* Fri Jul 02 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-2
- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1961100] - edk2-redhat-build-UefiShell.iso-with-xorriso-rather-than-.patch [bz#1971840] - Resolves: bz#1961100 (edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]) - Resolves: bz#1971840 (Please replace genisoimage with xorriso)
parent
ab15128de9
commit
b67d81feb6
@ -0,0 +1,96 @@
|
|||||||
|
From 713a76945fb7962d97be9c0f8a54a32da5f683d2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:55 +0200
|
||||||
|
Subject: [PATCH 06/11] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always
|
||||||
|
succeeds
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [6/10] f75dedb1034e5feb5fd268c99184d3e392ef9beb
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
IScsiBinToHex() is called for encoding:
|
||||||
|
|
||||||
|
- the answer to the target's challenge; that is, CHAP_R;
|
||||||
|
|
||||||
|
- the challenge for the target, in case mutual authentication is enabled;
|
||||||
|
that is, CHAP_C.
|
||||||
|
|
||||||
|
The initiator controls the size of both blobs, the sizes of their hex
|
||||||
|
encodings are correctly calculated in "RspLen" and "ChallengeLen".
|
||||||
|
Therefore the IScsiBinToHex() calls never fail; assert that.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Message-Id: <20210608121259.32451-7-lersek@redhat.com>
|
||||||
|
(cherry picked from commit d90fff40cb2502b627370a77f5608c8a178c3f78)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------
|
||||||
|
1 file changed, 15 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
index 9e192ce292..dbe3c8ef46 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
@@ -391,6 +391,7 @@ IScsiCHAPToSendReq (
|
||||||
|
UINT32 RspLen;
|
||||||
|
CHAR8 *Challenge;
|
||||||
|
UINT32 ChallengeLen;
|
||||||
|
+ EFI_STATUS BinToHexStatus;
|
||||||
|
|
||||||
|
ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
|
||||||
|
|
||||||
|
@@ -471,12 +472,13 @@ IScsiCHAPToSendReq (
|
||||||
|
//
|
||||||
|
// CHAP_R=<R>
|
||||||
|
//
|
||||||
|
- IScsiBinToHex (
|
||||||
|
- (UINT8 *) AuthData->CHAPResponse,
|
||||||
|
- ISCSI_CHAP_RSP_LEN,
|
||||||
|
- Response,
|
||||||
|
- &RspLen
|
||||||
|
- );
|
||||||
|
+ BinToHexStatus = IScsiBinToHex (
|
||||||
|
+ (UINT8 *) AuthData->CHAPResponse,
|
||||||
|
+ ISCSI_CHAP_RSP_LEN,
|
||||||
|
+ Response,
|
||||||
|
+ &RspLen
|
||||||
|
+ );
|
||||||
|
+ ASSERT_EFI_ERROR (BinToHexStatus);
|
||||||
|
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
|
||||||
|
|
||||||
|
if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
|
||||||
|
@@ -490,12 +492,13 @@ IScsiCHAPToSendReq (
|
||||||
|
// CHAP_C=<C>
|
||||||
|
//
|
||||||
|
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
|
||||||
|
- IScsiBinToHex (
|
||||||
|
- (UINT8 *) AuthData->OutChallenge,
|
||||||
|
- ISCSI_CHAP_RSP_LEN,
|
||||||
|
- Challenge,
|
||||||
|
- &ChallengeLen
|
||||||
|
- );
|
||||||
|
+ BinToHexStatus = IScsiBinToHex (
|
||||||
|
+ (UINT8 *) AuthData->OutChallenge,
|
||||||
|
+ ISCSI_CHAP_RSP_LEN,
|
||||||
|
+ Challenge,
|
||||||
|
+ &ChallengeLen
|
||||||
|
+ );
|
||||||
|
+ ASSERT_EFI_ERROR (BinToHexStatus);
|
||||||
|
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
|
||||||
|
|
||||||
|
Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
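Review bot: The two `ASSERT_EFI_ERROR (BinToHexStatus)` checks added in IScsiCHAPToSendReq() guard the CHAP_R and CHAP_C encodings only in builds where assertions are enabled. If assertions are compiled out, a failing IScsiBinToHex() would still fall through to IScsiAddKeyValuePair() with whatever `Response` or `Challenge` holds at that point. The commit message argues that the calls cannot fail because `RspLen` and `ChallengeLen` are sized by the initiator, but those computations lie outside the hunks, so the invariant is not visible next to the assertion. I would record it in place with `// Cannot fail: RspLen is sized for the hex encoding of ISCSI_CHAP_RSP_LEN bytes.` above the first assertion and the matching comment for `ChallengeLen` above the second. The function body starts and ends outside the hunks.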
@ -0,0 +1,92 @@
|
|||||||
|
From de86f03cd7ed849ff62b1591c5fd34aeb1792887 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:59 +0200
|
||||||
|
Subject: [PATCH 10/11] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
|
||||||
|
values
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [10/10] 840f483839ce598396bb6db8ec1f0f50689b8215
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
IScsiDxe (that is, the initiator) receives two hex-encoded strings from
|
||||||
|
the iSCSI target:
|
||||||
|
|
||||||
|
- CHAP_C, where the target challenges the initiator,
|
||||||
|
|
||||||
|
- CHAP_R, where the target answers the challenge from the initiator (in
|
||||||
|
case the initiator wants mutual authentication).
|
||||||
|
|
||||||
|
Accordingly, we have two IScsiHexToBin() call sites:
|
||||||
|
|
||||||
|
- At the CHAP_C decoding site, check whether the decoding succeeds. The
|
||||||
|
decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
|
||||||
|
which is a permissible restriction on the target, per
|
||||||
|
<https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
|
||||||
|
from the target are acceptable.
|
||||||
|
|
||||||
|
- At the CHAP_R decoding site, enforce that the decoding both succeed, and
|
||||||
|
provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
|
||||||
|
calculated by the target, therefore it must be of fixed size. We may
|
||||||
|
only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Message-Id: <20210608121259.32451-11-lersek@redhat.com>
|
||||||
|
(cherry picked from commit b8649cf2a3e673a4a8cb6c255e394b354b771550)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
|
||||||
|
1 file changed, 14 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
index dbe3c8ef46..7e930c0d1e 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
|
||||||
|
|
||||||
|
AuthData->InIdentifier = (UINT32) Result;
|
||||||
|
AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
|
||||||
|
- IScsiHexToBin (
|
||||||
|
- (UINT8 *) AuthData->InChallenge,
|
||||||
|
- &AuthData->InChallengeLength,
|
||||||
|
- Challenge
|
||||||
|
- );
|
||||||
|
+ Status = IScsiHexToBin (
|
||||||
|
+ (UINT8 *) AuthData->InChallenge,
|
||||||
|
+ &AuthData->InChallengeLength,
|
||||||
|
+ Challenge
|
||||||
|
+ );
|
||||||
|
+ if (EFI_ERROR (Status)) {
|
||||||
|
+ Status = EFI_PROTOCOL_ERROR;
|
||||||
|
+ goto ON_EXIT;
|
||||||
|
+ }
|
||||||
|
Status = IScsiCHAPCalculateResponse (
|
||||||
|
AuthData->InIdentifier,
|
||||||
|
AuthData->AuthConfig->CHAPSecret,
|
||||||
|
@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
|
||||||
|
}
|
||||||
|
|
||||||
|
RspLen = ISCSI_CHAP_RSP_LEN;
|
||||||
|
- IScsiHexToBin (TargetRsp, &RspLen, Response);
|
||||||
|
+ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
|
||||||
|
+ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
|
||||||
|
+ Status = EFI_PROTOCOL_ERROR;
|
||||||
|
+ goto ON_EXIT;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
//
|
||||||
|
// Check the CHAP Name and Response replied by Target.
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
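Review bot: The fixed-length rule enforced at the CHAP_R site in IScsiCHAPOnRspReceived() (`RspLen != ISCSI_CHAP_RSP_LEN`) is explained only in the commit message; the code carries no comment saying why a shorter but well-formed response is refused. A comment above the check would keep the reasoning with the code, for example `// CHAP_R is the target's digest: it must decode to exactly ISCSI_CHAP_RSP_LEN bytes before IScsiCHAPAuthTarget() may use TargetRsp.` Both new error paths also fold every decoder status into `EFI_PROTOCOL_ERROR` without a trace. A `DEBUG ((DEBUG_ERROR, ...))` line that names only the key that failed to decode (not its value) would let an operator tell a malformed CHAP_C from a malformed CHAP_R when diagnosing a misbehaving target. The function body continues outside both hunks.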
103
edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
Normal file
@ -0,0 +1,103 @@
|
|||||||
|
From 4524b42b1cdf042d348c0070984428ec95ba96ec Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:52 +0200
|
||||||
|
Subject: [PATCH 03/11] NetworkPkg/IScsiDxe: clean up
|
||||||
|
"ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [3/10] 10e4f6de005e7fd67eb3a0d266c9bc95b2df648c
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
|
||||||
|
with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
|
||||||
|
is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
|
||||||
|
in the array.
|
||||||
|
|
||||||
|
Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
|
||||||
|
ISCSI_CHAP_AUTH_MAX_LEN macro.
|
||||||
|
|
||||||
|
Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
|
||||||
|
superfluous too.
|
||||||
|
|
||||||
|
Most importantly, explain in a new comment *why* tying the challenge size
|
||||||
|
to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
|
||||||
|
Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
|
||||||
|
length to the hash digest size", 2019-11-06.) For sure, the motivation
|
||||||
|
that the new comment now explains has always been there, and has always
|
||||||
|
been the same, for IScsiDxe; it's just that now we spell it out too.
|
||||||
|
|
||||||
|
No change in peer-visible behavior.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Message-Id: <20210608121259.32451-4-lersek@redhat.com>
|
||||||
|
(cherry picked from commit 95616b866187b00355042953efa5c198df07250f)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +--
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++---
|
||||||
|
2 files changed, 7 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
index df3c2eb120..9e192ce292 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget (
|
||||||
|
AuthData->AuthConfig->ReverseCHAPSecret,
|
||||||
|
SecretSize,
|
||||||
|
AuthData->OutChallenge,
|
||||||
|
- AuthData->OutChallengeLength,
|
||||||
|
+ ISCSI_CHAP_RSP_LEN, // ChallengeLength
|
||||||
|
VerifyRsp
|
||||||
|
);
|
||||||
|
|
||||||
|
@@ -490,7 +490,6 @@ IScsiCHAPToSendReq (
|
||||||
|
// CHAP_C=<C>
|
||||||
|
//
|
||||||
|
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
|
||||||
|
- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
|
||||||
|
IScsiBinToHex (
|
||||||
|
(UINT8 *) AuthData->OutChallenge,
|
||||||
|
ISCSI_CHAP_RSP_LEN,
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
index 1fc1d96ea3..35d5d6ec29 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||||
|
|
||||||
|
#define ISCSI_CHAP_ALGORITHM_MD5 5
|
||||||
|
|
||||||
|
-#define ISCSI_CHAP_AUTH_MAX_LEN 1024
|
||||||
|
///
|
||||||
|
/// MD5_HASHSIZE
|
||||||
|
///
|
||||||
|
@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA {
|
||||||
|
//
|
||||||
|
// Auth-data to be sent out for mutual authentication.
|
||||||
|
//
|
||||||
|
+ // While the challenge size is technically independent of the hashing
|
||||||
|
+ // algorithm, it is good practice to avoid hashing *fewer bytes* than the
|
||||||
|
+ // digest size. In other words, it's good practice to feed *at least as many
|
||||||
|
+ // bytes* to the hashing algorithm as the hashing algorithm will output.
|
||||||
|
+ //
|
||||||
|
UINT32 OutIdentifier;
|
||||||
|
- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
|
||||||
|
- UINT32 OutChallengeLength;
|
||||||
|
+ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN];
|
||||||
|
} ISCSI_CHAP_AUTH_DATA;
|
||||||
|
|
||||||
|
/**
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
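Review bot: With `OutChallengeLength` removed, the length of `OutChallenge` is now spelled as a bare `ISCSI_CHAP_RSP_LEN` at each use: the new argument in IScsiCHAPAuthTarget() (`ISCSI_CHAP_RSP_LEN, // ChallengeLength`) and the IScsiGenRandom() and IScsiBinToHex() calls in IScsiCHAPToSendReq(). Those literals are tied to the array declaration in IScsiCHAP.h only by convention. Deriving the length from the array would keep a later resize from leaving a stale length at a call site, e.g. `(UINT32) sizeof (AuthData->OutChallenge), // ChallengeLength`. The cast assumes the parameter is a UINT32, which the hunk does not show. The new header comment explains why the challenge is at least digest-sized; it could also say that the call sites rely on the array being exactly that size.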
102
edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
From 26388852ad953a169f29b24277674c53f878ffe3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:53 +0200
|
||||||
|
Subject: [PATCH 04/11] NetworkPkg/IScsiDxe: clean up library class
|
||||||
|
dependencies
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [4/10] c468615c009bfd43f68f93fd9c1dc0e5b8615563
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
Sort the library class dependencies in the #include directives and in the
|
||||||
|
INF file. Remove the DpcLib class from the #include directives -- it is
|
||||||
|
not listed in the INF file, and IScsiDxe doesn't call either DpcLib API
|
||||||
|
(QueueDpc(), DispatchDpc()). No functional changes.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Message-Id: <20210608121259.32451-5-lersek@redhat.com>
|
||||||
|
(cherry picked from commit e8f28b09e63dfdbb4169969a43c65f86c44b035a)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++---------
|
||||||
|
2 files changed, 11 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
|
||||||
|
index 0ffb340ce0..543c408302 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
|
||||||
|
@@ -65,6 +65,7 @@
|
||||||
|
NetworkPkg/NetworkPkg.dec
|
||||||
|
|
||||||
|
[LibraryClasses]
|
||||||
|
+ BaseCryptLib
|
||||||
|
BaseLib
|
||||||
|
BaseMemoryLib
|
||||||
|
DebugLib
|
||||||
|
@@ -72,14 +73,13 @@
|
||||||
|
HiiLib
|
||||||
|
MemoryAllocationLib
|
||||||
|
NetLib
|
||||||
|
- TcpIoLib
|
||||||
|
PrintLib
|
||||||
|
+ TcpIoLib
|
||||||
|
UefiBootServicesTableLib
|
||||||
|
UefiDriverEntryPoint
|
||||||
|
+ UefiHiiServicesLib
|
||||||
|
UefiLib
|
||||||
|
UefiRuntimeServicesTableLib
|
||||||
|
- UefiHiiServicesLib
|
||||||
|
- BaseCryptLib
|
||||||
|
|
||||||
|
[Protocols]
|
||||||
|
gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
|
||||||
|
index 387ab9765e..d895c7feb9 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
|
||||||
|
@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||||
|
#include <Protocol/AdapterInformation.h>
|
||||||
|
#include <Protocol/NetworkInterfaceIdentifier.h>
|
||||||
|
|
||||||
|
-#include <Library/HiiLib.h>
|
||||||
|
-#include <Library/UefiHiiServicesLib.h>
|
||||||
|
-#include <Library/DevicePathLib.h>
|
||||||
|
-#include <Library/DebugLib.h>
|
||||||
|
+#include <Library/BaseCryptLib.h>
|
||||||
|
#include <Library/BaseLib.h>
|
||||||
|
#include <Library/BaseMemoryLib.h>
|
||||||
|
+#include <Library/DebugLib.h>
|
||||||
|
+#include <Library/DevicePathLib.h>
|
||||||
|
+#include <Library/HiiLib.h>
|
||||||
|
#include <Library/MemoryAllocationLib.h>
|
||||||
|
+#include <Library/NetLib.h>
|
||||||
|
#include <Library/PrintLib.h>
|
||||||
|
+#include <Library/TcpIoLib.h>
|
||||||
|
#include <Library/UefiBootServicesTableLib.h>
|
||||||
|
-#include <Library/UefiRuntimeServicesTableLib.h>
|
||||||
|
+#include <Library/UefiHiiServicesLib.h>
|
||||||
|
#include <Library/UefiLib.h>
|
||||||
|
-#include <Library/DpcLib.h>
|
||||||
|
-#include <Library/NetLib.h>
|
||||||
|
-#include <Library/TcpIoLib.h>
|
||||||
|
-#include <Library/BaseCryptLib.h>
|
||||||
|
+#include <Library/UefiRuntimeServicesTableLib.h>
|
||||||
|
|
||||||
|
#include <Guid/MdeModuleHii.h>
|
||||||
|
#include <Guid/EventGroup.h>
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
114
edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
Normal file
@ -0,0 +1,114 @@
|
|||||||
|
From 5fb7ec7c442e3ca7ab27b2a66223345cb7411c87 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:58 +0200
|
||||||
|
Subject: [PATCH 09/11] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer
|
||||||
|
overflow
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [9/10] 91724ef3d2d9732ffe9328168a39d922d1baaa8b
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
|
||||||
|
condition, but never actually checks whether the decoded buffer fits into
|
||||||
|
the caller-provided room (i.e., the input value of "BinLength"), and
|
||||||
|
EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
|
||||||
|
overflow "BinBuffer".
|
||||||
|
|
||||||
|
This is remotely exploitable, as shown in a subsequent patch, which adds
|
||||||
|
error checking to the IScsiHexToBin() call sites. This issue allows the
|
||||||
|
target to compromise the initiator.
|
||||||
|
|
||||||
|
Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
|
||||||
|
EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
|
||||||
|
plus actually catch the buffer overflow.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Message-Id: <20210608121259.32451-10-lersek@redhat.com>
|
||||||
|
(cherry picked from commit 54e90edaed0d7c15230902ac4d74f4304bad2ebd)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++
|
||||||
|
2 files changed, 20 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
index f0f4992b07..4069547867 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
@@ -377,6 +377,9 @@ IScsiBinToHex (
|
||||||
|
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
|
binary encoded buffer.
|
||||||
|
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
|
||||||
|
+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
|
||||||
|
+ the decoded size cannot be expressed in
|
||||||
|
+ BinLength on output.
|
||||||
|
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
|
converted data.
|
||||||
|
**/
|
||||||
|
@@ -387,6 +390,8 @@ IScsiHexToBin (
|
||||||
|
IN CHAR8 *HexStr
|
||||||
|
)
|
||||||
|
{
|
||||||
|
+ UINTN BinLengthMin;
|
||||||
|
+ UINT32 BinLengthProvided;
|
||||||
|
UINTN Index;
|
||||||
|
UINTN Length;
|
||||||
|
UINT8 Digit;
|
||||||
|
@@ -409,6 +414,18 @@ IScsiHexToBin (
|
||||||
|
if (Length == 0 || Length % 2 != 0) {
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
+ //
|
||||||
|
+ // Check if the caller provides enough room for the decoded blob.
|
||||||
|
+ //
|
||||||
|
+ BinLengthMin = Length / 2;
|
||||||
|
+ if (BinLengthMin > MAX_UINT32) {
|
||||||
|
+ return EFI_BAD_BUFFER_SIZE;
|
||||||
|
+ }
|
||||||
|
+ BinLengthProvided = *BinLength;
|
||||||
|
+ *BinLength = (UINT32)BinLengthMin;
|
||||||
|
+ if (BinLengthProvided < BinLengthMin) {
|
||||||
|
+ return EFI_BUFFER_TOO_SMALL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
for (Index = 0; Index < Length; Index ++) {
|
||||||
|
TemStr[0] = HexStr[Index];
|
||||||
|
@@ -425,9 +442,6 @@ IScsiHexToBin (
|
||||||
|
BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- *BinLength = (UINT32) ((Index + 1)/2);
|
||||||
|
-
|
||||||
|
return EFI_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
index 404a482e57..fddef4f466 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
@@ -172,6 +172,9 @@ IScsiBinToHex (
|
||||||
|
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
|
binary encoded buffer.
|
||||||
|
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
|
||||||
|
+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
|
||||||
|
+ the decoded size cannot be expressed in
|
||||||
|
+ BinLength on output.
|
||||||
|
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
|
converted data.
|
||||||
|
**/
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
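Review bot: In IScsiHexToBin() the new code stores the required size into `*BinLength` before comparing it with the caller's capacity. On `EFI_BUFFER_TOO_SMALL` the caller's length variable therefore holds a value derived from the peer-supplied string, which is larger than the buffer it describes. That is a workable contract, but the `@retval EFI_BUFFER_TOO_SMALL` text in IScsiMisc.c and IScsiMisc.h does not mention it, and a caller that ignores the status and then trusts the length would read past its buffer. I would extend the doc comment, e.g. `@retval EFI_BUFFER_TOO_SMALL ... On output, BinLength holds the required size and BinBuffer has not been written.` The BinLength parameter documentation lies outside the hunks and may already cover this, so check it before adding the text.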
105
edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
From b0b03cadbee4f8560e4eb284b8d12a5ccc697281 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:57 +0200
|
||||||
|
Subject: [PATCH 08/11] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [8/10] d336a24538fe8b4a53f7fd249ae94cd2c3c22cb5
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
The IScsiHexToBin() function has the following parser issues:
|
||||||
|
|
||||||
|
(1) If the *subject sequence* in "HexStr" is empty, the function returns
|
||||||
|
EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
|
||||||
|
be rejected.
|
||||||
|
|
||||||
|
(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
|
||||||
|
example, if "HexStr" is "0xABC", the function decodes it to the bytes
|
||||||
|
{0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
|
||||||
|
EFI_SUCCESS. Such inputs should be rejected.
|
||||||
|
|
||||||
|
(3) If an invalid hex char is found in "HexStr", the function treats it as
|
||||||
|
end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
|
||||||
|
rejected.
|
||||||
|
|
||||||
|
All of the above cases are remotely triggerable, as shown in a subsequent
|
||||||
|
patch, which adds error checking to the IScsiHexToBin() call sites. While
|
||||||
|
the initiator is not immediately compromised, incorrectly parsing CHAP_R
|
||||||
|
from the target, in case of mutual authentication, is not great.
|
||||||
|
|
||||||
|
Extend the interface contract of IScsiHexToBin() with
|
||||||
|
EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
|
||||||
|
the new checks.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Message-Id: <20210608121259.32451-9-lersek@redhat.com>
|
||||||
|
(cherry picked from commit 47b76780b487dbfde4efb6843b16064c4a97e94d)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++--
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
|
||||||
|
2 files changed, 11 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
index 014700e87a..f0f4992b07 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
@@ -376,6 +376,7 @@ IScsiBinToHex (
|
||||||
|
|
||||||
|
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
|
binary encoded buffer.
|
||||||
|
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
|
||||||
|
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
|
converted data.
|
||||||
|
**/
|
||||||
|
@@ -402,14 +403,21 @@ IScsiHexToBin (
|
||||||
|
|
||||||
|
Length = AsciiStrLen (HexStr);
|
||||||
|
|
||||||
|
+ //
|
||||||
|
+ // Reject an empty hex string; reject a stray nibble.
|
||||||
|
+ //
|
||||||
|
+ if (Length == 0 || Length % 2 != 0) {
|
||||||
|
+ return EFI_INVALID_PARAMETER;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (Index = 0; Index < Length; Index ++) {
|
||||||
|
TemStr[0] = HexStr[Index];
|
||||||
|
Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
|
||||||
|
if (Digit == 0 && TemStr[0] != '0') {
|
||||||
|
//
|
||||||
|
- // Invalid Lun Char.
|
||||||
|
+ // Invalid Hex Char.
|
||||||
|
//
|
||||||
|
- break;
|
||||||
|
+ return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
if ((Index & 1) == 0) {
|
||||||
|
BinBuffer [Index/2] = Digit;
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
index 28cf408cd5..404a482e57 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
@@ -171,6 +171,7 @@ IScsiBinToHex (
|
||||||
|
|
||||||
|
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
|
binary encoded buffer.
|
||||||
|
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
|
||||||
|
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
|
converted data.
|
||||||
|
**/
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
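Review bot: The new `return EFI_INVALID_PARAMETER;` inside the decoding loop of IScsiHexToBin() leaves `BinBuffer` partially written whenever the offending character is not the first one, and the added `@retval EFI_INVALID_PARAMETER` line does not say so. The commit message states that these inputs come from the remote target, so the doc comment in IScsiMisc.c and IScsiMisc.h should make clear that the buffer must not be consumed on failure, for example `@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr; BinBuffer may be partially modified.` The rest of the loop and the code that sets BinLength lie outside the hunk.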
155
edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
Normal file
@ -0,0 +1,155 @@
|
|||||||
|
From 67474c22010ba8c7c240d8e02b2151c7d796171d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:54 +0200
|
||||||
|
Subject: [PATCH 05/11] NetworkPkg/IScsiDxe: fix potential integer overflow in
|
||||||
|
IScsiBinToHex()
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [5/10] 3d7a886c1f73d811ef47381e4d6a82683ab0900e
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
Considering IScsiBinToHex():
|
||||||
|
|
||||||
|
> if (((*HexLength) - 3) < BinLength * 2) {
|
||||||
|
> *HexLength = BinLength * 2 + 3;
|
||||||
|
> }
|
||||||
|
|
||||||
|
the following subexpressions are problematic:
|
||||||
|
|
||||||
|
(*HexLength) - 3
|
||||||
|
BinLength * 2
|
||||||
|
BinLength * 2 + 3
|
||||||
|
|
||||||
|
The first one may wrap under zero, the latter two may wrap over
|
||||||
|
MAX_UINT32.
|
||||||
|
|
||||||
|
Rewrite the calculation using SafeIntLib.
|
||||||
|
|
||||||
|
While at it, change the type of the "Index" variable from UINTN to UINT32.
|
||||||
|
The largest "Index"-based value that we calculate is
|
||||||
|
|
||||||
|
Index * 2 + 2 (with (Index == BinLength))
|
||||||
|
|
||||||
|
Because the patch makes
|
||||||
|
|
||||||
|
BinLength * 2 + 3
|
||||||
|
|
||||||
|
safe to calculate in UINT32, using UINT32 for
|
||||||
|
|
||||||
|
Index * 2 + 2 (with (Index == BinLength))
|
||||||
|
|
||||||
|
is safe too. Consistently using UINT32 improves readability.
|
||||||
|
|
||||||
|
This patch is best reviewed with "git show -W".
|
||||||
|
|
||||||
|
The integer overflows that this patch fixes are theoretical; a subsequent
|
||||||
|
patch in the series will audit the IScsiBinToHex() call sites, and show
|
||||||
|
that none of them can fail.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Message-Id: <20210608121259.32451-6-lersek@redhat.com>
|
||||||
|
(cherry picked from commit cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 +
|
||||||
|
NetworkPkg/IScsiDxe/IScsiImpl.h | 1 +
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++----
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
|
||||||
|
4 files changed, 18 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
|
||||||
|
index 543c408302..1dde56d00c 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
|
||||||
|
@@ -74,6 +74,7 @@
|
||||||
|
MemoryAllocationLib
|
||||||
|
NetLib
|
||||||
|
PrintLib
|
||||||
|
+ SafeIntLib
|
||||||
|
TcpIoLib
|
||||||
|
UefiBootServicesTableLib
|
||||||
|
UefiDriverEntryPoint
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
|
||||||
|
index d895c7feb9..ac3a25730e 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
|
||||||
|
@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||||
|
#include <Library/MemoryAllocationLib.h>
|
||||||
|
#include <Library/NetLib.h>
|
||||||
|
#include <Library/PrintLib.h>
|
||||||
|
+#include <Library/SafeIntLib.h>
|
||||||
|
#include <Library/TcpIoLib.h>
|
||||||
|
#include <Library/UefiBootServicesTableLib.h>
|
||||||
|
#include <Library/UefiHiiServicesLib.h>
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
index b8fef3ff6f..42988e15cb 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
@@ -316,6 +316,7 @@ IScsiMacAddrToStr (
|
||||||
|
@retval EFI_SUCCESS The binary data is converted to the hexadecimal string
|
||||||
|
and the length of the string is updated.
|
||||||
|
@retval EFI_BUFFER_TOO_SMALL The string is too small.
|
||||||
|
+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
|
||||||
|
@retval EFI_INVALID_PARAMETER The IP string is malformatted.
|
||||||
|
|
||||||
|
**/
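Review bot: The new `@retval EFI_BAD_BUFFER_SIZE` line does not say what happens to `*HexLength` on that path. In the code hunk that follows, the function returns before `*HexLength = HexLengthMin;`, so the caller's value is left untouched, whereas on EFI_BUFFER_TOO_SMALL it is updated to the required size. I would spell that out, e.g. `@retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. HexLength is not modified.` The neighbouring `@retval EFI_INVALID_PARAMETER The IP string is malformatted.` also looks copied from another function and does not describe the NULL and zero-length check this function performs. The same applies to the identical comment block in IScsiMisc.h further down.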
|
||||||
|
@@ -327,18 +328,28 @@ IScsiBinToHex (
|
||||||
|
IN OUT UINT32 *HexLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
- UINTN Index;
|
||||||
|
+ UINT32 HexLengthMin;
|
||||||
|
+ UINT32 HexLengthProvided;
|
||||||
|
+ UINT32 Index;
|
||||||
|
|
||||||
|
if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) {
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (((*HexLength) - 3) < BinLength * 2) {
|
||||||
|
- *HexLength = BinLength * 2 + 3;
|
||||||
|
+ //
|
||||||
|
+ // Safely calculate: HexLengthMin := BinLength * 2 + 3.
|
||||||
|
+ //
|
||||||
|
+ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) ||
|
||||||
|
+ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) {
|
||||||
|
+ return EFI_BAD_BUFFER_SIZE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ HexLengthProvided = *HexLength;
|
||||||
|
+ *HexLength = HexLengthMin;
|
||||||
|
+ if (HexLengthProvided < HexLengthMin) {
|
||||||
|
return EFI_BUFFER_TOO_SMALL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- *HexLength = BinLength * 2 + 3;
|
||||||
|
//
|
||||||
|
// Prefix for Hex String.
|
||||||
|
//
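Review bot: `HexLength` is dereferenced at `HexLengthProvided = *HexLength;` although the parameter guard at the top of the function checks only `HexStr`, `BinBuffer` and `BinLength`. The callers are not visible here, so the pointer may never be NULL in practice, but the guard already exists and is cheap to extend: `if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0) || (HexLength == NULL)) {`. The body of IScsiBinToHex() continues past the end of this hunk.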
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
index 46c725aab3..231413993b 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
@@ -150,6 +150,7 @@ IScsiAsciiStrToIp (
|
||||||
|
@retval EFI_SUCCESS The binary data is converted to the hexadecimal string
|
||||||
|
and the length of the string is updated.
|
||||||
|
@retval EFI_BUFFER_TOO_SMALL The string is too small.
|
||||||
|
+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
|
||||||
|
@retval EFI_INVALID_PARAMETER The IP string is malformatted.
|
||||||
|
|
||||||
|
**/
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -0,0 +1,94 @@
|
|||||||
|
From 618ba71beb3f848660c8c95187d92f2c8f277143 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:56 +0200
|
||||||
|
Subject: [PATCH 07/11] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading
|
||||||
|
comment block
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [7/10] ea7e41e567759e461777094ae2049a29eb5c3826
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
We'll need further return values for IScsiHexToBin() in a subsequent
|
||||||
|
patch; make room for them in the leading comment block of the function.
|
||||||
|
While at it, rewrap the comment block to 80 characters width.
|
||||||
|
|
||||||
|
No functional changes.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Message-Id: <20210608121259.32451-8-lersek@redhat.com>
|
||||||
|
(cherry picked from commit dc469f137110fe79704b8b92c552972c739bb915)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++--------
|
||||||
|
NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++--------
|
||||||
|
2 files changed, 16 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
index 42988e15cb..014700e87a 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
|
||||||
|
@@ -370,14 +370,14 @@ IScsiBinToHex (
|
||||||
|
/**
|
||||||
|
Convert the hexadecimal string into a binary encoded buffer.
|
||||||
|
|
||||||
|
- @param[in, out] BinBuffer The binary buffer.
|
||||||
|
- @param[in, out] BinLength Length of the binary buffer.
|
||||||
|
- @param[in] HexStr The hexadecimal string.
|
||||||
|
-
|
||||||
|
- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
|
||||||
|
- encoded buffer.
|
||||||
|
- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
|
||||||
|
-
|
||||||
|
+ @param[in, out] BinBuffer The binary buffer.
|
||||||
|
+ @param[in, out] BinLength Length of the binary buffer.
|
||||||
|
+ @param[in] HexStr The hexadecimal string.
|
||||||
|
+
|
||||||
|
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
|
+ binary encoded buffer.
|
||||||
|
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
|
+ converted data.
|
||||||
|
**/
|
||||||
|
EFI_STATUS
|
||||||
|
IScsiHexToBin (
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
index 231413993b..28cf408cd5 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
|
||||||
|
@@ -165,14 +165,14 @@ IScsiBinToHex (
|
||||||
|
/**
|
||||||
|
Convert the hexadecimal string into a binary encoded buffer.
|
||||||
|
|
||||||
|
- @param[in, out] BinBuffer The binary buffer.
|
||||||
|
- @param[in, out] BinLength Length of the binary buffer.
|
||||||
|
- @param[in] HexStr The hexadecimal string.
|
||||||
|
-
|
||||||
|
- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
|
||||||
|
- encoded buffer.
|
||||||
|
- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
|
||||||
|
-
|
||||||
|
+ @param[in, out] BinBuffer The binary buffer.
|
||||||
|
+ @param[in, out] BinLength Length of the binary buffer.
|
||||||
|
+ @param[in] HexStr The hexadecimal string.
|
||||||
|
+
|
||||||
|
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
|
+ binary encoded buffer.
|
||||||
|
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
|
+ converted data.
|
||||||
|
**/
|
||||||
|
EFI_STATUS
|
||||||
|
IScsiHexToBin (
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -0,0 +1,72 @@
|
|||||||
|
From 543362e185edf822b9832b1953e78548ab42a0c5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:51 +0200
|
||||||
|
Subject: [PATCH 02/11] NetworkPkg/IScsiDxe: simplify
|
||||||
|
"ISCSI_CHAP_AUTH_DATA.InChallenge" size
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [2/10] d1c332767a87d87274e5ff68cb0c0f630ec095e1
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024.
|
||||||
|
|
||||||
|
The usage of this macro currently involves a semantic (not functional)
|
||||||
|
bug, which we're going to fix in a subsequent patch, eliminating
|
||||||
|
ISCSI_CHAP_AUTH_MAX_LEN altogether.
|
||||||
|
|
||||||
|
For now, remove the macro's usage from all
|
||||||
|
"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without
|
||||||
|
duplicating open-coded constants.
|
||||||
|
|
||||||
|
No changes in functionality.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Message-Id: <20210608121259.32451-3-lersek@redhat.com>
|
||||||
|
(cherry picked from commit 29cab43bb7912a12efa5a78dac15394aee866e4c)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +-
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
index cbbc56ae5b..df3c2eb120 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived (
|
||||||
|
}
|
||||||
|
|
||||||
|
AuthData->InIdentifier = (UINT32) Result;
|
||||||
|
- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
|
||||||
|
+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
|
||||||
|
IScsiHexToBin (
|
||||||
|
(UINT8 *) AuthData->InChallenge,
|
||||||
|
&AuthData->InChallengeLength,
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
index 5e59fb678b..1fc1d96ea3 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
|
||||||
|
typedef struct _ISCSI_CHAP_AUTH_DATA {
|
||||||
|
ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
|
||||||
|
UINT32 InIdentifier;
|
||||||
|
- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
|
||||||
|
+ UINT8 InChallenge[1024];
|
||||||
|
UINT32 InChallengeLength;
|
||||||
|
//
|
||||||
|
// Calculated CHAP Response (CHAP_R) value.
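Review bot: `UINT8 InChallenge[1024];` now carries a bare literal with no comment, and it becomes the only place the buffer size is stated, since the IScsiCHAP.c hunk derives `InChallengeLength` from `sizeof (AuthData->InChallenge)`. A short comment on the field would keep the purpose next to the number, for example `// Binary CHAP_C received from the target; sizeof (InChallenge) is passed to IScsiHexToBin() as the output capacity.` Where 1024 comes from (presumably a protocol limit on the challenge length) is not stated anywhere in the visible patch, so the comment should name that source once confirmed. The struct definition continues outside the hunk.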
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
252
edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
Normal file
@ -0,0 +1,252 @@
|
|||||||
|
From 997b8a12436a433a451ef4595ccf4abb8d90dd04 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Date: Tue, 8 Jun 2021 14:12:50 +0200
|
||||||
|
Subject: [PATCH 01/11] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80
|
||||||
|
characters
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
||||||
|
RH-Commit: [1/10] a8d51743b8735749b53b0d0f8e665c42c4ea183c
|
||||||
|
RH-Bugzilla: 1961100
|
||||||
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
|
||||||
|
Working with overlong lines is difficult for me; rewrap the CHAP-related
|
||||||
|
source files in IScsiDxe to 80 characters width. No functional changes.
|
||||||
|
|
||||||
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||||
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||||
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
||||||
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Message-Id: <20210608121259.32451-2-lersek@redhat.com>
|
||||||
|
(cherry picked from commit 83761337ec91fbd459c55d7d956fcc25df3bfa50)
|
||||||
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
---
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++--------
|
||||||
|
NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +-
|
||||||
|
2 files changed, 71 insertions(+), 22 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
index 355c6f129f..cbbc56ae5b 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
||||||
|
@@ -1,5 +1,6 @@
|
||||||
|
/** @file
|
||||||
|
- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.
|
||||||
|
+ This file is for Challenge-Handshake Authentication Protocol (CHAP)
|
||||||
|
+ Configuration.
|
||||||
|
|
||||||
|
Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||||
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||||
|
@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||||
|
@param[in] ChallengeLength The length of iSCSI CHAP challenge message.
|
||||||
|
@param[out] ChapResponse The calculation of the expected hash value.
|
||||||
|
|
||||||
|
- @retval EFI_SUCCESS The expected hash value was calculatedly successfully.
|
||||||
|
- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the
|
||||||
|
- length of the hash value for the hashing algorithm chosen.
|
||||||
|
+ @retval EFI_SUCCESS The expected hash value was calculatedly
|
||||||
|
+ successfully.
|
||||||
|
+ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least
|
||||||
|
+ the length of the hash value for the hashing
|
||||||
|
+ algorithm chosen.
|
||||||
|
@retval EFI_PROTOCOL_ERROR MD5 hash operation fail.
|
||||||
|
@retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5.
|
||||||
|
|
||||||
|
@@ -94,8 +97,10 @@ Exit:
|
||||||
|
@param[in] AuthData iSCSI CHAP authentication data.
|
||||||
|
@param[in] TargetResponse The response from target.
|
||||||
|
|
||||||
|
- @retval EFI_SUCCESS The response from target passed authentication.
|
||||||
|
- @retval EFI_SECURITY_VIOLATION The response from target was not expected value.
|
||||||
|
+ @retval EFI_SUCCESS The response from target passed
|
||||||
|
+ authentication.
|
||||||
|
+ @retval EFI_SECURITY_VIOLATION The response from target was not expected
|
||||||
|
+ value.
|
||||||
|
@retval Others Other errors as indicated.
|
||||||
|
|
||||||
|
**/
|
||||||
|
@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived (
|
||||||
|
//
|
||||||
|
// The first Login Response.
|
||||||
|
//
|
||||||
|
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);
|
||||||
|
+ Value = IScsiGetValueByKeyFromList (
|
||||||
|
+ KeyValueList,
|
||||||
|
+ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG
|
||||||
|
+ );
|
||||||
|
if (Value == NULL) {
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived (
|
||||||
|
|
||||||
|
Session->TargetPortalGroupTag = (UINT16) Result;
|
||||||
|
|
||||||
|
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);
|
||||||
|
+ Value = IScsiGetValueByKeyFromList (
|
||||||
|
+ KeyValueList,
|
||||||
|
+ ISCSI_KEY_AUTH_METHOD
|
||||||
|
+ );
|
||||||
|
if (Value == NULL) {
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
//
|
||||||
|
- // Initiator mandates CHAP authentication but target replies without "CHAP", or
|
||||||
|
- // initiator suggets "None" but target replies with some kind of auth method.
|
||||||
|
+ // Initiator mandates CHAP authentication but target replies without
|
||||||
|
+ // "CHAP", or initiator suggets "None" but target replies with some kind of
|
||||||
|
+ // auth method.
|
||||||
|
//
|
||||||
|
if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
|
||||||
|
if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {
|
||||||
|
@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived (
|
||||||
|
//
|
||||||
|
// The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
|
||||||
|
//
|
||||||
|
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);
|
||||||
|
+ Value = IScsiGetValueByKeyFromList (
|
||||||
|
+ KeyValueList,
|
||||||
|
+ ISCSI_KEY_CHAP_ALGORITHM
|
||||||
|
+ );
|
||||||
|
if (Value == NULL) {
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived (
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
|
||||||
|
- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);
|
||||||
|
+ Identifier = IScsiGetValueByKeyFromList (
|
||||||
|
+ KeyValueList,
|
||||||
|
+ ISCSI_KEY_CHAP_IDENTIFIER
|
||||||
|
+ );
|
||||||
|
if (Identifier == NULL) {
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
|
||||||
|
- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);
|
||||||
|
+ Challenge = IScsiGetValueByKeyFromList (
|
||||||
|
+ KeyValueList,
|
||||||
|
+ ISCSI_KEY_CHAP_CHALLENGE
|
||||||
|
+ );
|
||||||
|
if (Challenge == NULL) {
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived (
|
||||||
|
|
||||||
|
AuthData->InIdentifier = (UINT32) Result;
|
||||||
|
AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
|
||||||
|
- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);
|
||||||
|
+ IScsiHexToBin (
|
||||||
|
+ (UINT8 *) AuthData->InChallenge,
|
||||||
|
+ &AuthData->InChallengeLength,
|
||||||
|
+ Challenge
|
||||||
|
+ );
|
||||||
|
Status = IScsiCHAPCalculateResponse (
|
||||||
|
AuthData->InIdentifier,
|
||||||
|
AuthData->AuthConfig->CHAPSecret,
|
||||||
|
@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived (
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
|
||||||
|
- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);
|
||||||
|
+ Response = IScsiGetValueByKeyFromList (
|
||||||
|
+ KeyValueList,
|
||||||
|
+ ISCSI_KEY_CHAP_RESPONSE
|
||||||
|
+ );
|
||||||
|
if (Response == NULL) {
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
@@ -341,7 +369,8 @@ ON_EXIT:
|
||||||
|
@param[in, out] Pdu The PDU to send out.
|
||||||
|
|
||||||
|
@retval EFI_SUCCESS All check passed and the phase-related CHAP
|
||||||
|
- authentication info is filled into the iSCSI PDU.
|
||||||
|
+ authentication info is filled into the iSCSI
|
||||||
|
+ PDU.
|
||||||
|
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
|
||||||
|
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
|
||||||
|
|
||||||
|
@@ -392,7 +421,11 @@ IScsiCHAPToSendReq (
|
||||||
|
// It's the initial Login Request. Fill in the key=value pairs mandatory
|
||||||
|
// for the initial Login Request.
|
||||||
|
//
|
||||||
|
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName);
|
||||||
|
+ IScsiAddKeyValuePair (
|
||||||
|
+ Pdu,
|
||||||
|
+ ISCSI_KEY_INITIATOR_NAME,
|
||||||
|
+ mPrivate->InitiatorName
|
||||||
|
+ );
|
||||||
|
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");
|
||||||
|
IScsiAddKeyValuePair (
|
||||||
|
Pdu,
|
||||||
|
@@ -413,7 +446,8 @@ IScsiCHAPToSendReq (
|
||||||
|
|
||||||
|
case ISCSI_CHAP_STEP_ONE:
|
||||||
|
//
|
||||||
|
- // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.
|
||||||
|
+ // First step, send the Login Request with CHAP_A=<A1,A2...> key-value
|
||||||
|
+ // pair.
|
||||||
|
//
|
||||||
|
AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);
|
||||||
|
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);
|
||||||
|
@@ -429,11 +463,20 @@ IScsiCHAPToSendReq (
|
||||||
|
//
|
||||||
|
// CHAP_N=<N>
|
||||||
|
//
|
||||||
|
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName);
|
||||||
|
+ IScsiAddKeyValuePair (
|
||||||
|
+ Pdu,
|
||||||
|
+ ISCSI_KEY_CHAP_NAME,
|
||||||
|
+ (CHAR8 *) &AuthData->AuthConfig->CHAPName
|
||||||
|
+ );
|
||||||
|
//
|
||||||
|
// CHAP_R=<R>
|
||||||
|
//
|
||||||
|
- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);
|
||||||
|
+ IScsiBinToHex (
|
||||||
|
+ (UINT8 *) AuthData->CHAPResponse,
|
||||||
|
+ ISCSI_CHAP_RSP_LEN,
|
||||||
|
+ Response,
|
||||||
|
+ &RspLen
|
||||||
|
+ );
|
||||||
|
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
|
||||||
|
|
||||||
|
if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
|
||||||
|
@@ -448,7 +491,12 @@ IScsiCHAPToSendReq (
|
||||||
|
//
|
||||||
|
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
|
||||||
|
AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
|
||||||
|
- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);
|
||||||
|
+ IScsiBinToHex (
|
||||||
|
+ (UINT8 *) AuthData->OutChallenge,
|
||||||
|
+ ISCSI_CHAP_RSP_LEN,
|
||||||
|
+ Challenge,
|
||||||
|
+ &ChallengeLen
|
||||||
|
+ );
|
||||||
|
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
|
||||||
|
|
||||||
|
Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
|
||||||
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
index 140bba0dcd..5e59fb678b 100644
|
||||||
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
|
||||||
|
@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived (
|
||||||
|
@param[in, out] Pdu The PDU to send out.
|
||||||
|
|
||||||
|
@retval EFI_SUCCESS All check passed and the phase-related CHAP
|
||||||
|
- authentication info is filled into the iSCSI PDU.
|
||||||
|
+ authentication info is filled into the iSCSI
|
||||||
|
+ PDU.
|
||||||
|
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
|
||||||
|
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
|
||||||
|
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
49
edk2.spec
@ -7,14 +7,14 @@ ExclusiveArch: x86_64 aarch64
|
|||||||
|
|
||||||
Name: edk2
|
Name: edk2
|
||||||
Version: %{GITDATE}git%{GITCOMMIT}
|
Version: %{GITDATE}git%{GITCOMMIT}
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: UEFI firmware for 64-bit virtual machines
|
Summary: UEFI firmware for 64-bit virtual machines
|
||||||
Group: Applications/Emulators
|
Group: Applications/Emulators
|
||||||
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
||||||
URL: http://www.tianocore.org
|
URL: http://www.tianocore.org
|
||||||
|
|
||||||
# The source tarball is created using following commands:
|
# The source tarball is created using following commands:
|
||||||
# COMMIT=%{GITCOMMIT}
|
# COMMIT=e1999b264f1f
|
||||||
# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \
|
# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \
|
||||||
# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
|
# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
|
||||||
Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
|
Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
|
||||||
@ -50,6 +50,26 @@ Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
|
|||||||
Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
|
Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
|
||||||
Patch0026: 0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
|
Patch0026: 0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
|
||||||
Patch0027: 0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
|
Patch0027: 0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch28: edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch29: edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch30: edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch31: edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch32: edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch33: edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch34: edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch35: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch36: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
|
||||||
|
# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
|
||||||
|
Patch37: edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
|
||||||
|
|
||||||
|
|
||||||
# python3-devel and libuuid-devel are required for building tools.
|
# python3-devel and libuuid-devel are required for building tools.
|
||||||
@ -68,7 +88,7 @@ BuildRequires: nasm
|
|||||||
# the UEFI shell.
|
# the UEFI shell.
|
||||||
BuildRequires: dosfstools
|
BuildRequires: dosfstools
|
||||||
BuildRequires: mtools
|
BuildRequires: mtools
|
||||||
BuildRequires: genisoimage
|
BuildRequires: xorriso
|
||||||
|
|
||||||
# For generating the variable store template with the default certificates
|
# For generating the variable store template with the default certificates
|
||||||
# enrolled, we need the qemu-kvm executable.
|
# enrolled, we need the qemu-kvm executable.
|
||||||
@ -263,9 +283,9 @@ cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
|
|||||||
mdir -i "$UEFI_SHELL_IMAGE" -/ ::
|
mdir -i "$UEFI_SHELL_IMAGE" -/ ::
|
||||||
|
|
||||||
# build ISO with FAT image file as El Torito EFI boot image
|
# build ISO with FAT image file as El Torito EFI boot image
|
||||||
genisoimage -input-charset ASCII -J -rational-rock \
|
mkisofs -input-charset ASCII -J -rational-rock \
|
||||||
-efi-boot "$UEFI_SHELL_IMAGE" -no-emul-boot \
|
-e "$UEFI_SHELL_IMAGE" -no-emul-boot \
|
||||||
-o "$ISO_IMAGE" -- "$UEFI_SHELL_IMAGE"
|
-o "$ISO_IMAGE" "$UEFI_SHELL_IMAGE"
|
||||||
)
|
)
|
||||||
|
|
||||||
# Enroll the default certificates in a separate variable store template.
|
# Enroll the default certificates in a separate variable store template.
|
||||||
@ -494,6 +514,23 @@ true
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 02 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-2
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1961100]
|
||||||
|
- edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1961100]
|
||||||
|
- edk2-redhat-build-UefiShell.iso-with-xorriso-rather-than-.patch [bz#1971840]
|
||||||
|
- Resolves: bz#1961100
|
||||||
|
(edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0])
|
||||||
|
- Resolves: bz#1971840
|
||||||
|
(Please replace genisoimage with xorriso)
|
||||||
|
|
||||||
* Wed Jun 23 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-1
|
* Wed Jun 23 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-1
|
||||||
- Rebase to edk2-stable202105 [bz#1938254]
|
- Rebase to edk2-stable202105 [bz#1938254]
|
||||||
- Resolves: bz#1938254
|
- Resolves: bz#1938254
|
||||||
|
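Review bot: The ISO step appears to call `mkisofs` on its new side while the build dependency becomes `BuildRequires: xorriso`. Which line of each printed pair is the new one is inferred from the changelog entry, because the +/- markers are lost on this page. Whether a `mkisofs` command exists in the buildroot then depends on how the xorriso package exposes its mkisofs emulation, which the spec does not show. Naming the required tool makes the link explicit, e.g. `xorriso -as mkisofs -input-charset ASCII -J -rational-rock \`. Alternatively, add a comment above the command saying which package provides `mkisofs`.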