||
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
|
||||
@@ -47,6 +47,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
|
||||
#define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S')
|
||||
#define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I')
|
||||
|
||||
+#define DHCP6_PACKET_ALL 0
|
||||
+#define DHCP6_PACKET_STATEFUL 1
|
||||
+#define DHCP6_PACKET_STATELESS 2
|
||||
+
|
||||
+#define DHCP6_BASE_PACKET_SIZE 1024
|
||||
+
|
||||
+#define DHCP6_PORT_CLIENT 546
|
||||
+#define DHCP6_PORT_SERVER 547
|
||||
+
|
||||
+#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
|
||||
+
|
||||
+#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
|
||||
+#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
|
||||
+
|
||||
//
|
||||
// For more information on DHCP options see RFC 8415, Section 21.1
|
||||
//
|
||||
@@ -61,12 +75,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
|
||||
// | (option-len octets) |
|
||||
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
//
|
||||
-#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))
|
||||
-#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16))
|
||||
+#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode))
|
||||
+#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
|
||||
|
||||
-//
|
||||
// Combined size of Code and Length
|
||||
-//
|
||||
#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \
|
||||
DHCP6_SIZE_OF_OPT_LEN)
|
||||
|
||||
@@ -75,34 +87,122 @@ STATIC_ASSERT (
|
||||
"Combined size of Code and Length must be 4 per RFC 8415"
|
||||
);
|
||||
|
||||
-//
|
||||
// Offset to the length is just past the code
|
||||
-//
|
||||
-#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)
|
||||
+#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE)
|
||||
STATIC_ASSERT (
|
||||
- DHCP6_OPT_LEN_OFFSET (0) == 2,
|
||||
+ DHCP6_OFFSET_OF_OPT_LEN (0) == 2,
|
||||
"Offset of length is + 2 past start of option"
|
||||
);
|
||||
|
||||
-#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
|
||||
+#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
|
||||
STATIC_ASSERT (
|
||||
- DHCP6_OPT_DATA_OFFSET (0) == 4,
|
||||
+ DHCP6_OFFSET_OF_OPT_DATA (0) == 4,
|
||||
"Offset to option data should be +4 from start of option"
|
||||
);
|
||||
+//
|
||||
+// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association))
|
||||
+// are defined in RFC 8415 and are a deriviation of a TLV stucture
|
||||
+// For more information on IA_NA see Section 21.4
|
||||
+// For more information on IA_TA see Section 21.5
|
||||
+//
|
||||
+//
|
||||
+// The format of IA_NA and IA_TA option:
|
||||
+//
|
||||
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+// | OPTION_IA_NA | option-len |
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+// | IAID (4 octets) |
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+// | T1 (only for IA_NA) |
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+// | T2 (only for IA_NA) |
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+// | |
|
||||
+// . IA_NA-options/IA_TA-options .
|
||||
+// . .
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+//
|
||||
+#define DHCP6_SIZE_OF_IAID (sizeof(UINT32))
|
||||
+#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32))
|
||||
|
||||
-#define DHCP6_PACKET_ALL 0
|
||||
-#define DHCP6_PACKET_STATEFUL 1
|
||||
-#define DHCP6_PACKET_STATELESS 2
|
||||
+// Combined size of IAID, T1, and T2
|
||||
+#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \
|
||||
+ DHCP6_SIZE_OF_TIME_INTERVAL + \
|
||||
+ DHCP6_SIZE_OF_TIME_INTERVAL)
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12,
|
||||
+ "Combined size of IAID, T1, T2 must be 12 per RFC 8415"
|
||||
+ );
|
||||
|
||||
-#define DHCP6_BASE_PACKET_SIZE 1024
|
||||
+// This is the size of IA_TA without options
|
||||
+#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
|
||||
+ DHCP6_SIZE_OF_IAID)
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_MIN_SIZE_OF_IA_TA == 8,
|
||||
+ "Minimum combined size of IA_TA per RFC 8415"
|
||||
+ );
|
||||
|
||||
-#define DHCP6_PORT_CLIENT 546
|
||||
-#define DHCP6_PORT_SERVER 547
|
||||
+// Offset to a IA_TA inner option
|
||||
+#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA)
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8,
|
||||
+ "Offset of IA_TA Inner option is + 8 past start of option"
|
||||
+ );
|
||||
|
||||
-#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
|
||||
+// This is the size of IA_NA without options (16)
|
||||
+#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
|
||||
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_MIN_SIZE_OF_IA_NA == 16,
|
||||
+ "Minimum combined size of IA_TA per RFC 8415"
|
||||
+ );
|
||||
|
||||
-#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
|
||||
-#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
|
||||
+#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA)
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16,
|
||||
+ "Offset of IA_NA Inner option is + 16 past start of option"
|
||||
+ );
|
||||
+
|
||||
+#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \
|
||||
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
|
||||
+ DHCP6_SIZE_OF_IAID)
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8,
|
||||
+ "Offset of IA_NA Inner option is + 8 past start of option"
|
||||
+ );
|
||||
+
|
||||
+#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \
|
||||
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\
|
||||
+ DHCP6_SIZE_OF_IAID + \
|
||||
+ DHCP6_SIZE_OF_TIME_INTERVAL)
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12,
|
||||
+ "Offset of IA_NA Inner option is + 12 past start of option"
|
||||
+ );
|
||||
+
|
||||
+//
|
||||
+// For more information see RFC 8415 Section 21.13
|
||||
+//
|
||||
+// The format of the Status Code Option:
|
||||
+//
|
||||
+// 0 1 2 3
|
||||
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+// | OPTION_STATUS_CODE | option-len |
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+// | status-code | |
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
||||
+// . .
|
||||
+// . status-message .
|
||||
+// . .
|
||||
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+//
|
||||
+#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
|
||||
+STATIC_ASSERT (
|
||||
+ DHCP6_OFFSET_OF_STATUS_CODE (0) == 4,
|
||||
+ "Offset of status is + 4 past start of option"
|
||||
+ );
|
||||
|
||||
extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress;
|
||||
extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate;
|
||||
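Review bot: DHCP6_MIN_SIZE_OF_IA_NA is defined without enclosing parentheses (`DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + DHCP6_SIZE_OF_COMBINED_IAID_T1_T2`), unlike DHCP6_MIN_SIZE_OF_IA_TA just above it, so any use next to a multiplication or a subtraction of the macro expands to the wrong value; wrap the body in parentheses. The function-like macros also use their argument bare (`(a + ...)`); `((a) + ...)` is safer. The STATIC_ASSERT message for DHCP6_MIN_SIZE_OF_IA_NA says "IA_TA" where it checks IA_NA, the messages on the DHCP6_OFFSET_OF_IA_NA_T1 and DHCP6_OFFSET_OF_IA_NA_T2 asserts say "Inner option" where they check the T1 and T2 offsets, and the new block comment misspells "derivation" and "structure".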
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
|
||||
index 2976684aba..d680febbf1 100644
|
||||
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
|
||||
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
|
||||
@@ -611,8 +611,8 @@ Dhcp6UpdateIaInfo (
|
||||
// The inner options still start with 2 bytes option-code and 2 bytes option-len.
|
||||
//
|
||||
if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
|
||||
- T1 = NTOHL (ReadUnaligned32 ((UINT32 *) (Option + 8)));
|
||||
- T2 = NTOHL (ReadUnaligned32 ((UINT32 *) (Option + 12)));
|
||||
+ T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));
|
||||
+ T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option))));
|
||||
//
|
||||
// Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2,
|
||||
// and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes
|
||||
@@ -621,13 +621,14 @@ Dhcp6UpdateIaInfo (
|
||||
if (T1 > T2 && T2 > 0) {
|
||||
return EFI_DEVICE_ERROR;
|
||||
}
|
||||
- IaInnerOpt = Option + 16;
|
||||
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 2))) - 12);
|
||||
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
|
||||
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);
|
||||
} else {
|
||||
T1 = 0;
|
||||
T2 = 0;
|
||||
- IaInnerOpt = Option + 8;
|
||||
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 2))) - 4);
|
||||
+
|
||||
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
|
||||
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID);
|
||||
}
|
||||
|
||||
//
|
||||
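Review bot: both IaInnerLen assignments in Dhcp6UpdateIaInfo still subtract from the option-len read off the wire with no lower-bound check, so an option-len below DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (IA_NA branch) or DHCP6_SIZE_OF_IAID (IA_TA branch) wraps the UINT16 result to a large value, which the next hunk shows being passed to Dhcp6SeekOption as the search length. This patch adds Dhcp6SeekInnerOptionSafe() with exactly that comparison and uses it in Dhcp6SeekStsOption; apply the same check here before subtracting, and return EFI_DEVICE_ERROR when it fails.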
@@ -653,7 +654,7 @@ Dhcp6UpdateIaInfo (
|
||||
Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
|
||||
|
||||
if (Option != NULL) {
|
||||
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 4)));
|
||||
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
|
||||
if (StsCode != Dhcp6StsSuccess) {
|
||||
return EFI_DEVICE_ERROR;
|
||||
}
|
||||
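Review bot: the replacement for `Option + 4` uses DHCP6_OFFSET_OF_OPT_LEN (Option), which Dhcp6Impl.h asserts to be offset 2, so StsCode is now loaded from the option-len field instead of the status-code field and the `StsCode != Dhcp6StsSuccess` test compares the wrong value. Use DHCP6_OFFSET_OF_STATUS_CODE (Option), asserted to be offset 4, as the other StsCode reads converted in this patch do.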
@@ -675,6 +676,87 @@ Dhcp6UpdateIaInfo (
|
||||
|
||||
|
||||
|
||||
+/**
|
||||
+ Seeks the Inner Options from a DHCP6 Option
|
||||
+
|
||||
+ @param[in] IaType The type of the IA option.
|
||||
+ @param[in] Option The pointer to the DHCP6 Option.
|
||||
+ @param[in] OptionLen The length of the DHCP6 Option.
|
||||
+ @param[out] IaInnerOpt The pointer to the IA inner option.
|
||||
+ @param[out] IaInnerLen The length of the IA inner option.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Seek the inner option successfully.
|
||||
+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error,
|
||||
+ the pointers are not modified
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+Dhcp6SeekInnerOptionSafe (
|
||||
+ IN UINT16 IaType,
|
||||
+ IN UINT8 *Option,
|
||||
+ IN UINT32 OptionLen,
|
||||
+ OUT UINT8 **IaInnerOpt,
|
||||
+ OUT UINT16 *IaInnerLen
|
||||
+ )
|
||||
+{
|
||||
+ UINT16 IaInnerLenTmp;
|
||||
+ UINT8 *IaInnerOptTmp;
|
||||
+
|
||||
+ if (Option == NULL) {
|
||||
+ ASSERT (Option != NULL);
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if (IaInnerOpt == NULL) {
|
||||
+ ASSERT (IaInnerOpt != NULL);
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if (IaInnerLen == NULL) {
|
||||
+ ASSERT (IaInnerLen != NULL);
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if (IaType == Dhcp6OptIana) {
|
||||
+ // Verify we have a fully formed IA_NA
|
||||
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
|
||||
+
|
||||
+ // Verify the IaInnerLen is valid.
|
||||
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
|
||||
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;
|
||||
+ } else if (IaType == Dhcp6OptIata) {
|
||||
+ // Verify the OptionLen is valid.
|
||||
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
|
||||
+
|
||||
+ // Verify the IaInnerLen is valid.
|
||||
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
|
||||
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ IaInnerLenTmp -= DHCP6_SIZE_OF_IAID;
|
||||
+ } else {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ *IaInnerOpt = IaInnerOptTmp;
|
||||
+ *IaInnerLen = IaInnerLenTmp;
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
Seek StatusCode Option in package. A Status Code option may appear in the
|
||||
options field of a DHCP message and/or in the options field of another option.
|
||||
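Review bot: Dhcp6SeekInnerOptionSafe() compares the option-len read from the packet only against a minimum and never against OptionLen, so the IaInnerLen it returns can describe more bytes than remain in the buffer. After the lower-bound check in both the IA_NA and IA_TA branches, also reject the option when IaInnerLenTmp is greater than OptionLen - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN. Smaller points: the IA_NA branch carries an empty `//` comment before the IaInnerOptTmp assignment, and the header comment could state that the `ASSERT` inside each NULL check is intentional (assert in debug builds, error return otherwise).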
@@ -695,9 +777,15 @@ Dhcp6SeekStsOption (
|
||||
OUT UINT8 **Option
|
||||
)
|
||||
{
|
||||
- UINT8 *IaInnerOpt;
|
||||
- UINT16 IaInnerLen;
|
||||
- UINT16 StsCode;
|
||||
+ UINT8 *IaInnerOpt;
|
||||
+ UINT16 IaInnerLen;
|
||||
+ UINT16 StsCode;
|
||||
+ UINT32 OptionLen;
|
||||
+
|
||||
+ // OptionLen is the length of the Options excluding the DHCP header.
|
||||
+ // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last
|
||||
+ // byte of the Option[] field.
|
||||
+ OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);
|
||||
|
||||
//
|
||||
// Seek StatusCode option directly in DHCP message body. That is, search in
|
||||
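Review bot: `OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);` is an unsigned subtraction with no check that Packet->Length is at least the header size, so a short packet wraps OptionLen to a very large UINT32 that is then used as the bound for Dhcp6SeekOption and Dhcp6SeekIaOption. Return EFI_DEVICE_ERROR when Packet->Length is smaller than the header before computing it. The comment above the assignment also runs two statements together; say separately what Packet->Length covers and that OptionLen is that value minus the header.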
@@ -705,12 +793,12 @@ Dhcp6SeekStsOption (
|
||||
//
|
||||
*Option = Dhcp6SeekOption (
|
||||
Packet->Dhcp6.Option,
|
||||
- Packet->Length - 4,
|
||||
+ OptionLen,
|
||||
Dhcp6OptStatusCode
|
||||
);
|
||||
|
||||
if (*Option != NULL) {
|
||||
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 4)));
|
||||
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option))));
|
||||
if (StsCode != Dhcp6StsSuccess) {
|
||||
return EFI_DEVICE_ERROR;
|
||||
}
|
||||
@@ -721,7 +809,7 @@ Dhcp6SeekStsOption (
|
||||
//
|
||||
*Option = Dhcp6SeekIaOption (
|
||||
Packet->Dhcp6.Option,
|
||||
- Packet->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
+ OptionLen,
|
||||
&Instance->Config->IaDescriptor
|
||||
);
|
||||
if (*Option == NULL) {
|
||||
@@ -729,52 +817,35 @@ Dhcp6SeekStsOption (
|
||||
}
|
||||
|
||||
//
|
||||
- // The format of the IA_NA option is:
|
||||
+ // Calculate the distance from Packet->Dhcp6.Option to the IA option.
|
||||
//
|
||||
- // 0 1 2 3
|
||||
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | OPTION_IA_NA | option-len |
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | IAID (4 octets) |
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | T1 |
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | T2 |
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | |
|
||||
- // . IA_NA-options .
|
||||
- // . .
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+ // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is
|
||||
+ // the size of the whole packet, including the DHCP header, and Packet->Length
|
||||
+ // is the length of the DHCP message body, excluding the DHCP header.
|
||||
//
|
||||
- // The format of the IA_TA option is:
|
||||
+ // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of
|
||||
+ // DHCP6 option area to the start of the IA option.
|
||||
//
|
||||
- // 0 1 2 3
|
||||
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | OPTION_IA_TA | option-len |
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | IAID (4 octets) |
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
- // | |
|
||||
- // . IA_TA-options .
|
||||
- // . .
|
||||
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
+ // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the
|
||||
+ // IA option to the end of the DHCP6 option area, thus subtract the space
|
||||
+ // up until this option
|
||||
//
|
||||
+ OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
|
||||
|
||||
//
|
||||
- // sizeof (option-code + option-len + IaId) = 8
|
||||
- // sizeof (option-code + option-len + IaId + T1) = 12
|
||||
- // sizeof (option-code + option-len + IaId + T1 + T2) = 16
|
||||
+ // Seek the inner option
|
||||
//
|
||||
- // The inner options still start with 2 bytes option-code and 2 bytes option-len.
|
||||
- //
|
||||
- if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
|
||||
- IaInnerOpt = *Option + 16;
|
||||
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 2))) - 12);
|
||||
- } else {
|
||||
- IaInnerOpt = *Option + 8;
|
||||
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 2))) - 4);
|
||||
+ if (EFI_ERROR (
|
||||
+ Dhcp6SeekInnerOptionSafe (
|
||||
+ Instance->Config->IaDescriptor.Type,
|
||||
+ *Option,
|
||||
+ OptionLen,
|
||||
+ &IaInnerOpt,
|
||||
+ &IaInnerLen
|
||||
+ )
|
||||
+ ))
|
||||
+ {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
}
|
||||
|
||||
//
|
||||
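Review bot: the new comment says Packet->Length is "the length of the DHCP message body, excluding the DHCP header", which contradicts both the comment added at the top of this function (Header field through the last byte of Option[]) and the code, which subtracts the header size from Packet->Length to obtain OptionLen; correct the comment. In `OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);` the pointer difference is a signed value mixed into UINT32 arithmetic, so cast it explicitly and verify it does not exceed OptionLen before subtracting.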
@@ -798,7 +869,7 @@ Dhcp6SeekStsOption (
|
||||
//
|
||||
*Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
|
||||
if (*Option != NULL) {
|
||||
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 4)));
|
||||
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (*Option)))));
|
||||
if (StsCode != Dhcp6StsSuccess) {
|
||||
return EFI_DEVICE_ERROR;
|
||||
}
|
||||
@@ -1123,7 +1194,7 @@ Dhcp6SendRequestMsg (
|
||||
//
|
||||
Option = Dhcp6SeekOption (
|
||||
Instance->AdSelect->Dhcp6.Option,
|
||||
- Instance->AdSelect->Length - 4,
|
||||
+ Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptServerId
|
||||
);
|
||||
if (Option == NULL) {
|
||||
@@ -1309,7 +1380,7 @@ Dhcp6SendDeclineMsg (
|
||||
//
|
||||
Option = Dhcp6SeekOption (
|
||||
LastReply->Dhcp6.Option,
|
||||
- LastReply->Length - 4,
|
||||
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptServerId
|
||||
);
|
||||
if (Option == NULL) {
|
||||
@@ -1469,7 +1540,7 @@ Dhcp6SendReleaseMsg (
|
||||
//
|
||||
Option = Dhcp6SeekOption (
|
||||
LastReply->Dhcp6.Option,
|
||||
- LastReply->Length - 4,
|
||||
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptServerId
|
||||
);
|
||||
if (Option == NULL) {
|
||||
@@ -1695,7 +1766,7 @@ Dhcp6SendRenewRebindMsg (
|
||||
|
||||
Option = Dhcp6SeekOption (
|
||||
LastReply->Dhcp6.Option,
|
||||
- LastReply->Length - 4,
|
||||
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptServerId
|
||||
);
|
||||
if (Option == NULL) {
|
||||
@@ -2235,7 +2306,7 @@ Dhcp6HandleReplyMsg (
|
||||
//
|
||||
Option = Dhcp6SeekOption (
|
||||
Packet->Dhcp6.Option,
|
||||
- Packet->Length - 4,
|
||||
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptRapidCommit
|
||||
);
|
||||
|
||||
@@ -2383,7 +2454,7 @@ Dhcp6HandleReplyMsg (
|
||||
//
|
||||
// Any error status code option is found.
|
||||
//
|
||||
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 4)));
|
||||
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option)))));
|
||||
switch (StsCode) {
|
||||
case Dhcp6StsUnspecFail:
|
||||
//
|
||||
@@ -2514,7 +2585,7 @@ Dhcp6SelectAdvertiseMsg (
|
||||
//
|
||||
Option = Dhcp6SeekOption(
|
||||
AdSelect->Dhcp6.Option,
|
||||
- AdSelect->Length - 4,
|
||||
+ AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptServerUnicast
|
||||
);
|
||||
|
||||
@@ -2526,7 +2597,7 @@ Dhcp6SelectAdvertiseMsg (
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
- CopyMem (Instance->Unicast, Option + 4, sizeof(EFI_IPv6_ADDRESS));
|
||||
+ CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS));
|
||||
}
|
||||
|
||||
//
|
||||
@@ -2580,7 +2651,7 @@ Dhcp6HandleAdvertiseMsg (
|
||||
//
|
||||
Option = Dhcp6SeekOption(
|
||||
Packet->Dhcp6.Option,
|
||||
- Packet->Length - 4,
|
||||
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptRapidCommit
|
||||
);
|
||||
|
||||
@@ -2676,7 +2747,7 @@ Dhcp6HandleAdvertiseMsg (
|
||||
CopyMem (Instance->AdSelect, Packet, Packet->Size);
|
||||
|
||||
if (Option != NULL) {
|
||||
- Instance->AdPref = *(Option + 4);
|
||||
+ Instance->AdPref = *(DHCP6_OFFSET_OF_OPT_DATA (Option));
|
||||
}
|
||||
} else {
|
||||
//
|
||||
@@ -2747,11 +2818,11 @@ Dhcp6HandleStateful (
|
||||
//
|
||||
Option = Dhcp6SeekOption(
|
||||
Packet->Dhcp6.Option,
|
||||
- Packet->Length - 4,
|
||||
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
|
||||
Dhcp6OptClientId
|
||||
);
|
||||
|
||||
- if (Option == NULL || CompareMem (Option + 4, ClientId->Duid, ClientId->Length) != 0) {
|
||||
+ if ((Option == NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) != 0)) {
|
||||
goto ON_CONTINUE;
|
||||
}
|
||||
|
||||
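Review bot: the length passed to Dhcp6SeekOption here is `Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN`, but the 4 being replaced is the DHCP6 header size, which every other call site in this patch writes as `sizeof (EFI_DHCP6_HEADER)`; the value happens to match, the name does not, and the two will diverge silently if either constant changes. Use sizeof (EFI_DHCP6_HEADER) here and in the Dhcp6OptServerId lookup in the next hunk. Separately, the CompareMem call reads ClientId->Length bytes from the option data with no visible check that the received option is at least that long.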
@@ -2760,7 +2831,7 @@ Dhcp6HandleStateful (
|
||||
//
|
||||
Option = Dhcp6SeekOption(
|
||||
Packet->Dhcp6.Option,
|
||||
- Packet->Length - 4,
|
||||
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
|
||||
Dhcp6OptServerId
|
||||
);
|
||||
|
||||
@@ -2865,7 +2936,7 @@ Dhcp6HandleStateless (
|
||||
//
|
||||
Option = Dhcp6SeekOption (
|
||||
Packet->Dhcp6.Option,
|
||||
- Packet->Length - 4,
|
||||
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
|
||||
Dhcp6OptServerId
|
||||
);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
1644
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
Normal file
File diff suppressed because it is too large
629
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
Normal file
@ -0,0 +1,629 @@
|
||||
From f5274b449181cb37efce0f08ed5d75a6bf6e54a8 Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Thu, 8 Feb 2024 10:35:14 -0500
|
||||
Subject: [PATCH 16/17] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230
|
||||
Unit Tests
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 50: CVE-2023-45230 and CVE-2023-45229
|
||||
RH-Jira: RHEL-21840 RHEL-21842
|
||||
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
|
||||
RH-Commit: [3/4] 43b8569c0586c7dbf66b19c5db335d0ce05829de (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21842
|
||||
CVE: CVE-2023-45230
|
||||
Upstream: Merged
|
||||
|
||||
commit 5f3658197bf29c83b3349b0ab1d99cdb0c3814bc
|
||||
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
|
||||
Date: Fri Jan 26 05:54:45 2024 +0800
|
||||
|
||||
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535
|
||||
|
||||
Confirms that reported issue...
|
||||
|
||||
"Buffer overflow in the DHCPv6 client via a long Server ID option"
|
||||
|
||||
..has been corrected by the provided patch.
|
||||
|
||||
Tests the following functions to ensure they appropriately handle
|
||||
untrusted data (either too long or too small) to prevent a buffer
|
||||
overflow:
|
||||
|
||||
Dhcp6AppendOption
|
||||
Dhcp6AppendETOption
|
||||
Dhcp6AppendIaOption
|
||||
|
||||
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
.../GoogleTest/Dhcp6DxeGoogleTest.cpp | 20 +
|
||||
.../GoogleTest/Dhcp6DxeGoogleTest.inf | 43 ++
|
||||
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 ++++++++++++++++++
|
||||
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
|
||||
4 files changed, 542 insertions(+)
|
||||
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
|
||||
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
|
||||
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
|
||||
|
||||
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
|
||||
new file mode 100644
|
||||
index 0000000000..9aeced2f91
|
||||
--- /dev/null
|
||||
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
|
||||
@@ -0,0 +1,20 @@
|
||||
+/** @file
|
||||
+ Acts as the main entry point for the tests for the Dhcp6Dxe module.
|
||||
+
|
||||
+ Copyright (c) Microsoft Corporation
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+#include <gtest/gtest.h>
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////
|
||||
+// Run the tests
|
||||
+////////////////////////////////////////////////////////////////////////////////
|
||||
+int
|
||||
+main (
|
||||
+ int argc,
|
||||
+ char *argv[]
|
||||
+ )
|
||||
+{
|
||||
+ testing::InitGoogleTest (&argc, argv);
|
||||
+ return RUN_ALL_TESTS ();
|
||||
+}
|
||||
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
|
||||
new file mode 100644
|
||||
index 0000000000..8e9119a371
|
||||
--- /dev/null
|
||||
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
|
||||
@@ -0,0 +1,43 @@
|
||||
+## @file
|
||||
+# Unit test suite for the Dhcp6Dxe using Google Test
|
||||
+#
|
||||
+# Copyright (c) Microsoft Corporation.<BR>
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+##
|
||||
+[Defines]
|
||||
+ INF_VERSION = 0x00010017
|
||||
+ BASE_NAME = Dhcp6DxeGoogleTest
|
||||
+ FILE_GUID = 1D2A4C65-38C8-4C2F-BB60-B5FA49625AA9
|
||||
+ VERSION_STRING = 1.0
|
||||
+ MODULE_TYPE = HOST_APPLICATION
|
||||
+#
|
||||
+# The following information is for reference only and not required by the build tools.
|
||||
+#
|
||||
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
|
||||
+#
|
||||
+[Sources]
|
||||
+ Dhcp6DxeGoogleTest.cpp
|
||||
+ Dhcp6IoGoogleTest.cpp
|
||||
+ ../Dhcp6Io.c
|
||||
+ ../Dhcp6Utility.c
|
||||
+
|
||||
+[Packages]
|
||||
+ MdePkg/MdePkg.dec
|
||||
+ MdeModulePkg/MdeModulePkg.dec
|
||||
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
|
||||
+ NetworkPkg/NetworkPkg.dec
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+ GoogleTestLib
|
||||
+ DebugLib
|
||||
+ NetLib
|
||||
+ PcdLib
|
||||
+
|
||||
+[Protocols]
|
||||
+ gEfiDhcp6ServiceBindingProtocolGuid
|
||||
+
|
||||
+[Pcd]
|
||||
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
|
||||
+
|
||||
+[Guids]
|
||||
+ gZeroGuid
|
||||
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
|
||||
new file mode 100644
|
||||
index 0000000000..7ee40e4af4
|
||||
--- /dev/null
|
||||
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
|
||||
@@ -0,0 +1,478 @@
|
||||
+/** @file
|
||||
+ Tests for Dhcp6Io.c.
|
||||
+
|
||||
+ Copyright (c) Microsoft Corporation
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+#include <gtest/gtest.h>
|
||||
+
|
||||
+extern "C" {
|
||||
+ #include <Uefi.h>
|
||||
+ #include <Library/BaseLib.h>
|
||||
+ #include <Library/DebugLib.h>
|
||||
+ #include <Library/BaseMemoryLib.h>
|
||||
+ #include "../Dhcp6Impl.h"
|
||||
+ #include "../Dhcp6Utility.h"
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+// Defines
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+#define DHCP6_PACKET_MAX_LEN 1500
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+// Symbol Definitions
|
||||
+// These functions are not directly under test - but required to compile
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+// This definition is used by this test but is also required to compile
|
||||
+// by Dhcp6Io.c
|
||||
+EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress = {
|
||||
+ { 0xFF, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 2 }
|
||||
+};
|
||||
+
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+UdpIoSendDatagram (
|
||||
+ IN UDP_IO *UdpIo,
|
||||
+ IN NET_BUF *Packet,
|
||||
+ IN UDP_END_POINT *EndPoint OPTIONAL,
|
||||
+ IN EFI_IP_ADDRESS *Gateway OPTIONAL,
|
||||
+ IN UDP_IO_CALLBACK CallBack,
|
||||
+ IN VOID *Context
|
||||
+ )
|
||||
+{
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+UdpIoRecvDatagram (
|
||||
+ IN UDP_IO *UdpIo,
|
||||
+ IN UDP_IO_CALLBACK CallBack,
|
||||
+ IN VOID *Context,
|
||||
+ IN UINT32 HeadLen
|
||||
+ )
|
||||
+{
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+// Dhcp6AppendOptionTest Tests
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+class Dhcp6AppendOptionTest : public ::testing::Test {
|
||||
+public:
|
||||
+ UINT8 *Buffer = NULL;
|
||||
+ EFI_DHCP6_PACKET *Packet;
|
||||
+
|
||||
+protected:
|
||||
+ // Add any setup code if needed
|
||||
+ virtual void
|
||||
+ SetUp (
|
||||
+ )
|
||||
+ {
|
||||
+ // Initialize any resources or variables
|
||||
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
|
||||
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
|
||||
+
|
||||
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
|
||||
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
|
||||
+ }
|
||||
+
|
||||
+ // Add any cleanup code if needed
|
||||
+ virtual void
|
||||
+ TearDown (
|
||||
+ )
|
||||
+ {
|
||||
+ // Clean up any resources or variables
|
||||
+ if (Buffer != NULL) {
|
||||
+ FreePool (Buffer);
|
||||
+ }
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+// Test Description:
|
||||
+// Attempt to append an option to a packet that is too small by a duid that is too large
|
||||
+TEST_F (Dhcp6AppendOptionTest, InvalidDataExpectBufferTooSmall) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_DHCP6_DUID *UntrustedDuid;
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
|
||||
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
|
||||
+
|
||||
+ UntrustedDuid->Length = NTOHS (0xFFFF);
|
||||
+
|
||||
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
|
||||
+
|
||||
+ Status = Dhcp6AppendOption (
|
||||
+ Dhcp6AppendOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ HTONS (Dhcp6OptServerId),
|
||||
+ UntrustedDuid->Length,
|
||||
+ UntrustedDuid->Duid
|
||||
+ );
|
||||
+
|
||||
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
|
||||
+}
|
||||
+
|
||||
+// Test Description:
|
||||
+// Attempt to append an option to a packet that is large enough
|
||||
+TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_DHCP6_DUID *UntrustedDuid;
|
||||
+ EFI_STATUS Status;
|
||||
+ UINTN OriginalLength;
|
||||
+
|
||||
+ UINT8 Duid[6] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
|
||||
+
|
||||
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
|
||||
+ OriginalLength = Packet->Length;
|
||||
+
|
||||
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
|
||||
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
|
||||
+
|
||||
+ UntrustedDuid->Length = NTOHS (sizeof (Duid));
|
||||
+ CopyMem (UntrustedDuid->Duid, Duid, sizeof (Duid));
|
||||
+
|
||||
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
|
||||
+
|
||||
+ Status = Dhcp6AppendOption (
|
||||
+ Dhcp6AppendOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ HTONS (Dhcp6OptServerId),
|
||||
+ UntrustedDuid->Length,
|
||||
+ UntrustedDuid->Duid
|
||||
+ );
|
||||
+
|
||||
+ ASSERT_EQ (Status, EFI_SUCCESS);
|
||||
+
|
||||
+ // verify that the pointer to cursor moved by the expected amount
|
||||
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendOptionTest::Packet->Dhcp6.Option + sizeof (Duid) + 4);
|
||||
+
|
||||
+ // verify that the length of the packet is now the expected amount
|
||||
+ ASSERT_EQ (Dhcp6AppendOptionTest::Packet->Length, OriginalLength + sizeof (Duid) + 4);
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+// Dhcp6AppendETOption Tests
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+class Dhcp6AppendETOptionTest : public ::testing::Test {
|
||||
+public:
|
||||
+ UINT8 *Buffer = NULL;
|
||||
+ EFI_DHCP6_PACKET *Packet;
|
||||
+
|
||||
+protected:
|
||||
+ // Add any setup code if needed
|
||||
+ virtual void
|
||||
+ SetUp (
|
||||
+ )
|
||||
+ {
|
||||
+ // Initialize any resources or variables
|
||||
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
|
||||
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
|
||||
+
|
||||
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
|
||||
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
|
||||
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
|
||||
+ }
|
||||
+
|
||||
+ // Add any cleanup code if needed
|
||||
+ virtual void
|
||||
+ TearDown (
|
||||
+ )
|
||||
+ {
|
||||
+ // Clean up any resources or variables
|
||||
+ if (Buffer != NULL) {
|
||||
+ FreePool (Buffer);
|
||||
+ }
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+// Test Description:
|
||||
+// Attempt to append an option to a packet that is too small by a duid that is too large
|
||||
+TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_STATUS Status;
|
||||
+ DHCP6_INSTANCE Instance;
|
||||
+ UINT16 ElapsedTimeVal;
|
||||
+ UINT16 *ElapsedTime;
|
||||
+
|
||||
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
|
||||
+ ElapsedTime = &ElapsedTimeVal;
|
||||
+
|
||||
+ Packet->Length = Packet->Size - 2;
|
||||
+
|
||||
+ Status = Dhcp6AppendETOption (
|
||||
+ Dhcp6AppendETOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ &Instance, // Instance is not used in this function
|
||||
+ &ElapsedTime
|
||||
+ );
|
||||
+
|
||||
+ // verify that we error out because the packet is too small for the option header
|
||||
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
|
||||
+
|
||||
+ // reset the length
|
||||
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
|
||||
+}
|
||||
+
|
||||
+// Test Description:
|
||||
+// Attempt to append an option to a packet that is large enough
|
||||
+TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_STATUS Status;
|
||||
+ DHCP6_INSTANCE Instance;
|
||||
+ UINT16 ElapsedTimeVal;
|
||||
+ UINT16 *ElapsedTime;
|
||||
+ UINTN ExpectedSize;
|
||||
+ UINTN OriginalLength;
|
||||
+
|
||||
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
|
||||
+ ElapsedTime = &ElapsedTimeVal;
|
||||
+ ExpectedSize = 6;
|
||||
+ OriginalLength = Packet->Length;
|
||||
+
|
||||
+ Status = Dhcp6AppendETOption (
|
||||
+ Dhcp6AppendETOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ &Instance, // Instance is not used in this function
|
||||
+ &ElapsedTime
|
||||
+ );
|
||||
+
|
||||
+ // verify that the status is EFI_SUCCESS
|
||||
+ ASSERT_EQ (Status, EFI_SUCCESS);
|
||||
+
|
||||
+ // verify that the pointer to cursor moved by the expected amount
|
||||
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendETOptionTest::Packet->Dhcp6.Option + ExpectedSize);
|
||||
+
|
||||
+ // verify that the length of the packet is now the expected amount
|
||||
+ ASSERT_EQ (Dhcp6AppendETOptionTest::Packet->Length, OriginalLength + ExpectedSize);
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+// Dhcp6AppendIaOption Tests
|
||||
+////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+class Dhcp6AppendIaOptionTest : public ::testing::Test {
|
||||
+public:
|
||||
+ UINT8 *Buffer = NULL;
|
||||
+ EFI_DHCP6_PACKET *Packet;
|
||||
+ EFI_DHCP6_IA *Ia;
|
||||
+
|
||||
+protected:
|
||||
+ // Add any setup code if needed
|
||||
+ virtual void
|
||||
+ SetUp (
|
||||
+ )
|
||||
+ {
|
||||
+ // Initialize any resources or variables
|
||||
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
|
||||
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
|
||||
+
|
||||
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
|
||||
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
|
||||
+
|
||||
+ Ia = (EFI_DHCP6_IA *)AllocateZeroPool (sizeof (EFI_DHCP6_IA) + sizeof (EFI_DHCP6_IA_ADDRESS) * 2);
|
||||
+ ASSERT_NE (Ia, (EFI_DHCP6_IA *)NULL);
|
||||
+
|
||||
+ CopyMem (Ia->IaAddress, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
|
||||
+ CopyMem (Ia->IaAddress + 1, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
|
||||
+
|
||||
+ Ia->IaAddressCount = 2;
|
||||
+ }
|
||||
+
|
||||
+ // Add any cleanup code if needed
|
||||
+ virtual void
|
||||
+ TearDown (
|
||||
+ )
|
||||
+ {
|
||||
+ // Clean up any resources or variables
|
||||
+ if (Buffer != NULL) {
|
||||
+ FreePool (Buffer);
|
||||
+ }
|
||||
+
|
||||
+ if (Ia != NULL) {
|
||||
+ FreePool (Ia);
|
||||
+ }
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+// Test Description:
|
||||
+// Attempt to append an option to a packet that doesn't have enough space
|
||||
+// for the option header
|
||||
+TEST_F (Dhcp6AppendIaOptionTest, IaNaInvalidDataExpectBufferTooSmall) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ Packet->Length = Packet->Size - 2;
|
||||
+
|
||||
+ Ia->Descriptor.Type = Dhcp6OptIana;
|
||||
+ Ia->Descriptor.IaId = 0x12345678;
|
||||
+
|
||||
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
|
||||
+
|
||||
+ Status = Dhcp6AppendIaOption (
|
||||
+ Dhcp6AppendIaOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ Ia,
|
||||
+ 0x12345678,
|
||||
+ 0x11111111,
|
||||
+ Dhcp6OptIana
|
||||
+ );
|
||||
+
|
||||
+ // verify that we error out because the packet is too small for the option header
|
||||
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
|
||||
+
|
||||
+ // reset the length
|
||||
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
|
||||
+}
|
||||
+
|
||||
+// Test Description:
|
||||
+// Attempt to append an option to a packet that doesn't have enough space
|
||||
+// for the option header
|
||||
+TEST_F (Dhcp6AppendIaOptionTest, IaTaInvalidDataExpectBufferTooSmall) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ // Use up nearly all the space in the packet
|
||||
+ Packet->Length = Packet->Size - 2;
|
||||
+
|
||||
+ Ia->Descriptor.Type = Dhcp6OptIata;
|
||||
+ Ia->Descriptor.IaId = 0x12345678;
|
||||
+
|
||||
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
|
||||
+
|
||||
+ Status = Dhcp6AppendIaOption (
|
||||
+ Dhcp6AppendIaOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ Ia,
|
||||
+ 0,
|
||||
+ 0,
|
||||
+ Dhcp6OptIata
|
||||
+ );
|
||||
+
|
||||
+ // verify that we error out because the packet is too small for the option header
|
||||
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
|
||||
+
|
||||
+ // reset the length
|
||||
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
|
||||
+}
|
||||
+
|
||||
+TEST_F (Dhcp6AppendIaOptionTest, IaNaValidDataExpectSuccess) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_STATUS Status;
|
||||
+ UINTN ExpectedSize;
|
||||
+ UINTN OriginalLength;
|
||||
+
|
||||
+ //
|
||||
+ // 2 bytes for the option header type
|
||||
+ //
|
||||
+ ExpectedSize = 2;
|
||||
+ //
|
||||
+ // 2 bytes for the option header length
|
||||
+ //
|
||||
+ ExpectedSize += 2;
|
||||
+ //
|
||||
+ // 4 bytes for the IAID
|
||||
+ //
|
||||
+ ExpectedSize += 4;
|
||||
+ //
|
||||
+ // + 4 bytes for the T1
|
||||
+ //
|
||||
+ ExpectedSize += 4;
|
||||
+ //
|
||||
+ // + 4 bytes for the T2
|
||||
+ //
|
||||
+ ExpectedSize += 4;
|
||||
+ //
|
||||
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
|
||||
+ // + 2 bytes for the option header type
|
||||
+ // + 2 bytes for the option header length
|
||||
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
|
||||
+ //
|
||||
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
|
||||
+
|
||||
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
|
||||
+
|
||||
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
|
||||
+ OriginalLength = Packet->Length;
|
||||
+
|
||||
+ Ia->Descriptor.Type = Dhcp6OptIana;
|
||||
+ Ia->Descriptor.IaId = 0x12345678;
|
||||
+
|
||||
+ Status = Dhcp6AppendIaOption (
|
||||
+ Dhcp6AppendIaOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ Ia,
|
||||
+ 0x12345678,
|
||||
+ 0x12345678,
|
||||
+ Dhcp6OptIana
|
||||
+ );
|
||||
+
|
||||
+ // verify that the pointer to cursor moved by the expected amount
|
||||
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
|
||||
+
|
||||
+ // verify that the length of the packet is now the expected amount
|
||||
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
|
||||
+
|
||||
+ // verify that the status is EFI_SUCCESS
|
||||
+ ASSERT_EQ (Status, EFI_SUCCESS);
|
||||
+}
|
||||
+
|
||||
+TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
|
||||
+ UINT8 *Cursor;
|
||||
+ EFI_STATUS Status;
|
||||
+ UINTN ExpectedSize;
|
||||
+ UINTN OriginalLength;
|
||||
+
|
||||
+ //
|
||||
+ // 2 bytes for the option header type
|
||||
+ //
|
||||
+ ExpectedSize = 2;
|
||||
+ //
|
||||
+ // 2 bytes for the option header length
|
||||
+ //
|
||||
+ ExpectedSize += 2;
|
||||
+ //
|
||||
+ // 4 bytes for the IAID
|
||||
+ //
|
||||
+ ExpectedSize += 4;
|
||||
+ //
|
||||
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
|
||||
+ // + 2 bytes for the option header type
|
||||
+ // + 2 bytes for the option header length
|
||||
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
|
||||
+ //
|
||||
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
|
||||
+
|
||||
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
|
||||
+
|
||||
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
|
||||
+ OriginalLength = Packet->Length;
|
||||
+
|
||||
+ Ia->Descriptor.Type = Dhcp6OptIata;
|
||||
+ Ia->Descriptor.IaId = 0x12345678;
|
||||
+
|
||||
+ Status = Dhcp6AppendIaOption (
|
||||
+ Dhcp6AppendIaOptionTest::Packet,
|
||||
+ &Cursor,
|
||||
+ Ia,
|
||||
+ 0,
|
||||
+ 0,
|
||||
+ Dhcp6OptIata
|
||||
+ );
|
||||
+
|
||||
+ // verify that the pointer to cursor moved by the expected amount
|
||||
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
|
||||
+
|
||||
+ // verify that the length of the packet is now the expected amount
|
||||
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
|
||||
+
|
||||
+ // verify that the status is EFI_SUCCESS
|
||||
+ ASSERT_EQ (Status, EFI_SUCCESS);
|
||||
+}
|
||||
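Review bot: in the Dhcp6AppendIaOptionTest fixture, `Ia` is declared without an initializer while `Buffer` is set to NULL, yet TearDown() calls FreePool on `Ia` whenever it is non-NULL. If `ASSERT_NE (Buffer, (UINT8 *)NULL)` fails in SetUp(), SetUp() returns before `Ia` is assigned, and TearDown() then frees an indeterminate pointer. Declare the member as `EFI_DHCP6_IA *Ia = NULL;`. Two smaller points: the IaNaValidDataExpectSuccess and IaTaValidDataExpectSuccess tests assert on Cursor and Length before Status, so a failing call surfaces as a pointer mismatch instead of the status code, and they lack the "Test Description" comment the other tests carry. The "reset the length" statements after the fatal ASSERT_EQ are skipped on failure and are not needed, since each TEST_F gets a fresh fixture.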
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
|
||||
index 1aeca5c5b3..20bc90b172 100644
|
||||
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
|
||||
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
|
||||
@@ -24,6 +24,7 @@
|
||||
#
|
||||
# Build HOST_APPLICATION that tests NetworkPkg
|
||||
#
|
||||
+ NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
|
||||
|
||||
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
|
||||
[LibraryClasses]
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,68 @@
|
||||
From 2794a967f43f2bbdfcd2cb5197ac8cad4b13c3de Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 17 Jan 2024 12:20:52 -0500
|
||||
Subject: [PATCH 08/17] SecurityPkg: Adding CVE 2022-36763 to
|
||||
SecurityFixes.yaml
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
|
||||
RH-Jira: RHEL-21154 RHEL-21156
|
||||
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
RH-Commit: [8/13] 74117caf760e403566f6511332b2c0f41483f28c (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21154
|
||||
Upstream: Merged
|
||||
CVE: CVE-2022-36763
|
||||
|
||||
commit 1ddcb9fc6b4164e882687b031e8beacfcf7df29e
|
||||
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Date: Fri Jan 12 02:16:03 2024 +0800
|
||||
|
||||
SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml
|
||||
|
||||
This creates / adds a security file that tracks the security fixes
|
||||
found in this package and can be used to find the fixes that were
|
||||
applied.
|
||||
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
SecurityPkg/SecurityFixes.yaml | 22 ++++++++++++++++++++++
|
||||
1 file changed, 22 insertions(+)
|
||||
create mode 100644 SecurityPkg/SecurityFixes.yaml
|
||||
|
||||
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
|
||||
new file mode 100644
|
||||
index 0000000000..f9e3e7be74
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/SecurityFixes.yaml
|
||||
@@ -0,0 +1,22 @@
|
||||
+## @file
|
||||
+# Security Fixes for SecurityPkg
|
||||
+#
|
||||
+# Copyright (c) Microsoft Corporation
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+##
|
||||
+CVE_2022_36763:
|
||||
+ commit_titles:
|
||||
+ - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
|
||||
+ - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
|
||||
+ - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
|
||||
+ cve: CVE-2022-36763
|
||||
+ date_reported: 2022-10-25 11:31 UTC
|
||||
+ description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
|
||||
+ note: This patch is related to and supersedes TCBZ2168
|
||||
+ files_impacted:
|
||||
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
|
||||
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
|
||||
+ links:
|
||||
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
|
||||
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
|
||||
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
|
||||
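Review bot: the first two `commit_titles` entries name `DxeTpm2Measurement` and `DxeTpmMeasurement`, but `files_impacted` and the rest of this series call the libraries DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib. If this file is meant to be matched against commit subjects to find the applied fixes, the titles should be the exact subjects; please confirm them against the commits. `files_impacted` also uses backslash separators (`Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c`), while the diff paths use forward slashes; forward-slash paths would be usable by tooling on any host.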
--
|
||||
2.41.0
|
||||
|
edk2-SecurityPkg-Change-OPTIONAL-keyword-usage-style.patch
@ -0,0 +1,403 @@
|
||||
From e2ccaef3baa2eb045019558c325bb94cabf65e1a Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 7 Feb 2024 11:56:37 -0500
|
||||
Subject: [PATCH 02/17] SecurityPkg: Change OPTIONAL keyword usage style
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
|
||||
RH-Jira: RHEL-21154 RHEL-21156
|
||||
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
RH-Commit: [2/13] 6a2141d871e3efc3aeea1994ab9c325614ddce57 (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21154
|
||||
CVE: CVE-2022-36763
|
||||
Upstream: Merged
|
||||
|
||||
commit 948f4003ee399241a40dc147a738f05ad2e37375
|
||||
Author: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
Date: Thu Dec 2 18:00:56 2021 -0800
|
||||
|
||||
SecurityPkg: Change OPTIONAL keyword usage style
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760
|
||||
|
||||
Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params.
|
||||
|
||||
Cc: Andrew Fish <afish@apple.com>
|
||||
Cc: Leif Lindholm <leif@nuviainc.com>
|
||||
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
|
||||
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
SecurityPkg/Include/Library/Tcg2PpVendorLib.h | 2 +-
|
||||
SecurityPkg/Include/Library/Tpm2CommandLib.h | 14 +++++++-------
|
||||
SecurityPkg/Library/AuthVariableLib/AuthService.c | 6 +++---
|
||||
.../DxeImageAuthenticationStatusLib.c | 2 +-
|
||||
.../DxeImageVerificationLib.c | 2 +-
|
||||
.../DxeRsa2048Sha256GuidedSectionExtractLib.c | 2 +-
|
||||
.../DxeTcg2PhysicalPresenceLib.c | 4 ++--
|
||||
.../DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 2 +-
|
||||
.../DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 2 +-
|
||||
.../PeiRsa2048Sha256GuidedSectionExtractLib.c | 2 +-
|
||||
.../Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c | 2 +-
|
||||
.../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 2 +-
|
||||
SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c | 2 +-
|
||||
SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c | 2 +-
|
||||
SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 2 +-
|
||||
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 6 +++---
|
||||
.../RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 2 +-
|
||||
.../RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 2 +-
|
||||
.../RandomNumberGenerator/RngDxe/RngDxeInternals.h | 2 +-
|
||||
SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c | 2 +-
|
||||
20 files changed, 31 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Include/Library/Tcg2PpVendorLib.h b/SecurityPkg/Include/Library/Tcg2PpVendorLib.h
|
||||
index 569eba6874..914517f034 100644
|
||||
--- a/SecurityPkg/Include/Library/Tcg2PpVendorLib.h
|
||||
+++ b/SecurityPkg/Include/Library/Tcg2PpVendorLib.h
|
||||
@@ -40,7 +40,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PpVendorLibExecutePendingRequest (
|
||||
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
|
||||
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
|
||||
IN UINT32 OperationRequest,
|
||||
IN OUT UINT32 *ManagementFlags,
|
||||
OUT BOOLEAN *ResetRequired
|
||||
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Include/Library/Tpm2CommandLib.h
|
||||
index ee8eb62295..ad3b982d48 100644
|
||||
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
|
||||
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
|
||||
@@ -186,7 +186,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
Tpm2ClearControl (
|
||||
IN TPMI_RH_CLEAR AuthHandle,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPMI_YES_NO Disable
|
||||
);
|
||||
|
||||
@@ -340,7 +340,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
Tpm2NvDefineSpace (
|
||||
IN TPMI_RH_PROVISION AuthHandle,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPM2B_AUTH *Auth,
|
||||
IN TPM2B_NV_PUBLIC *NvPublic
|
||||
);
|
||||
@@ -383,7 +383,7 @@ EFIAPI
|
||||
Tpm2NvRead (
|
||||
IN TPMI_RH_NV_AUTH AuthHandle,
|
||||
IN TPMI_RH_NV_INDEX NvIndex,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN UINT16 Size,
|
||||
IN UINT16 Offset,
|
||||
IN OUT TPM2B_MAX_BUFFER *OutData
|
||||
@@ -407,7 +407,7 @@ EFIAPI
|
||||
Tpm2NvWrite (
|
||||
IN TPMI_RH_NV_AUTH AuthHandle,
|
||||
IN TPMI_RH_NV_INDEX NvIndex,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPM2B_MAX_BUFFER *InData,
|
||||
IN UINT16 Offset
|
||||
);
|
||||
@@ -566,7 +566,7 @@ Tpm2PcrAllocate (
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
Tpm2PcrAllocateBanks (
|
||||
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
|
||||
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
|
||||
IN UINT32 SupportedPCRBanks,
|
||||
IN UINT32 PCRBanks
|
||||
);
|
||||
@@ -908,7 +908,7 @@ EFIAPI
|
||||
Tpm2PolicySecret (
|
||||
IN TPMI_DH_ENTITY AuthHandle,
|
||||
IN TPMI_SH_POLICY PolicySession,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPM2B_NONCE *NonceTPM,
|
||||
IN TPM2B_DIGEST *CpHashA,
|
||||
IN TPM2B_NONCE *PolicyRef,
|
||||
@@ -1004,7 +1004,7 @@ Tpm2ReadPublic (
|
||||
UINT32
|
||||
EFIAPI
|
||||
CopyAuthSessionCommand (
|
||||
- IN TPMS_AUTH_COMMAND *AuthSessionIn, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSessionIn OPTIONAL,
|
||||
OUT UINT8 *AuthSessionOut
|
||||
);
|
||||
|
||||
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
|
||||
index aa9ebaf3be..3059e5d256 100644
|
||||
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
|
||||
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
|
||||
@@ -1183,9 +1183,9 @@ FindCertsFromDb (
|
||||
IN EFI_GUID *VendorGuid,
|
||||
IN UINT8 *Data,
|
||||
IN UINTN DataSize,
|
||||
- OUT UINT32 *CertOffset, OPTIONAL
|
||||
- OUT UINT32 *CertDataSize, OPTIONAL
|
||||
- OUT UINT32 *CertNodeOffset,OPTIONAL
|
||||
+ OUT UINT32 *CertOffset OPTIONAL,
|
||||
+ OUT UINT32 *CertDataSize OPTIONAL,
|
||||
+ OUT UINT32 *CertNodeOffset OPTIONAL,
|
||||
OUT UINT32 *CertNodeSize OPTIONAL
|
||||
)
|
||||
{
|
||||
diff --git a/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
|
||||
index ec77151c9c..9acff2ae7d 100644
|
||||
--- a/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
|
||||
@@ -32,7 +32,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
DxeImageAuthenticationStatusHandler (
|
||||
IN UINT32 AuthenticationStatus,
|
||||
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
|
||||
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
|
||||
IN VOID *FileBuffer,
|
||||
IN UINTN FileSize,
|
||||
IN BOOLEAN BootPolicy
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 1252927664..0a12692454 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1636,7 +1636,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
DxeImageVerificationHandler (
|
||||
IN UINT32 AuthenticationStatus,
|
||||
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
|
||||
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
|
||||
IN VOID *FileBuffer,
|
||||
IN UINTN FileSize,
|
||||
IN BOOLEAN BootPolicy
|
||||
diff --git a/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c b/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
|
||||
index 28807d4d98..5124b884c9 100644
|
||||
--- a/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
|
||||
+++ b/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
|
||||
@@ -123,7 +123,7 @@ EFIAPI
|
||||
Rsa2048Sha256GuidedSectionHandler (
|
||||
IN CONST VOID *InputSection,
|
||||
OUT VOID **OutputBuffer,
|
||||
- IN VOID *ScratchBuffer, OPTIONAL
|
||||
+ IN VOID *ScratchBuffer OPTIONAL,
|
||||
OUT UINT32 *AuthenticationStatus
|
||||
)
|
||||
{
|
||||
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
|
||||
index fce5c0af50..d92658f80d 100644
|
||||
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
|
||||
@@ -147,7 +147,7 @@ Tpm2CommandChangeEps (
|
||||
**/
|
||||
UINT32
|
||||
Tcg2ExecutePhysicalPresence (
|
||||
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
|
||||
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
|
||||
IN UINT32 CommandCode,
|
||||
IN UINT32 CommandParameter,
|
||||
IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *PpiFlags
|
||||
@@ -720,7 +720,7 @@ Tcg2HaveValidTpmRequest (
|
||||
**/
|
||||
VOID
|
||||
Tcg2ExecutePendingTpmRequest (
|
||||
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
|
||||
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
|
||||
IN OUT EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData,
|
||||
IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *Flags
|
||||
)
|
||||
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
index a531385f81..95682ac567 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
@@ -416,7 +416,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
DxeTpm2MeasureBootHandler (
|
||||
IN UINT32 AuthenticationStatus,
|
||||
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
|
||||
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
|
||||
IN VOID *FileBuffer,
|
||||
IN UINTN FileSize,
|
||||
IN BOOLEAN BootPolicy
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
index 4e74cd9db6..27c0ea48ca 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
@@ -710,7 +710,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
DxeTpmMeasureBootHandler (
|
||||
IN UINT32 AuthenticationStatus,
|
||||
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
|
||||
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
|
||||
IN VOID *FileBuffer,
|
||||
IN UINTN FileSize,
|
||||
IN BOOLEAN BootPolicy
|
||||
diff --git a/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c b/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
|
||||
index a759183d20..96638e26aa 100644
|
||||
--- a/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
|
||||
+++ b/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
|
||||
@@ -121,7 +121,7 @@ EFIAPI
|
||||
Rsa2048Sha256GuidedSectionHandler (
|
||||
IN CONST VOID *InputSection,
|
||||
OUT VOID **OutputBuffer,
|
||||
- IN VOID *ScratchBuffer, OPTIONAL
|
||||
+ IN VOID *ScratchBuffer OPTIONAL,
|
||||
OUT UINT32 *AuthenticationStatus
|
||||
)
|
||||
{
|
||||
diff --git a/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c b/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c
|
||||
index 895d05a28d..aa3dcb6beb 100644
|
||||
--- a/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c
|
||||
+++ b/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c
|
||||
@@ -30,7 +30,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PpVendorLibExecutePendingRequest (
|
||||
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
|
||||
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
|
||||
IN UINT32 OperationRequest,
|
||||
IN OUT UINT32 *ManagementFlags,
|
||||
OUT BOOLEAN *ResetRequired
|
||||
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
|
||||
index 0404c0f321..53983d745b 100644
|
||||
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
|
||||
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
|
||||
@@ -90,7 +90,7 @@ EFIAPI
|
||||
Tpm2PolicySecret (
|
||||
IN TPMI_DH_ENTITY AuthHandle,
|
||||
IN TPMI_SH_POLICY PolicySession,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPM2B_NONCE *NonceTPM,
|
||||
IN TPM2B_DIGEST *CpHashA,
|
||||
IN TPM2B_NONCE *PolicyRef,
|
||||
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
|
||||
index 13eeb6ec18..44115cded3 100644
|
||||
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
|
||||
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
|
||||
@@ -84,7 +84,7 @@ GetHashMaskFromAlgo (
|
||||
UINT32
|
||||
EFIAPI
|
||||
CopyAuthSessionCommand (
|
||||
- IN TPMS_AUTH_COMMAND *AuthSessionIn, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSessionIn OPTIONAL,
|
||||
OUT UINT8 *AuthSessionOut
|
||||
)
|
||||
{
|
||||
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c
|
||||
index 043d358a06..957d694431 100644
|
||||
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c
|
||||
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c
|
||||
@@ -305,7 +305,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
Tpm2ClearControl (
|
||||
IN TPMI_RH_CLEAR AuthHandle,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPMI_YES_NO Disable
|
||||
)
|
||||
{
|
||||
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
|
||||
index 8c87de0b0c..d232fe725d 100644
|
||||
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
|
||||
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
|
||||
@@ -566,7 +566,7 @@ Done:
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
Tpm2PcrAllocateBanks (
|
||||
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
|
||||
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
|
||||
IN UINT32 SupportedPCRBanks,
|
||||
IN UINT32 PCRBanks
|
||||
)
|
||||
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
|
||||
index fb46af0fed..d9171fb9a0 100644
|
||||
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
|
||||
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
|
||||
@@ -281,7 +281,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
Tpm2NvDefineSpace (
|
||||
IN TPMI_RH_PROVISION AuthHandle,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPM2B_AUTH *Auth,
|
||||
IN TPM2B_NV_PUBLIC *NvPublic
|
||||
)
|
||||
@@ -525,7 +525,7 @@ EFIAPI
|
||||
Tpm2NvRead (
|
||||
IN TPMI_RH_NV_AUTH AuthHandle,
|
||||
IN TPMI_RH_NV_INDEX NvIndex,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN UINT16 Size,
|
||||
IN UINT16 Offset,
|
||||
IN OUT TPM2B_MAX_BUFFER *OutData
|
||||
@@ -670,7 +670,7 @@ EFIAPI
|
||||
Tpm2NvWrite (
|
||||
IN TPMI_RH_NV_AUTH AuthHandle,
|
||||
IN TPMI_RH_NV_INDEX NvIndex,
|
||||
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
|
||||
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
|
||||
IN TPM2B_MAX_BUFFER *InData,
|
||||
IN UINT16 Offset
|
||||
)
|
||||
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
|
||||
index 282fdca9d3..1cdc842966 100644
|
||||
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
|
||||
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
|
||||
@@ -53,7 +53,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
RngGetRNG (
|
||||
IN EFI_RNG_PROTOCOL *This,
|
||||
- IN EFI_RNG_ALGORITHM *RNGAlgorithm, OPTIONAL
|
||||
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
|
||||
IN UINTN RNGValueLength,
|
||||
OUT UINT8 *RNGValue
|
||||
)
|
||||
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
||||
index d0e6b7de06..834123b945 100644
|
||||
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
||||
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
||||
@@ -49,7 +49,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
RngGetRNG (
|
||||
IN EFI_RNG_PROTOCOL *This,
|
||||
- IN EFI_RNG_ALGORITHM *RNGAlgorithm, OPTIONAL
|
||||
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
|
||||
IN UINTN RNGValueLength,
|
||||
OUT UINT8 *RNGValue
|
||||
)
|
||||
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
|
||||
index 2660ed5875..25cccbe92c 100644
|
||||
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
|
||||
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
|
||||
@@ -67,7 +67,7 @@ EFI_STATUS
|
||||
EFIAPI
|
||||
RngGetRNG (
|
||||
IN EFI_RNG_PROTOCOL *This,
|
||||
- IN EFI_RNG_ALGORITHM *RNGAlgorithm, OPTIONAL
|
||||
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
|
||||
IN UINTN RNGValueLength,
|
||||
OUT UINT8 *RNGValue
|
||||
);
|
||||
diff --git a/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c b/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c
|
||||
index 68cd62307c..09cb4b0ee9 100644
|
||||
--- a/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c
|
||||
+++ b/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c
|
||||
@@ -56,7 +56,7 @@ HII_VENDOR_DEVICE_PATH mTcgHiiVendorDevicePath = {
|
||||
EFI_STATUS
|
||||
GetTpmState (
|
||||
IN EFI_TCG_PROTOCOL *TcgProtocol,
|
||||
- OUT BOOLEAN *TpmEnable, OPTIONAL
|
||||
+ OUT BOOLEAN *TpmEnable OPTIONAL,
|
||||
OUT BOOLEAN *TpmActivate OPTIONAL
|
||||
)
|
||||
{
|
||||
--
|
||||
2.41.0
|
||||
|
edk2-SecurityPkg-Change-use-of-EFI_D_-to-DEBUG_.patch
File diff suppressed because it is too large
edk2-SecurityPkg-DxeTpm2MeasureBootLib-SEC-PATCH-4118-2.patch
@ -0,0 +1,272 @@
|
||||
From 7b5040e857f1a16bed935f7944bda8bc6f6999ac Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Tue, 13 Feb 2024 16:30:10 -0500
|
||||
Subject: [PATCH 11/17] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH
|
||||
4117/4118 symbol rename
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
|
||||
RH-Jira: RHEL-21154 RHEL-21156
|
||||
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
RH-Commit: [11/13] 45fc2658aaa726b57219789bb1af64f5c4e2cfdc (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21156
|
||||
CVE: CVE-2022-36764
|
||||
Upstream: Merged
|
||||
|
||||
commit 40adbb7f628dee79156c679fb0857968b61b7620
|
||||
Author: Doug Flick <dougflick@microsoft.com>
|
||||
Date: Wed Jan 17 14:47:20 2024 -0800
|
||||
|
||||
SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
|
||||
|
||||
Updates the sanitation function names to be lib unique names
|
||||
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Cc: Rahul Kumar <rahul1.kumar@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Message-Id: <7b18434c8a8b561654efd40ced3becb8b378c8f1.1705529990.git.doug.edk2@gmail.com>
|
||||
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
.../DxeTpm2MeasureBootLib.c | 8 +++---
|
||||
.../DxeTpm2MeasureBootLibSanitization.c | 8 +++---
|
||||
.../DxeTpm2MeasureBootLibSanitization.h | 8 +++---
|
||||
.../DxeTpm2MeasureBootLibSanitizationTest.c | 26 +++++++++----------
|
||||
4 files changed, 25 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
index f06926e631..8f8bef1d0b 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
@@ -197,7 +197,7 @@ Tcg2MeasureGptTable (
|
||||
BlockIo->Media->BlockSize,
|
||||
(UINT8 *)PrimaryHeader
|
||||
);
|
||||
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
|
||||
+ if (EFI_ERROR (Status) || EFI_ERROR (Tpm2SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
|
||||
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
|
||||
FreePool (PrimaryHeader);
|
||||
return EFI_DEVICE_ERROR;
|
||||
@@ -206,7 +206,7 @@ Tcg2MeasureGptTable (
|
||||
//
|
||||
// Read the partition entry.
|
||||
//
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
FreePool (PrimaryHeader);
|
||||
return EFI_BAD_BUFFER_SIZE;
|
||||
@@ -245,7 +245,7 @@ Tcg2MeasureGptTable (
|
||||
//
|
||||
// Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
|
||||
//
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
FreePool (PrimaryHeader);
|
||||
FreePool (EntryPtr);
|
||||
@@ -414,7 +414,7 @@ Tcg2MeasurePeImage (
|
||||
}
|
||||
|
||||
FilePathSize = (UINT32)GetDevicePathSize (FilePath);
|
||||
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
|
||||
index 2a4d52c6d5..809a3bfd89 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
|
||||
@@ -63,7 +63,7 @@
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizeEfiPartitionTableHeader (
|
||||
+Tpm2SanitizeEfiPartitionTableHeader (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
|
||||
)
|
||||
@@ -169,7 +169,7 @@ SanitizeEfiPartitionTableHeader (
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizePrimaryHeaderAllocationSize (
|
||||
+Tpm2SanitizePrimaryHeaderAllocationSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
OUT UINT32 *AllocationSize
|
||||
)
|
||||
@@ -221,7 +221,7 @@ SanitizePrimaryHeaderAllocationSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePrimaryHeaderGptEventSize (
|
||||
+Tpm2SanitizePrimaryHeaderGptEventSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN UINTN NumberOfPartition,
|
||||
OUT UINT32 *EventSize
|
||||
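Review bot: Tpm2SanitizePrimaryHeaderGptEventSize is defined here with a bare EFI_STATUS and no EFIAPI, while Tpm2SanitizeEfiPartitionTableHeader and Tpm2SanitizePrimaryHeaderAllocationSize in the two hunks above carry EFIAPI. Tpm2SanitizePeImageEventSize in the next hunk has the same omission, and the declarations in the header mirror it. Since the rename already touches all four definition lines, adding EFIAPI to these two in both the .c and the .h would make the calling convention of the library's sanitizers consistent.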
@@ -292,7 +292,7 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePeImageEventSize (
|
||||
+Tpm2SanitizePeImageEventSize (
|
||||
IN UINT32 FilePathSize,
|
||||
OUT UINT32 *EventSize
|
||||
)
|
||||
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
|
||||
index 8f72ba4240..8526bc7537 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
|
||||
@@ -54,7 +54,7 @@
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizeEfiPartitionTableHeader (
|
||||
+Tpm2SanitizeEfiPartitionTableHeader (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
|
||||
);
|
||||
@@ -78,7 +78,7 @@ SanitizeEfiPartitionTableHeader (
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizePrimaryHeaderAllocationSize (
|
||||
+Tpm2SanitizePrimaryHeaderAllocationSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
OUT UINT32 *AllocationSize
|
||||
);
|
||||
@@ -107,7 +107,7 @@ SanitizePrimaryHeaderAllocationSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePrimaryHeaderGptEventSize (
|
||||
+Tpm2SanitizePrimaryHeaderGptEventSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN UINTN NumberOfPartition,
|
||||
OUT UINT32 *EventSize
|
||||
@@ -131,7 +131,7 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePeImageEventSize (
|
||||
+Tpm2SanitizePeImageEventSize (
|
||||
IN UINT32 FilePathSize,
|
||||
OUT UINT32 *EventSize
|
||||
);
|
||||
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
|
||||
index 820e99aeb9..50a68e1076 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
|
||||
@@ -84,27 +84,27 @@ TestSanitizeEfiPartitionTableHeader (
|
||||
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
|
||||
|
||||
// Test that a normal PrimaryHeader passes validation
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
|
||||
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
|
||||
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
|
||||
PrimaryHeader.NumberOfPartitionEntries = 0;
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
|
||||
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
|
||||
// Should print "Invalid Partition Table Header Size!"
|
||||
PrimaryHeader.Header.HeaderSize = 0;
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
|
||||
|
||||
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
|
||||
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
|
||||
PrimaryHeader.SizeOfPartitionEntry = 1;
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
|
||||
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
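Review bot: in the context lines after the zero-entries case, NumberOfPartitionEntries is restored with DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY, which is the entry-size constant and not an entry count. The restore should use DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES, the constant the test's setup uses, so the later cases run against the header they claim to. Every negative case in this hunk also asserts the same EFI_DEVICE_ERROR, so only the "Should print ..." comments tie a case to a specific check; a header left in the wrong state by an earlier case would not be noticed. The first of those comments ends with a doubled closing quote.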
@@ -137,7 +137,7 @@ TestSanitizePrimaryHeaderAllocationSize (
|
||||
PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
|
||||
// Test that the allocation size is correct compared to the existing logic
|
||||
@@ -146,19 +146,19 @@ TestSanitizePrimaryHeaderAllocationSize (
|
||||
// Test that an overflow is detected
|
||||
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
|
||||
PrimaryHeader.SizeOfPartitionEntry = 5;
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
// Test the inverse
|
||||
PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
// Test the worst case scenario
|
||||
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
|
||||
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
@@ -196,7 +196,7 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
NumberOfPartition = 13;
|
||||
|
||||
// that the primary event size is correct
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
|
||||
// Calculate the existing logic event size
|
||||
@@ -207,12 +207,12 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
|
||||
|
||||
// Tests that the primary event size may not overflow
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
// Test that the size of partition entries may not overflow
|
||||
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
@@ -245,7 +245,7 @@ TestSanitizePeImageEventSize (
|
||||
FilePathSize = 255;
|
||||
|
||||
// Test that a normal PE image passes validation
|
||||
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
|
||||
|
||||
// Test that the event size is correct compared to the existing logic
|
||||
@@ -258,7 +258,7 @@ TestSanitizePeImageEventSize (
|
||||
}
|
||||
|
||||
// Test that the event size may not overflow
|
||||
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
|
||||
+ Status = Tpm2SanitizePeImageEventSize (MAX_UINT32, &EventSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
--
|
||||
2.41.0
|
||||
|
1066
edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
Normal file
File diff suppressed because it is too large
286
edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch
Normal file
@ -0,0 +1,286 @@
From 7c3fefb0c857acb9e7e14b150c4c3131e78fbb63 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 7 Feb 2024 15:43:10 -0500
Subject: [PATCH 09/17] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118
 - CVE 2022-36764

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [9/13] c7890fc5c5d7fef2fc1daa931ea2d48f3a76b9e3 (jmaloy/jons_fork)

JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged

commit c7b27944218130cca3bbb20314ba5b88b5de4aa4
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:04 2024 +0800

SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764

This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36764.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpm2MeasureBootLib.c | 15 +++--
.../DxeTpm2MeasureBootLibSanitization.c | 46 +++++++++++++-
.../DxeTpm2MeasureBootLibSanitization.h | 28 ++++++++-
.../DxeTpm2MeasureBootLibSanitizationTest.c | 60 ++++++++++++++++---
4 files changed, 133 insertions(+), 16 deletions(-)

diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
index 476c8d543f..f06926e631 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
@@ -372,7 +372,6 @@ Exit:
|
||||
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
|
||||
@retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.
|
||||
@retval other error value
|
||||
-
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
@@ -399,6 +398,7 @@ Tcg2MeasurePeImage (
|
||||
Status = EFI_UNSUPPORTED;
|
||||
ImageLoad = NULL;
|
||||
EventPtr = NULL;
|
||||
+ Tcg2Event = NULL;
|
||||
|
||||
Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
|
||||
CcProtocol = MeasureBootProtocols->CcProtocol;
|
||||
@@ -413,19 +413,24 @@ Tcg2MeasurePeImage (
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
|
||||
- FilePathSize = (UINT32) GetDevicePathSize (FilePath);
|
||||
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);
|
||||
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
|
||||
//
|
||||
// Determine destination PCR by BootPolicy
|
||||
//
|
||||
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
|
||||
- EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
|
||||
+ // from a malicious GPT disk partition
|
||||
+ EventPtr = AllocateZeroPool (EventSize);
|
||||
if (EventPtr == NULL) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
|
||||
- Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
|
||||
+ Tcg2Event->Size = EventSize;
|
||||
+ Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
|
||||
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
|
||||
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) Tcg2Event->Event;
|
||||
|
||||
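Review bot: the (UINT32) cast on GetDevicePathSize (FilePath) runs before SanitizePeImageEventSize, so the overflow check only ever sees an already-truncated value. GetDevicePathSize returns a UINTN; on a 64-bit build a size above MAX_UINT32 wraps in the cast and reaches the sanitizer as a small FilePathSize. Keeping the size in a UINTN and narrowing it with a checked conversion such as SafeIntLib's SafeUintnToUint32, or having the sanitizer take a UINTN, would reject that case as well. Two smaller points in the same hunk: the added comment line "// from a malicious GPT disk partition" is a sentence fragment sitting under "Determine destination PCR by BootPolicy" and talks about GPT in the PE image path; and EventSize now holds the full allocation size (it is assigned to Tcg2Event->Size), so any later use of EventSize as the image-load payload length, outside this hunk, needs to be checked against the new meaning.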
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
|
||||
index e2309655d3..2a4d52c6d5 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
|
||||
@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
|
||||
}
|
||||
|
||||
/**
|
||||
- This function will validate that the allocation size from the primary header is sane
|
||||
+ This function will validate that the allocation size from the primary header is sane
|
||||
It will check the following:
|
||||
- AllocationSize does not overflow
|
||||
|
||||
@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
+
|
||||
+/**
|
||||
+ This function will validate that the PeImage Event Size from the loaded image is sane
|
||||
+ It will check the following:
|
||||
+ - EventSize does not overflow
|
||||
+
|
||||
+ @param[in] FilePathSize - Size of the file path.
|
||||
+ @param[out] EventSize - Pointer to the event size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The event size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ Overflow would have occurred.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ One of the passed parameters was invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+SanitizePeImageEventSize (
|
||||
+ IN UINT32 FilePathSize,
|
||||
+ OUT UINT32 *EventSize
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ // Replacing logic:
|
||||
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
|
||||
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ // Replacing logic:
|
||||
+ // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
|
||||
+ Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
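Review bot: the @retval list in the new function comment does not match the body of SanitizePeImageEventSize. The comment documents EFI_OUT_OF_RESOURCES for overflow and EFI_INVALID_PARAMETER for bad arguments, but both SafeUint32Add failure paths return EFI_BAD_BUFFER_SIZE and there is no explicit NULL check on EventSize. Either document EFI_BAD_BUFFER_SIZE, which is what the unit test asserts, and drop the codes that are never returned, or add the parameter check and return EFI_INVALID_PARAMETER as documented. The two DEBUG messages are also identical, so a log line cannot tell which of the two additions failed.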
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
|
||||
index 048b738987..8f72ba4240 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
|
||||
@@ -9,6 +9,9 @@
|
||||
Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
|
||||
partition data carefully.
|
||||
|
||||
+ Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
|
||||
+ data structure within this image buffer before use.
|
||||
+
|
||||
Copyright (c) Microsoft Corporation.<BR>
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
OUT UINT32 *EventSize
|
||||
);
|
||||
|
||||
-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
|
||||
+/**
|
||||
+ This function will validate that the PeImage Event Size from the loaded image is sane
|
||||
+ It will check the following:
|
||||
+ - EventSize does not overflow
|
||||
+
|
||||
+ @param[in] FilePathSize - Size of the file path.
|
||||
+ @param[out] EventSize - Pointer to the event size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The event size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ Overflow would have occurred.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ One of the passed parameters was invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+SanitizePeImageEventSize (
|
||||
+ IN UINT32 FilePathSize,
|
||||
+ OUT UINT32 *EventSize
|
||||
+ );
|
||||
+
|
||||
+#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
|
||||
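Review bot: the trailing comment on #endif changes from DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_ to DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_, and the matching #ifndef/#define is outside the visible hunks. Please confirm the comment names the actual guard macro, or rename both together. The @retval list in the declaration comment above it does not mention EFI_BAD_BUFFER_SIZE, the value the unit test in this patch expects on overflow.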
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
|
||||
index 3eb9763e3c..820e99aeb9 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
|
||||
@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
|
||||
PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
|
||||
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
|
||||
PrimaryHeader.MyLBA = 1;
|
||||
- PrimaryHeader.AlternateLBA = 2;
|
||||
- PrimaryHeader.FirstUsableLBA = 3;
|
||||
- PrimaryHeader.LastUsableLBA = 4;
|
||||
- PrimaryHeader.PartitionEntryLBA = 5;
|
||||
+ PrimaryHeader.PartitionEntryLBA = 2;
|
||||
+ PrimaryHeader.AlternateLBA = 3;
|
||||
+ PrimaryHeader.FirstUsableLBA = 4;
|
||||
+ PrimaryHeader.LastUsableLBA = 5;
|
||||
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
|
||||
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
|
||||
@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
EFI_STATUS Status;
|
||||
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
|
||||
UINTN NumberOfPartition;
|
||||
- EFI_GPT_DATA *GptData;
|
||||
- EFI_TCG2_EVENT *Tcg2Event;
|
||||
-
|
||||
- Tcg2Event = NULL;
|
||||
- GptData = NULL;
|
||||
|
||||
// Test that a normal PrimaryHeader passes validation
|
||||
PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
return UNIT_TEST_PASSED;
|
||||
}
|
||||
|
||||
+/**
|
||||
+ This function tests the SanitizePeImageEventSize function.
|
||||
+ It's intent is to test that the untrusted input from a file path when generating a
|
||||
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
|
||||
+ the event size when allocating space
|
||||
+
|
||||
+ @param[in] Context The unit test context.
|
||||
+
|
||||
+ @retval UNIT_TEST_PASSED The test passed.
|
||||
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
|
||||
+**/
|
||||
+UNIT_TEST_STATUS
|
||||
+EFIAPI
|
||||
+TestSanitizePeImageEventSize (
|
||||
+ IN UNIT_TEST_CONTEXT Context
|
||||
+ )
|
||||
+{
|
||||
+ UINT32 EventSize;
|
||||
+ UINTN ExistingLogicEventSize;
|
||||
+ UINT32 FilePathSize;
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ FilePathSize = 255;
|
||||
+
|
||||
+ // Test that a normal PE image passes validation
|
||||
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
|
||||
+
|
||||
+ // Test that the event size is correct compared to the existing logic
|
||||
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
|
||||
+ ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
|
||||
+
|
||||
+ if (EventSize != ExistingLogicEventSize) {
|
||||
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
|
||||
+ return UNIT_TEST_ERROR_TEST_FAILED;
|
||||
+ }
|
||||
+
|
||||
+ // Test that the event size may not overflow
|
||||
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
+
|
||||
+ return UNIT_TEST_PASSED;
|
||||
+}
|
||||
+
|
||||
// *--------------------------------------------------------------------*
|
||||
// * Unit Test Code Main Function
|
||||
// *--------------------------------------------------------------------*
|
||||
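Review bot: the overflow case in TestSanitizePeImageEventSize only passes FilePathSize = MAX_UINT32, which already fails at the first addition, so the second SafeUint32Add is never exercised on its failure path. Add the boundary pair: the largest FilePathSize for which both additions still fit (expect EFI_SUCCESS and the exact size), and that value plus one (expect EFI_BAD_BUFFER_SIZE, failing at the second addition). In the mismatch branch, ExistingLogicEventSize is a UINTN but is printed with %u, and the manual compare with UT_LOG_ERROR could be a UT_ASSERT_EQUAL like the status checks around it. The function comment has "It's intent" where "Its intent" is meant.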
@@ -267,6 +308,7 @@ UefiTestMain (
|
||||
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
|
||||
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
|
||||
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
|
||||
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
|
||||
|
||||
Status = RunAllTestSuites (Framework);
|
||||
|
||||
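Review bot: the description string for the new case reads "Tests PE Image and FileSize checks for overflow", but TestSanitizePeImageEventSize varies FilePathSize; "FilePathSize" would match the code. In the context lines just above, the descriptions of the two existing cases look swapped: "Tests Primary header gpt event checks for overflow" is registered with TestSanitizePrimaryHeaderAllocationSize and "Tests Primary header allocation size checks for overflow" with TestSanitizePrimaryHeaderGptEventSize. Worth correcting while this list is being edited, since these strings are what a test report shows.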
--
|
||||
2.41.0
|
||||
|
279
edk2-SecurityPkg-DxeTpmMeasureBootLib-SEC-PATCH-4117-2.patch
Normal file
@ -0,0 +1,279 @@
From ac25c501c8d97c7520a7c75ae708fb4c43bae035 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 12/17] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH
 4117/4118 symbol rename

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [12/13] 6ef41050fb68f984a5ae6104ccc102afb5290f9f (jmaloy/jons_fork)

JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged

commit 326db0c9072004dea89427ea3a44393a84966f2b
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:21 2024 -0800

SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename

Updates the sanitation function names to be lib unique names

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <355aa846a99ca6ac0f7574cf5982661da0d9fea6.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasureBootLib.c | 8 +++---
.../DxeTpmMeasureBootLibSanitization.c | 10 +++----
.../DxeTpmMeasureBootLibSanitization.h | 8 +++---
.../DxeTpmMeasureBootLibSanitizationTest.c | 26 +++++++++----------
4 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
index 1598015176..c39018d7e4 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
@@ -171,7 +171,7 @@ TcgMeasureGptTable (
|
||||
BlockIo->Media->BlockSize,
|
||||
(UINT8 *)PrimaryHeader
|
||||
);
|
||||
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
|
||||
+ if (EFI_ERROR (Status) || EFI_ERROR (TpmSanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
|
||||
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
|
||||
FreePool (PrimaryHeader);
|
||||
return EFI_DEVICE_ERROR;
|
||||
@@ -179,7 +179,7 @@ TcgMeasureGptTable (
|
||||
//
|
||||
// Read the partition entry.
|
||||
//
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
FreePool (PrimaryHeader);
|
||||
return EFI_DEVICE_ERROR;
|
||||
@@ -218,7 +218,7 @@ TcgMeasureGptTable (
|
||||
//
|
||||
// Prepare Data for Measurement
|
||||
//
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
|
||||
if (TcgEvent == NULL) {
|
||||
FreePool (PrimaryHeader);
|
||||
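Review bot: the Status returned by TpmSanitizePrimaryHeaderGptEventSize is not tested before EventSize is passed to AllocateZeroPool on the very next line. If the sanitizer rejects the header, EventSize may never have been set by the call, and the allocation and the measurement that follows go ahead with it anyway. The TPM2 library's Tcg2MeasureGptTable checks EFI_ERROR (Status) at the same point and frees PrimaryHeader and EntryPtr before returning; the same check is needed here. The omission predates the rename, but this hunk touches the line, and the sanitizer's result has no effect unless it is tested.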
@@ -344,7 +344,7 @@ TcgMeasurePeImage (
|
||||
|
||||
// Determine destination PCR by BootPolicy
|
||||
//
|
||||
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
index bcf8c6de6f..7f17af56cd 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/** @file
|
||||
- The library instance provides security service of TPM2 measure boot and
|
||||
+ The library instance provides security service of TPM measure boot and
|
||||
Confidential Computing (CC) measure boot.
|
||||
|
||||
Caution: This file requires additional review when modified.
|
||||
@@ -63,7 +63,7 @@
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizeEfiPartitionTableHeader (
|
||||
+TpmSanitizeEfiPartitionTableHeader (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
|
||||
)
|
||||
@@ -145,7 +145,7 @@ SanitizeEfiPartitionTableHeader (
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizePrimaryHeaderAllocationSize (
|
||||
+TpmSanitizePrimaryHeaderAllocationSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
OUT UINT32 *AllocationSize
|
||||
)
|
||||
@@ -194,7 +194,7 @@ SanitizePrimaryHeaderAllocationSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePrimaryHeaderGptEventSize (
|
||||
+TpmSanitizePrimaryHeaderGptEventSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN UINTN NumberOfPartition,
|
||||
OUT UINT32 *EventSize
|
||||
@@ -258,7 +258,7 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePeImageEventSize (
|
||||
+TpmSanitizePeImageEventSize (
|
||||
IN UINT32 FilePathSize,
|
||||
OUT UINT32 *EventSize
|
||||
)
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
index 2248495813..db6e9c3752 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
@@ -53,7 +53,7 @@
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizeEfiPartitionTableHeader (
|
||||
+TpmSanitizeEfiPartitionTableHeader (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
|
||||
);
|
||||
@@ -77,7 +77,7 @@ SanitizeEfiPartitionTableHeader (
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
-SanitizePrimaryHeaderAllocationSize (
|
||||
+TpmSanitizePrimaryHeaderAllocationSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
OUT UINT32 *AllocationSize
|
||||
);
|
||||
@@ -105,7 +105,7 @@ SanitizePrimaryHeaderAllocationSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePrimaryHeaderGptEventSize (
|
||||
+TpmSanitizePrimaryHeaderGptEventSize (
|
||||
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
IN UINTN NumberOfPartition,
|
||||
OUT UINT32 *EventSize
|
||||
@@ -129,7 +129,7 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
One of the passed parameters was invalid.
|
||||
**/
|
||||
EFI_STATUS
|
||||
-SanitizePeImageEventSize (
|
||||
+TpmSanitizePeImageEventSize (
|
||||
IN UINT32 FilePathSize,
|
||||
OUT UINT32 *EventSize
|
||||
);
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
index c41498be45..de1740af41 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
@@ -83,27 +83,27 @@ TestSanitizeEfiPartitionTableHeader (
|
||||
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
|
||||
|
||||
// Test that a normal PrimaryHeader passes validation
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
|
||||
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
|
||||
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
|
||||
PrimaryHeader.NumberOfPartitionEntries = 0;
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
|
||||
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
|
||||
// Should print "Invalid Partition Table Header Size!"
|
||||
PrimaryHeader.Header.HeaderSize = 0;
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
|
||||
|
||||
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
|
||||
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
|
||||
PrimaryHeader.SizeOfPartitionEntry = 1;
|
||||
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
|
||||
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
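Review bot: In the context line after the zero-entries case, NumberOfPartitionEntries is restored with DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY instead of DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES, so the header does not return to its baseline before the HeaderSize and SizeOfPartitionEntry cases run. The later assertions still hold because the substituted value is a non-zero count, but the test no longer isolates one bad field at a time; restore with the NUMBER_OF_PARTITION_ENTRIES constant. While here, the comment above it ends with a doubled quote after "NumberOfPartitionEntries!".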
@@ -136,7 +136,7 @@ TestSanitizePrimaryHeaderAllocationSize (
|
||||
PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
|
||||
// Test that the allocation size is correct compared to the existing logic
|
||||
@@ -145,19 +145,19 @@ TestSanitizePrimaryHeaderAllocationSize (
|
||||
// Test that an overflow is detected
|
||||
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
|
||||
PrimaryHeader.SizeOfPartitionEntry = 5;
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
// Test the inverse
|
||||
PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
// Test the worst case scenario
|
||||
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
|
||||
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
@@ -195,7 +195,7 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
NumberOfPartition = 13;
|
||||
|
||||
// that the primary event size is correct
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
|
||||
// Calculate the existing logic event size
|
||||
@@ -206,12 +206,12 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
|
||||
|
||||
// Tests that the primary event size may not overflow
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
// Test that the size of partition entries may not overflow
|
||||
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
|
||||
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
@@ -269,7 +269,7 @@ TestSanitizePeImageEventSize (
|
||||
FilePathSize = 255;
|
||||
|
||||
// Test that a normal PE image passes validation
|
||||
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
|
||||
goto Exit;
|
||||
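Review bot: The UT_LOG_ERROR string in the failure branch still reads "SanitizePeImageEventSize failed with %r" although the call two lines above is now TpmSanitizePeImageEventSize. Rename the symbol in the message as part of this change, so a failing host-test log names a function that exists in this library and is not confused with the DxeTpm2MeasureBootLib one.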
@@ -285,7 +285,7 @@ TestSanitizePeImageEventSize (
|
||||
}
|
||||
|
||||
// Test that the event size may not overflow
|
||||
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
|
||||
+ Status = TpmSanitizePeImageEventSize (MAX_UINT32, &EventSize);
|
||||
if (Status != EFI_BAD_BUFFER_SIZE) {
|
||||
UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
|
||||
goto Exit;
|
||||
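Review bot: The UT_LOG_ERROR text in the overflow case, "succeded when it was supposed to fail with %r", is passed Status, so the log prints the status that was actually returned where the wording suggests the expected one, and "succeded" is misspelled. Reword it to state both values explicitly, for example that TpmSanitizePeImageEventSize returned %r and EFI_BAD_BUFFER_SIZE was expected.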
--
|
||||
2.41.0
|
||||
|
960
edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
Normal file
@ -0,0 +1,960 @@
|
||||
From cb36d95002013ae8d4e5120383cd756a2a6c4124 Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 17 Jan 2024 12:20:52 -0500
|
||||
Subject: [PATCH 07/17] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117
|
||||
- CVE 2022-36763
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
|
||||
RH-Jira: RHEL-21154 RHEL-21156
|
||||
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
RH-Commit: [7/13] f5a5d2b0a33dc1efdb83e501eda2716df0e904a0 (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21154
|
||||
CVE: CVE-2022-36763
|
||||
Upstream: Merged
|
||||
Conflicts: We get function definition clash for the following three functions:
|
||||
- SanitizeEfiPartitionTableHeader()
|
||||
- SanitizePrimaryHeaderAllocationSize()
|
||||
- SanitizePrimaryHeaderGptEventSize()
|
||||
Those are defined both in
|
||||
- SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitazion.c
|
||||
and
|
||||
- SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitazion.c
|
||||
Closer investigation reveals that they are identical in functionality (although
|
||||
not in comment style).
|
||||
I chose to leave them as is now, meaning that this package will be
|
||||
unbuildable until I add a commit renaming these symbols later in
|
||||
this series.
|
||||
|
||||
commit 4776a1b39ee08fc45c70c1eab5a0195f325000d3
|
||||
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Date: Fri Jan 12 02:16:02 2024 +0800
|
||||
|
||||
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763
|
||||
|
||||
This commit contains the patch files and tests for DxeTpmMeasureBootLib
|
||||
CVE 2022-36763.
|
||||
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
.../DxeTpmMeasureBootLib.c | 74 +++--
|
||||
.../DxeTpmMeasureBootLib.inf | 4 +-
|
||||
.../DxeTpmMeasureBootLibSanitization.c | 242 ++++++++++++++
|
||||
.../DxeTpmMeasureBootLibSanitization.h | 114 +++++++
|
||||
.../DxeTpmMeasureBootLibSanitizationTest.c | 301 ++++++++++++++++++
|
||||
...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++
|
||||
SecurityPkg/SecurityPkg.ci.yaml | 1 +
|
||||
SecurityPkg/Test/SecurityPkgHostTest.dsc | 1 +
|
||||
8 files changed, 734 insertions(+), 31 deletions(-)
|
||||
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
index 27c0ea48ca..d44422dee8 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
@@ -18,6 +18,8 @@
|
||||
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
+Copyright (c) Microsoft Corporation.<BR>
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
**/
|
||||
|
||||
#include <PiDxe.h>
|
||||
@@ -40,6 +42,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#include <Library/SecurityManagementLib.h>
|
||||
#include <Library/HobLib.h>
|
||||
|
||||
+#include "DxeTpmMeasureBootLibSanitization.h"
|
||||
+
|
||||
//
|
||||
// Flag to check GPT partition. It only need be measured once.
|
||||
//
|
||||
@@ -123,19 +127,22 @@ TcgMeasureGptTable (
|
||||
IN EFI_HANDLE GptHandle
|
||||
)
|
||||
{
|
||||
- EFI_STATUS Status;
|
||||
- EFI_BLOCK_IO_PROTOCOL *BlockIo;
|
||||
- EFI_DISK_IO_PROTOCOL *DiskIo;
|
||||
- EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
|
||||
- EFI_PARTITION_ENTRY *PartitionEntry;
|
||||
- UINT8 *EntryPtr;
|
||||
- UINTN NumberOfPartition;
|
||||
- UINT32 Index;
|
||||
- TCG_PCR_EVENT *TcgEvent;
|
||||
- EFI_GPT_DATA *GptData;
|
||||
- UINT32 EventSize;
|
||||
- UINT32 EventNumber;
|
||||
- EFI_PHYSICAL_ADDRESS EventLogLastEntry;
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_BLOCK_IO_PROTOCOL *BlockIo;
|
||||
+ EFI_DISK_IO_PROTOCOL *DiskIo;
|
||||
+ EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
|
||||
+ EFI_PARTITION_ENTRY *PartitionEntry;
|
||||
+ UINT8 *EntryPtr;
|
||||
+ UINTN NumberOfPartition;
|
||||
+ UINT32 Index;
|
||||
+ TCG_PCR_EVENT *TcgEvent;
|
||||
+ EFI_GPT_DATA *GptData;
|
||||
+ UINT32 EventSize;
|
||||
+ UINT32 EventNumber;
|
||||
+ EFI_PHYSICAL_ADDRESS EventLogLastEntry;
|
||||
+ UINT32 AllocSize;
|
||||
+
|
||||
+ GptData = NULL;
|
||||
|
||||
if (mMeasureGptCount > 0) {
|
||||
return EFI_SUCCESS;
|
||||
@@ -163,15 +170,21 @@ TcgMeasureGptTable (
|
||||
BlockIo->Media->BlockSize,
|
||||
(UINT8 *)PrimaryHeader
|
||||
);
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
|
||||
+ if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
|
||||
FreePool (PrimaryHeader);
|
||||
return EFI_DEVICE_ERROR;
|
||||
}
|
||||
//
|
||||
// Read the partition entry.
|
||||
//
|
||||
- EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
|
||||
+ Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ FreePool (PrimaryHeader);
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ EntryPtr = (UINT8 *)AllocatePool (AllocSize);
|
||||
if (EntryPtr == NULL) {
|
||||
FreePool (PrimaryHeader);
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
@@ -179,8 +192,8 @@ TcgMeasureGptTable (
|
||||
Status = DiskIo->ReadDisk (
|
||||
DiskIo,
|
||||
BlockIo->Media->MediaId,
|
||||
- MultU64x32(PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
|
||||
- PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
|
||||
+ MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
|
||||
+ AllocSize,
|
||||
EntryPtr
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
@@ -204,19 +217,18 @@ TcgMeasureGptTable (
|
||||
//
|
||||
// Prepare Data for Measurement
|
||||
//
|
||||
- EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
|
||||
- + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
|
||||
- TcgEvent = (TCG_PCR_EVENT *) AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT_HDR));
|
||||
+ Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
|
||||
if (TcgEvent == NULL) {
|
||||
FreePool (PrimaryHeader);
|
||||
FreePool (EntryPtr);
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
- TcgEvent->PCRIndex = 5;
|
||||
- TcgEvent->EventType = EV_EFI_GPT_EVENT;
|
||||
- TcgEvent->EventSize = EventSize;
|
||||
- GptData = (EFI_GPT_DATA *) TcgEvent->Event;
|
||||
+ TcgEvent->PCRIndex = 5;
|
||||
+ TcgEvent->EventType = EV_EFI_GPT_EVENT;
|
||||
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
|
||||
+ GptData = (EFI_GPT_DATA *)TcgEvent->Event;
|
||||
|
||||
//
|
||||
// Copy the EFI_PARTITION_TABLE_HEADER and NumberOfPartition
|
||||
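Review bot: The Status returned by SanitizePrimaryHeaderGptEventSize is assigned but never tested before EventSize is handed to AllocateZeroPool, so a failed overflow check does not stop the measurement path. The other sanitizer calls added to TcgMeasureGptTable bail out on EFI_ERROR (Status); do the same here, freeing PrimaryHeader and EntryPtr before returning. That also protects the new `EventSize - sizeof (TCG_PCR_EVENT_HDR)` assignment, which is only meaningful when the helper succeeded and EventSize includes the header.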
@@ -354,11 +366,13 @@ TcgMeasurePeImage (
|
||||
TcgEvent->PCRIndex = 2;
|
||||
break;
|
||||
default:
|
||||
- DEBUG ((
|
||||
- DEBUG_ERROR,
|
||||
- "TcgMeasurePeImage: Unknown subsystem type %d",
|
||||
- ImageType
|
||||
- ));
|
||||
+ DEBUG (
|
||||
+ (
|
||||
+ DEBUG_ERROR,
|
||||
+ "TcgMeasurePeImage: Unknown subsystem type %d",
|
||||
+ ImageType
|
||||
+ )
|
||||
+ );
|
||||
goto Finish;
|
||||
}
|
||||
|
||||
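Review bot: The default branch of the switch only re-wraps the DEBUG call; the message and control flow are unchanged. In a CVE fix this is review noise, so consider leaving it out of the security patch. If the line is touched anyway, terminate the format string "TcgMeasurePeImage: Unknown subsystem type %d" with \n like the other DEBUG_ERROR messages added in this change.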
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
|
||||
index ebab6f7c1e..414c654d15 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
|
||||
@@ -32,6 +32,8 @@
|
||||
|
||||
[Sources]
|
||||
DxeTpmMeasureBootLib.c
|
||||
+ DxeTpmMeasureBootLibSanitization.c
|
||||
+ DxeTpmMeasureBootLibSanitization.h
|
||||
|
||||
[Packages]
|
||||
MdePkg/MdePkg.dec
|
||||
@@ -41,6 +43,7 @@
|
||||
|
||||
[LibraryClasses]
|
||||
BaseMemoryLib
|
||||
+ SafeIntLib
|
||||
DebugLib
|
||||
MemoryAllocationLib
|
||||
DevicePathLib
|
||||
@@ -59,4 +62,3 @@
|
||||
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
|
||||
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
|
||||
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
|
||||
-
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
new file mode 100644
|
||||
index 0000000000..37cd3ed0ea
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
@@ -0,0 +1,242 @@
|
||||
+/** @file
|
||||
+ The library instance provides security service of TPM2 measure boot and
|
||||
+ Confidential Computing (CC) measure boot.
|
||||
+
|
||||
+ Caution: This file requires additional review when modified.
|
||||
+ This library will have external input - PE/COFF image and GPT partition.
|
||||
+ This external input must be validated carefully to avoid security issue like
|
||||
+ buffer overflow, integer overflow.
|
||||
+
|
||||
+ This file will pull out the validation logic from the following functions, in an
|
||||
+ attempt to validate the untrusted input in the form of unit tests
|
||||
+
|
||||
+ These are those functions:
|
||||
+
|
||||
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
|
||||
+ read is within the image buffer.
|
||||
+
|
||||
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
|
||||
+ partition data carefully.
|
||||
+
|
||||
+ Copyright (c) Microsoft Corporation.<BR>
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+#include <Uefi.h>
|
||||
+#include <Uefi/UefiSpec.h>
|
||||
+#include <Library/SafeIntLib.h>
|
||||
+#include <Library/UefiLib.h>
|
||||
+#include <Library/DebugLib.h>
|
||||
+#include <Library/BaseLib.h>
|
||||
+#include <IndustryStandard/UefiTcgPlatform.h>
|
||||
+#include <Protocol/BlockIo.h>
|
||||
+#include <Library/MemoryAllocationLib.h>
|
||||
+
|
||||
+#include "DxeTpmMeasureBootLibSanitization.h"
|
||||
+
|
||||
+#define GPT_HEADER_REVISION_V1 0x00010000
|
||||
+
|
||||
+/**
|
||||
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
|
||||
+ However this function will not attempt to verify the validity of the GPT partition
|
||||
+ It will check the following:
|
||||
+ - Signature
|
||||
+ - Revision
|
||||
+ - AlternateLBA
|
||||
+ - FirstUsableLBA
|
||||
+ - LastUsableLBA
|
||||
+ - PartitionEntryLBA
|
||||
+ - NumberOfPartitionEntries
|
||||
+ - SizeOfPartitionEntry
|
||||
+ - BlockIo
|
||||
+
|
||||
+ @param[in] PrimaryHeader
|
||||
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
|
||||
+
|
||||
+ @param[in] BlockIo
|
||||
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SanitizeEfiPartitionTableHeader (
|
||||
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
|
||||
+ )
|
||||
+{
|
||||
+ // Verify that the input parameters are safe to use
|
||||
+ if (PrimaryHeader == NULL) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ if ((BlockIo == NULL) || (BlockIo->Media == NULL)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n"));
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII)
|
||||
+ if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ // The version must be GPT_HEADER_REVISION_V1 (0x00010000)
|
||||
+ if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n"));
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size
|
||||
+ if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n"));
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ // check that the PartitionEntryLBA greater than the Max LBA
|
||||
+ // This will be used later for multiplication
|
||||
+ if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n"));
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ // Check that the number of partition entries is greater than zero
|
||||
+ if (PrimaryHeader->NumberOfPartitionEntries == 0) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory
|
||||
+ if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n"));
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ // This check is to prevent overflow when calculating the allocation size for the partition entries
|
||||
+ // This check will be used later for multiplication
|
||||
+ if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This function will validate that the allocation size from the primary header is sane
|
||||
+ It will check the following:
|
||||
+ - AllocationSize does not overflow
|
||||
+
|
||||
+ @param[in] PrimaryHeader
|
||||
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
|
||||
+
|
||||
+ @param[out] AllocationSize
|
||||
+ Pointer to the allocation size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The allocation size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ The allocation size is invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SanitizePrimaryHeaderAllocationSize (
|
||||
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
+ OUT UINT32 *AllocationSize
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ if (PrimaryHeader == NULL) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ if (AllocationSize == NULL) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ // Replacing logic:
|
||||
+ // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry;
|
||||
+ Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n"));
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
|
||||
+ It will check the following:
|
||||
+ - EventSize does not overflow
|
||||
+
|
||||
+ Important: This function includes the entire length of the allocated space, including the
|
||||
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
|
||||
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
|
||||
+
|
||||
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
|
||||
+ @param[in] NumberOfPartition - Number of partitions.
|
||||
+ @param[out] EventSize - Pointer to the event size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The event size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ Overflow would have occurred.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ One of the passed parameters was invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+SanitizePrimaryHeaderGptEventSize (
|
||||
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
+ IN UINTN NumberOfPartition,
|
||||
+ OUT UINT32 *EventSize
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+ UINT32 SafeNumberOfPartitions;
|
||||
+
|
||||
+ if (PrimaryHeader == NULL) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ if (EventSize == NULL) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32
|
||||
+ Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n"));
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ // Replacing logic:
|
||||
+ // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry + sizeof (TCG_PCR_EVENT_HDR));
|
||||
+ Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n"));
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ Status = SafeUint32Add (
|
||||
+ sizeof (TCG_PCR_EVENT_HDR) +
|
||||
+ OFFSET_OF (EFI_GPT_DATA, Partitions),
|
||||
+ *EventSize,
|
||||
+ EventSize
|
||||
+ );
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n"));
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
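Review bot: The last check in SanitizeEfiPartitionTableHeader compares NumberOfPartitionEntries against DivU64x32 (MAX_UINT64, SizeOfPartitionEntry), but both fields are passed to SafeUint32Mult as 32-bit operands further down, and a 32-bit count can never exceed a 64-bit maximum divided by a 32-bit size. As written the branch never rejects anything; the effective guard is SafeUint32Mult in SanitizePrimaryHeaderAllocationSize. Either bound the product against MAX_UINT32 here or drop the check and its "prevent overflow" comment. Separately, the function comment lists AlternateLBA, FirstUsableLBA and LastUsableLBA as checked although no code below reads them, and the file header describes TPM2/CC measure boot and Tcg2MeasureGptTable() in a DxeTpmMeasureBootLib source file.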
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
new file mode 100644
|
||||
index 0000000000..0d9d00c281
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
@@ -0,0 +1,114 @@
|
||||
+/** @file
|
||||
+ This file includes the function prototypes for the sanitization functions.
|
||||
+
|
||||
+ These are those functions:
|
||||
+
|
||||
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
|
||||
+ read is within the image buffer.
|
||||
+
|
||||
+ TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
|
||||
+ data structure within this image buffer before use.
|
||||
+
|
||||
+ TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
|
||||
+ partition data carefully.
|
||||
+
|
||||
+ Copyright (c) Microsoft Corporation.<BR>
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#ifndef DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
|
||||
+#define DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
|
||||
+
|
||||
+#include <Uefi.h>
|
||||
+#include <Uefi/UefiSpec.h>
|
||||
+#include <Protocol/BlockIo.h>
|
||||
+#include <IndustryStandard/UefiTcgPlatform.h>
|
||||
+
|
||||
+/**
|
||||
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
|
||||
+ However this function will not attempt to verify the validity of the GPT partition
|
||||
+ It will check the following:
|
||||
+ - Signature
|
||||
+ - Revision
|
||||
+ - AlternateLBA
|
||||
+ - FirstUsableLBA
|
||||
+ - LastUsableLBA
|
||||
+ - PartitionEntryLBA
|
||||
+ - NumberOfPartitionEntries
|
||||
+ - SizeOfPartitionEntry
|
||||
+ - BlockIo
|
||||
+
|
||||
+ @param[in] PrimaryHeader
|
||||
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
|
||||
+
|
||||
+ @param[in] BlockIo
|
||||
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SanitizeEfiPartitionTableHeader (
|
||||
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ This function will validate that the allocation size from the primary header is sane
|
||||
+ It will check the following:
|
||||
+ - AllocationSize does not overflow
|
||||
+
|
||||
+ @param[in] PrimaryHeader
|
||||
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
|
||||
+
|
||||
+ @param[out] AllocationSize
|
||||
+ Pointer to the allocation size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The allocation size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ The allocation size is invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SanitizePrimaryHeaderAllocationSize (
|
||||
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
+ OUT UINT32 *AllocationSize
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
|
||||
+ It will check the following:
|
||||
+ - EventSize does not overflow
|
||||
+
|
||||
+ Important: This function includes the entire length of the allocated space, including the
|
||||
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
|
||||
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
|
||||
+
|
||||
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
|
||||
+ @param[in] NumberOfPartition - Number of partitions.
|
||||
+ @param[out] EventSize - Pointer to the event size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The event size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ Overflow would have occurred.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ One of the passed parameters was invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+SanitizePrimaryHeaderGptEventSize (
|
||||
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
|
||||
+ IN UINTN NumberOfPartition,
|
||||
+ OUT UINT32 *EventSize
|
||||
+ );
|
||||
+
|
||||
+#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
|
||||
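Review bot: The @retval lists in this header do not match what callers receive: the allocation-size and event-size prototypes document EFI_OUT_OF_RESOURCES for overflow, while the unit tests in this series assert EFI_BAD_BUFFER_SIZE, and SanitizeEfiPartitionTableHeader documents only EFI_INVALID_PARAMETER for a bad header where the tests expect EFI_DEVICE_ERROR. Callers read the header, so align the comments with the codes actually returned. The file comment also names DxeTpmMeasureBootLibImageRead() and TcgMeasurePeImage(), but no PE-image prototype is declared in this hunk.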
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
new file mode 100644
|
||||
index 0000000000..eeb928cdb0
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
@@ -0,0 +1,301 @@
|
||||
+/** @file
|
||||
+This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
|
||||
+
|
||||
+Copyright (c) Microsoft Corporation.<BR>
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+
|
||||
+#include <Uefi.h>
|
||||
+#include <Library/UefiLib.h>
|
||||
+#include <Library/DebugLib.h>
|
||||
+#include <Library/UnitTestLib.h>
|
||||
+#include <Protocol/BlockIo.h>
|
||||
+#include <Library/MemoryAllocationLib.h>
|
||||
+#include <Library/BaseMemoryLib.h>
|
||||
+#include <IndustryStandard/UefiTcgPlatform.h>
|
||||
+
|
||||
+#include "../DxeTpmMeasureBootLibSanitization.h"
|
||||
+
|
||||
+#define UNIT_TEST_NAME "DxeTpmMeasureBootLibSanitizationTest"
|
||||
+#define UNIT_TEST_VERSION "1.0"
|
||||
+
|
||||
+#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION 0x00010000
|
||||
+#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES 1
|
||||
+#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY 128
|
||||
+
|
||||
+/**
|
||||
+ This function tests the SanitizeEfiPartitionTableHeader function.
|
||||
+ It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER
|
||||
+ structure will not cause undefined or unexpected behavior.
|
||||
+
|
||||
+ In general the TPM should still be able to measure the data, but
|
||||
+ be the header should be sanitized to prevent any unexpected behavior.
|
||||
+
|
||||
+ @param[in] Context The unit test context.
|
||||
+
|
||||
+ @retval UNIT_TEST_PASSED The test passed.
|
||||
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
|
||||
+**/
|
||||
+UNIT_TEST_STATUS
|
||||
+EFIAPI
|
||||
+TestSanitizeEfiPartitionTableHeader (
|
||||
+ IN UNIT_TEST_CONTEXT Context
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
|
||||
+ EFI_BLOCK_IO_PROTOCOL BlockIo;
|
||||
+ EFI_BLOCK_IO_MEDIA BlockMedia;
|
||||
+
|
||||
+ // Generate EFI_BLOCK_IO_MEDIA test data
|
||||
+ BlockMedia.MediaId = 1;
|
||||
+ BlockMedia.RemovableMedia = FALSE;
|
||||
+ BlockMedia.MediaPresent = TRUE;
|
||||
+ BlockMedia.LogicalPartition = FALSE;
|
||||
+ BlockMedia.ReadOnly = FALSE;
|
||||
+ BlockMedia.WriteCaching = FALSE;
|
||||
+ BlockMedia.BlockSize = 512;
|
||||
+ BlockMedia.IoAlign = 1;
|
||||
+ BlockMedia.LastBlock = 0;
|
||||
+
|
||||
+ // Generate EFI_BLOCK_IO_PROTOCOL test data
|
||||
+ BlockIo.Revision = 1;
|
||||
+ BlockIo.Media = &BlockMedia;
|
||||
+ BlockIo.Reset = NULL;
|
||||
+ BlockIo.ReadBlocks = NULL;
|
||||
+ BlockIo.WriteBlocks = NULL;
|
||||
+ BlockIo.FlushBlocks = NULL;
|
||||
+
|
||||
+ // Geneate EFI_PARTITION_TABLE_HEADER test data
|
||||
+ PrimaryHeader.Header.Signature = EFI_PTAB_HEADER_ID;
|
||||
+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
|
||||
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
|
||||
+ PrimaryHeader.MyLBA = 1;
|
||||
+ PrimaryHeader.AlternateLBA = 2;
|
||||
+ PrimaryHeader.FirstUsableLBA = 3;
|
||||
+ PrimaryHeader.LastUsableLBA = 4;
|
||||
+ PrimaryHeader.PartitionEntryLBA = 5;
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
|
||||
+
|
||||
+ // Calculate the CRC32 of the PrimaryHeader
|
||||
+ PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
|
||||
+
|
||||
+ // Test that a normal PrimaryHeader passes validation
|
||||
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
+
|
||||
+ // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
|
||||
+ // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = 0;
|
||||
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
+
|
||||
+ // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
|
||||
+ // Should print "Invalid Partition Table Header Size!"
|
||||
+ PrimaryHeader.Header.HeaderSize = 0;
|
||||
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
|
||||
+
|
||||
+ // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
|
||||
+ // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = 1;
|
||||
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
+
|
||||
+ return UNIT_TEST_PASSED;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This function tests the SanitizePrimaryHeaderAllocationSize function.
|
||||
+ It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER
|
||||
+ structure will not cause an overflow when calculating the allocation size.
|
||||
+
|
||||
+ @param[in] Context The unit test context.
|
||||
+
|
||||
+ @retval UNIT_TEST_PASSED The test passed.
|
||||
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
|
||||
+**/
|
||||
+UNIT_TEST_STATUS
|
||||
+EFIAPI
|
||||
+TestSanitizePrimaryHeaderAllocationSize (
|
||||
+ IN UNIT_TEST_CONTEXT Context
|
||||
+ )
|
||||
+{
|
||||
+ UINT32 AllocationSize;
|
||||
+
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
|
||||
+
|
||||
+ // Test that a normal PrimaryHeader passes validation
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
+
|
||||
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
+
|
||||
+ // Test that the allocation size is correct compared to the existing logic
|
||||
+ UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry);
|
||||
+
|
||||
+ // Test that an overflow is detected
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = 5;
|
||||
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
+
|
||||
+ // Test the inverse
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
+
|
||||
+ // Test the worst case scenario
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
+
|
||||
+ return UNIT_TEST_PASSED;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This function tests the SanitizePrimaryHeaderGptEventSize function.
|
||||
+ It's intent is to test that the untrusted input from a EFI_GPT_DATA structure
|
||||
+ will not cause an overflow when calculating the event size.
|
||||
+
|
||||
+ @param[in] Context The unit test context.
|
||||
+
|
||||
+ @retval UNIT_TEST_PASSED The test passed.
|
||||
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
|
||||
+**/
|
||||
+UNIT_TEST_STATUS
|
||||
+EFIAPI
|
||||
+TestSanitizePrimaryHeaderGptEventSize (
|
||||
+ IN UNIT_TEST_CONTEXT Context
|
||||
+ )
|
||||
+{
|
||||
+ UINT32 EventSize;
|
||||
+ UINT32 ExistingLogicEventSize;
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
|
||||
+ UINTN NumberOfPartition;
|
||||
+ EFI_GPT_DATA *GptData;
|
||||
+
|
||||
+ GptData = NULL;
|
||||
+
|
||||
+ // Test that a normal PrimaryHeader passes validation
|
||||
+ PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
|
||||
+
|
||||
+ // set the number of partitions
|
||||
+ NumberOfPartition = 13;
|
||||
+
|
||||
+ // that the primary event size is correct
|
||||
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ UT_ASSERT_NOT_EFI_ERROR (Status);
|
||||
+
|
||||
+ // Calculate the existing logic event size
|
||||
+ ExistingLogicEventSize = (UINT32)(sizeof (TCG_PCR_EVENT_HDR) + OFFSET_OF (EFI_GPT_DATA, Partitions)
|
||||
+ + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
|
||||
+
|
||||
+ // Check that the event size is correct
|
||||
+ UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
|
||||
+
|
||||
+ // Tests that the primary event size may not overflow
|
||||
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
+
|
||||
+ // Test that the size of partition entries may not overflow
|
||||
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
|
||||
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
|
||||
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
+
|
||||
+ return UNIT_TEST_PASSED;
|
||||
+}
|
||||
+
|
||||
+// *--------------------------------------------------------------------*
|
||||
+// * Unit Test Code Main Function
|
||||
+// *--------------------------------------------------------------------*
|
||||
+
|
||||
+/**
|
||||
+ This function acts as the entry point for the unit tests.
|
||||
+
|
||||
+ @param argc - The number of command line arguments
|
||||
+ @param argv - The command line arguments
|
||||
+
|
||||
+ @return int - The status of the test
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+UefiTestMain (
|
||||
+ VOID
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+ UNIT_TEST_FRAMEWORK_HANDLE Framework;
|
||||
+ UNIT_TEST_SUITE_HANDLE TcgMeasureBootLibValidationTestSuite;
|
||||
+
|
||||
+ Framework = NULL;
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME));
|
||||
+
|
||||
+ Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status));
|
||||
+ goto EXIT;
|
||||
+ }
|
||||
+
|
||||
+ Status = CreateUnitTestSuite (&TcgMeasureBootLibValidationTestSuite, Framework, "TcgMeasureBootLibValidationTestSuite", "Common.TcgMeasureBootLibValidation", NULL, NULL);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for TcgMeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME));
|
||||
+ Status = EFI_OUT_OF_RESOURCES;
|
||||
+ goto EXIT;
|
||||
+ }
|
||||
+
|
||||
+ // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context
|
||||
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
|
||||
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
|
||||
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
|
||||
+
|
||||
+ Status = RunAllTestSuites (Framework);
|
||||
+
|
||||
+EXIT:
|
||||
+ if (Framework != NULL) {
|
||||
+ FreeUnitTestFramework (Framework);
|
||||
+ }
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME));
|
||||
+ return Status;
|
||||
+}
|
||||
+
|
||||
+///
|
||||
+/// Avoid ECC error for function name that starts with lower case letter
|
||||
+///
|
||||
+#define DxeTpmMeasureBootLibUnitTestMain main
|
||||
+
|
||||
+/**
|
||||
+ Standard POSIX C entry point for host based unit test execution.
|
||||
+
|
||||
+ @param[in] Argc Number of arguments
|
||||
+ @param[in] Argv Array of pointers to arguments
|
||||
+
|
||||
+ @retval 0 Success
|
||||
+ @retval other Error
|
||||
+**/
|
||||
+INT32
|
||||
+DxeTpmMeasureBootLibUnitTestMain (
|
||||
+ IN INT32 Argc,
|
||||
+ IN CHAR8 *Argv[]
|
||||
+ )
|
||||
+{
|
||||
+ return (INT32)UefiTestMain ();
|
||||
+}
|
||||
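Review bot: In TestSanitizeEfiPartitionTableHeader, the line that restores the field after the zero-entries case assigns the wrong macro: `PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;` sets the count to 128 instead of back to DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES (1). Because every negative case asserts the same EFI_DEVICE_ERROR, a header left in an unintended state can let a later case pass for the wrong reason; restore with the NUMBER_OF_PARTITION_ENTRIES macro. Two smaller points in UefiTestMain: the CreateUnitTestSuite failure message formats the ASCII UNIT_TEST_NAME with `%s` where the neighbouring DEBUG calls use `%a`, and the descriptions passed to the second and third AddTestCase calls are swapped relative to the test functions they register.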
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
|
||||
new file mode 100644
|
||||
index 0000000000..47b0811b00
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
|
||||
@@ -0,0 +1,28 @@
|
||||
+## @file
|
||||
+# This file builds the unit tests for DxeTpmMeasureBootLib
|
||||
+#
|
||||
+# Copyright (C) Microsoft Corporation.<BR>
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
+ INF_VERSION = 0x00010006
|
||||
+ BASE_NAME = DxeTpmMeasuredBootLibTest
|
||||
+ FILE_GUID = eb01bc38-309c-4d3e-967e-9f078c90772f
|
||||
+ MODULE_TYPE = HOST_APPLICATION
|
||||
+ VERSION_STRING = 1.0
|
||||
+ ENTRY_POINT = main
|
||||
+
|
||||
+[Sources]
|
||||
+ DxeTpmMeasureBootLibSanitizationTest.c
|
||||
+ ../DxeTpmMeasureBootLibSanitization.c
|
||||
+
|
||||
+[Packages]
|
||||
+ MdePkg/MdePkg.dec
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+ BaseLib
|
||||
+ DebugLib
|
||||
+ UnitTestLib
|
||||
+ PrintLib
|
||||
+ SafeIntLib
|
||||
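Review bot: BASE_NAME is spelled `DxeTpmMeasuredBootLibTest` ("Measured"), which matches neither the library name DxeTpmMeasureBootLib nor this file's own name, DxeTpmMeasureBootLibSanitizationTestHost.inf; align it so the built host binary can be matched to the library under test. The test source added in this patch also includes Library/MemoryAllocationLib.h and Library/BaseMemoryLib.h, and neither class is listed under [LibraryClasses]: drop the includes or declare the classes.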
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
|
||||
index aa8496d6d9..26865cb15a 100644
|
||||
--- a/SecurityPkg/SecurityPkg.ci.yaml
|
||||
+++ b/SecurityPkg/SecurityPkg.ci.yaml
|
||||
@@ -17,6 +17,7 @@
|
||||
"ExceptionList": [
|
||||
"8005", "gRT",
|
||||
"8001", "DxeTpm2MeasureBootLibUnitTestMain",
|
||||
+ "8001", "DxeTpmMeasureBootLibUnitTestMain"
|
||||
],
|
||||
## Both file path and directory path are accepted.
|
||||
"IgnoreFiles": [
|
||||
diff --git a/SecurityPkg/Test/SecurityPkgHostTest.dsc b/SecurityPkg/Test/SecurityPkgHostTest.dsc
|
||||
index 788c1ab6fe..1655e573ea 100644
|
||||
--- a/SecurityPkg/Test/SecurityPkgHostTest.dsc
|
||||
+++ b/SecurityPkg/Test/SecurityPkgHostTest.dsc
|
||||
@@ -27,6 +27,7 @@
|
||||
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
|
||||
SecurityPkg/Test/Mock/Library/GoogleTest/MockPlatformPKProtectionLib/MockPlatformPKProtectionLib.inf
|
||||
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
|
||||
+ SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
|
||||
|
||||
#
|
||||
# Build SecurityPkg HOST_APPLICATION Tests
|
||||
--
|
||||
2.41.0
|
||||
|
307
edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
Normal file
@ -0,0 +1,307 @@
|
||||
From f6f72373630d901f331df719a0fb55e8f1143c4f Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Wed, 7 Feb 2024 15:43:10 -0500
|
||||
Subject: [PATCH 10/17] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118
|
||||
- CVE 2022-36764
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
|
||||
RH-Jira: RHEL-21154 RHEL-21156
|
||||
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
RH-Commit: [10/13] 5ed702e16f390c79d1abb0ec0b04d886e0094c0b (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21156
|
||||
CVE: CVE-2022-36764
|
||||
Upstream: Merged
|
||||
Conflicts: We get function definition clash for the following three functions:
|
||||
- SanitizePeImageEventSize()
|
||||
This is defined both in
|
||||
- SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitazion.c
|
||||
and
|
||||
- SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitazion.c
|
||||
Closer investigation reveals that they are identical in functionality (although
|
||||
not in comment style).
|
||||
I chose to leave them as is now, meaning that this package will be
|
||||
unbuildable until I add a commit renaming these symbols later in
|
||||
this series.
|
||||
|
||||
commit 0d341c01eeabe0ab5e76693b36e728b8f538a40e
|
||||
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Date: Fri Jan 12 02:16:05 2024 +0800
|
||||
|
||||
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
|
||||
|
||||
This commit contains the patch files and tests for DxeTpmMeasureBootLib
|
||||
CVE 2022-36764.
|
||||
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
.../DxeTpmMeasureBootLib.c | 17 ++--
|
||||
.../DxeTpmMeasureBootLibSanitization.c | 44 +++++++++
|
||||
.../DxeTpmMeasureBootLibSanitization.h | 23 +++++
|
||||
.../DxeTpmMeasureBootLibSanitizationTest.c | 98 +++++++++++++++++--
|
||||
4 files changed, 170 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
index d44422dee8..1598015176 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
|
||||
@@ -17,6 +17,7 @@
|
||||
|
||||
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+Copyright (c) Microsoft Corporation.<BR>
|
||||
|
||||
Copyright (c) Microsoft Corporation.<BR>
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
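Review bot: The added `Copyright (c) Microsoft Corporation.<BR>` line duplicates the notice already present in the unchanged context two lines below it, and it lands after the SPDX-License-Identifier line instead of with the other copyright lines. The context already shows the Microsoft copyright and SPDX tag as a second block, so this looks like backport residue; drop the added line and leave the existing block as it is.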
@@ -338,19 +339,23 @@ TcgMeasurePeImage (
|
||||
ImageLoad = NULL;
|
||||
SectionHeader = NULL;
|
||||
Sha1Ctx = NULL;
|
||||
- FilePathSize = (UINT32) GetDevicePathSize (FilePath);
|
||||
+ TcgEvent = NULL;
|
||||
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);
|
||||
|
||||
- //
|
||||
// Determine destination PCR by BootPolicy
|
||||
//
|
||||
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
|
||||
- TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
|
||||
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ TcgEvent = AllocateZeroPool (EventSize);
|
||||
if (TcgEvent == NULL) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
- TcgEvent->EventSize = EventSize;
|
||||
- ImageLoad = (EFI_IMAGE_LOAD_EVENT *) TcgEvent->Event;
|
||||
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
|
||||
+ ImageLoad = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
|
||||
|
||||
switch (ImageType) {
|
||||
case EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION:
|
||||
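Review bot: The overflow check only sees a value that has already been narrowed: `FilePathSize = (UINT32)GetDevicePathSize (FilePath);` casts the UINTN result to UINT32 before it reaches SanitizePeImageEventSize, so a size above MAX_UINT32 would wrap ahead of the SafeUint32Add calls. Consider a checked narrowing (SafeUintnToUint32 from SafeIntLib) and failing on error. Also, the hunk removes the opening `//` of the "Determine destination PCR by BootPolicy" comment block and leaves that comment above event-size code it does not describe, and the sanitizer's status is replaced with EFI_UNSUPPORTED without a comment saying why.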
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
index 37cd3ed0ea..bcf8c6de6f 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
|
||||
@@ -240,3 +240,47 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
+/**
|
||||
+ This function will validate that the PeImage Event Size from the loaded image is sane
|
||||
+ It will check the following:
|
||||
+ - EventSize does not overflow
|
||||
+
|
||||
+ @param[in] FilePathSize - Size of the file path.
|
||||
+ @param[out] EventSize - Pointer to the event size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The event size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ Overflow would have occurred.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ One of the passed parameters was invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+SanitizePeImageEventSize (
|
||||
+ IN UINT32 FilePathSize,
|
||||
+ OUT UINT32 *EventSize
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ // Replacing logic:
|
||||
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
|
||||
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ // Replacing logic:
|
||||
+ // EventSize + sizeof (TCG_PCR_EVENT_HDR)
|
||||
+ Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
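Review bot: The function comment documents return values the body never produces: it lists `@retval EFI_OUT_OF_RESOURCES` for overflow and `@retval EFI_INVALID_PARAMETER` for invalid parameters, but both failure paths `return EFI_BAD_BUFFER_SIZE;` and there is no check that EventSize is non-NULL before `*EventSize` is read in the second addition. Either document EFI_BAD_BUFFER_SIZE (the unit test in this patch asserts on it) and drop the other two entries, or add the parameter check that EFI_INVALID_PARAMETER implies. The same comment is copied into DxeTpmMeasureBootLibSanitization.h and needs the same correction. The hunk also adds a blank line at end of file.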
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
index 0d9d00c281..2248495813 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
|
||||
@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
|
||||
OUT UINT32 *EventSize
|
||||
);
|
||||
|
||||
+/**
|
||||
+ This function will validate that the PeImage Event Size from the loaded image is sane
|
||||
+ It will check the following:
|
||||
+ - EventSize does not overflow
|
||||
+
|
||||
+ @param[in] FilePathSize - Size of the file path.
|
||||
+ @param[out] EventSize - Pointer to the event size.
|
||||
+
|
||||
+ @retval EFI_SUCCESS
|
||||
+ The event size is valid.
|
||||
+
|
||||
+ @retval EFI_OUT_OF_RESOURCES
|
||||
+ Overflow would have occurred.
|
||||
+
|
||||
+ @retval EFI_INVALID_PARAMETER
|
||||
+ One of the passed parameters was invalid.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+SanitizePeImageEventSize (
|
||||
+ IN UINT32 FilePathSize,
|
||||
+ OUT UINT32 *EventSize
|
||||
+ );
|
||||
+
|
||||
#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
|
||||
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
index eeb928cdb0..c41498be45 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
|
||||
@@ -1,8 +1,8 @@
|
||||
/** @file
|
||||
-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
|
||||
+ This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
|
||||
|
||||
-Copyright (c) Microsoft Corporation.<BR>
|
||||
-SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+ Copyright (c) Microsoft Corporation.<BR>
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
**/
|
||||
|
||||
#include <Uefi.h>
|
||||
@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
EFI_STATUS Status;
|
||||
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
|
||||
UINTN NumberOfPartition;
|
||||
- EFI_GPT_DATA *GptData;
|
||||
-
|
||||
- GptData = NULL;
|
||||
|
||||
// Test that a normal PrimaryHeader passes validation
|
||||
PrimaryHeader.NumberOfPartitionEntries = 5;
|
||||
@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
|
||||
return UNIT_TEST_PASSED;
|
||||
}
|
||||
|
||||
+/**
|
||||
+ This function tests the SanitizePeImageEventSize function.
|
||||
+ It's intent is to test that the untrusted input from a file path for an
|
||||
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
|
||||
+ the event size when allocating space.
|
||||
+
|
||||
+ @param[in] Context The unit test context.
|
||||
+
|
||||
+ @retval UNIT_TEST_PASSED The test passed.
|
||||
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
|
||||
+**/
|
||||
+UNIT_TEST_STATUS
|
||||
+EFIAPI
|
||||
+TestSanitizePeImageEventSize (
|
||||
+ IN UNIT_TEST_CONTEXT Context
|
||||
+ )
|
||||
+{
|
||||
+ UINT32 EventSize;
|
||||
+ UINTN ExistingLogicEventSize;
|
||||
+ UINT32 FilePathSize;
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_DEVICE_PATH_PROTOCOL DevicePath;
|
||||
+ EFI_IMAGE_LOAD_EVENT *ImageLoadEvent;
|
||||
+ UNIT_TEST_STATUS TestStatus;
|
||||
+
|
||||
+ TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
|
||||
+
|
||||
+ // Generate EFI_DEVICE_PATH_PROTOCOL test data
|
||||
+ DevicePath.Type = 0;
|
||||
+ DevicePath.SubType = 0;
|
||||
+ DevicePath.Length[0] = 0;
|
||||
+ DevicePath.Length[1] = 0;
|
||||
+
|
||||
+ // Generate EFI_IMAGE_LOAD_EVENT test data
|
||||
+ ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
|
||||
+ if (ImageLoadEvent == NULL) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
+ // Populate EFI_IMAGE_LOAD_EVENT54 test data
|
||||
+ ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
|
||||
+ ImageLoadEvent->ImageLengthInMemory = 0x1000;
|
||||
+ ImageLoadEvent->ImageLinkTimeAddress = (UINTN)ImageLoadEvent;
|
||||
+ ImageLoadEvent->LengthOfDevicePath = sizeof (EFI_DEVICE_PATH_PROTOCOL);
|
||||
+ CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
|
||||
+
|
||||
+ FilePathSize = 255;
|
||||
+
|
||||
+ // Test that a normal PE image passes validation
|
||||
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
+ // Test that the event size is correct compared to the existing logic
|
||||
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
|
||||
+ ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
|
||||
+
|
||||
+ if (EventSize != ExistingLogicEventSize) {
|
||||
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
+ // Test that the event size may not overflow
|
||||
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
|
||||
+ if (Status != EFI_BAD_BUFFER_SIZE) {
|
||||
+ UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
+ TestStatus = UNIT_TEST_PASSED;
|
||||
+Exit:
|
||||
+
|
||||
+ if (ImageLoadEvent != NULL) {
|
||||
+ FreePool (ImageLoadEvent);
|
||||
+ }
|
||||
+
|
||||
+ if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
|
||||
+ } else {
|
||||
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
|
||||
+ }
|
||||
+
|
||||
+ return TestStatus;
|
||||
+}
|
||||
+
|
||||
// *--------------------------------------------------------------------*
|
||||
// * Unit Test Code Main Function
|
||||
// *--------------------------------------------------------------------*
|
||||
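Review bot: The overflow case only exercises the first addition in SanitizePeImageEventSize: `SanitizePeImageEventSize (MAX_UINT32, &EventSize)` already fails at the OFFSET_OF + FilePathSize step, so the second SafeUint32Add, which adds sizeof (TCG_PCR_EVENT_HDR), is never driven to its error path. Add a case such as FilePathSize = MAX_UINT32 - OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), where the first sum fits and the second must be rejected. Separately, DevicePath and the allocated ImageLoadEvent are populated but never passed to the function under test, so that setup can go, and the mismatch message prints the UINTN ExistingLogicEventSize with `%u`.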
@@ -265,6 +350,7 @@ UefiTestMain (
|
||||
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
|
||||
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
|
||||
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
|
||||
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
|
||||
|
||||
Status = RunAllTestSuites (Framework);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
584
edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpm2.patch
Normal file
@ -0,0 +1,584 @@
|
||||
From e138f66708415704ad1133938c0dce5243795656 Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Tue, 13 Feb 2024 16:30:10 -0500
|
||||
Subject: [PATCH 04/17] SecurityPkg: Support CcMeasurementProtocol in
|
||||
DxeTpm2MeasureBootLib
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
|
||||
RH-Jira: RHEL-21154 RHEL-21156
|
||||
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
RH-Commit: [4/13] 8038fb605dbdaccfd40cb9d9d56db559ee9df639 (jmaloy/jons_fork)
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-21154
|
||||
CVE: CVE-2022-36763
|
||||
Upstream: Merged
|
||||
Conflicts: Only cosmetic, due to the uncrustify changes made
|
||||
in the newer version.
|
||||
|
||||
commit a124cd4ef92a349a6c823ea6701fcfd3a17db255
|
||||
Author: Min Xu <min.m.xu@intel.com>
|
||||
Date: Sat Dec 11 21:08:41 2021 +0800
|
||||
|
||||
SecurityPkg: Support CcMeasurementProtocol in DxeTpm2MeasureBootLib
|
||||
|
||||
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625
|
||||
|
||||
DxeTpm2MeasureBootLib supports TPM2 based measure boot. After
|
||||
CcMeasurementProtocol is introduced, CC based measure boot needs to
|
||||
be supported in DxeTpm2MeasureBootLib as well.
|
||||
|
||||
There are 2 major changes in this commit.
|
||||
|
||||
1. A platform should have only one RTS/RTR. Only one of (virtual)TPM1.2,
|
||||
(virtual)TPM2.0 and CC MR exists. Then only one TCG_SERVICE_PROTOCOL,
|
||||
TCG2_PROTOCOL, CC_MEASUREMENT_PROTOCOL is exposed. In this library when
|
||||
do measure boot only one of TCG2_PROTOCOL / CC_MEASUREMENT_PROTOCOL
|
||||
will be called. MEASURE_BOOT_PROTOCOLS is defined to store the instances
|
||||
of TCG2 protocol and CC Measurement protocol.
|
||||
|
||||
2. CcEvent is similar to Tcg2Event except the MrIndex and PcrIndex.
|
||||
So in the code Tcg2Event will be first created and initialized. If
|
||||
CcMeasurementProtocol is called to do the measure boot, then CcEvent
|
||||
points to Tcg2Event and the MrIndex is adjusted.
|
||||
|
||||
Cc: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
Cc: Liming Gao <gaoliming@byosoft.com.cn>
|
||||
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Sami Mujawar <sami.mujawar@arm.com>
|
||||
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
|
||||
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Signed-off-by: Min Xu <min.m.xu@intel.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
.../DxeTpm2MeasureBootLib.c | 347 ++++++++++++++----
|
||||
.../DxeTpm2MeasureBootLib.inf | 3 +-
|
||||
2 files changed, 271 insertions(+), 79 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
index 95682ac567..7abacdbc0a 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
|
||||
@@ -1,5 +1,6 @@
|
||||
/** @file
|
||||
- The library instance provides security service of TPM2 measure boot.
|
||||
+ The library instance provides security service of TPM2 measure boot and
|
||||
+ Confidential Computing (CC) measure boot.
|
||||
|
||||
Caution: This file requires additional review when modified.
|
||||
This library will have external input - PE/COFF image and GPT partition.
|
||||
@@ -41,6 +42,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#include <Library/PeCoffLib.h>
|
||||
#include <Library/SecurityManagementLib.h>
|
||||
#include <Library/HobLib.h>
|
||||
+#include <Protocol/CcMeasurement.h>
|
||||
+
|
||||
+typedef struct {
|
||||
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
|
||||
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
|
||||
+} MEASURE_BOOT_PROTOCOLS;
|
||||
|
||||
//
|
||||
// Flag to check GPT partition. It only need be measured once.
|
||||
@@ -109,7 +116,7 @@ DxeTpm2MeasureBootLibImageRead (
|
||||
Caution: This function may receive untrusted input.
|
||||
The GPT partition table is external input, so this function should parse partition data carefully.
|
||||
|
||||
- @param Tcg2Protocol Pointer to the located TCG2 protocol instance.
|
||||
+ @param MeasureBootProtocols Pointer to the located MeasureBoot protocol instances (i.e. TCG2/CC protocol).
|
||||
@param GptHandle Handle that GPT partition was installed.
|
||||
|
||||
@retval EFI_SUCCESS Successfully measure GPT table.
|
||||
@@ -121,26 +128,48 @@ DxeTpm2MeasureBootLibImageRead (
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
Tcg2MeasureGptTable (
|
||||
- IN EFI_TCG2_PROTOCOL *Tcg2Protocol,
|
||||
- IN EFI_HANDLE GptHandle
|
||||
+ IN MEASURE_BOOT_PROTOCOLS *MeasureBootProtocols,
|
||||
+ IN EFI_HANDLE GptHandle
|
||||
)
|
||||
{
|
||||
- EFI_STATUS Status;
|
||||
- EFI_BLOCK_IO_PROTOCOL *BlockIo;
|
||||
- EFI_DISK_IO_PROTOCOL *DiskIo;
|
||||
- EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
|
||||
- EFI_PARTITION_ENTRY *PartitionEntry;
|
||||
- UINT8 *EntryPtr;
|
||||
- UINTN NumberOfPartition;
|
||||
- UINT32 Index;
|
||||
- EFI_TCG2_EVENT *Tcg2Event;
|
||||
- EFI_GPT_DATA *GptData;
|
||||
- UINT32 EventSize;
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_BLOCK_IO_PROTOCOL *BlockIo;
|
||||
+ EFI_DISK_IO_PROTOCOL *DiskIo;
|
||||
+ EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
|
||||
+ EFI_PARTITION_ENTRY *PartitionEntry;
|
||||
+ UINT8 *EntryPtr;
|
||||
+ UINTN NumberOfPartition;
|
||||
+ UINT32 Index;
|
||||
+ UINT8 *EventPtr;
|
||||
+ EFI_TCG2_EVENT *Tcg2Event;
|
||||
+ EFI_CC_EVENT *CcEvent;
|
||||
+ EFI_GPT_DATA *GptData;
|
||||
+ UINT32 EventSize;
|
||||
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
|
||||
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
|
||||
+ EFI_CC_MR_INDEX MrIndex;
|
||||
|
||||
if (mTcg2MeasureGptCount > 0) {
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
+ PrimaryHeader = NULL;
|
||||
+ EntryPtr = NULL;
|
||||
+ EventPtr = NULL;
|
||||
+
|
||||
+ Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
|
||||
+ CcProtocol = MeasureBootProtocols->CcProtocol;
|
||||
+
|
||||
+ if ((Tcg2Protocol == NULL) && (CcProtocol == NULL)) {
|
||||
+ ASSERT (FALSE);
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ if (sizeof (EFI_CC_EVENT) != sizeof (EFI_TCG2_EVENT)) {
|
||||
+ ASSERT (FALSE);
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
Status = gBS->HandleProtocol (GptHandle, &gEfiBlockIoProtocolGuid, (VOID**)&BlockIo);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return EFI_UNSUPPORTED;
|
||||
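Review bot: The added `sizeof (EFI_CC_EVENT) != sizeof (EFI_TCG2_EVENT)` test near the top of Tcg2MeasureGptTable() compares two compile-time constants at run time, so the `ASSERT (FALSE)` / `return EFI_UNSUPPORTED` branch is either dead code or taken on every call. A `STATIC_ASSERT` at file scope would catch a mismatch at build time and remove the branch. In the same block, `MeasureBootProtocols->Tcg2Protocol` is read before `MeasureBootProtocols` itself is checked; an `ASSERT (MeasureBootProtocols != NULL)` ahead of the two assignments would document the contract.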
@@ -168,6 +197,16 @@ Tcg2MeasureGptTable (
|
||||
FreePool (PrimaryHeader);
|
||||
return EFI_DEVICE_ERROR;
|
||||
}
|
||||
+
|
||||
+ //
|
||||
+ // PrimaryHeader->SizeOfPartitionEntry should not be zero
|
||||
+ //
|
||||
+ if (PrimaryHeader->SizeOfPartitionEntry == 0) {
|
||||
+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry should not be zero!\n"));
|
||||
+ FreePool (PrimaryHeader);
|
||||
+ return EFI_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+
|
||||
//
|
||||
// Read the partition entry.
|
||||
//
|
||||
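Review bot: The new `PrimaryHeader->SizeOfPartitionEntry == 0` check rejects only zero, and the field comes straight from the on-disk GPT header. A value smaller than `sizeof (EFI_PARTITION_ENTRY)` or an arbitrarily large one still passes and is later used as a multiplier in the `EventSize` computation. Consider validating it against `sizeof (EFI_PARTITION_ENTRY)` here, in the same place the zero case is handled, so all header sanity checks fail early with one status code.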
@@ -202,11 +241,17 @@ Tcg2MeasureGptTable (
|
||||
}
|
||||
|
||||
//
|
||||
- // Prepare Data for Measurement
|
||||
+ // Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
|
||||
//
|
||||
EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
|
||||
+ NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
|
||||
- Tcg2Event = (EFI_TCG2_EVENT *) AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
|
||||
+ EventPtr = (UINT8 *)AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
|
||||
+ if (EventPtr == NULL) {
|
||||
+ Status = EFI_OUT_OF_RESOURCES;
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
+ Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
|
||||
if (Tcg2Event == NULL) {
|
||||
FreePool (PrimaryHeader);
|
||||
FreePool (EntryPtr);
|
||||
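Review bot: The `EventSize` sum kept as context here is truncated with a `(UINT32)` cast and then extended again by `sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)` inside the new `AllocateZeroPool` call, with no overflow check on `NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry`. Since both factors derive from the GPT header, the allocation can end up smaller than the data copied into it; the size arithmetic should be checked before allocating. Separately, the retained `if (Tcg2Event == NULL)` block is now unreachable because `EventPtr == NULL` has already jumped to `Exit`, and its direct `FreePool` calls duplicate the new cleanup path, so it should be dropped.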
@@ -243,22 +288,66 @@ Tcg2MeasureGptTable (
|
||||
}
|
||||
|
||||
//
|
||||
- // Measure the GPT data
|
||||
+ // Only one of TCG2_PROTOCOL or CC_MEASUREMENT_PROTOCOL is exposed.
|
||||
+ // So Measure the GPT data with one of the protocol.
|
||||
//
|
||||
- Status = Tcg2Protocol->HashLogExtendEvent (
|
||||
- Tcg2Protocol,
|
||||
- 0,
|
||||
- (EFI_PHYSICAL_ADDRESS) (UINTN) (VOID *) GptData,
|
||||
- (UINT64) EventSize,
|
||||
- Tcg2Event
|
||||
- );
|
||||
- if (!EFI_ERROR (Status)) {
|
||||
- mTcg2MeasureGptCount++;
|
||||
+ if (CcProtocol != NULL) {
|
||||
+ //
|
||||
+ // EFI_CC_EVENT share the same data structure with EFI_TCG2_EVENT
|
||||
+ // except the MrIndex and PCRIndex in Header.
|
||||
+ // Tcg2Event has been created and initialized before. So only the MrIndex need
|
||||
+ // be adjusted.
|
||||
+ //
|
||||
+ Status = CcProtocol->MapPcrToMrIndex (CcProtocol, Tcg2Event->Header.PCRIndex, &MrIndex);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Cannot map PcrIndex(%d) to MrIndex\n", Tcg2Event->Header.PCRIndex));
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
+ CcEvent = (EFI_CC_EVENT *)EventPtr;
|
||||
+ CcEvent->Header.MrIndex = MrIndex;
|
||||
+ Status = CcProtocol->HashLogExtendEvent (
|
||||
+ CcProtocol,
|
||||
+ 0,
|
||||
+ (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
|
||||
+ (UINT64)EventSize,
|
||||
+ CcEvent
|
||||
+ );
|
||||
+ if (!EFI_ERROR (Status)) {
|
||||
+ mTcg2MeasureGptCount++;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Cc MeasureGptTable - %r\n", Status));
|
||||
+ } else if (Tcg2Protocol != NULL) {
|
||||
+ //
|
||||
+ // If Tcg2Protocol is installed, then Measure GPT data with this protocol.
|
||||
+ //
|
||||
+ Status = Tcg2Protocol->HashLogExtendEvent (
|
||||
+ Tcg2Protocol,
|
||||
+ 0,
|
||||
+ (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
|
||||
+ (UINT64)EventSize,
|
||||
+ Tcg2Event
|
||||
+ );
|
||||
+ if (!EFI_ERROR (Status)) {
|
||||
+ mTcg2MeasureGptCount++;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2 MeasureGptTable - %r\n", Status));
|
||||
}
|
||||
|
||||
- FreePool (PrimaryHeader);
|
||||
- FreePool (EntryPtr);
|
||||
- FreePool (Tcg2Event);
|
||||
+Exit:
|
||||
+ if (PrimaryHeader != NULL) {
|
||||
+ FreePool (PrimaryHeader);
|
||||
+ }
|
||||
+
|
||||
+ if (EntryPtr != NULL) {
|
||||
+ FreePool (EntryPtr);
|
||||
+ }
|
||||
+
|
||||
+ if (EventPtr != NULL) {
|
||||
+ FreePool (EventPtr);
|
||||
+ }
|
||||
|
||||
return Status;
|
||||
}
|
||||
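Review bot: In the `CcProtocol != NULL` branch, `CcEvent = (EFI_CC_EVENT *)EventPtr` reuses the buffer that was filled in as an `EFI_TCG2_EVENT` and only overwrites `Header.MrIndex`, which is correct only if every field of the two structures sits at the same offset. The guard added earlier in the function compares `sizeof` only; equal sizes do not imply equal layout. Build-time assertions on `OFFSET_OF` for `Header.MrIndex` versus `Header.PCRIndex` and for `Event` would make the aliasing assumption explicit. The `mTcg2MeasureGptCount++` update and the status `DEBUG` are also duplicated in both branches and could be hoisted below the `if`/`else`.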
@@ -271,12 +360,12 @@ Tcg2MeasureGptTable (
|
||||
PE/COFF image is external input, so this function will validate its data structure
|
||||
within this image buffer before use.
|
||||
|
||||
- @param[in] Tcg2Protocol Pointer to the located TCG2 protocol instance.
|
||||
- @param[in] ImageAddress Start address of image buffer.
|
||||
- @param[in] ImageSize Image size
|
||||
- @param[in] LinkTimeBase Address that the image is loaded into memory.
|
||||
- @param[in] ImageType Image subsystem type.
|
||||
- @param[in] FilePath File path is corresponding to the input image.
|
||||
+ @param[in] MeasureBootProtocols Pointer to the located MeasureBoot protocol instances.
|
||||
+ @param[in] ImageAddress Start address of image buffer.
|
||||
+ @param[in] ImageSize Image size
|
||||
+ @param[in] LinkTimeBase Address that the image is loaded into memory.
|
||||
+ @param[in] ImageType Image subsystem type.
|
||||
+ @param[in] FilePath File path is corresponding to the input image.
|
||||
|
||||
@retval EFI_SUCCESS Successfully measure image.
|
||||
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
|
||||
@@ -287,7 +376,7 @@ Tcg2MeasureGptTable (
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
Tcg2MeasurePeImage (
|
||||
- IN EFI_TCG2_PROTOCOL *Tcg2Protocol,
|
||||
+ IN MEASURE_BOOT_PROTOCOLS *MeasureBootProtocols,
|
||||
IN EFI_PHYSICAL_ADDRESS ImageAddress,
|
||||
IN UINTN ImageSize,
|
||||
IN UINTN LinkTimeBase,
|
||||
@@ -295,26 +384,46 @@ Tcg2MeasurePeImage (
|
||||
IN EFI_DEVICE_PATH_PROTOCOL *FilePath
|
||||
)
|
||||
{
|
||||
- EFI_STATUS Status;
|
||||
- EFI_TCG2_EVENT *Tcg2Event;
|
||||
- EFI_IMAGE_LOAD_EVENT *ImageLoad;
|
||||
- UINT32 FilePathSize;
|
||||
- UINT32 EventSize;
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_TCG2_EVENT *Tcg2Event;
|
||||
+ EFI_IMAGE_LOAD_EVENT *ImageLoad;
|
||||
+ UINT32 FilePathSize;
|
||||
+ UINT32 EventSize;
|
||||
+ EFI_CC_EVENT *CcEvent;
|
||||
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
|
||||
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
|
||||
+ UINT8 *EventPtr;
|
||||
+ EFI_CC_MR_INDEX MrIndex;
|
||||
+
|
||||
+ Status = EFI_UNSUPPORTED;
|
||||
+ ImageLoad = NULL;
|
||||
+ EventPtr = NULL;
|
||||
+
|
||||
+ Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
|
||||
+ CcProtocol = MeasureBootProtocols->CcProtocol;
|
||||
+
|
||||
+ if ((Tcg2Protocol == NULL) && (CcProtocol == NULL)) {
|
||||
+ ASSERT (FALSE);
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ if (sizeof (EFI_CC_EVENT) != sizeof (EFI_TCG2_EVENT)) {
|
||||
+ ASSERT (FALSE);
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
|
||||
- Status = EFI_UNSUPPORTED;
|
||||
- ImageLoad = NULL;
|
||||
FilePathSize = (UINT32) GetDevicePathSize (FilePath);
|
||||
|
||||
//
|
||||
// Determine destination PCR by BootPolicy
|
||||
//
|
||||
EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
|
||||
- Tcg2Event = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
|
||||
- if (Tcg2Event == NULL) {
|
||||
+ EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
|
||||
+ if (EventPtr == NULL) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);
|
||||
+ Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
|
||||
Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
|
||||
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
|
||||
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) Tcg2Event->Event;
|
||||
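Review bot: The removed line `Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);` has no replacement in this hunk: the only line added at that position is `Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;`. Because the buffer comes from `AllocateZeroPool`, `Size` stays 0 when the event is handed to `HashLogExtendEvent` on both the TCG2 and the CC path. Unless the field is set elsewhere outside the visible context, the assignment needs to be restored right after the cast.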
@@ -352,13 +461,35 @@ Tcg2MeasurePeImage (
|
||||
//
|
||||
// Log the PE data
|
||||
//
|
||||
- Status = Tcg2Protocol->HashLogExtendEvent (
|
||||
- Tcg2Protocol,
|
||||
- PE_COFF_IMAGE,
|
||||
- ImageAddress,
|
||||
- ImageSize,
|
||||
- Tcg2Event
|
||||
- );
|
||||
+ if (CcProtocol != NULL) {
|
||||
+ Status = CcProtocol->MapPcrToMrIndex (CcProtocol, Tcg2Event->Header.PCRIndex, &MrIndex);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Cannot map PcrIndex(%d) to MrIndex\n", Tcg2Event->Header.PCRIndex));
|
||||
+ goto Finish;
|
||||
+ }
|
||||
+
|
||||
+ CcEvent = (EFI_CC_EVENT *)EventPtr;
|
||||
+ CcEvent->Header.MrIndex = MrIndex;
|
||||
+
|
||||
+ Status = CcProtocol->HashLogExtendEvent (
|
||||
+ CcProtocol,
|
||||
+ PE_COFF_IMAGE,
|
||||
+ ImageAddress,
|
||||
+ ImageSize,
|
||||
+ CcEvent
|
||||
+ );
|
||||
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Cc MeasurePeImage - %r\n", Status));
|
||||
+ } else if (Tcg2Protocol != NULL) {
|
||||
+ Status = Tcg2Protocol->HashLogExtendEvent (
|
||||
+ Tcg2Protocol,
|
||||
+ PE_COFF_IMAGE,
|
||||
+ ImageAddress,
|
||||
+ ImageSize,
|
||||
+ Tcg2Event
|
||||
+ );
|
||||
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2 MeasurePeImage - %r\n", Status));
|
||||
+ }
|
||||
+
|
||||
if (Status == EFI_VOLUME_FULL) {
|
||||
//
|
||||
// Volume full here means the image is hashed and its result is extended to PCR.
|
||||
@@ -369,11 +500,77 @@ Tcg2MeasurePeImage (
|
||||
}
|
||||
|
||||
Finish:
|
||||
- FreePool (Tcg2Event);
|
||||
+ if (EventPtr != NULL) {
|
||||
+ FreePool (EventPtr);
|
||||
+ }
|
||||
|
||||
return Status;
|
||||
}
|
||||
|
||||
+/**
|
||||
+ Get the measure boot protocols.
|
||||
+
|
||||
+ There are 2 measure boot, TCG2 protocol based and Cc measurement protocol based.
|
||||
+
|
||||
+ @param MeasureBootProtocols Pointer to the located measure boot protocol instances.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Sucessfully locate the measure boot protocol instances (at least one instance).
|
||||
+ @retval EFI_UNSUPPORTED Measure boot is not supported.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+GetMeasureBootProtocols (
|
||||
+ MEASURE_BOOT_PROTOCOLS *MeasureBootProtocols
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
|
||||
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
|
||||
+ EFI_TCG2_BOOT_SERVICE_CAPABILITY Tcg2ProtocolCapability;
|
||||
+ EFI_CC_BOOT_SERVICE_CAPABILITY CcProtocolCapability;
|
||||
+
|
||||
+ CcProtocol = NULL;
|
||||
+ Status = gBS->LocateProtocol (&gEfiCcMeasurementProtocolGuid, NULL, (VOID **)&CcProtocol);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ //
|
||||
+ // Cc Measurement protocol is not installed.
|
||||
+ //
|
||||
+ DEBUG ((DEBUG_VERBOSE, "CcMeasurementProtocol is not installed. - %r\n", Status));
|
||||
+ } else {
|
||||
+ ZeroMem (&CcProtocolCapability, sizeof (CcProtocolCapability));
|
||||
+ CcProtocolCapability.Size = sizeof (CcProtocolCapability);
|
||||
+ Status = CcProtocol->GetCapability (CcProtocol, &CcProtocolCapability);
|
||||
+ if (EFI_ERROR (Status) || (CcProtocolCapability.CcType.Type == EFI_CC_TYPE_NONE)) {
|
||||
+ DEBUG ((DEBUG_ERROR, " CcProtocol->GetCapability returns : %x, %r\n", CcProtocolCapability.CcType.Type, Status));
|
||||
+ CcProtocol = NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ Tcg2Protocol = NULL;
|
||||
+ Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **)&Tcg2Protocol);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ //
|
||||
+ // Tcg2 protocol is not installed. So, TPM2 is not present.
|
||||
+ //
|
||||
+ DEBUG ((DEBUG_VERBOSE, "Tcg2Protocol is not installed. - %r\n", Status));
|
||||
+ } else {
|
||||
+ Tcg2ProtocolCapability.Size = (UINT8)sizeof (Tcg2ProtocolCapability);
|
||||
+ Status = Tcg2Protocol->GetCapability (Tcg2Protocol, &Tcg2ProtocolCapability);
|
||||
+ if (EFI_ERROR (Status) || (!Tcg2ProtocolCapability.TPMPresentFlag)) {
|
||||
+ //
|
||||
+ // TPM device doesn't work or activate.
|
||||
+ //
|
||||
+ DEBUG ((DEBUG_ERROR, "TPMPresentFlag=FALSE %r\n", Status));
|
||||
+ Tcg2Protocol = NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ MeasureBootProtocols->Tcg2Protocol = Tcg2Protocol;
|
||||
+ MeasureBootProtocols->CcProtocol = CcProtocol;
|
||||
+
|
||||
+ return (Tcg2Protocol == NULL && CcProtocol == NULL) ? EFI_UNSUPPORTED : EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
The security handler is used to abstract platform-specific policy
|
||||
from the DXE core response to an attempt to use a file that returns a
|
||||
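Review bot: GetMeasureBootProtocols() can return with both `Tcg2Protocol` and `CcProtocol` non-NULL, while the comment in Tcg2MeasureGptTable() states that only one of the two is exposed and the callers silently prefer the CC path. Either document that precedence in the function header or log when both are found, so a platform that installs both is noticed. The parameter is also an output but is declared without `OUT` and documented with a bare `@param`; the helper is file-local yet declared `EFIAPI` without `STATIC`; and "Sucessfully" in the `@retval` text is misspelled.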
@@ -422,9 +619,8 @@ DxeTpm2MeasureBootHandler (
|
||||
IN BOOLEAN BootPolicy
|
||||
)
|
||||
{
|
||||
- EFI_TCG2_PROTOCOL *Tcg2Protocol;
|
||||
+ MEASURE_BOOT_PROTOCOLS MeasureBootProtocols;
|
||||
EFI_STATUS Status;
|
||||
- EFI_TCG2_BOOT_SERVICE_CAPABILITY ProtocolCapability;
|
||||
EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
|
||||
EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
|
||||
EFI_HANDLE Handle;
|
||||
@@ -435,29 +631,25 @@ DxeTpm2MeasureBootHandler (
|
||||
EFI_PHYSICAL_ADDRESS FvAddress;
|
||||
UINT32 Index;
|
||||
|
||||
- Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
|
||||
+ MeasureBootProtocols.Tcg2Protocol = NULL;
|
||||
+ MeasureBootProtocols.CcProtocol = NULL;
|
||||
+
|
||||
+ Status = GetMeasureBootProtocols (&MeasureBootProtocols);
|
||||
+
|
||||
if (EFI_ERROR (Status)) {
|
||||
//
|
||||
- // Tcg2 protocol is not installed. So, TPM2 is not present.
|
||||
+ // None of Measured boot protocols (Tcg2, Cc) is installed.
|
||||
// Don't do any measurement, and directly return EFI_SUCCESS.
|
||||
//
|
||||
- DEBUG ((DEBUG_VERBOSE, "DxeTpm2MeasureBootHandler - Tcg2 - %r\n", Status));
|
||||
+ DEBUG ((DEBUG_INFO, "None of Tcg2Protocol/CcMeasurementProtocol is installed.\n"));
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
-
|
||||
- ProtocolCapability.Size = (UINT8) sizeof (ProtocolCapability);
|
||||
- Status = Tcg2Protocol->GetCapability (
|
||||
- Tcg2Protocol,
|
||||
- &ProtocolCapability
|
||||
- );
|
||||
- if (EFI_ERROR (Status) || (!ProtocolCapability.TPMPresentFlag)) {
|
||||
- //
|
||||
- // TPM device doesn't work or activate.
|
||||
- //
|
||||
- DEBUG ((DEBUG_ERROR, "DxeTpm2MeasureBootHandler (%r) - TPMPresentFlag - %x\n", Status, ProtocolCapability.TPMPresentFlag));
|
||||
- return EFI_SUCCESS;
|
||||
- }
|
||||
-
|
||||
+ DEBUG ((
|
||||
+ DEBUG_INFO,
|
||||
+ "Tcg2Protocol = %p, CcMeasurementProtocol = %p\n",
|
||||
+ MeasureBootProtocols.Tcg2Protocol,
|
||||
+ MeasureBootProtocols.CcProtocol
|
||||
+ ));
|
||||
//
|
||||
// Copy File Device Path
|
||||
//
|
||||
@@ -502,8 +694,8 @@ DxeTpm2MeasureBootHandler (
|
||||
//
|
||||
// Measure GPT disk.
|
||||
//
|
||||
- Status = Tcg2MeasureGptTable (Tcg2Protocol, Handle);
|
||||
- DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2MeasureGptTable - %r\n", Status));
|
||||
+ Status = Tcg2MeasureGptTable (&MeasureBootProtocols, Handle);
|
||||
+
|
||||
if (!EFI_ERROR (Status)) {
|
||||
//
|
||||
// GPT disk check done.
|
||||
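Review bot: Dropping the `DEBUG` after the `Tcg2MeasureGptTable (&MeasureBootProtocols, Handle)` call loses the status for every early return in that function. The replacement messages added inside Tcg2MeasureGptTable() sit in the CcProtocol/Tcg2Protocol branches and only report the `HashLogExtendEvent` result, so paths such as the new `EFI_BAD_BUFFER_SIZE` return or a `goto Exit` on allocation failure now produce no log line at the call site. Keeping a single status `DEBUG` here, or adding one at the `Exit:` label, would preserve that diagnostic.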
@@ -647,14 +839,13 @@ DxeTpm2MeasureBootHandler (
|
||||
// Measure PE image into TPM log.
|
||||
//
|
||||
Status = Tcg2MeasurePeImage (
|
||||
- Tcg2Protocol,
|
||||
+ &MeasureBootProtocols,
|
||||
(EFI_PHYSICAL_ADDRESS) (UINTN) FileBuffer,
|
||||
FileSize,
|
||||
(UINTN) ImageContext.ImageAddress,
|
||||
ImageContext.ImageType,
|
||||
DevicePathNode
|
||||
);
|
||||
- DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2MeasurePeImage - %r\n", Status));
|
||||
}
|
||||
|
||||
//
|
||||
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
|
||||
index 2506abbe7c..6dca79a20c 100644
|
||||
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
|
||||
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
|
||||
@@ -1,5 +1,5 @@
|
||||
## @file
|
||||
-# Provides security service for TPM 2.0 measured boot
|
||||
+# Provides security service for TPM 2.0 measured boot and Confidential Computing measure boot.
|
||||
#
|
||||
# Spec Compliance Info:
|
||||
# "TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 Level 00 Revision 1.03 v51"
|
||||
@@ -61,6 +61,7 @@
|
||||
|
||||
[Protocols]
|
||||
gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES
|
||||
+ gEfiCcMeasurementProtocolGuid ## SOMETIMES_CONSUMES
|
||||
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
|
||||
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
|
||||
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
|
||||
--
|
||||
2.41.0
|
||||
|
255
edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpmM.patch
Normal file
@ -0,0 +1,255 @@
From a35a08c5c8d9308ba2b63a15a40e4ddc3e265dbd Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 05/17] SecurityPkg: Support CcMeasurementProtocol in
DxeTpmMeasurementLib

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [5/13] fa844740ca589cabb52ae7dfa0dd329315dc168f (jmaloy/jons_fork)

JIRA: https://issues.redhat.com/browse/RHEL-21154
CVE: CVE-2022-36763
Upstream: Merged
Conflicts: Only cosmetic, due to the uncrustify changes made
in the newer version.

commit 314ff1dc8c9a9597280b50e44a5c861cb6a58517 (HEAD -> CVE-2022-36763_RHEL-21154_rhel-8.10.0)
Author: Min Xu <min.m.xu@intel.com>
Date: Sat Dec 11 21:08:42 2021 +0800

SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLib

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625

DxeTpmMeasurementLib supports TPM based measurement in DXE phase.
After CcMeasurementProtocol is introduced, CC based measurement needs
to be supported in DxeTpmMeasurementLib as well.

A platform should have only one RTS/RTR. Only one of (virtual)TPM1.2,
(virtual)TPM2.0 and CC MR exists. Then only one TCG_SERVICE_PROTOCOL,
TCG2_PROTOCOL, CC_MEASUREMENT_PROTOCOL is exposed.

In this library when do measurement only one of above 3 protocols will
be called.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasurementLib.c | 122 +++++++++++++++---
.../DxeTpmMeasurementLib.inf | 9 +-
2 files changed, 111 insertions(+), 20 deletions(-)

diff --git a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
|
||||
index 061136ee78..802bc3c3cd 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
|
||||
@@ -1,5 +1,6 @@
|
||||
/** @file
|
||||
- This library is used by other modules to measure data to TPM.
|
||||
+ This library is used by other modules to measure data to TPM and Confidential
|
||||
+ Computing (CC) measure registers.
|
||||
|
||||
Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved. <BR>
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
@@ -19,6 +20,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
#include <Guid/Acpi.h>
|
||||
#include <IndustryStandard/Acpi.h>
|
||||
+#include <Protocol/CcMeasurement.h>
|
||||
|
||||
|
||||
|
||||
@@ -37,6 +39,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
@retval EFI_OUT_OF_RESOURCES Out of memory.
|
||||
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
|
||||
**/
|
||||
+STATIC
|
||||
EFI_STATUS
|
||||
Tpm12MeasureAndLogData (
|
||||
IN UINT32 PcrIndex,
|
||||
@@ -103,6 +106,7 @@ Tpm12MeasureAndLogData (
|
||||
@retval EFI_OUT_OF_RESOURCES Out of memory.
|
||||
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
|
||||
**/
|
||||
+STATIC
|
||||
EFI_STATUS
|
||||
Tpm20MeasureAndLogData (
|
||||
IN UINT32 PcrIndex,
|
||||
@@ -149,6 +153,73 @@ Tpm20MeasureAndLogData (
|
||||
return Status;
|
||||
}
|
||||
|
||||
+/**
|
||||
+ Cc measure and log data, and extend the measurement result into a
|
||||
+ specific CC MR.
|
||||
+
|
||||
+ @param[in] CcProtocol Instance of CC measurement protocol
|
||||
+ @param[in] PcrIndex PCR Index.
|
||||
+ @param[in] EventType Event type.
|
||||
+ @param[in] EventLog Measurement event log.
|
||||
+ @param[in] LogLen Event log length in bytes.
|
||||
+ @param[in] HashData The start of the data buffer to be hashed, extended.
|
||||
+ @param[in] HashDataLen The length, in bytes, of the buffer referenced by HashData
|
||||
+
|
||||
+ @retval EFI_SUCCESS Operation completed successfully.
|
||||
+ @retval EFI_UNSUPPORTED CC guest not available.
|
||||
+ @retval EFI_OUT_OF_RESOURCES Out of memory.
|
||||
+ @retval EFI_DEVICE_ERROR The operation was unsuccessful.
|
||||
+ @retval EFI_INVALID_PARAMETER The input parameter is invalid.
|
||||
+**/
|
||||
+STATIC
|
||||
+EFI_STATUS
|
||||
+CcMeasureAndLogData (
|
||||
+ IN EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol,
|
||||
+ IN UINT32 PcrIndex,
|
||||
+ IN UINT32 EventType,
|
||||
+ IN VOID *EventLog,
|
||||
+ IN UINT32 LogLen,
|
||||
+ IN VOID *HashData,
|
||||
+ IN UINT64 HashDataLen
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_CC_EVENT *EfiCcEvent;
|
||||
+ EFI_CC_MR_INDEX MrIndex;
|
||||
+
|
||||
+ if (CcProtocol == NULL) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ Status = CcProtocol->MapPcrToMrIndex (CcProtocol, PcrIndex, &MrIndex);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ EfiCcEvent = (EFI_CC_EVENT *)AllocateZeroPool (LogLen + sizeof (EFI_CC_EVENT));
|
||||
+ if (EfiCcEvent == NULL) {
|
||||
+ return EFI_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
+
|
||||
+ EfiCcEvent->Size = (UINT32)LogLen + sizeof (EFI_CC_EVENT) - sizeof (EfiCcEvent->Event);
|
||||
+ EfiCcEvent->Header.HeaderSize = sizeof (EFI_CC_EVENT_HEADER);
|
||||
+ EfiCcEvent->Header.HeaderVersion = EFI_CC_EVENT_HEADER_VERSION;
|
||||
+ EfiCcEvent->Header.MrIndex = MrIndex;
|
||||
+ EfiCcEvent->Header.EventType = EventType;
|
||||
+ CopyMem (&EfiCcEvent->Event[0], EventLog, LogLen);
|
||||
+
|
||||
+ Status = CcProtocol->HashLogExtendEvent (
|
||||
+ CcProtocol,
|
||||
+ 0,
|
||||
+ (EFI_PHYSICAL_ADDRESS)(UINTN)HashData,
|
||||
+ HashDataLen,
|
||||
+ EfiCcEvent
|
||||
+ );
|
||||
+ FreePool (EfiCcEvent);
|
||||
+
|
||||
+ return Status;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
Tpm measure and log data, and extend the measurement result into a specific PCR.
|
||||
|
||||
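Review bot: In CcMeasureAndLogData(), `LogLen` is caller-supplied and goes unchecked into `AllocateZeroPool (LogLen + sizeof (EFI_CC_EVENT))`, into the `EfiCcEvent->Size` computation, and into `CopyMem (&EfiCcEvent->Event[0], EventLog, LogLen)`. A `LogLen` close to the 32-bit maximum makes the `Size` value wrap, and on a build where `UINTN` is 32 bits the allocation size wraps as well while `CopyMem` still copies `LogLen` bytes. Rejecting `LogLen > MAX_UINT32 - sizeof (EFI_CC_EVENT)` with the already documented `EFI_INVALID_PARAMETER` would close this. `EventLog` is also passed to `CopyMem` without a NULL check when `LogLen` is non-zero, and the allocation is `sizeof (EfiCcEvent->Event)` bytes larger than the `Size` it then reports.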
@@ -175,25 +246,16 @@ TpmMeasureAndLogData (
|
||||
IN UINT64 HashDataLen
|
||||
)
|
||||
{
|
||||
- EFI_STATUS Status;
|
||||
-
|
||||
- //
|
||||
- // Try to measure using Tpm20 protocol
|
||||
- //
|
||||
- Status = Tpm20MeasureAndLogData(
|
||||
- PcrIndex,
|
||||
- EventType,
|
||||
- EventLog,
|
||||
- LogLen,
|
||||
- HashData,
|
||||
- HashDataLen
|
||||
- );
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
|
||||
|
||||
- if (EFI_ERROR (Status)) {
|
||||
+ Status = gBS->LocateProtocol (&gEfiCcMeasurementProtocolGuid, NULL, (VOID **)&CcProtocol);
|
||||
+ if (!EFI_ERROR (Status)) {
|
||||
//
|
||||
- // Try to measure using Tpm1.2 protocol
|
||||
+ // Try to measure using Cc measurement protocol
|
||||
//
|
||||
- Status = Tpm12MeasureAndLogData(
|
||||
+ Status = CcMeasureAndLogData (
|
||||
+ CcProtocol,
|
||||
PcrIndex,
|
||||
EventType,
|
||||
EventLog,
|
||||
@@ -201,6 +263,32 @@ TpmMeasureAndLogData (
|
||||
HashData,
|
||||
HashDataLen
|
||||
);
|
||||
+ } else {
|
||||
+ //
|
||||
+ // Try to measure using Tpm20 protocol
|
||||
+ //
|
||||
+ Status = Tpm20MeasureAndLogData (
|
||||
+ PcrIndex,
|
||||
+ EventType,
|
||||
+ EventLog,
|
||||
+ LogLen,
|
||||
+ HashData,
|
||||
+ HashDataLen
|
||||
+ );
|
||||
+
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ //
|
||||
+ // Try to measure using Tpm1.2 protocol
|
||||
+ //
|
||||
+ Status = Tpm12MeasureAndLogData (
|
||||
+ PcrIndex,
|
||||
+ EventType,
|
||||
+ EventLog,
|
||||
+ LogLen,
|
||||
+ HashData,
|
||||
+ HashDataLen
|
||||
+ );
|
||||
+ }
|
||||
}
|
||||
|
||||
return Status;
|
||||
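Review bot: In TpmMeasureAndLogData(), the CC branch is taken whenever `LocateProtocol (&gEfiCcMeasurementProtocolGuid, ...)` succeeds, without the `GetCapability` / `EFI_CC_TYPE_NONE` check that GetMeasureBootProtocols() applies in DxeTpm2MeasureBootLib. If the protocol is installed but reports no CC type, or `CcMeasureAndLogData` fails (for example in `MapPcrToMrIndex`), the function returns that error and never tries `Tpm20MeasureAndLogData` or `Tpm12MeasureAndLogData`. If that is intended under the one-root-of-trust assumption in the commit message, a comment at the `if (!EFI_ERROR (Status))` line should say so; otherwise the capability check should be mirrored here so both libraries select the protocol the same way.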
diff --git a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
|
||||
index 7d41bc41f9..3af3d4e33b 100644
|
||||
--- a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
|
||||
+++ b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
|
||||
@@ -1,5 +1,7 @@
|
||||
## @file
|
||||
-# Provides TPM measurement functions for TPM1.2 and TPM 2.0
|
||||
+# Provides below measurement functions:
|
||||
+# 1. TPM measurement functions for TPM1.2 and TPM 2.0
|
||||
+# 2. Confidential Computing (CC) measurement functions
|
||||
#
|
||||
# This library provides TpmMeasureAndLogData() to measure and log data, and
|
||||
# extend the measurement result into a specific PCR.
|
||||
@@ -40,5 +42,6 @@
|
||||
UefiBootServicesTableLib
|
||||
|
||||
[Protocols]
|
||||
- gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES
|
||||
- gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES
|
||||
+ gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES
|
||||
+ gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES
|
||||
+ gEfiCcMeasurementProtocolGuid ## SOMETIMES_CONSUMES
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,84 @@
From fa892c7112cfb5aa742f358544da3788a831e431 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 13/17] SecurityPkg: : Updating SecurityFixes.yaml after symbol
rename

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [13/13] 3bf59dbb583b67eddb54361781054cc650398309 (jmaloy/jons_fork)

JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged

commit 264636d8e6983e0f6dc6be2fca9d84ec81315954
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:22 2024 -0800

SecurityPkg: : Updating SecurityFixes.yaml after symbol rename

Adding the new commit titles for the symbol renames

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <5e0e851e97459e183420178888d4fcdadc2f1ae1.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
SecurityPkg/SecurityFixes.yaml | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
|
||||
index f9e3e7be74..dc1bb83489 100644
|
||||
--- a/SecurityPkg/SecurityFixes.yaml
|
||||
+++ b/SecurityPkg/SecurityFixes.yaml
|
||||
@@ -9,14 +9,35 @@ CVE_2022_36763:
|
||||
- "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
|
||||
- "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
|
||||
- "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
|
||||
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
|
||||
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
|
||||
+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
|
||||
cve: CVE-2022-36763
|
||||
date_reported: 2022-10-25 11:31 UTC
|
||||
description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
|
||||
note: This patch is related to and supersedes TCBZ2168
|
||||
files_impacted:
|
||||
- - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
|
||||
- - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
|
||||
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
|
||||
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
|
||||
links:
|
||||
- - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
|
||||
- - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
|
||||
- - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
|
||||
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
|
||||
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
|
||||
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
|
||||
+CVE_2022_36764:
|
||||
+ commit_titles:
|
||||
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
|
||||
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
|
||||
+ - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
|
||||
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
|
||||
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
|
||||
+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
|
||||
+ cve: CVE-2022-36764
|
||||
+ date_reported: 2022-10-25 12:23 UTC
|
||||
+ description: Heap Buffer Overflow in Tcg2MeasurePeImage()
+ note:
+ files_impacted:
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+
--
2.41.0
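Review bot: In the new CVE_2022_36764 entry the `note:` key is left empty, and its description ("Heap Buffer Overflow in Tcg2MeasurePeImage()") drops the "(CVE-2022-36763) - " style prefix that the CVE-2022-36763 description carries. Either fill or remove the empty key and pick one description style, so anything that parses SecurityFixes.yaml sees uniform records. The removed and re-added `files_impacted` and `links` items for CVE-2022-36763 read identically as rendered here, so that part looks like an indentation-only change; worth confirming it is intentional and saying so in the commit message.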
80
edk2.spec
@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
Release: 10%{?dist}
Release: 11%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators
License: BSD-2-Clause-Patent and OpenSSL and MIT
@ -100,6 +100,57 @@ Patch48: edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch
Patch49: edk2-ArmVirtPkg-ArmVirtQemu-migrate-to-OVMF-s-VirtNorFlas.patch
# For RHEL-17587 - [rhel8] guest fails to boot due to ASSERT error
Patch50: edk2-OvmfPkg-clone-NorFlashPlatformLib-into-VirtNorFlashP.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch51: edk2-SecurityPkg-Change-use-of-EFI_D_-to-DEBUG_.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch52: edk2-SecurityPkg-Change-OPTIONAL-keyword-usage-style.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch53: edk2-MdePkg-Introduce-CcMeasurementProtocol-for-CC-Guest-.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch54: edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpm2.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch55: edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpmM.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch56: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch57: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch58: edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch59: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch60: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch61: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SEC-PATCH-4118-2.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch62: edk2-SecurityPkg-DxeTpmMeasureBootLib-SEC-PATCH-4117-2.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch63: edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch64: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch65: edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch66: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch67: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
# python3-devel and libuuid-devel are required for building tools.
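Review bot: Patch56 and Patch59 are named edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch and edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch, so the truncation hides which upstream bug each one carries, while the DxeTpmMeasureBootLib siblings (Patch57, Patch60) keep the full 4117 and 4118. A one-line comment above each naming the upstream bug would make the mapping auditable. Patch51 to Patch55 (EFI_D_ to DEBUG_, OPTIONAL keyword style, CcMeasurementProtocol) carry the same two CVE comments although their names describe no fix; if they are prerequisites for the backport, say so in the comment.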
@ -544,6 +595,33 @@ true
%endif
%changelog
* Wed Feb 14 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-11
- edk2-SecurityPkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Change-OPTIONAL-keyword-usage-style.patch [RHEL-21154 RHEL-21156]
- edk2-MdePkg-Introduce-CcMeasurementProtocol-for-CC-Guest-.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpm2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpmM.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SEC-PATCH-4118-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SEC-PATCH-4117-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [RHEL-21154 RHEL-21156]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch [RHEL-21840 RHEL-21842]
- Resolves: RHEL-21154
(CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8])
- Resolves: RHEL-21156
(CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8])
- Resolves: RHEL-21840
(CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8])
- Resolves: RHEL-21842
(CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8])
* Sat Feb 03 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-10
- edk2-OvmfPkg-VirtNorFlashDxe-clone-ArmPlatformPkg-s-NOR-f.patch [RHEL-17587]
- edk2-OvmfPkg-VirtNorFlashDxe-remove-CheckBlockLocked-feat.patch [RHEL-17587]
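Review bot: Every new changelog line carries both ticket ids of its group, so the changelog cannot tell a reader which patch closes which CVE: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch is tagged [RHEL-21840 RHEL-21842] exactly like the two CVE-2023-45230 patches, and all thirteen SecurityPkg/MdePkg lines carry [RHEL-21154 RHEL-21156]. Where a patch fixes only one of the two issues, tag it with that ticket alone and keep the double tag for the shared prerequisite and rename patches, so that the four "Resolves:" lines can be traced back to specific files.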