* Wed Feb 14 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-11

- edk2-SecurityPkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Change-OPTIONAL-keyword-usage-style.patch [RHEL-21154 RHEL-21156]
- edk2-MdePkg-Introduce-CcMeasurementProtocol-for-CC-Guest-.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpm2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpmM.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SEC-PATCH-4118-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SEC-PATCH-4117-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [RHEL-21154 RHEL-21156]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch [RHEL-21840 RHEL-21842]
- Resolves: RHEL-21154
  (CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8])
- Resolves: RHEL-21156
  (CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8])
- Resolves: RHEL-21840
  (CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8])
- Resolves: RHEL-21842
  (CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8])
This commit is contained in:
Jon Maloy 2024-02-14 11:57:41 -05:00
parent d6671b1ccc
commit a0d9f2d87e
18 changed files with 11019 additions and 1 deletions

View File

@ -0,0 +1,390 @@
From b8261ac422ba284249cd4f341d78d058e79960f5 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 7 Feb 2024 11:56:37 -0500
Subject: [PATCH 03/17] MdePkg: Introduce CcMeasurementProtocol for CC Guest
firmware
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [3/13] 6bf304f8e3bc875024c8fb0a4cd5d2c944f69480 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21154
CVE: CVE-2022-36763
Upstream: Merged
commit e193584da60550008722498442c62ddb77bf27d5
Author: Min Xu <min.m.xu@intel.com>
Date: Sat Dec 11 21:08:40 2021 +0800
MdePkg: Introduce CcMeasurementProtocol for CC Guest firmware
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625
CC guest is a Confidential Computing guest. If CC Guest firmware
supports measurement and an event is created, CC Guest firmware
is designed to report the event log with the same data structure
in TCG-Platform-Firmware-Profile specification with
EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format.
The CC Guest firmware supports measurement. It is designed to
produce EFI_CC_MEASUREMENT_PROTOCOL with new GUID
EFI_CC_MEASUREMENT_PROTOCOL_GUID to report event log and provides
hash capability.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ken Lu <ken.lu@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
MdePkg/Include/Protocol/CcMeasurement.h | 302 ++++++++++++++++++++++++
MdePkg/MdePkg.dec | 6 +
2 files changed, 308 insertions(+)
create mode 100644 MdePkg/Include/Protocol/CcMeasurement.h
diff --git a/MdePkg/Include/Protocol/CcMeasurement.h b/MdePkg/Include/Protocol/CcMeasurement.h
new file mode 100644
index 0000000000..68029e977f
--- /dev/null
+++ b/MdePkg/Include/Protocol/CcMeasurement.h
@@ -0,0 +1,302 @@
+/** @file
+ If CC Guest firmware supports measurement and an event is created,
+ CC Guest firmware is designed to report the event log with the same
+ data structure in TCG-Platform-Firmware-Profile specification with
+ EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format.
+
+ The CC Guest firmware supports measurement, the CC Guest Firmware is
+ designed to produce EFI_CC_MEASUREMENT_PROTOCOL with new GUID
+ EFI_CC_MEASUREMENT_PROTOCOL_GUID to report event log and provides hash
+ capability.
+
+Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef CC_MEASUREMENT_PROTOCOL_H_
+#define CC_MEASUREMENT_PROTOCOL_H_
+
+#include <IndustryStandard/UefiTcgPlatform.h>
+
+#define EFI_CC_MEASUREMENT_PROTOCOL_GUID \
+ { 0x96751a3d, 0x72f4, 0x41a6, { 0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b }}
+extern EFI_GUID gEfiCcMeasurementProtocolGuid;
+
+typedef struct _EFI_CC_MEASUREMENT_PROTOCOL EFI_CC_MEASUREMENT_PROTOCOL;
+
+typedef struct {
+ UINT8 Major;
+ UINT8 Minor;
+} EFI_CC_VERSION;
+
+//
+// EFI_CC Type/SubType definition
+//
+#define EFI_CC_TYPE_NONE 0
+#define EFI_CC_TYPE_SEV 1
+#define EFI_CC_TYPE_TDX 2
+
+typedef struct {
+ UINT8 Type;
+ UINT8 SubType;
+} EFI_CC_TYPE;
+
+typedef UINT32 EFI_CC_EVENT_LOG_BITMAP;
+typedef UINT32 EFI_CC_EVENT_LOG_FORMAT;
+typedef UINT32 EFI_CC_EVENT_ALGORITHM_BITMAP;
+typedef UINT32 EFI_CC_MR_INDEX;
+
+//
+// Intel TDX measure register index
+//
+#define TDX_MR_INDEX_MRTD 0
+#define TDX_MR_INDEX_RTMR0 1
+#define TDX_MR_INDEX_RTMR1 2
+#define TDX_MR_INDEX_RTMR2 3
+#define TDX_MR_INDEX_RTMR3 4
+
+#define EFI_CC_EVENT_LOG_FORMAT_TCG_2 0x00000002
+#define EFI_CC_BOOT_HASH_ALG_SHA384 0x00000004
+
+//
+// This bit is shall be set when an event shall be extended but not logged.
+//
+#define EFI_CC_FLAG_EXTEND_ONLY 0x0000000000000001
+//
+// This bit shall be set when the intent is to measure a PE/COFF image.
+//
+#define EFI_CC_FLAG_PE_COFF_IMAGE 0x0000000000000010
+
+#pragma pack (1)
+
+#define EFI_CC_EVENT_HEADER_VERSION 1
+
+typedef struct {
+ //
+ // Size of the event header itself (sizeof(EFI_CC_EVENT_HEADER)).
+ //
+ UINT32 HeaderSize;
+ //
+ // Header version. For this version of this specification, the value shall be 1.
+ //
+ UINT16 HeaderVersion;
+ //
+ // Index of the MR (measurement register) that shall be extended.
+ //
+ EFI_CC_MR_INDEX MrIndex;
+ //
+ // Type of the event that shall be extended (and optionally logged).
+ //
+ UINT32 EventType;
+} EFI_CC_EVENT_HEADER;
+
+typedef struct {
+ //
+ // Total size of the event including the Size component, the header and the Event data.
+ //
+ UINT32 Size;
+ EFI_CC_EVENT_HEADER Header;
+ UINT8 Event[1];
+} EFI_CC_EVENT;
+
+#pragma pack()
+
+typedef struct {
+ //
+ // Allocated size of the structure
+ //
+ UINT8 Size;
+ //
+ // Version of the EFI_CC_BOOT_SERVICE_CAPABILITY structure itself.
+ // For this version of the protocol, the Major version shall be set to 1
+ // and the Minor version shall be set to 0.
+ //
+ EFI_CC_VERSION StructureVersion;
+ //
+ // Version of the EFI CC Measurement protocol.
+ // For this version of the protocol, the Major version shall be set to 1
+ // and the Minor version shall be set to 0.
+ //
+ EFI_CC_VERSION ProtocolVersion;
+ //
+ // Supported hash algorithms
+ //
+ EFI_CC_EVENT_ALGORITHM_BITMAP HashAlgorithmBitmap;
+ //
+ // Bitmap of supported event log formats
+ //
+ EFI_CC_EVENT_LOG_BITMAP SupportedEventLogs;
+
+ //
+ // Indicates the CC type
+ //
+ EFI_CC_TYPE CcType;
+} EFI_CC_BOOT_SERVICE_CAPABILITY;
+
+/**
+ The EFI_CC_MEASUREMENT_PROTOCOL GetCapability function call provides protocol
+ capability information and state information.
+
+ @param[in] This Indicates the calling context
+ @param[in, out] ProtocolCapability The caller allocates memory for a EFI_CC_BOOT_SERVICE_CAPABILITY
+ structure and sets the size field to the size of the structure allocated.
+ The callee fills in the fields with the EFI CC BOOT Service capability
+ information and the current CC information.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+ The ProtocolCapability variable will not be populated.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
+ The ProtocolCapability variable will not be populated.
+ @retval EFI_BUFFER_TOO_SMALL The ProtocolCapability variable is too small to hold the full response.
+ It will be partially populated (required Size field will be set).
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_CC_GET_CAPABILITY)(
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
+ IN OUT EFI_CC_BOOT_SERVICE_CAPABILITY *ProtocolCapability
+ );
+
+/**
+ The EFI_CC_MEASUREMENT_PROTOCOL Get Event Log function call allows a caller to
+ retrieve the address of a given event log and its last entry.
+
+ @param[in] This Indicates the calling context
+ @param[in] EventLogFormat The type of the event log for which the information is requested.
+ @param[out] EventLogLocation A pointer to the memory address of the event log.
+ @param[out] EventLogLastEntry If the Event Log contains more than one entry, this is a pointer to the
+ address of the start of the last entry in the event log in memory.
+ @param[out] EventLogTruncated If the Event Log is missing at least one entry because an event would
+ have exceeded the area allocated for events, this value is set to TRUE.
+ Otherwise, the value will be FALSE and the Event Log will be complete.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect
+ (e.g. asking for an event log whose format is not supported).
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_CC_GET_EVENT_LOG)(
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
+ IN EFI_CC_EVENT_LOG_FORMAT EventLogFormat,
+ OUT EFI_PHYSICAL_ADDRESS *EventLogLocation,
+ OUT EFI_PHYSICAL_ADDRESS *EventLogLastEntry,
+ OUT BOOLEAN *EventLogTruncated
+ );
+
+/**
+ The EFI_CC_MEASUREMENT_PROTOCOL HashLogExtendEvent function call provides
+ callers with an opportunity to extend and optionally log events without requiring
+ knowledge of actual CC commands.
+ The extend operation will occur even if this function cannot create an event
+ log entry (e.g. due to the event log being full).
+
+ @param[in] This Indicates the calling context
+ @param[in] Flags Bitmap providing additional information.
+ @param[in] DataToHash Physical address of the start of the data buffer to be hashed.
+ @param[in] DataToHashLen The length in bytes of the buffer referenced by DataToHash.
+ @param[in] EfiCcEvent Pointer to data buffer containing information about the event.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+ @retval EFI_VOLUME_FULL The extend operation occurred, but the event could not be written to one or more event logs.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
+ @retval EFI_UNSUPPORTED The PE/COFF image type is not supported.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_CC_HASH_LOG_EXTEND_EVENT)(
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
+ IN UINT64 Flags,
+ IN EFI_PHYSICAL_ADDRESS DataToHash,
+ IN UINT64 DataToHashLen,
+ IN EFI_CC_EVENT *EfiCcEvent
+ );
+
+/**
+ The EFI_CC_MEASUREMENT_PROTOCOL MapPcrToMrIndex function call provides callers
+ the info on TPM PCR <-> CC MR mapping information.
+
+ @param[in] This Indicates the calling context
+ @param[in] PcrIndex TPM PCR index.
+ @param[out] MrIndex CC MR index.
+
+ @retval EFI_SUCCESS The MrIndex is returned.
+ @retval EFI_INVALID_PARAMETER The MrIndex is NULL.
+ @retval EFI_UNSUPPORTED The PcrIndex is invalid.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_CC_MAP_PCR_TO_MR_INDEX)(
+ IN EFI_CC_MEASUREMENT_PROTOCOL *This,
+ IN TCG_PCRINDEX PcrIndex,
+ OUT EFI_CC_MR_INDEX *MrIndex
+ );
+
+struct _EFI_CC_MEASUREMENT_PROTOCOL {
+ EFI_CC_GET_CAPABILITY GetCapability;
+ EFI_CC_GET_EVENT_LOG GetEventLog;
+ EFI_CC_HASH_LOG_EXTEND_EVENT HashLogExtendEvent;
+ EFI_CC_MAP_PCR_TO_MR_INDEX MapPcrToMrIndex;
+};
+
+//
+// CC event log
+//
+
+#pragma pack(1)
+
+//
+// Crypto Agile Log Entry Format.
+// It is similar with TCG_PCR_EVENT2 except the field of MrIndex and PCRIndex.
+//
+typedef struct {
+ EFI_CC_MR_INDEX MrIndex;
+ UINT32 EventType;
+ TPML_DIGEST_VALUES Digests;
+ UINT32 EventSize;
+ UINT8 Event[1];
+} CC_EVENT;
+
+//
+// EFI CC Event Header
+// It is similar with TCG_PCR_EVENT2_HDR except the field of MrIndex and PCRIndex
+//
+typedef struct {
+ EFI_CC_MR_INDEX MrIndex;
+ UINT32 EventType;
+ TPML_DIGEST_VALUES Digests;
+ UINT32 EventSize;
+} CC_EVENT_HDR;
+
+#pragma pack()
+
+//
+// Log entries after Get Event Log service
+//
+
+#define EFI_CC_FINAL_EVENTS_TABLE_VERSION 1
+
+typedef struct {
+ //
+ // The version of this structure. It shall be set to 1.
+ //
+ UINT64 Version;
+ //
+ // Number of events recorded after invocation of GetEventLog API
+ //
+ UINT64 NumberOfEvents;
+ //
+ // List of events of type CC_EVENT.
+ //
+ // CC_EVENT Event[1];
+} EFI_CC_FINAL_EVENTS_TABLE;
+
+#define EFI_CC_FINAL_EVENTS_TABLE_GUID \
+ {0xdd4a4648, 0x2de7, 0x4665, {0x96, 0x4d, 0x21, 0xd9, 0xef, 0x5f, 0xb4, 0x46}}
+
+extern EFI_GUID gEfiCcFinalEventsTableGuid;
+
+#endif
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 8b18415b10..6389a48338 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -823,6 +823,9 @@
#
gLinuxEfiInitrdMediaGuid = {0x5568e427, 0x68fc, 0x4f3d, {0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}}
+ ## Include/Protocol/CcMeasurement.h
+ gEfiCcFinalEventsTableGuid = { 0xdd4a4648, 0x2de7, 0x4665, { 0x96, 0x4d, 0x21, 0xd9, 0xef, 0x5f, 0xb4, 0x46 }}
+
[Guids.IA32, Guids.X64]
## Include/Guid/Cper.h
gEfiIa32X64ErrorTypeCacheCheckGuid = { 0xA55701F5, 0xE3EF, 0x43de, { 0xAC, 0x72, 0x24, 0x9B, 0x57, 0x3F, 0xAD, 0x2C }}
@@ -1011,6 +1014,9 @@
## Include/Protocol/PcdInfo.h
gGetPcdInfoProtocolGuid = { 0x5be40f57, 0xfa68, 0x4610, { 0xbb, 0xbf, 0xe9, 0xc5, 0xfc, 0xda, 0xd3, 0x65 } }
+ ## Include/Protocol/CcMeasurement.h
+ gEfiCcMeasurementProtocolGuid = { 0x96751a3d, 0x72f4, 0x41a6, { 0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b }}
+
#
# Protocols defined in PI1.0.
#
--
2.41.0

View File

@ -0,0 +1,169 @@
From aa66757951e9880df4e21e191142400480aa3908 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 8 Feb 2024 10:35:14 -0500
Subject: [PATCH 15/17] NetworkPkg: : Add Unit tests to CI and create Host Test
DSC
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 50: CVE-2023-45230 and CVE-2023-45229
RH-Jira: RHEL-21840 RHEL-21842
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [2/4] 6669306e2dbb5aa3e7691d57f4a61685b7cd57b2 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21842
CVE: CVE-2023-45230
Upstream: Merged
commit 8014ac2d7bbbc503f5562b51af46bb20ae3d22ff
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:44 2024 +0800
NetworkPkg: : Add Unit tests to CI and create Host Test DSC
Adds Host Based testing to the NetworkPkg
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/NetworkPkg.ci.yaml | 7 +-
NetworkPkg/Test/NetworkPkgHostTest.dsc | 98 ++++++++++++++++++++++++++
2 files changed, 104 insertions(+), 1 deletion(-)
create mode 100644 NetworkPkg/Test/NetworkPkgHostTest.dsc
diff --git a/NetworkPkg/NetworkPkg.ci.yaml b/NetworkPkg/NetworkPkg.ci.yaml
index 07dc7abd69..076424eb60 100644
--- a/NetworkPkg/NetworkPkg.ci.yaml
+++ b/NetworkPkg/NetworkPkg.ci.yaml
@@ -24,6 +24,9 @@
"CompilerPlugin": {
"DscPath": "NetworkPkg.dsc"
},
+ "HostUnitTestCompilerPlugin": {
+ "DscPath": "Test/NetworkPkgHostTest.dsc"
+ },
"CharEncodingCheck": {
"IgnoreFiles": []
},
@@ -35,7 +38,9 @@
"CryptoPkg/CryptoPkg.dec"
],
# For host based unit tests
- "AcceptableDependencies-HOST_APPLICATION":[],
+ "AcceptableDependencies-HOST_APPLICATION":[
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ ],
# For UEFI shell based apps
"AcceptableDependencies-UEFI_APPLICATION":[
"ShellPkg/ShellPkg.dec"
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
new file mode 100644
index 0000000000..1aeca5c5b3
--- /dev/null
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -0,0 +1,98 @@
+## @file
+# NetworkPkgHostTest DSC file used to build host-based unit tests.
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+ PLATFORM_NAME = NetworkPkgHostTest
+ PLATFORM_GUID = 3b68324e-fc07-4d49-9520-9347ede65879
+ PLATFORM_VERSION = 0.1
+ DSC_SPECIFICATION = 0x00010005
+ OUTPUT_DIRECTORY = Build/NetworkPkg/HostTest
+ SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64
+ BUILD_TARGETS = NOOPT
+ SKUID_IDENTIFIER = DEFAULT
+
+!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc
+[Packages]
+ MdePkg/MdePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+
+[Components]
+ #
+ # Build HOST_APPLICATION that tests NetworkPkg
+ #
+
+# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
+[LibraryClasses]
+ NetLib|NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
+ DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
+ BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+ HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
+ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
+ PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+ PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
+ UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
+ UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
+ UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf
+ UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
+ UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf
+ UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf
+ UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
+ PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
+ PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
+ DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
+ DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+!ifdef CONTINUOUS_INTEGRATION
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
+!else
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
+ DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
+ FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
+ FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
+ SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+
+!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022
+[LibraryClasses.X64]
+ # Provide StackCookie support lib so that we can link to /GS exports for VS builds
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+!endif
+
+[LibraryClasses.common.UEFI_DRIVER]
+ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
+ ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
+ DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
+[LibraryClasses.common.UEFI_APPLICATION]
+ DebugLib|MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
+ ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+[LibraryClasses.ARM, LibraryClasses.AARCH64]
+ #
+ # It is not possible to prevent ARM compiler calls to generic intrinsic functions.
+ # This library provides the instrinsic functions generated by a given compiler.
+ # [LibraryClasses.ARM] and NULL mean link this library into all ARM images.
+ #
+!if $(TOOL_CHAIN_TAG) != VS2017 and $(TOOL_CHAIN_TAG) != VS2015 and $(TOOL_CHAIN_TAG) != VS2019
+ NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
+!endif
+ NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
+[LibraryClasses.ARM]
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+[LibraryClasses.RISCV64]
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+
+[PcdsFixedAtBuild]
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType|0x4
--
2.41.0

View File

@ -0,0 +1,621 @@
From a115d0a66c3e73c60b74ec6d09e3759da89e919b Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 9 Feb 2024 17:57:07 -0500
Subject: [PATCH 17/17] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229
Patch
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 50: CVE-2023-45230 and CVE-2023-45229
RH-Jira: RHEL-21840 RHEL-21842
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [4/4] 3daf69000f78416ee1f1bad0b6ceb01ed28a84a5 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21840
CVE: CVE-2023-45229
Upstream: Merged
commit 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:46 2024 +0800
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Change Overview:
Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.
>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
> IN UINT16 IaType,
> IN UINT8 *Option,
> IN UINT32 OptionLen,
> OUT UINT8 **IaInnerOpt,
> OUT UINT16 *IaInnerLen
> );
>
Lots of code cleanup to improve code readability.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 ++++++++++++++++++---
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 205 +++++++++++++++++++++-----------
2 files changed, 257 insertions(+), 86 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
index ec0ed5d8f5..e759ab9a62 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
@@ -47,6 +47,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
#define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S')
#define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I')
+#define DHCP6_PACKET_ALL 0
+#define DHCP6_PACKET_STATEFUL 1
+#define DHCP6_PACKET_STATELESS 2
+
+#define DHCP6_BASE_PACKET_SIZE 1024
+
+#define DHCP6_PORT_CLIENT 546
+#define DHCP6_PORT_SERVER 547
+
+#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+
+#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
+#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+
//
// For more information on DHCP options see RFC 8415, Section 21.1
//
@@ -61,12 +75,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
// | (option-len octets) |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
-#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))
-#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16))
+#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode))
+#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
-//
// Combined size of Code and Length
-//
#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \
DHCP6_SIZE_OF_OPT_LEN)
@@ -75,34 +87,122 @@ STATIC_ASSERT (
"Combined size of Code and Length must be 4 per RFC 8415"
);
-//
// Offset to the length is just past the code
-//
-#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)
+#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE)
STATIC_ASSERT (
- DHCP6_OPT_LEN_OFFSET (0) == 2,
+ DHCP6_OFFSET_OF_OPT_LEN (0) == 2,
"Offset of length is + 2 past start of option"
);
-#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
STATIC_ASSERT (
- DHCP6_OPT_DATA_OFFSET (0) == 4,
+ DHCP6_OFFSET_OF_OPT_DATA (0) == 4,
"Offset to option data should be +4 from start of option"
);
+//
+// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association))
+// are defined in RFC 8415 and are a deriviation of a TLV stucture
+// For more information on IA_NA see Section 21.4
+// For more information on IA_TA see Section 21.5
+//
+//
+// The format of IA_NA and IA_TA option:
+//
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_IA_NA | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | IAID (4 octets) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T1 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T2 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | |
+// . IA_NA-options/IA_TA-options .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_SIZE_OF_IAID (sizeof(UINT32))
+#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32))
-#define DHCP6_PACKET_ALL 0
-#define DHCP6_PACKET_STATEFUL 1
-#define DHCP6_PACKET_STATELESS 2
+// Combined size of IAID, T1, and T2
+#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \
+ DHCP6_SIZE_OF_TIME_INTERVAL + \
+ DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12,
+ "Combined size of IAID, T1, T2 must be 12 per RFC 8415"
+ );
-#define DHCP6_BASE_PACKET_SIZE 1024
+// This is the size of IA_TA without options
+#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+ DHCP6_MIN_SIZE_OF_IA_TA == 8,
+ "Minimum combined size of IA_TA per RFC 8415"
+ );
-#define DHCP6_PORT_CLIENT 546
-#define DHCP6_PORT_SERVER 547
+// Offset to a IA_TA inner option
+#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8,
+ "Offset of IA_TA Inner option is + 8 past start of option"
+ );
-#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+// This is the size of IA_NA without options (16)
+#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2
+STATIC_ASSERT (
+ DHCP6_MIN_SIZE_OF_IA_NA == 16,
+ "Minimum combined size of IA_TA per RFC 8415"
+ );
-#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
-#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16,
+ "Offset of IA_NA Inner option is + 16 past start of option"
+ );
+
+#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8,
+ "Offset of IA_NA Inner option is + 8 past start of option"
+ );
+
+#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\
+ DHCP6_SIZE_OF_IAID + \
+ DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12,
+ "Offset of IA_NA Inner option is + 12 past start of option"
+ );
+
+//
+// For more information see RFC 8415 Section 21.13
+//
+// The format of the Status Code Option:
+//
+// 0 1 2 3
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_STATUS_CODE | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | status-code | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+// . .
+// . status-message .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_STATUS_CODE (0) == 4,
+ "Offset of status is + 4 past start of option"
+ );
extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress;
extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate;
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index 2976684aba..d680febbf1 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -611,8 +611,8 @@ Dhcp6UpdateIaInfo (
// The inner options still start with 2 bytes option-code and 2 bytes option-len.
//
if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
- T1 = NTOHL (ReadUnaligned32 ((UINT32 *) (Option + 8)));
- T2 = NTOHL (ReadUnaligned32 ((UINT32 *) (Option + 12)));
+ T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));
+ T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option))));
//
// Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2,
// and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes
@@ -621,13 +621,14 @@ Dhcp6UpdateIaInfo (
if (T1 > T2 && T2 > 0) {
return EFI_DEVICE_ERROR;
}
- IaInnerOpt = Option + 16;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 2))) - 12);
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);
} else {
T1 = 0;
T2 = 0;
- IaInnerOpt = Option + 8;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 2))) - 4);
+
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID);
}
//
@@ -653,7 +654,7 @@ Dhcp6UpdateIaInfo (
Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
if (Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -675,6 +676,87 @@ Dhcp6UpdateIaInfo (
+/**
+ Seeks the Inner Options from a DHCP6 Option
+
+ @param[in] IaType The type of the IA option.
+ @param[in] Option The pointer to the DHCP6 Option.
+ @param[in] OptionLen The length of the DHCP6 Option.
+ @param[out] IaInnerOpt The pointer to the IA inner option.
+ @param[out] IaInnerLen The length of the IA inner option.
+
+ @retval EFI_SUCCESS Seek the inner option successfully.
+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error,
+ the pointers are not modified
+**/
+EFI_STATUS
+Dhcp6SeekInnerOptionSafe (
+ IN UINT16 IaType,
+ IN UINT8 *Option,
+ IN UINT32 OptionLen,
+ OUT UINT8 **IaInnerOpt,
+ OUT UINT16 *IaInnerLen
+ )
+{
+ UINT16 IaInnerLenTmp;
+ UINT8 *IaInnerOptTmp;
+
+ if (Option == NULL) {
+ ASSERT (Option != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaInnerOpt == NULL) {
+ ASSERT (IaInnerOpt != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaInnerLen == NULL) {
+ ASSERT (IaInnerLen != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaType == Dhcp6OptIana) {
+ // Verify we have a fully formed IA_NA
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+
+ // Verify the IaInnerLen is valid.
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;
+ } else if (IaType == Dhcp6OptIata) {
+ // Verify the OptionLen is valid.
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+
+ // Verify the IaInnerLen is valid.
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerLenTmp -= DHCP6_SIZE_OF_IAID;
+ } else {
+ return EFI_DEVICE_ERROR;
+ }
+
+ *IaInnerOpt = IaInnerOptTmp;
+ *IaInnerLen = IaInnerLenTmp;
+
+ return EFI_SUCCESS;
+}
+
/**
Seek StatusCode Option in package. A Status Code option may appear in the
options field of a DHCP message and/or in the options field of another option.
@@ -695,9 +777,15 @@ Dhcp6SeekStsOption (
OUT UINT8 **Option
)
{
- UINT8 *IaInnerOpt;
- UINT16 IaInnerLen;
- UINT16 StsCode;
+ UINT8 *IaInnerOpt;
+ UINT16 IaInnerLen;
+ UINT16 StsCode;
+ UINT32 OptionLen;
+
+ // OptionLen is the length of the Options excluding the DHCP header.
+ // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last
+ // byte of the Option[] field.
+ OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);
//
// Seek StatusCode option directly in DHCP message body. That is, search in
@@ -705,12 +793,12 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ OptionLen,
Dhcp6OptStatusCode
);
if (*Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -721,7 +809,7 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekIaOption (
Packet->Dhcp6.Option,
- Packet->Length - sizeof (EFI_DHCP6_HEADER),
+ OptionLen,
&Instance->Config->IaDescriptor
);
if (*Option == NULL) {
@@ -729,52 +817,35 @@ Dhcp6SeekStsOption (
}
//
- // The format of the IA_NA option is:
+ // Calculate the distance from Packet->Dhcp6.Option to the IA option.
//
- // 0 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | OPTION_IA_NA | option-len |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | IAID (4 octets) |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | T1 |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | T2 |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | |
- // . IA_NA-options .
- // . .
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is
+ // the size of the whole packet, including the DHCP header, and Packet->Length
+ // is the length of the DHCP message body, excluding the DHCP header.
//
- // The format of the IA_TA option is:
+ // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of
+ // DHCP6 option area to the start of the IA option.
//
- // 0 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | OPTION_IA_TA | option-len |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | IAID (4 octets) |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | |
- // . IA_TA-options .
- // . .
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the
+ // IA option to the end of the DHCP6 option area, thus subtract the space
+ // up until this option
//
+ OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
//
- // sizeof (option-code + option-len + IaId) = 8
- // sizeof (option-code + option-len + IaId + T1) = 12
- // sizeof (option-code + option-len + IaId + T1 + T2) = 16
+ // Seek the inner option
//
- // The inner options still start with 2 bytes option-code and 2 bytes option-len.
- //
- if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
- IaInnerOpt = *Option + 16;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 2))) - 12);
- } else {
- IaInnerOpt = *Option + 8;
- IaInnerLen = (UINT16) (NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 2))) - 4);
+ if (EFI_ERROR (
+ Dhcp6SeekInnerOptionSafe (
+ Instance->Config->IaDescriptor.Type,
+ *Option,
+ OptionLen,
+ &IaInnerOpt,
+ &IaInnerLen
+ )
+ ))
+ {
+ return EFI_DEVICE_ERROR;
}
//
@@ -798,7 +869,7 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
if (*Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (*Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (*Option)))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -1123,7 +1194,7 @@ Dhcp6SendRequestMsg (
//
Option = Dhcp6SeekOption (
Instance->AdSelect->Dhcp6.Option,
- Instance->AdSelect->Length - 4,
+ Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1309,7 +1380,7 @@ Dhcp6SendDeclineMsg (
//
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1469,7 +1540,7 @@ Dhcp6SendReleaseMsg (
//
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1695,7 +1766,7 @@ Dhcp6SendRenewRebindMsg (
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -2235,7 +2306,7 @@ Dhcp6HandleReplyMsg (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptRapidCommit
);
@@ -2383,7 +2454,7 @@ Dhcp6HandleReplyMsg (
//
// Any error status code option is found.
//
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) (Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option)))));
switch (StsCode) {
case Dhcp6StsUnspecFail:
//
@@ -2514,7 +2585,7 @@ Dhcp6SelectAdvertiseMsg (
//
Option = Dhcp6SeekOption(
AdSelect->Dhcp6.Option,
- AdSelect->Length - 4,
+ AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerUnicast
);
@@ -2526,7 +2597,7 @@ Dhcp6SelectAdvertiseMsg (
return EFI_OUT_OF_RESOURCES;
}
- CopyMem (Instance->Unicast, Option + 4, sizeof(EFI_IPv6_ADDRESS));
+ CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS));
}
//
@@ -2580,7 +2651,7 @@ Dhcp6HandleAdvertiseMsg (
//
Option = Dhcp6SeekOption(
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptRapidCommit
);
@@ -2676,7 +2747,7 @@ Dhcp6HandleAdvertiseMsg (
CopyMem (Instance->AdSelect, Packet, Packet->Size);
if (Option != NULL) {
- Instance->AdPref = *(Option + 4);
+ Instance->AdPref = *(DHCP6_OFFSET_OF_OPT_DATA (Option));
}
} else {
//
@@ -2747,11 +2818,11 @@ Dhcp6HandleStateful (
//
Option = Dhcp6SeekOption(
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
Dhcp6OptClientId
);
- if (Option == NULL || CompareMem (Option + 4, ClientId->Duid, ClientId->Length) != 0) {
+ if ((Option == NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) != 0)) {
goto ON_CONTINUE;
}
@@ -2760,7 +2831,7 @@ Dhcp6HandleStateful (
//
Option = Dhcp6SeekOption(
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
Dhcp6OptServerId
);
@@ -2865,7 +2936,7 @@ Dhcp6HandleStateless (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
--
2.41.0

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,629 @@
From f5274b449181cb37efce0f08ed5d75a6bf6e54a8 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 8 Feb 2024 10:35:14 -0500
Subject: [PATCH 16/17] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230
Unit Tests
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 50: CVE-2023-45230 and CVE-2023-45229
RH-Jira: RHEL-21840 RHEL-21842
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [3/4] 43b8569c0586c7dbf66b19c5db335d0ce05829de (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21842
CVE: CVE-2023-45230
Upstream: Merged
commit 5f3658197bf29c83b3349b0ab1d99cdb0c3814bc
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:45 2024 +0800
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Confirms that reported issue...
"Buffer overflow in the DHCPv6 client via a long Server ID option"
..has been corrected by the provided patch.
Tests the following functions to ensure they appropriately handle
untrusted data (either too long or too small) to prevent a buffer
overflow:
Dhcp6AppendOption
Dhcp6AppendETOption
Dhcp6AppendIaOption
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../GoogleTest/Dhcp6DxeGoogleTest.cpp | 20 +
.../GoogleTest/Dhcp6DxeGoogleTest.inf | 43 ++
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 ++++++++++++++++++
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
4 files changed, 542 insertions(+)
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
new file mode 100644
index 0000000000..9aeced2f91
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
@@ -0,0 +1,20 @@
+/** @file
+ Acts as the main entry point for the tests for the Dhcp6Dxe module.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+////////////////////////////////////////////////////////////////////////////////
+// Run the tests
+////////////////////////////////////////////////////////////////////////////////
+int
+main (
+ int argc,
+ char *argv[]
+ )
+{
+ testing::InitGoogleTest (&argc, argv);
+ return RUN_ALL_TESTS ();
+}
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
new file mode 100644
index 0000000000..8e9119a371
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
@@ -0,0 +1,43 @@
+## @file
+# Unit test suite for the Dhcp6Dxe using Google Test
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+[Defines]
+ INF_VERSION = 0x00010017
+ BASE_NAME = Dhcp6DxeGoogleTest
+ FILE_GUID = 1D2A4C65-38C8-4C2F-BB60-B5FA49625AA9
+ VERSION_STRING = 1.0
+ MODULE_TYPE = HOST_APPLICATION
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+[Sources]
+ Dhcp6DxeGoogleTest.cpp
+ Dhcp6IoGoogleTest.cpp
+ ../Dhcp6Io.c
+ ../Dhcp6Utility.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ NetworkPkg/NetworkPkg.dec
+
+[LibraryClasses]
+ GoogleTestLib
+ DebugLib
+ NetLib
+ PcdLib
+
+[Protocols]
+ gEfiDhcp6ServiceBindingProtocolGuid
+
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
+
+[Guids]
+ gZeroGuid
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
new file mode 100644
index 0000000000..7ee40e4af4
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
@@ -0,0 +1,478 @@
+/** @file
+ Tests for Dhcp6Io.c.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+extern "C" {
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include "../Dhcp6Impl.h"
+ #include "../Dhcp6Utility.h"
+}
+
+////////////////////////////////////////////////////////////////////////
+// Defines
+////////////////////////////////////////////////////////////////////////
+
+#define DHCP6_PACKET_MAX_LEN 1500
+
+////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////
+// Symbol Definitions
+// These functions are not directly under test - but required to compile
+////////////////////////////////////////////////////////////////////////
+
+// This definition is used by this test but is also required to compile
+// by Dhcp6Io.c
+EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress = {
+ { 0xFF, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 2 }
+};
+
+EFI_STATUS
+EFIAPI
+UdpIoSendDatagram (
+ IN UDP_IO *UdpIo,
+ IN NET_BUF *Packet,
+ IN UDP_END_POINT *EndPoint OPTIONAL,
+ IN EFI_IP_ADDRESS *Gateway OPTIONAL,
+ IN UDP_IO_CALLBACK CallBack,
+ IN VOID *Context
+ )
+{
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+EFIAPI
+UdpIoRecvDatagram (
+ IN UDP_IO *UdpIo,
+ IN UDP_IO_CALLBACK CallBack,
+ IN VOID *Context,
+ IN UINT32 HeadLen
+ )
+{
+ return EFI_SUCCESS;
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendOptionTest Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that is too small by a duid that is too large
+TEST_F (Dhcp6AppendOptionTest, InvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_DHCP6_DUID *UntrustedDuid;
+ EFI_STATUS Status;
+
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
+
+ UntrustedDuid->Length = NTOHS (0xFFFF);
+
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6AppendOptionTest::Packet,
+ &Cursor,
+ HTONS (Dhcp6OptServerId),
+ UntrustedDuid->Length,
+ UntrustedDuid->Duid
+ );
+
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that is large enough
+TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_DHCP6_DUID *UntrustedDuid;
+ EFI_STATUS Status;
+ UINTN OriginalLength;
+
+ UINT8 Duid[6] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
+
+ UntrustedDuid->Length = NTOHS (sizeof (Duid));
+ CopyMem (UntrustedDuid->Duid, Duid, sizeof (Duid));
+
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6AppendOptionTest::Packet,
+ &Cursor,
+ HTONS (Dhcp6OptServerId),
+ UntrustedDuid->Length,
+ UntrustedDuid->Duid
+ );
+
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendOptionTest::Packet->Dhcp6.Option + sizeof (Duid) + 4);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendOptionTest::Packet->Length, OriginalLength + sizeof (Duid) + 4);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendETOption Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendETOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that is too small by a duid that is too large
+TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ DHCP6_INSTANCE Instance;
+ UINT16 ElapsedTimeVal;
+ UINT16 *ElapsedTime;
+
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
+ ElapsedTime = &ElapsedTimeVal;
+
+ Packet->Length = Packet->Size - 2;
+
+ Status = Dhcp6AppendETOption (
+ Dhcp6AppendETOptionTest::Packet,
+ &Cursor,
+ &Instance, // Instance is not used in this function
+ &ElapsedTime
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that is large enough
+TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ DHCP6_INSTANCE Instance;
+ UINT16 ElapsedTimeVal;
+ UINT16 *ElapsedTime;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
+ ElapsedTime = &ElapsedTimeVal;
+ ExpectedSize = 6;
+ OriginalLength = Packet->Length;
+
+ Status = Dhcp6AppendETOption (
+ Dhcp6AppendETOptionTest::Packet,
+ &Cursor,
+ &Instance, // Instance is not used in this function
+ &ElapsedTime
+ );
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendETOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendETOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendIaOption Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendIaOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+ EFI_DHCP6_IA *Ia;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+
+ Ia = (EFI_DHCP6_IA *)AllocateZeroPool (sizeof (EFI_DHCP6_IA) + sizeof (EFI_DHCP6_IA_ADDRESS) * 2);
+ ASSERT_NE (Ia, (EFI_DHCP6_IA *)NULL);
+
+ CopyMem (Ia->IaAddress, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
+ CopyMem (Ia->IaAddress + 1, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
+
+ Ia->IaAddressCount = 2;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+
+ if (Ia != NULL) {
+ FreePool (Ia);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that doesn't have enough space
+// for the option header
+TEST_F (Dhcp6AppendIaOptionTest, IaNaInvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+
+ Packet->Length = Packet->Size - 2;
+
+ Ia->Descriptor.Type = Dhcp6OptIana;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0x12345678,
+ 0x11111111,
+ Dhcp6OptIana
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that doesn't have enough space
+// for the option header
+TEST_F (Dhcp6AppendIaOptionTest, IaTaInvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+
+ // Use up nearly all the space in the packet
+ Packet->Length = Packet->Size - 2;
+
+ Ia->Descriptor.Type = Dhcp6OptIata;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0,
+ 0,
+ Dhcp6OptIata
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+TEST_F (Dhcp6AppendIaOptionTest, IaNaValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ //
+ // 2 bytes for the option header type
+ //
+ ExpectedSize = 2;
+ //
+ // 2 bytes for the option header length
+ //
+ ExpectedSize += 2;
+ //
+ // 4 bytes for the IAID
+ //
+ ExpectedSize += 4;
+ //
+ // + 4 bytes for the T1
+ //
+ ExpectedSize += 4;
+ //
+ // + 4 bytes for the T2
+ //
+ ExpectedSize += 4;
+ //
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+ // + 2 bytes for the option header type
+ // + 2 bytes for the option header length
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
+ //
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ Ia->Descriptor.Type = Dhcp6OptIana;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0x12345678,
+ 0x12345678,
+ Dhcp6OptIana
+ );
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
+
+TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ //
+ // 2 bytes for the option header type
+ //
+ ExpectedSize = 2;
+ //
+ // 2 bytes for the option header length
+ //
+ ExpectedSize += 2;
+ //
+ // 4 bytes for the IAID
+ //
+ ExpectedSize += 4;
+ //
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+ // + 2 bytes for the option header type
+ // + 2 bytes for the option header length
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
+ //
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ Ia->Descriptor.Type = Dhcp6OptIata;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0,
+ 0,
+ Dhcp6OptIata
+ );
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index 1aeca5c5b3..20bc90b172 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -24,6 +24,7 @@
#
# Build HOST_APPLICATION that tests NetworkPkg
#
+ NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
--
2.41.0

View File

@ -0,0 +1,68 @@
From 2794a967f43f2bbdfcd2cb5197ac8cad4b13c3de Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 17 Jan 2024 12:20:52 -0500
Subject: [PATCH 08/17] SecurityPkg: Adding CVE 2022-36763 to
SecurityFixes.yaml
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [8/13] 74117caf760e403566f6511332b2c0f41483f28c (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21154
Upstream: Merged
CVE: CVE-2022-36763
commit 1ddcb9fc6b4164e882687b031e8beacfcf7df29e
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:03 2024 +0800
SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
SecurityPkg/SecurityFixes.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 SecurityPkg/SecurityFixes.yaml
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
new file mode 100644
index 0000000000..f9e3e7be74
--- /dev/null
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -0,0 +1,22 @@
+## @file
+# Security Fixes for SecurityPkg
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+CVE_2022_36763:
+ commit_titles:
+ - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
+ - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
+ - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
+ cve: CVE-2022-36763
+ date_reported: 2022-10-25 11:31 UTC
+ description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
+ note: This patch is related to and supersedes TCBZ2168
+ files_impacted:
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
--
2.41.0

View File

@ -0,0 +1,403 @@
From e2ccaef3baa2eb045019558c325bb94cabf65e1a Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 7 Feb 2024 11:56:37 -0500
Subject: [PATCH 02/17] SecurityPkg: Change OPTIONAL keyword usage style
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [2/13] 6a2141d871e3efc3aeea1994ab9c325614ddce57 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21154
CVE: CVE-2022-36763
Upstream: Merged
commit 948f4003ee399241a40dc147a738f05ad2e37375
Author: Michael D Kinney <michael.d.kinney@intel.com>
Date: Thu Dec 2 18:00:56 2021 -0800
SecurityPkg: Change OPTIONAL keyword usage style
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760
Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params.
Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
SecurityPkg/Include/Library/Tcg2PpVendorLib.h | 2 +-
SecurityPkg/Include/Library/Tpm2CommandLib.h | 14 +++++++-------
SecurityPkg/Library/AuthVariableLib/AuthService.c | 6 +++---
.../DxeImageAuthenticationStatusLib.c | 2 +-
.../DxeImageVerificationLib.c | 2 +-
.../DxeRsa2048Sha256GuidedSectionExtractLib.c | 2 +-
.../DxeTcg2PhysicalPresenceLib.c | 4 ++--
.../DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 2 +-
.../DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 2 +-
.../PeiRsa2048Sha256GuidedSectionExtractLib.c | 2 +-
.../Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c | 2 +-
.../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 2 +-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c | 2 +-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c | 2 +-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 2 +-
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 6 +++---
.../RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 2 +-
.../RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 2 +-
.../RandomNumberGenerator/RngDxe/RngDxeInternals.h | 2 +-
SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c | 2 +-
20 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/SecurityPkg/Include/Library/Tcg2PpVendorLib.h b/SecurityPkg/Include/Library/Tcg2PpVendorLib.h
index 569eba6874..914517f034 100644
--- a/SecurityPkg/Include/Library/Tcg2PpVendorLib.h
+++ b/SecurityPkg/Include/Library/Tcg2PpVendorLib.h
@@ -40,7 +40,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
UINT32
EFIAPI
Tcg2PpVendorLibExecutePendingRequest (
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
IN UINT32 OperationRequest,
IN OUT UINT32 *ManagementFlags,
OUT BOOLEAN *ResetRequired
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Include/Library/Tpm2CommandLib.h
index ee8eb62295..ad3b982d48 100644
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
@@ -186,7 +186,7 @@ EFI_STATUS
EFIAPI
Tpm2ClearControl (
IN TPMI_RH_CLEAR AuthHandle,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPMI_YES_NO Disable
);
@@ -340,7 +340,7 @@ EFI_STATUS
EFIAPI
Tpm2NvDefineSpace (
IN TPMI_RH_PROVISION AuthHandle,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPM2B_AUTH *Auth,
IN TPM2B_NV_PUBLIC *NvPublic
);
@@ -383,7 +383,7 @@ EFIAPI
Tpm2NvRead (
IN TPMI_RH_NV_AUTH AuthHandle,
IN TPMI_RH_NV_INDEX NvIndex,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN UINT16 Size,
IN UINT16 Offset,
IN OUT TPM2B_MAX_BUFFER *OutData
@@ -407,7 +407,7 @@ EFIAPI
Tpm2NvWrite (
IN TPMI_RH_NV_AUTH AuthHandle,
IN TPMI_RH_NV_INDEX NvIndex,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPM2B_MAX_BUFFER *InData,
IN UINT16 Offset
);
@@ -566,7 +566,7 @@ Tpm2PcrAllocate (
EFI_STATUS
EFIAPI
Tpm2PcrAllocateBanks (
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
IN UINT32 SupportedPCRBanks,
IN UINT32 PCRBanks
);
@@ -908,7 +908,7 @@ EFIAPI
Tpm2PolicySecret (
IN TPMI_DH_ENTITY AuthHandle,
IN TPMI_SH_POLICY PolicySession,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPM2B_NONCE *NonceTPM,
IN TPM2B_DIGEST *CpHashA,
IN TPM2B_NONCE *PolicyRef,
@@ -1004,7 +1004,7 @@ Tpm2ReadPublic (
UINT32
EFIAPI
CopyAuthSessionCommand (
- IN TPMS_AUTH_COMMAND *AuthSessionIn, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSessionIn OPTIONAL,
OUT UINT8 *AuthSessionOut
);
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index aa9ebaf3be..3059e5d256 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -1183,9 +1183,9 @@ FindCertsFromDb (
IN EFI_GUID *VendorGuid,
IN UINT8 *Data,
IN UINTN DataSize,
- OUT UINT32 *CertOffset, OPTIONAL
- OUT UINT32 *CertDataSize, OPTIONAL
- OUT UINT32 *CertNodeOffset,OPTIONAL
+ OUT UINT32 *CertOffset OPTIONAL,
+ OUT UINT32 *CertDataSize OPTIONAL,
+ OUT UINT32 *CertNodeOffset OPTIONAL,
OUT UINT32 *CertNodeSize OPTIONAL
)
{
diff --git a/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
index ec77151c9c..9acff2ae7d 100644
--- a/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
+++ b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
@@ -32,7 +32,7 @@ EFI_STATUS
EFIAPI
DxeImageAuthenticationStatusHandler (
IN UINT32 AuthenticationStatus,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
IN VOID *FileBuffer,
IN UINTN FileSize,
IN BOOLEAN BootPolicy
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 1252927664..0a12692454 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1636,7 +1636,7 @@ EFI_STATUS
EFIAPI
DxeImageVerificationHandler (
IN UINT32 AuthenticationStatus,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
IN VOID *FileBuffer,
IN UINTN FileSize,
IN BOOLEAN BootPolicy
diff --git a/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c b/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
index 28807d4d98..5124b884c9 100644
--- a/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
+++ b/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
@@ -123,7 +123,7 @@ EFIAPI
Rsa2048Sha256GuidedSectionHandler (
IN CONST VOID *InputSection,
OUT VOID **OutputBuffer,
- IN VOID *ScratchBuffer, OPTIONAL
+ IN VOID *ScratchBuffer OPTIONAL,
OUT UINT32 *AuthenticationStatus
)
{
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index fce5c0af50..d92658f80d 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -147,7 +147,7 @@ Tpm2CommandChangeEps (
**/
UINT32
Tcg2ExecutePhysicalPresence (
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
IN UINT32 CommandCode,
IN UINT32 CommandParameter,
IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *PpiFlags
@@ -720,7 +720,7 @@ Tcg2HaveValidTpmRequest (
**/
VOID
Tcg2ExecutePendingTpmRequest (
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
IN OUT EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData,
IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *Flags
)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index a531385f81..95682ac567 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -416,7 +416,7 @@ EFI_STATUS
EFIAPI
DxeTpm2MeasureBootHandler (
IN UINT32 AuthenticationStatus,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
IN VOID *FileBuffer,
IN UINTN FileSize,
IN BOOLEAN BootPolicy
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 4e74cd9db6..27c0ea48ca 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -710,7 +710,7 @@ EFI_STATUS
EFIAPI
DxeTpmMeasureBootHandler (
IN UINT32 AuthenticationStatus,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
IN VOID *FileBuffer,
IN UINTN FileSize,
IN BOOLEAN BootPolicy
diff --git a/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c b/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
index a759183d20..96638e26aa 100644
--- a/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
+++ b/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
@@ -121,7 +121,7 @@ EFIAPI
Rsa2048Sha256GuidedSectionHandler (
IN CONST VOID *InputSection,
OUT VOID **OutputBuffer,
- IN VOID *ScratchBuffer, OPTIONAL
+ IN VOID *ScratchBuffer OPTIONAL,
OUT UINT32 *AuthenticationStatus
)
{
diff --git a/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c b/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c
index 895d05a28d..aa3dcb6beb 100644
--- a/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c
+++ b/SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c
@@ -30,7 +30,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
UINT32
EFIAPI
Tcg2PpVendorLibExecutePendingRequest (
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
IN UINT32 OperationRequest,
IN OUT UINT32 *ManagementFlags,
OUT BOOLEAN *ResetRequired
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 0404c0f321..53983d745b 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -90,7 +90,7 @@ EFIAPI
Tpm2PolicySecret (
IN TPMI_DH_ENTITY AuthHandle,
IN TPMI_SH_POLICY PolicySession,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPM2B_NONCE *NonceTPM,
IN TPM2B_DIGEST *CpHashA,
IN TPM2B_NONCE *PolicyRef,
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
index 13eeb6ec18..44115cded3 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
@@ -84,7 +84,7 @@ GetHashMaskFromAlgo (
UINT32
EFIAPI
CopyAuthSessionCommand (
- IN TPMS_AUTH_COMMAND *AuthSessionIn, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSessionIn OPTIONAL,
OUT UINT8 *AuthSessionOut
)
{
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c
index 043d358a06..957d694431 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Hierarchy.c
@@ -305,7 +305,7 @@ EFI_STATUS
EFIAPI
Tpm2ClearControl (
IN TPMI_RH_CLEAR AuthHandle,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPMI_YES_NO Disable
)
{
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
index 8c87de0b0c..d232fe725d 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
@@ -566,7 +566,7 @@ Done:
EFI_STATUS
EFIAPI
Tpm2PcrAllocateBanks (
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL
+ IN TPM2B_AUTH *PlatformAuth OPTIONAL,
IN UINT32 SupportedPCRBanks,
IN UINT32 PCRBanks
)
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index fb46af0fed..d9171fb9a0 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -281,7 +281,7 @@ EFI_STATUS
EFIAPI
Tpm2NvDefineSpace (
IN TPMI_RH_PROVISION AuthHandle,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPM2B_AUTH *Auth,
IN TPM2B_NV_PUBLIC *NvPublic
)
@@ -525,7 +525,7 @@ EFIAPI
Tpm2NvRead (
IN TPMI_RH_NV_AUTH AuthHandle,
IN TPMI_RH_NV_INDEX NvIndex,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN UINT16 Size,
IN UINT16 Offset,
IN OUT TPM2B_MAX_BUFFER *OutData
@@ -670,7 +670,7 @@ EFIAPI
Tpm2NvWrite (
IN TPMI_RH_NV_AUTH AuthHandle,
IN TPMI_RH_NV_INDEX NvIndex,
- IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL
+ IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,
IN TPM2B_MAX_BUFFER *InData,
IN UINT16 Offset
)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index 282fdca9d3..1cdc842966 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -53,7 +53,7 @@ EFI_STATUS
EFIAPI
RngGetRNG (
IN EFI_RNG_PROTOCOL *This,
- IN EFI_RNG_ALGORITHM *RNGAlgorithm, OPTIONAL
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
IN UINTN RNGValueLength,
OUT UINT8 *RNGValue
)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index d0e6b7de06..834123b945 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -49,7 +49,7 @@ EFI_STATUS
EFIAPI
RngGetRNG (
IN EFI_RNG_PROTOCOL *This,
- IN EFI_RNG_ALGORITHM *RNGAlgorithm, OPTIONAL
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
IN UINTN RNGValueLength,
OUT UINT8 *RNGValue
)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
index 2660ed5875..25cccbe92c 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
@@ -67,7 +67,7 @@ EFI_STATUS
EFIAPI
RngGetRNG (
IN EFI_RNG_PROTOCOL *This,
- IN EFI_RNG_ALGORITHM *RNGAlgorithm, OPTIONAL
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
IN UINTN RNGValueLength,
OUT UINT8 *RNGValue
);
diff --git a/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c b/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c
index 68cd62307c..09cb4b0ee9 100644
--- a/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c
+++ b/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c
@@ -56,7 +56,7 @@ HII_VENDOR_DEVICE_PATH mTcgHiiVendorDevicePath = {
EFI_STATUS
GetTpmState (
IN EFI_TCG_PROTOCOL *TcgProtocol,
- OUT BOOLEAN *TpmEnable, OPTIONAL
+ OUT BOOLEAN *TpmEnable OPTIONAL,
OUT BOOLEAN *TpmActivate OPTIONAL
)
{
--
2.41.0

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,272 @@
From 7b5040e857f1a16bed935f7944bda8bc6f6999ac Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 11/17] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH
4117/4118 symbol rename
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [11/13] 45fc2658aaa726b57219789bb1af64f5c4e2cfdc (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged
commit 40adbb7f628dee79156c679fb0857968b61b7620
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:20 2024 -0800
SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
Updates the sanitation function names to be lib unique names
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <7b18434c8a8b561654efd40ced3becb8b378c8f1.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpm2MeasureBootLib.c | 8 +++---
.../DxeTpm2MeasureBootLibSanitization.c | 8 +++---
.../DxeTpm2MeasureBootLibSanitization.h | 8 +++---
.../DxeTpm2MeasureBootLibSanitizationTest.c | 26 +++++++++----------
4 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index f06926e631..8f8bef1d0b 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -197,7 +197,7 @@ Tcg2MeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ if (EFI_ERROR (Status) || EFI_ERROR (Tpm2SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -206,7 +206,7 @@ Tcg2MeasureGptTable (
//
// Read the partition entry.
//
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
return EFI_BAD_BUFFER_SIZE;
@@ -245,7 +245,7 @@ Tcg2MeasureGptTable (
//
// Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
//
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
@@ -414,7 +414,7 @@ Tcg2MeasurePeImage (
}
FilePathSize = (UINT32)GetDevicePathSize (FilePath);
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
index 2a4d52c6d5..809a3bfd89 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
@@ -63,7 +63,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+Tpm2SanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
)
@@ -169,7 +169,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+Tpm2SanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
)
@@ -221,7 +221,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+Tpm2SanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -292,7 +292,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+Tpm2SanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
index 8f72ba4240..8526bc7537 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
@@ -54,7 +54,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+Tpm2SanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
);
@@ -78,7 +78,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+Tpm2SanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
);
@@ -107,7 +107,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+Tpm2SanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -131,7 +131,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+Tpm2SanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
);
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
index 820e99aeb9..50a68e1076 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
@@ -84,27 +84,27 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
// Test that a normal PrimaryHeader passes validation
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
PrimaryHeader.NumberOfPartitionEntries = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header Size!"
PrimaryHeader.Header.HeaderSize = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
PrimaryHeader.SizeOfPartitionEntry = 1;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -137,7 +137,7 @@ TestSanitizePrimaryHeaderAllocationSize (
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that the allocation size is correct compared to the existing logic
@@ -146,19 +146,19 @@ TestSanitizePrimaryHeaderAllocationSize (
// Test that an overflow is detected
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = 5;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the inverse
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the worst case scenario
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -196,7 +196,7 @@ TestSanitizePrimaryHeaderGptEventSize (
NumberOfPartition = 13;
// that the primary event size is correct
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Calculate the existing logic event size
@@ -207,12 +207,12 @@ TestSanitizePrimaryHeaderGptEventSize (
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
// Tests that the primary event size may not overflow
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test that the size of partition entries may not overflow
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -245,7 +245,7 @@ TestSanitizePeImageEventSize (
FilePathSize = 255;
// Test that a normal PE image passes validation
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
// Test that the event size is correct compared to the existing logic
@@ -258,7 +258,7 @@ TestSanitizePeImageEventSize (
}
// Test that the event size may not overflow
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
--
2.41.0

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,286 @@
From 7c3fefb0c857acb9e7e14b150c4c3131e78fbb63 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 7 Feb 2024 15:43:10 -0500
Subject: [PATCH 09/17] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118
- CVE 2022-36764
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [9/13] c7890fc5c5d7fef2fc1daa931ea2d48f3a76b9e3 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged
commit c7b27944218130cca3bbb20314ba5b88b5de4aa4
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:04 2024 +0800
SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36764.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpm2MeasureBootLib.c | 15 +++--
.../DxeTpm2MeasureBootLibSanitization.c | 46 +++++++++++++-
.../DxeTpm2MeasureBootLibSanitization.h | 28 ++++++++-
.../DxeTpm2MeasureBootLibSanitizationTest.c | 60 ++++++++++++++++---
4 files changed, 133 insertions(+), 16 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index 476c8d543f..f06926e631 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -372,7 +372,6 @@ Exit:
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
@retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.
@retval other error value
-
**/
EFI_STATUS
EFIAPI
@@ -399,6 +398,7 @@ Tcg2MeasurePeImage (
Status = EFI_UNSUPPORTED;
ImageLoad = NULL;
EventPtr = NULL;
+ Tcg2Event = NULL;
Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
CcProtocol = MeasureBootProtocols->CcProtocol;
@@ -413,19 +413,24 @@ Tcg2MeasurePeImage (
return EFI_UNSUPPORTED;
}
- FilePathSize = (UINT32) GetDevicePathSize (FilePath);
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
//
// Determine destination PCR by BootPolicy
//
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
- EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
+ // from a malicious GPT disk partition
+ EventPtr = AllocateZeroPool (EventSize);
if (EventPtr == NULL) {
return EFI_OUT_OF_RESOURCES;
}
Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
- Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
+ Tcg2Event->Size = EventSize;
+ Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) Tcg2Event->Event;
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
index e2309655d3..2a4d52c6d5 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
}
/**
- This function will validate that the allocation size from the primary header is sane
+ This function will validate that the allocation size from the primary header is sane
It will check the following:
- AllocationSize does not overflow
@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
return EFI_SUCCESS;
}
+
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+
+ // Replacing logic:
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ // Replacing logic:
+ // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
+ Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
index 048b738987..8f72ba4240 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
@@ -9,6 +9,9 @@
Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
partition data carefully.
+ Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
+ data structure within this image buffer before use.
+
Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
OUT UINT32 *EventSize
);
-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ );
+
+#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
index 3eb9763e3c..820e99aeb9 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
PrimaryHeader.MyLBA = 1;
- PrimaryHeader.AlternateLBA = 2;
- PrimaryHeader.FirstUsableLBA = 3;
- PrimaryHeader.LastUsableLBA = 4;
- PrimaryHeader.PartitionEntryLBA = 5;
+ PrimaryHeader.PartitionEntryLBA = 2;
+ PrimaryHeader.AlternateLBA = 3;
+ PrimaryHeader.FirstUsableLBA = 4;
+ PrimaryHeader.LastUsableLBA = 5;
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
EFI_STATUS Status;
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
UINTN NumberOfPartition;
- EFI_GPT_DATA *GptData;
- EFI_TCG2_EVENT *Tcg2Event;
-
- Tcg2Event = NULL;
- GptData = NULL;
// Test that a normal PrimaryHeader passes validation
PrimaryHeader.NumberOfPartitionEntries = 5;
@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
return UNIT_TEST_PASSED;
}
+/**
+ This function tests the SanitizePeImageEventSize function.
+ It's intent is to test that the untrusted input from a file path when generating a
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
+ the event size when allocating space
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePeImageEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINTN ExistingLogicEventSize;
+ UINT32 FilePathSize;
+ EFI_STATUS Status;
+
+ FilePathSize = 255;
+
+ // Test that a normal PE image passes validation
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
+
+ // Test that the event size is correct compared to the existing logic
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
+ ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
+
+ if (EventSize != ExistingLogicEventSize) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
+ return UNIT_TEST_ERROR_TEST_FAILED;
+ }
+
+ // Test that the event size may not overflow
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
// *--------------------------------------------------------------------*
// * Unit Test Code Main Function
// *--------------------------------------------------------------------*
@@ -267,6 +308,7 @@ UefiTestMain (
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
Status = RunAllTestSuites (Framework);
--
2.41.0

View File

@ -0,0 +1,279 @@
From ac25c501c8d97c7520a7c75ae708fb4c43bae035 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 12/17] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH
4117/4118 symbol rename
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [12/13] 6ef41050fb68f984a5ae6104ccc102afb5290f9f (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged
commit 326db0c9072004dea89427ea3a44393a84966f2b
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:21 2024 -0800
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
Updates the sanitation function names to be lib unique names
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <355aa846a99ca6ac0f7574cf5982661da0d9fea6.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasureBootLib.c | 8 +++---
.../DxeTpmMeasureBootLibSanitization.c | 10 +++----
.../DxeTpmMeasureBootLibSanitization.h | 8 +++---
.../DxeTpmMeasureBootLibSanitizationTest.c | 26 +++++++++----------
4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 1598015176..c39018d7e4 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -171,7 +171,7 @@ TcgMeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ if (EFI_ERROR (Status) || EFI_ERROR (TpmSanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -179,7 +179,7 @@ TcgMeasureGptTable (
//
// Read the partition entry.
//
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -218,7 +218,7 @@ TcgMeasureGptTable (
//
// Prepare Data for Measurement
//
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
FreePool (PrimaryHeader);
@@ -344,7 +344,7 @@ TcgMeasurePeImage (
// Determine destination PCR by BootPolicy
//
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
index bcf8c6de6f..7f17af56cd 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -1,5 +1,5 @@
/** @file
- The library instance provides security service of TPM2 measure boot and
+ The library instance provides security service of TPM measure boot and
Confidential Computing (CC) measure boot.
Caution: This file requires additional review when modified.
@@ -63,7 +63,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+TpmSanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
)
@@ -145,7 +145,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+TpmSanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
)
@@ -194,7 +194,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+TpmSanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -258,7 +258,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+TpmSanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
index 2248495813..db6e9c3752 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -53,7 +53,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+TpmSanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
);
@@ -77,7 +77,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+TpmSanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
);
@@ -105,7 +105,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+TpmSanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -129,7 +129,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+TpmSanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
);
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
index c41498be45..de1740af41 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -83,27 +83,27 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
// Test that a normal PrimaryHeader passes validation
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
PrimaryHeader.NumberOfPartitionEntries = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header Size!"
PrimaryHeader.Header.HeaderSize = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
PrimaryHeader.SizeOfPartitionEntry = 1;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -136,7 +136,7 @@ TestSanitizePrimaryHeaderAllocationSize (
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that the allocation size is correct compared to the existing logic
@@ -145,19 +145,19 @@ TestSanitizePrimaryHeaderAllocationSize (
// Test that an overflow is detected
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = 5;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the inverse
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the worst case scenario
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -195,7 +195,7 @@ TestSanitizePrimaryHeaderGptEventSize (
NumberOfPartition = 13;
// that the primary event size is correct
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Calculate the existing logic event size
@@ -206,12 +206,12 @@ TestSanitizePrimaryHeaderGptEventSize (
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
// Tests that the primary event size may not overflow
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test that the size of partition entries may not overflow
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -269,7 +269,7 @@ TestSanitizePeImageEventSize (
FilePathSize = 255;
// Test that a normal PE image passes validation
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
goto Exit;
@@ -285,7 +285,7 @@ TestSanitizePeImageEventSize (
}
// Test that the event size may not overflow
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ Status = TpmSanitizePeImageEventSize (MAX_UINT32, &EventSize);
if (Status != EFI_BAD_BUFFER_SIZE) {
UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
goto Exit;
--
2.41.0

View File

@ -0,0 +1,960 @@
From cb36d95002013ae8d4e5120383cd756a2a6c4124 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 17 Jan 2024 12:20:52 -0500
Subject: [PATCH 07/17] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117
- CVE 2022-36763
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [7/13] f5a5d2b0a33dc1efdb83e501eda2716df0e904a0 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21154
CVE: CVE-2022-36763
Upstream: Merged
Conflicts: We get function definiton clash for the following three functions:
- SanitizeEfiPartitionTableHeader()
- SanitizePrimaryHeaderAllocationSize()
- SanitizePrimaryHeaderGptEventSize()
Those are are defined both in
- SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitazion.c
and
- SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitazion.c
Closer investigation reveals that they are identical in functionality (although
not in comment style).
I chose to leave them as is now, meaning that this package will be
unbuildable until I add a commit renaming these symbols later in
this series.
commit 4776a1b39ee08fc45c70c1eab5a0195f325000d3
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:02 2024 +0800
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763
This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36763.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasureBootLib.c | 74 +++--
.../DxeTpmMeasureBootLib.inf | 4 +-
.../DxeTpmMeasureBootLibSanitization.c | 242 ++++++++++++++
.../DxeTpmMeasureBootLibSanitization.h | 114 +++++++
.../DxeTpmMeasureBootLibSanitizationTest.c | 301 ++++++++++++++++++
...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++
SecurityPkg/SecurityPkg.ci.yaml | 1 +
SecurityPkg/Test/SecurityPkgHostTest.dsc | 1 +
8 files changed, 734 insertions(+), 31 deletions(-)
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 27c0ea48ca..d44422dee8 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -18,6 +18,8 @@
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiDxe.h>
@@ -40,6 +42,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/SecurityManagementLib.h>
#include <Library/HobLib.h>
+#include "DxeTpmMeasureBootLibSanitization.h"
+
//
// Flag to check GPT partition. It only need be measured once.
//
@@ -123,19 +127,22 @@ TcgMeasureGptTable (
IN EFI_HANDLE GptHandle
)
{
- EFI_STATUS Status;
- EFI_BLOCK_IO_PROTOCOL *BlockIo;
- EFI_DISK_IO_PROTOCOL *DiskIo;
- EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
- EFI_PARTITION_ENTRY *PartitionEntry;
- UINT8 *EntryPtr;
- UINTN NumberOfPartition;
- UINT32 Index;
- TCG_PCR_EVENT *TcgEvent;
- EFI_GPT_DATA *GptData;
- UINT32 EventSize;
- UINT32 EventNumber;
- EFI_PHYSICAL_ADDRESS EventLogLastEntry;
+ EFI_STATUS Status;
+ EFI_BLOCK_IO_PROTOCOL *BlockIo;
+ EFI_DISK_IO_PROTOCOL *DiskIo;
+ EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
+ EFI_PARTITION_ENTRY *PartitionEntry;
+ UINT8 *EntryPtr;
+ UINTN NumberOfPartition;
+ UINT32 Index;
+ TCG_PCR_EVENT *TcgEvent;
+ EFI_GPT_DATA *GptData;
+ UINT32 EventSize;
+ UINT32 EventNumber;
+ EFI_PHYSICAL_ADDRESS EventLogLastEntry;
+ UINT32 AllocSize;
+
+ GptData = NULL;
if (mMeasureGptCount > 0) {
return EFI_SUCCESS;
@@ -163,15 +170,21 @@ TcgMeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
+ if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
}
//
// Read the partition entry.
//
- EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
+ Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ if (EFI_ERROR (Status)) {
+ FreePool (PrimaryHeader);
+ return EFI_DEVICE_ERROR;
+ }
+
+ EntryPtr = (UINT8 *)AllocatePool (AllocSize);
if (EntryPtr == NULL) {
FreePool (PrimaryHeader);
return EFI_OUT_OF_RESOURCES;
@@ -179,8 +192,8 @@ TcgMeasureGptTable (
Status = DiskIo->ReadDisk (
DiskIo,
BlockIo->Media->MediaId,
- MultU64x32(PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
- PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
+ MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
+ AllocSize,
EntryPtr
);
if (EFI_ERROR (Status)) {
@@ -204,19 +217,18 @@ TcgMeasureGptTable (
//
// Prepare Data for Measurement
//
- EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
- + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
- TcgEvent = (TCG_PCR_EVENT *) AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT_HDR));
+ Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
+ TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
return EFI_OUT_OF_RESOURCES;
}
- TcgEvent->PCRIndex = 5;
- TcgEvent->EventType = EV_EFI_GPT_EVENT;
- TcgEvent->EventSize = EventSize;
- GptData = (EFI_GPT_DATA *) TcgEvent->Event;
+ TcgEvent->PCRIndex = 5;
+ TcgEvent->EventType = EV_EFI_GPT_EVENT;
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
+ GptData = (EFI_GPT_DATA *)TcgEvent->Event;
//
// Copy the EFI_PARTITION_TABLE_HEADER and NumberOfPartition
@@ -354,11 +366,13 @@ TcgMeasurePeImage (
TcgEvent->PCRIndex = 2;
break;
default:
- DEBUG ((
- DEBUG_ERROR,
- "TcgMeasurePeImage: Unknown subsystem type %d",
- ImageType
- ));
+ DEBUG (
+ (
+ DEBUG_ERROR,
+ "TcgMeasurePeImage: Unknown subsystem type %d",
+ ImageType
+ )
+ );
goto Finish;
}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
index ebab6f7c1e..414c654d15 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
@@ -32,6 +32,8 @@
[Sources]
DxeTpmMeasureBootLib.c
+ DxeTpmMeasureBootLibSanitization.c
+ DxeTpmMeasureBootLibSanitization.h
[Packages]
MdePkg/MdePkg.dec
@@ -41,6 +43,7 @@
[LibraryClasses]
BaseMemoryLib
+ SafeIntLib
DebugLib
MemoryAllocationLib
DevicePathLib
@@ -59,4 +62,3 @@
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
-
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
new file mode 100644
index 0000000000..37cd3ed0ea
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -0,0 +1,242 @@
+/** @file
+ The library instance provides security service of TPM2 measure boot and
+ Confidential Computing (CC) measure boot.
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image and GPT partition.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ This file will pull out the validation logic from the following functions, in an
+ attempt to validate the untrusted input in the form of unit tests
+
+ These are those functions:
+
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Library/SafeIntLib.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+
+#include "DxeTpmMeasureBootLibSanitization.h"
+
+#define GPT_HEADER_REVISION_V1 0x00010000
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ )
+{
+ // Verify that the input parameters are safe to use
+ if (PrimaryHeader == NULL) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((BlockIo == NULL) || (BlockIo->Media == NULL)) {
+ DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII)
+ if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // The version must be GPT_HEADER_REVISION_V1 (0x00010000)
+ if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size
+ if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // check that the PartitionEntryLBA greater than the Max LBA
+ // This will be used later for multiplication
+ if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // Check that the number of partition entries is greater than zero
+ if (PrimaryHeader->NumberOfPartitionEntries == 0) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory
+ if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) {
+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // This check is to prevent overflow when calculating the allocation size for the partition entries
+ // This check will be used later for multiplication
+ if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ )
+{
+ EFI_STATUS Status;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (AllocationSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Replacing logic:
+ // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry;
+ Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including the
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+ UINT32 SafeNumberOfPartitions;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (EventSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32
+ Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Replacing logic:
+ // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry + sizeof (TCG_PCR_EVENT_HDR));
+ Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ Status = SafeUint32Add (
+ sizeof (TCG_PCR_EVENT_HDR) +
+ OFFSET_OF (EFI_GPT_DATA, Partitions),
+ *EventSize,
+ EventSize
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
+
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
new file mode 100644
index 0000000000..0d9d00c281
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -0,0 +1,114 @@
+/** @file
+ This file includes the function prototypes for the sanitization functions.
+
+ These are those functions:
+
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
+ data structure within this image buffer before use.
+
+ TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+#define DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Protocol/BlockIo.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ );
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ );
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including the
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ );
+
+#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
new file mode 100644
index 0000000000..eeb928cdb0
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -0,0 +1,301 @@
+/** @file
+This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UnitTestLib.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+
+#include "../DxeTpmMeasureBootLibSanitization.h"
+
+#define UNIT_TEST_NAME "DxeTpmMeasureBootLibSanitizationTest"
+#define UNIT_TEST_VERSION "1.0"
+
+#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION 0x00010000
+#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES 1
+#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY 128
+
+/**
+ This function tests the SanitizeEfiPartitionTableHeader function.
+ It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER
+ structure will not cause undefined or unexpected behavior.
+
+ In general the TPM should still be able to measure the data, but
+ be the header should be sanitized to prevent any unexpected behavior.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizeEfiPartitionTableHeader (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ EFI_BLOCK_IO_PROTOCOL BlockIo;
+ EFI_BLOCK_IO_MEDIA BlockMedia;
+
+ // Generate EFI_BLOCK_IO_MEDIA test data
+ BlockMedia.MediaId = 1;
+ BlockMedia.RemovableMedia = FALSE;
+ BlockMedia.MediaPresent = TRUE;
+ BlockMedia.LogicalPartition = FALSE;
+ BlockMedia.ReadOnly = FALSE;
+ BlockMedia.WriteCaching = FALSE;
+ BlockMedia.BlockSize = 512;
+ BlockMedia.IoAlign = 1;
+ BlockMedia.LastBlock = 0;
+
+ // Generate EFI_BLOCK_IO_PROTOCOL test data
+ BlockIo.Revision = 1;
+ BlockIo.Media = &BlockMedia;
+ BlockIo.Reset = NULL;
+ BlockIo.ReadBlocks = NULL;
+ BlockIo.WriteBlocks = NULL;
+ BlockIo.FlushBlocks = NULL;
+
+ // Geneate EFI_PARTITION_TABLE_HEADER test data
+ PrimaryHeader.Header.Signature = EFI_PTAB_HEADER_ID;
+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+ PrimaryHeader.MyLBA = 1;
+ PrimaryHeader.AlternateLBA = 2;
+ PrimaryHeader.FirstUsableLBA = 3;
+ PrimaryHeader.LastUsableLBA = 4;
+ PrimaryHeader.PartitionEntryLBA = 5;
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+
+ // Calculate the CRC32 of the PrimaryHeader
+ PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
+
+ // Test that a normal PrimaryHeader passes validation
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
+ PrimaryHeader.NumberOfPartitionEntries = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header Size!"
+ PrimaryHeader.Header.HeaderSize = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+
+ // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
+ // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
+ PrimaryHeader.SizeOfPartitionEntry = 1;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderAllocationSize function.
+ It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER
+ structure will not cause an overflow when calculating the allocation size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderAllocationSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 AllocationSize;
+
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that the allocation size is correct compared to the existing logic
+ UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Test that an overflow is detected
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = 5;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the inverse
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the worst case scenario
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderGptEventSize function.
+ It's intent is to test that the untrusted input from a EFI_GPT_DATA structure
+ will not cause an overflow when calculating the event size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderGptEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINT32 ExistingLogicEventSize;
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ UINTN NumberOfPartition;
+ EFI_GPT_DATA *GptData;
+
+ GptData = NULL;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // set the number of partitions
+ NumberOfPartition = 13;
+
+ // that the primary event size is correct
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Calculate the existing logic event size
+ ExistingLogicEventSize = (UINT32)(sizeof (TCG_PCR_EVENT_HDR) + OFFSET_OF (EFI_GPT_DATA, Partitions)
+ + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Check that the event size is correct
+ UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
+
+ // Tests that the primary event size may not overflow
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test that the size of partition entries may not overflow
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+// *--------------------------------------------------------------------*
+// * Unit Test Code Main Function
+// *--------------------------------------------------------------------*
+
+/**
+ This function acts as the entry point for the unit tests.
+
+ @param argc - The number of command line arguments
+ @param argv - The command line arguments
+
+ @return int - The status of the test
+**/
+EFI_STATUS
+EFIAPI
+UefiTestMain (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UNIT_TEST_FRAMEWORK_HANDLE Framework;
+ UNIT_TEST_SUITE_HANDLE TcgMeasureBootLibValidationTestSuite;
+
+ Framework = NULL;
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME));
+
+ Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status));
+ goto EXIT;
+ }
+
+ Status = CreateUnitTestSuite (&TcgMeasureBootLibValidationTestSuite, Framework, "TcgMeasureBootLibValidationTestSuite", "Common.TcgMeasureBootLibValidation", NULL, NULL);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for TcgMeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME));
+ Status = EFI_OUT_OF_RESOURCES;
+ goto EXIT;
+ }
+
+ // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+
+ Status = RunAllTestSuites (Framework);
+
+EXIT:
+ if (Framework != NULL) {
+ FreeUnitTestFramework (Framework);
+ }
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME));
+ return Status;
+}
+
+///
+/// Avoid ECC error for function name that starts with lower case letter
+///
+#define DxeTpmMeasureBootLibUnitTestMain main
+
+/**
+ Standard POSIX C entry point for host based unit test execution.
+
+ @param[in] Argc Number of arguments
+ @param[in] Argv Array of pointers to arguments
+
+ @retval 0 Success
+ @retval other Error
+**/
+INT32
+DxeTpmMeasureBootLibUnitTestMain (
+ IN INT32 Argc,
+ IN CHAR8 *Argv[]
+ )
+{
+ return (INT32)UefiTestMain ();
+}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
new file mode 100644
index 0000000000..47b0811b00
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
@@ -0,0 +1,28 @@
+## @file
+# This file builds the unit tests for DxeTpmMeasureBootLib
+#
+# Copyright (C) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 0x00010006
+ BASE_NAME = DxeTpmMeasuredBootLibTest
+ FILE_GUID = eb01bc38-309c-4d3e-967e-9f078c90772f
+ MODULE_TYPE = HOST_APPLICATION
+ VERSION_STRING = 1.0
+ ENTRY_POINT = main
+
+[Sources]
+ DxeTpmMeasureBootLibSanitizationTest.c
+ ../DxeTpmMeasureBootLibSanitization.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+ UnitTestLib
+ PrintLib
+ SafeIntLib
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
index aa8496d6d9..26865cb15a 100644
--- a/SecurityPkg/SecurityPkg.ci.yaml
+++ b/SecurityPkg/SecurityPkg.ci.yaml
@@ -17,6 +17,7 @@
"ExceptionList": [
"8005", "gRT",
"8001", "DxeTpm2MeasureBootLibUnitTestMain",
+ "8001", "DxeTpmMeasureBootLibUnitTestMain"
],
## Both file path and directory path are accepted.
"IgnoreFiles": [
diff --git a/SecurityPkg/Test/SecurityPkgHostTest.dsc b/SecurityPkg/Test/SecurityPkgHostTest.dsc
index 788c1ab6fe..1655e573ea 100644
--- a/SecurityPkg/Test/SecurityPkgHostTest.dsc
+++ b/SecurityPkg/Test/SecurityPkgHostTest.dsc
@@ -27,6 +27,7 @@
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
SecurityPkg/Test/Mock/Library/GoogleTest/MockPlatformPKProtectionLib/MockPlatformPKProtectionLib.inf
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
+ SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
#
# Build SecurityPkg HOST_APPLICATION Tests
--
2.41.0

View File

@ -0,0 +1,307 @@
From f6f72373630d901f331df719a0fb55e8f1143c4f Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 7 Feb 2024 15:43:10 -0500
Subject: [PATCH 10/17] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118
- CVE 2022-36764
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [10/13] 5ed702e16f390c79d1abb0ec0b04d886e0094c0b (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged
Conflicts: We get function definiton clash for the following three functions:
- SanitizePeImageEventSize()
This is defined both in
- SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitazion.c
and
- SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitazion.c
Closer investigation reveals that they are identical in functionality (although
not in comment style).
I chose to leave them as is now, meaning that this package will be
unbuildable until I add a commit renaming these symbols later in
this series.
commit 0d341c01eeabe0ab5e76693b36e728b8f538a40e
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:05 2024 +0800
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36764.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasureBootLib.c | 17 ++--
.../DxeTpmMeasureBootLibSanitization.c | 44 +++++++++
.../DxeTpmMeasureBootLibSanitization.h | 23 +++++
.../DxeTpmMeasureBootLibSanitizationTest.c | 98 +++++++++++++++++--
4 files changed, 170 insertions(+), 12 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index d44422dee8..1598015176 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -17,6 +17,7 @@
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
+Copyright (c) Microsoft Corporation.<BR>
Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -338,19 +339,23 @@ TcgMeasurePeImage (
ImageLoad = NULL;
SectionHeader = NULL;
Sha1Ctx = NULL;
- FilePathSize = (UINT32) GetDevicePathSize (FilePath);
+ TcgEvent = NULL;
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);
- //
// Determine destination PCR by BootPolicy
//
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
- TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ TcgEvent = AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- TcgEvent->EventSize = EventSize;
- ImageLoad = (EFI_IMAGE_LOAD_EVENT *) TcgEvent->Event;
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
+ ImageLoad = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
switch (ImageType) {
case EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION:
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
index 37cd3ed0ea..bcf8c6de6f 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -240,3 +240,47 @@ SanitizePrimaryHeaderGptEventSize (
return EFI_SUCCESS;
}
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+
+ // Replacing logic:
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ // Replacing logic:
+ // EventSize + sizeof (TCG_PCR_EVENT_HDR)
+ Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
+
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
index 0d9d00c281..2248495813 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
OUT UINT32 *EventSize
);
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ );
+
#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
index eeb928cdb0..c41498be45 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -1,8 +1,8 @@
/** @file
-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+ This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
-Copyright (c) Microsoft Corporation.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi.h>
@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
EFI_STATUS Status;
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
UINTN NumberOfPartition;
- EFI_GPT_DATA *GptData;
-
- GptData = NULL;
// Test that a normal PrimaryHeader passes validation
PrimaryHeader.NumberOfPartitionEntries = 5;
@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
return UNIT_TEST_PASSED;
}
+/**
+ This function tests the SanitizePeImageEventSize function.
+ It's intent is to test that the untrusted input from a file path for an
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
+ the event size when allocating space.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePeImageEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINTN ExistingLogicEventSize;
+ UINT32 FilePathSize;
+ EFI_STATUS Status;
+ EFI_DEVICE_PATH_PROTOCOL DevicePath;
+ EFI_IMAGE_LOAD_EVENT *ImageLoadEvent;
+ UNIT_TEST_STATUS TestStatus;
+
+ TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
+
+ // Generate EFI_DEVICE_PATH_PROTOCOL test data
+ DevicePath.Type = 0;
+ DevicePath.SubType = 0;
+ DevicePath.Length[0] = 0;
+ DevicePath.Length[1] = 0;
+
+ // Generate EFI_IMAGE_LOAD_EVENT test data
+ ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
+ if (ImageLoadEvent == NULL) {
+ DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
+ goto Exit;
+ }
+
+ // Populate EFI_IMAGE_LOAD_EVENT54 test data
+ ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
+ ImageLoadEvent->ImageLengthInMemory = 0x1000;
+ ImageLoadEvent->ImageLinkTimeAddress = (UINTN)ImageLoadEvent;
+ ImageLoadEvent->LengthOfDevicePath = sizeof (EFI_DEVICE_PATH_PROTOCOL);
+ CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
+
+ FilePathSize = 255;
+
+ // Test that a normal PE image passes validation
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
+ goto Exit;
+ }
+
+ // Test that the event size is correct compared to the existing logic
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
+ ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
+
+ if (EventSize != ExistingLogicEventSize) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
+ goto Exit;
+ }
+
+ // Test that the event size may not overflow
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ if (Status != EFI_BAD_BUFFER_SIZE) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
+ goto Exit;
+ }
+
+ TestStatus = UNIT_TEST_PASSED;
+Exit:
+
+ if (ImageLoadEvent != NULL) {
+ FreePool (ImageLoadEvent);
+ }
+
+ if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
+ DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+ }
+
+ return TestStatus;
+}
+
// *--------------------------------------------------------------------*
// * Unit Test Code Main Function
// *--------------------------------------------------------------------*
@@ -265,6 +350,7 @@ UefiTestMain (
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
Status = RunAllTestSuites (Framework);
--
2.41.0

View File

@ -0,0 +1,584 @@
From e138f66708415704ad1133938c0dce5243795656 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 04/17] SecurityPkg: Support CcMeasurementProtocol in
DxeTpm2MeasureBootLib
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [4/13] 8038fb605dbdaccfd40cb9d9d56db559ee9df639 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21154
CVE: CVE-2022-36763
Upstream: Merged
Conflicts: Only cosmetic, due to the uncrustify changes made
in the newer version.
commit a124cd4ef92a349a6c823ea6701fcfd3a17db255
Author: Min Xu <min.m.xu@intel.com>
Date: Sat Dec 11 21:08:41 2021 +0800
SecurityPkg: Support CcMeasurementProtocol in DxeTpm2MeasureBootLib
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625
DxeTpm2MeasureBootLib supports TPM2 based measure boot. After
CcMeasurementProtocol is introduced, CC based measure boot needs to
be supported in DxeTpm2MeasureBootLib as well.
There are 2 major changes in this commit.
1. A platform should have only one RTS/RTR. Only one of (virtual)TPM1.2,
(virtual)TPM2.0 and CC MR exists. Then only one TCG_SERVICE_PROTOCOL,
TCG2_PROTOCOL, CC_MEASUREMENT_PROTOCOL is exposed. In this library when
do measure boot only one of TCG2_PROTOCOL / CC_MEASUREMENT_PROTOCOL
will be called. MEASURE_BOOT_PROTOCOLS is defined to store the instances
of TCG2 protocol and CC Measurement protocol.
2. CcEvent is similar to Tcg2Event except the MrIndex and PcrIndex.
So in the code Tcg2Event will be first created and intialized. If
CcMeasurementProtocol is called to do the measure boot, then CcEvent
points to Tcg2Event and the MrIndex is adjusted.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpm2MeasureBootLib.c | 347 ++++++++++++++----
.../DxeTpm2MeasureBootLib.inf | 3 +-
2 files changed, 271 insertions(+), 79 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index 95682ac567..7abacdbc0a 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -1,5 +1,6 @@
/** @file
- The library instance provides security service of TPM2 measure boot.
+ The library instance provides security service of TPM2 measure boot and
+ Confidential Computing (CC) measure boot.
Caution: This file requires additional review when modified.
This library will have external input - PE/COFF image and GPT partition.
@@ -41,6 +42,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/PeCoffLib.h>
#include <Library/SecurityManagementLib.h>
#include <Library/HobLib.h>
+#include <Protocol/CcMeasurement.h>
+
+typedef struct {
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
+} MEASURE_BOOT_PROTOCOLS;
//
// Flag to check GPT partition. It only need be measured once.
@@ -109,7 +116,7 @@ DxeTpm2MeasureBootLibImageRead (
Caution: This function may receive untrusted input.
The GPT partition table is external input, so this function should parse partition data carefully.
- @param Tcg2Protocol Pointer to the located TCG2 protocol instance.
+ @param MeasureBootProtocols Pointer to the located MeasureBoot protocol instances (i.e. TCG2/CC protocol).
@param GptHandle Handle that GPT partition was installed.
@retval EFI_SUCCESS Successfully measure GPT table.
@@ -121,26 +128,48 @@ DxeTpm2MeasureBootLibImageRead (
EFI_STATUS
EFIAPI
Tcg2MeasureGptTable (
- IN EFI_TCG2_PROTOCOL *Tcg2Protocol,
- IN EFI_HANDLE GptHandle
+ IN MEASURE_BOOT_PROTOCOLS *MeasureBootProtocols,
+ IN EFI_HANDLE GptHandle
)
{
- EFI_STATUS Status;
- EFI_BLOCK_IO_PROTOCOL *BlockIo;
- EFI_DISK_IO_PROTOCOL *DiskIo;
- EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
- EFI_PARTITION_ENTRY *PartitionEntry;
- UINT8 *EntryPtr;
- UINTN NumberOfPartition;
- UINT32 Index;
- EFI_TCG2_EVENT *Tcg2Event;
- EFI_GPT_DATA *GptData;
- UINT32 EventSize;
+ EFI_STATUS Status;
+ EFI_BLOCK_IO_PROTOCOL *BlockIo;
+ EFI_DISK_IO_PROTOCOL *DiskIo;
+ EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
+ EFI_PARTITION_ENTRY *PartitionEntry;
+ UINT8 *EntryPtr;
+ UINTN NumberOfPartition;
+ UINT32 Index;
+ UINT8 *EventPtr;
+ EFI_TCG2_EVENT *Tcg2Event;
+ EFI_CC_EVENT *CcEvent;
+ EFI_GPT_DATA *GptData;
+ UINT32 EventSize;
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
+ EFI_CC_MR_INDEX MrIndex;
if (mTcg2MeasureGptCount > 0) {
return EFI_SUCCESS;
}
+ PrimaryHeader = NULL;
+ EntryPtr = NULL;
+ EventPtr = NULL;
+
+ Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
+ CcProtocol = MeasureBootProtocols->CcProtocol;
+
+ if ((Tcg2Protocol == NULL) && (CcProtocol == NULL)) {
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (sizeof (EFI_CC_EVENT) != sizeof (EFI_TCG2_EVENT)) {
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+ }
+
Status = gBS->HandleProtocol (GptHandle, &gEfiBlockIoProtocolGuid, (VOID**)&BlockIo);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
@@ -168,6 +197,16 @@ Tcg2MeasureGptTable (
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
}
+
+ //
+ // PrimaryHeader->SizeOfPartitionEntry should not be zero
+ //
+ if (PrimaryHeader->SizeOfPartitionEntry == 0) {
+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry should not be zero!\n"));
+ FreePool (PrimaryHeader);
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
//
// Read the partition entry.
//
@@ -202,11 +241,17 @@ Tcg2MeasureGptTable (
}
//
- // Prepare Data for Measurement
+ // Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
//
EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
+ NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
- Tcg2Event = (EFI_TCG2_EVENT *) AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
+ EventPtr = (UINT8 *)AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
+ if (EventPtr == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto Exit;
+ }
+
+ Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
if (Tcg2Event == NULL) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
@@ -243,22 +288,66 @@ Tcg2MeasureGptTable (
}
//
- // Measure the GPT data
+ // Only one of TCG2_PROTOCOL or CC_MEASUREMENT_PROTOCOL is exposed.
+ // So Measure the GPT data with one of the protocol.
//
- Status = Tcg2Protocol->HashLogExtendEvent (
- Tcg2Protocol,
- 0,
- (EFI_PHYSICAL_ADDRESS) (UINTN) (VOID *) GptData,
- (UINT64) EventSize,
- Tcg2Event
- );
- if (!EFI_ERROR (Status)) {
- mTcg2MeasureGptCount++;
+ if (CcProtocol != NULL) {
+ //
+ // EFI_CC_EVENT share the same data structure with EFI_TCG2_EVENT
+ // except the MrIndex and PCRIndex in Header.
+ // Tcg2Event has been created and initialized before. So only the MrIndex need
+ // be adjusted.
+ //
+ Status = CcProtocol->MapPcrToMrIndex (CcProtocol, Tcg2Event->Header.PCRIndex, &MrIndex);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot map PcrIndex(%d) to MrIndex\n", Tcg2Event->Header.PCRIndex));
+ goto Exit;
+ }
+
+ CcEvent = (EFI_CC_EVENT *)EventPtr;
+ CcEvent->Header.MrIndex = MrIndex;
+ Status = CcProtocol->HashLogExtendEvent (
+ CcProtocol,
+ 0,
+ (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
+ (UINT64)EventSize,
+ CcEvent
+ );
+ if (!EFI_ERROR (Status)) {
+ mTcg2MeasureGptCount++;
+ }
+
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Cc MeasureGptTable - %r\n", Status));
+ } else if (Tcg2Protocol != NULL) {
+ //
+ // If Tcg2Protocol is installed, then Measure GPT data with this protocol.
+ //
+ Status = Tcg2Protocol->HashLogExtendEvent (
+ Tcg2Protocol,
+ 0,
+ (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
+ (UINT64)EventSize,
+ Tcg2Event
+ );
+ if (!EFI_ERROR (Status)) {
+ mTcg2MeasureGptCount++;
+ }
+
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2 MeasureGptTable - %r\n", Status));
}
- FreePool (PrimaryHeader);
- FreePool (EntryPtr);
- FreePool (Tcg2Event);
+Exit:
+ if (PrimaryHeader != NULL) {
+ FreePool (PrimaryHeader);
+ }
+
+ if (EntryPtr != NULL) {
+ FreePool (EntryPtr);
+ }
+
+ if (EventPtr != NULL) {
+ FreePool (EventPtr);
+ }
return Status;
}
@@ -271,12 +360,12 @@ Tcg2MeasureGptTable (
PE/COFF image is external input, so this function will validate its data structure
within this image buffer before use.
- @param[in] Tcg2Protocol Pointer to the located TCG2 protocol instance.
- @param[in] ImageAddress Start address of image buffer.
- @param[in] ImageSize Image size
- @param[in] LinkTimeBase Address that the image is loaded into memory.
- @param[in] ImageType Image subsystem type.
- @param[in] FilePath File path is corresponding to the input image.
+ @param[in] MeasureBootProtocols Pointer to the located MeasureBoot protocol instances.
+ @param[in] ImageAddress Start address of image buffer.
+ @param[in] ImageSize Image size
+ @param[in] LinkTimeBase Address that the image is loaded into memory.
+ @param[in] ImageType Image subsystem type.
+ @param[in] FilePath File path is corresponding to the input image.
@retval EFI_SUCCESS Successfully measure image.
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
@@ -287,7 +376,7 @@ Tcg2MeasureGptTable (
EFI_STATUS
EFIAPI
Tcg2MeasurePeImage (
- IN EFI_TCG2_PROTOCOL *Tcg2Protocol,
+ IN MEASURE_BOOT_PROTOCOLS *MeasureBootProtocols,
IN EFI_PHYSICAL_ADDRESS ImageAddress,
IN UINTN ImageSize,
IN UINTN LinkTimeBase,
@@ -295,26 +384,46 @@ Tcg2MeasurePeImage (
IN EFI_DEVICE_PATH_PROTOCOL *FilePath
)
{
- EFI_STATUS Status;
- EFI_TCG2_EVENT *Tcg2Event;
- EFI_IMAGE_LOAD_EVENT *ImageLoad;
- UINT32 FilePathSize;
- UINT32 EventSize;
+ EFI_STATUS Status;
+ EFI_TCG2_EVENT *Tcg2Event;
+ EFI_IMAGE_LOAD_EVENT *ImageLoad;
+ UINT32 FilePathSize;
+ UINT32 EventSize;
+ EFI_CC_EVENT *CcEvent;
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
+ UINT8 *EventPtr;
+ EFI_CC_MR_INDEX MrIndex;
+
+ Status = EFI_UNSUPPORTED;
+ ImageLoad = NULL;
+ EventPtr = NULL;
+
+ Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
+ CcProtocol = MeasureBootProtocols->CcProtocol;
+
+ if ((Tcg2Protocol == NULL) && (CcProtocol == NULL)) {
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (sizeof (EFI_CC_EVENT) != sizeof (EFI_TCG2_EVENT)) {
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+ }
- Status = EFI_UNSUPPORTED;
- ImageLoad = NULL;
FilePathSize = (UINT32) GetDevicePathSize (FilePath);
//
// Determine destination PCR by BootPolicy
//
EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
- Tcg2Event = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
- if (Tcg2Event == NULL) {
+ EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
+ if (EventPtr == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);
+ Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) Tcg2Event->Event;
@@ -352,13 +461,35 @@ Tcg2MeasurePeImage (
//
// Log the PE data
//
- Status = Tcg2Protocol->HashLogExtendEvent (
- Tcg2Protocol,
- PE_COFF_IMAGE,
- ImageAddress,
- ImageSize,
- Tcg2Event
- );
+ if (CcProtocol != NULL) {
+ Status = CcProtocol->MapPcrToMrIndex (CcProtocol, Tcg2Event->Header.PCRIndex, &MrIndex);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot map PcrIndex(%d) to MrIndex\n", Tcg2Event->Header.PCRIndex));
+ goto Finish;
+ }
+
+ CcEvent = (EFI_CC_EVENT *)EventPtr;
+ CcEvent->Header.MrIndex = MrIndex;
+
+ Status = CcProtocol->HashLogExtendEvent (
+ CcProtocol,
+ PE_COFF_IMAGE,
+ ImageAddress,
+ ImageSize,
+ CcEvent
+ );
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Cc MeasurePeImage - %r\n", Status));
+ } else if (Tcg2Protocol != NULL) {
+ Status = Tcg2Protocol->HashLogExtendEvent (
+ Tcg2Protocol,
+ PE_COFF_IMAGE,
+ ImageAddress,
+ ImageSize,
+ Tcg2Event
+ );
+ DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2 MeasurePeImage - %r\n", Status));
+ }
+
if (Status == EFI_VOLUME_FULL) {
//
// Volume full here means the image is hashed and its result is extended to PCR.
@@ -369,11 +500,77 @@ Tcg2MeasurePeImage (
}
Finish:
- FreePool (Tcg2Event);
+ if (EventPtr != NULL) {
+ FreePool (EventPtr);
+ }
return Status;
}
+/**
+ Get the measure boot protocols.
+
+ There are 2 measure boot, TCG2 protocol based and Cc measurement protocol based.
+
+ @param MeasureBootProtocols Pointer to the located measure boot protocol instances.
+
+ @retval EFI_SUCCESS Sucessfully locate the measure boot protocol instances (at least one instance).
+ @retval EFI_UNSUPPORTED Measure boot is not supported.
+**/
+EFI_STATUS
+EFIAPI
+GetMeasureBootProtocols (
+ MEASURE_BOOT_PROTOCOLS *MeasureBootProtocols
+ )
+{
+ EFI_STATUS Status;
+ EFI_TCG2_PROTOCOL *Tcg2Protocol;
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
+ EFI_TCG2_BOOT_SERVICE_CAPABILITY Tcg2ProtocolCapability;
+ EFI_CC_BOOT_SERVICE_CAPABILITY CcProtocolCapability;
+
+ CcProtocol = NULL;
+ Status = gBS->LocateProtocol (&gEfiCcMeasurementProtocolGuid, NULL, (VOID **)&CcProtocol);
+ if (EFI_ERROR (Status)) {
+ //
+ // Cc Measurement protocol is not installed.
+ //
+ DEBUG ((DEBUG_VERBOSE, "CcMeasurementProtocol is not installed. - %r\n", Status));
+ } else {
+ ZeroMem (&CcProtocolCapability, sizeof (CcProtocolCapability));
+ CcProtocolCapability.Size = sizeof (CcProtocolCapability);
+ Status = CcProtocol->GetCapability (CcProtocol, &CcProtocolCapability);
+ if (EFI_ERROR (Status) || (CcProtocolCapability.CcType.Type == EFI_CC_TYPE_NONE)) {
+ DEBUG ((DEBUG_ERROR, " CcProtocol->GetCapability returns : %x, %r\n", CcProtocolCapability.CcType.Type, Status));
+ CcProtocol = NULL;
+ }
+ }
+
+ Tcg2Protocol = NULL;
+ Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **)&Tcg2Protocol);
+ if (EFI_ERROR (Status)) {
+ //
+ // Tcg2 protocol is not installed. So, TPM2 is not present.
+ //
+ DEBUG ((DEBUG_VERBOSE, "Tcg2Protocol is not installed. - %r\n", Status));
+ } else {
+ Tcg2ProtocolCapability.Size = (UINT8)sizeof (Tcg2ProtocolCapability);
+ Status = Tcg2Protocol->GetCapability (Tcg2Protocol, &Tcg2ProtocolCapability);
+ if (EFI_ERROR (Status) || (!Tcg2ProtocolCapability.TPMPresentFlag)) {
+ //
+ // TPM device doesn't work or activate.
+ //
+ DEBUG ((DEBUG_ERROR, "TPMPresentFlag=FALSE %r\n", Status));
+ Tcg2Protocol = NULL;
+ }
+ }
+
+ MeasureBootProtocols->Tcg2Protocol = Tcg2Protocol;
+ MeasureBootProtocols->CcProtocol = CcProtocol;
+
+ return (Tcg2Protocol == NULL && CcProtocol == NULL) ? EFI_UNSUPPORTED : EFI_SUCCESS;
+}
+
/**
The security handler is used to abstract platform-specific policy
from the DXE core response to an attempt to use a file that returns a
@@ -422,9 +619,8 @@ DxeTpm2MeasureBootHandler (
IN BOOLEAN BootPolicy
)
{
- EFI_TCG2_PROTOCOL *Tcg2Protocol;
+ MEASURE_BOOT_PROTOCOLS MeasureBootProtocols;
EFI_STATUS Status;
- EFI_TCG2_BOOT_SERVICE_CAPABILITY ProtocolCapability;
EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
EFI_HANDLE Handle;
@@ -435,29 +631,25 @@ DxeTpm2MeasureBootHandler (
EFI_PHYSICAL_ADDRESS FvAddress;
UINT32 Index;
- Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
+ MeasureBootProtocols.Tcg2Protocol = NULL;
+ MeasureBootProtocols.CcProtocol = NULL;
+
+ Status = GetMeasureBootProtocols (&MeasureBootProtocols);
+
if (EFI_ERROR (Status)) {
//
- // Tcg2 protocol is not installed. So, TPM2 is not present.
+ // None of Measured boot protocols (Tcg2, Cc) is installed.
// Don't do any measurement, and directly return EFI_SUCCESS.
//
- DEBUG ((DEBUG_VERBOSE, "DxeTpm2MeasureBootHandler - Tcg2 - %r\n", Status));
+ DEBUG ((DEBUG_INFO, "None of Tcg2Protocol/CcMeasurementProtocol is installed.\n"));
return EFI_SUCCESS;
}
-
- ProtocolCapability.Size = (UINT8) sizeof (ProtocolCapability);
- Status = Tcg2Protocol->GetCapability (
- Tcg2Protocol,
- &ProtocolCapability
- );
- if (EFI_ERROR (Status) || (!ProtocolCapability.TPMPresentFlag)) {
- //
- // TPM device doesn't work or activate.
- //
- DEBUG ((DEBUG_ERROR, "DxeTpm2MeasureBootHandler (%r) - TPMPresentFlag - %x\n", Status, ProtocolCapability.TPMPresentFlag));
- return EFI_SUCCESS;
- }
-
+ DEBUG ((
+ DEBUG_INFO,
+ "Tcg2Protocol = %p, CcMeasurementProtocol = %p\n",
+ MeasureBootProtocols.Tcg2Protocol,
+ MeasureBootProtocols.CcProtocol
+ ));
//
// Copy File Device Path
//
@@ -502,8 +694,8 @@ DxeTpm2MeasureBootHandler (
//
// Measure GPT disk.
//
- Status = Tcg2MeasureGptTable (Tcg2Protocol, Handle);
- DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2MeasureGptTable - %r\n", Status));
+ Status = Tcg2MeasureGptTable (&MeasureBootProtocols, Handle);
+
if (!EFI_ERROR (Status)) {
//
// GPT disk check done.
@@ -647,14 +839,13 @@ DxeTpm2MeasureBootHandler (
// Measure PE image into TPM log.
//
Status = Tcg2MeasurePeImage (
- Tcg2Protocol,
+ &MeasureBootProtocols,
(EFI_PHYSICAL_ADDRESS) (UINTN) FileBuffer,
FileSize,
(UINTN) ImageContext.ImageAddress,
ImageContext.ImageType,
DevicePathNode
);
- DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Tcg2MeasurePeImage - %r\n", Status));
}
//
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
index 2506abbe7c..6dca79a20c 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
@@ -1,5 +1,5 @@
## @file
-# Provides security service for TPM 2.0 measured boot
+# Provides security service for TPM 2.0 measured boot and Confidential Computing measure boot.
#
# Spec Compliance Info:
# "TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 Level 00 Revision 1.03 v51"
@@ -61,6 +61,7 @@
[Protocols]
gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES
+ gEfiCcMeasurementProtocolGuid ## SOMETIMES_CONSUMES
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
--
2.41.0

View File

@ -0,0 +1,255 @@
From a35a08c5c8d9308ba2b63a15a40e4ddc3e265dbd Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 05/17] SecurityPkg: Support CcMeasurementProtocol in
DxeTpmMeasurementLib
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [5/13] fa844740ca589cabb52ae7dfa0dd329315dc168f (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21154
CVE: CVE-2022-36763
Upstream: Merged
Conflicts: Only cosmetic, due to the uncrustify changes made
in the newer version.
commit 314ff1dc8c9a9597280b50e44a5c861cb6a58517 (HEAD -> CVE-2022-36763_RHEL-21154_rhel-8.10.0)
Author: Min Xu <min.m.xu@intel.com>
Date: Sat Dec 11 21:08:42 2021 +0800
SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLib
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625
DxeTpmMeasurementLib supports TPM based measurement in DXE phase.
After CcMeasurementProtocol is introduced, CC based measurement needs
to be supported in DxeTpmMeasurementLib as well.
A platform should have only one RTS/RTR. Only one of (virtual)TPM1.2,
(virtual)TPM2.0 and CC MR exists. Then only one TCG_SERVICE_PROTOCOL,
TCG2_PROTOCOL, CC_MEASUREMENT_PROTOCOL is exposed.
In this library when do measurement only one of above 3 protocols will
be called.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasurementLib.c | 122 +++++++++++++++---
.../DxeTpmMeasurementLib.inf | 9 +-
2 files changed, 111 insertions(+), 20 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
index 061136ee78..802bc3c3cd 100644
--- a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
@@ -1,5 +1,6 @@
/** @file
- This library is used by other modules to measure data to TPM.
+ This library is used by other modules to measure data to TPM and Confidential
+ Computing (CC) measure registers.
Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved. <BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -19,6 +20,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Guid/Acpi.h>
#include <IndustryStandard/Acpi.h>
+#include <Protocol/CcMeasurement.h>
@@ -37,6 +39,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
+STATIC
EFI_STATUS
Tpm12MeasureAndLogData (
IN UINT32 PcrIndex,
@@ -103,6 +106,7 @@ Tpm12MeasureAndLogData (
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
+STATIC
EFI_STATUS
Tpm20MeasureAndLogData (
IN UINT32 PcrIndex,
@@ -149,6 +153,73 @@ Tpm20MeasureAndLogData (
return Status;
}
+/**
+ Cc measure and log data, and extend the measurement result into a
+ specific CC MR.
+
+ @param[in] CcProtocol Instance of CC measurement protocol
+ @param[in] PcrIndex PCR Index.
+ @param[in] EventType Event type.
+ @param[in] EventLog Measurement event log.
+ @param[in] LogLen Event log length in bytes.
+ @param[in] HashData The start of the data buffer to be hashed, extended.
+ @param[in] HashDataLen The length, in bytes, of the buffer referenced by HashData
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_UNSUPPORTED CC guest not available.
+ @retval EFI_OUT_OF_RESOURCES Out of memory.
+ @retval EFI_DEVICE_ERROR The operation was unsuccessful.
+ @retval EFI_INVALID_PARAMETER The input parameter is invalid.
+**/
+STATIC
+EFI_STATUS
+CcMeasureAndLogData (
+ IN EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol,
+ IN UINT32 PcrIndex,
+ IN UINT32 EventType,
+ IN VOID *EventLog,
+ IN UINT32 LogLen,
+ IN VOID *HashData,
+ IN UINT64 HashDataLen
+ )
+{
+ EFI_STATUS Status;
+ EFI_CC_EVENT *EfiCcEvent;
+ EFI_CC_MR_INDEX MrIndex;
+
+ if (CcProtocol == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Status = CcProtocol->MapPcrToMrIndex (CcProtocol, PcrIndex, &MrIndex);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ EfiCcEvent = (EFI_CC_EVENT *)AllocateZeroPool (LogLen + sizeof (EFI_CC_EVENT));
+ if (EfiCcEvent == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ EfiCcEvent->Size = (UINT32)LogLen + sizeof (EFI_CC_EVENT) - sizeof (EfiCcEvent->Event);
+ EfiCcEvent->Header.HeaderSize = sizeof (EFI_CC_EVENT_HEADER);
+ EfiCcEvent->Header.HeaderVersion = EFI_CC_EVENT_HEADER_VERSION;
+ EfiCcEvent->Header.MrIndex = MrIndex;
+ EfiCcEvent->Header.EventType = EventType;
+ CopyMem (&EfiCcEvent->Event[0], EventLog, LogLen);
+
+ Status = CcProtocol->HashLogExtendEvent (
+ CcProtocol,
+ 0,
+ (EFI_PHYSICAL_ADDRESS)(UINTN)HashData,
+ HashDataLen,
+ EfiCcEvent
+ );
+ FreePool (EfiCcEvent);
+
+ return Status;
+}
+
/**
Tpm measure and log data, and extend the measurement result into a specific PCR.
@@ -175,25 +246,16 @@ TpmMeasureAndLogData (
IN UINT64 HashDataLen
)
{
- EFI_STATUS Status;
-
- //
- // Try to measure using Tpm20 protocol
- //
- Status = Tpm20MeasureAndLogData(
- PcrIndex,
- EventType,
- EventLog,
- LogLen,
- HashData,
- HashDataLen
- );
+ EFI_STATUS Status;
+ EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
- if (EFI_ERROR (Status)) {
+ Status = gBS->LocateProtocol (&gEfiCcMeasurementProtocolGuid, NULL, (VOID **)&CcProtocol);
+ if (!EFI_ERROR (Status)) {
//
- // Try to measure using Tpm1.2 protocol
+ // Try to measure using Cc measurement protocol
//
- Status = Tpm12MeasureAndLogData(
+ Status = CcMeasureAndLogData (
+ CcProtocol,
PcrIndex,
EventType,
EventLog,
@@ -201,6 +263,32 @@ TpmMeasureAndLogData (
HashData,
HashDataLen
);
+ } else {
+ //
+ // Try to measure using Tpm20 protocol
+ //
+ Status = Tpm20MeasureAndLogData (
+ PcrIndex,
+ EventType,
+ EventLog,
+ LogLen,
+ HashData,
+ HashDataLen
+ );
+
+ if (EFI_ERROR (Status)) {
+ //
+ // Try to measure using Tpm1.2 protocol
+ //
+ Status = Tpm12MeasureAndLogData (
+ PcrIndex,
+ EventType,
+ EventLog,
+ LogLen,
+ HashData,
+ HashDataLen
+ );
+ }
}
return Status;
diff --git a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
index 7d41bc41f9..3af3d4e33b 100644
--- a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+++ b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
@@ -1,5 +1,7 @@
## @file
-# Provides TPM measurement functions for TPM1.2 and TPM 2.0
+# Provides below measurement functions:
+# 1. TPM measurement functions for TPM1.2 and TPM 2.0
+# 2. Confidential Computing (CC) measurement functions
#
# This library provides TpmMeasureAndLogData() to measure and log data, and
# extend the measurement result into a specific PCR.
@@ -40,5 +42,6 @@
UefiBootServicesTableLib
[Protocols]
- gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES
- gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES
+ gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES
+ gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES
+ gEfiCcMeasurementProtocolGuid ## SOMETIMES_CONSUMES
--
2.41.0

View File

@ -0,0 +1,84 @@
From fa892c7112cfb5aa742f358544da3788a831e431 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 13/17] SecurityPkg: : Updating SecurityFixes.yaml after symbol
rename
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 44: edk2: heap buffer overflow in Tcg2MeasureGptTable()
RH-Jira: RHEL-21154 RHEL-21156
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [13/13] 3bf59dbb583b67eddb54361781054cc650398309 (jmaloy/jons_fork)
JIRA: https://issues.redhat.com/browse/RHEL-21156
CVE: CVE-2022-36764
Upstream: Merged
commit 264636d8e6983e0f6dc6be2fca9d84ec81315954
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:22 2024 -0800
SecurityPkg: : Updating SecurityFixes.yaml after symbol rename
Adding the new commit titles for the symbol renames
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <5e0e851e97459e183420178888d4fcdadc2f1ae1.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
SecurityPkg/SecurityFixes.yaml | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
index f9e3e7be74..dc1bb83489 100644
--- a/SecurityPkg/SecurityFixes.yaml
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -9,14 +9,35 @@ CVE_2022_36763:
- "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
- "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
- "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
cve: CVE-2022-36763
date_reported: 2022-10-25 11:31 UTC
description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
note: This patch is related to and supersedes TCBZ2168
files_impacted:
- - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
- - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
links:
- - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
- - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
- - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
+CVE_2022_36764:
+ commit_titles:
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
+ - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
+ cve: CVE-2022-36764
+ date_reported: 2022-10-25 12:23 UTC
+ description: Heap Buffer Overflow in Tcg2MeasurePeImage()
+ note:
+ files_impacted:
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+
--
2.41.0

View File

@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
Release: 10%{?dist}
Release: 11%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators
License: BSD-2-Clause-Patent and OpenSSL and MIT
@ -100,6 +100,57 @@ Patch48: edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch
Patch49: edk2-ArmVirtPkg-ArmVirtQemu-migrate-to-OVMF-s-VirtNorFlas.patch
# For RHEL-17587 - [rhel8] guest fails to boot due to ASSERT error
Patch50: edk2-OvmfPkg-clone-NorFlashPlatformLib-into-VirtNorFlashP.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch51: edk2-SecurityPkg-Change-use-of-EFI_D_-to-DEBUG_.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch52: edk2-SecurityPkg-Change-OPTIONAL-keyword-usage-style.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch53: edk2-MdePkg-Introduce-CcMeasurementProtocol-for-CC-Guest-.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch54: edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpm2.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch55: edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpmM.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch56: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch57: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch58: edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch59: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch60: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch61: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SEC-PATCH-4118-2.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch62: edk2-SecurityPkg-DxeTpmMeasureBootLib-SEC-PATCH-4117-2.patch
# For RHEL-21154 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8]
# For RHEL-21156 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8]
Patch63: edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch64: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch65: edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch66: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
# For RHEL-21840 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]
# For RHEL-21842 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8]
Patch67: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
# python3-devel and libuuid-devel are required for building tools.
@ -544,6 +595,33 @@ true
%endif
%changelog
* Wed Feb 14 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-11
- edk2-SecurityPkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Change-OPTIONAL-keyword-usage-style.patch [RHEL-21154 RHEL-21156]
- edk2-MdePkg-Introduce-CcMeasurementProtocol-for-CC-Guest-.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpm2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Support-CcMeasurementProtocol-in-DxeTpmM.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-418.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SEC-PATCH-4118-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SEC-PATCH-4117-2.patch [RHEL-21154 RHEL-21156]
- edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [RHEL-21154 RHEL-21156]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch [RHEL-21840 RHEL-21842]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch [RHEL-21840 RHEL-21842]
- Resolves: RHEL-21154
(CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-8])
- Resolves: RHEL-21156
(CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-8])
- Resolves: RHEL-21840
(CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8])
- Resolves: RHEL-21842
(CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-8])
* Sat Feb 03 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-10
- edk2-OvmfPkg-VirtNorFlashDxe-clone-ArmPlatformPkg-s-NOR-f.patch [RHEL-17587]
- edk2-OvmfPkg-VirtNorFlashDxe-remove-CheckBlockLocked-feat.patch [RHEL-17587]