From f887d6a52b6b3c7450a255aed265e8f5b8399ed6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 10 Aug 2021 08:02:28 -0400 Subject: [PATCH] import edk2-20200602gitca407c7246bf-4.el8_4.2 --- ...Dxe-assert-that-IScsiBinToHex-always.patch | 94 +++++++ ...Dxe-check-IScsiHexToBin-return-value.patch | 90 +++++++ ...Dxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch | 101 +++++++ ...Dxe-clean-up-library-class-dependenc.patch | 100 +++++++ ...Dxe-fix-IScsiHexToBin-buffer-overflo.patch | 112 ++++++++ ...csiDxe-fix-IScsiHexToBin-hex-parsing.patch | 103 ++++++++ ...Dxe-fix-potential-integer-overflow-i.patch | 153 +++++++++++ ...Dxe-reformat-IScsiHexToBin-leading-c.patch | 92 +++++++ ...Dxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch | 70 +++++ ...Dxe-wrap-IScsiCHAP-source-files-to-8.patch | 250 ++++++++++++++++++ SPECS/edk2.spec | 36 ++- 11 files changed, 1200 insertions(+), 1 deletion(-) create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch create mode 100644 SOURCES/edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch new file mode 100644 index 0000000..cdcda71 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch @@ -0,0 +1,94 @@ +From 95ce1cb291324bdef3c790e367ba6ac8752c5f23 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 27 Apr 2021 10:26:01 +0200 +Subject: [PATCH 06/10] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always + succeeds +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [6/10] b302b99312b327b9bf04ea408c638fa0e366d643 +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +IScsiBinToHex() is called for encoding: + +- the answer to the target's challenge; that is, CHAP_R; + +- the challenge for the target, in case mutual authentication is enabled; + that is, CHAP_C. + +The initiator controls the size of both blobs, the sizes of their hex +encodings are correctly calculated in "RspLen" and "ChallengeLen". +Therefore the IScsiBinToHex() calls never fail; assert that. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index 9e192ce292..dbe3c8ef46 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -391,6 +391,7 @@ IScsiCHAPToSendReq ( + UINT32 RspLen; + CHAR8 *Challenge; + UINT32 ChallengeLen; ++ EFI_STATUS BinToHexStatus; + + ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION); + +@@ -471,12 +472,13 @@ IScsiCHAPToSendReq ( + // + // CHAP_R= + // +- IScsiBinToHex ( +- (UINT8 *) AuthData->CHAPResponse, +- ISCSI_CHAP_RSP_LEN, +- Response, +- &RspLen +- ); ++ BinToHexStatus = IScsiBinToHex ( ++ (UINT8 *) AuthData->CHAPResponse, ++ ISCSI_CHAP_RSP_LEN, ++ Response, ++ &RspLen ++ ); ++ ASSERT_EFI_ERROR (BinToHexStatus); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); + + if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) { +@@ -490,12 +492,13 @@ IScsiCHAPToSendReq ( + // CHAP_C= + // + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); +- IScsiBinToHex ( +- (UINT8 *) AuthData->OutChallenge, +- ISCSI_CHAP_RSP_LEN, +- Challenge, +- &ChallengeLen +- ); ++ BinToHexStatus = IScsiBinToHex ( ++ (UINT8 *) AuthData->OutChallenge, ++ ISCSI_CHAP_RSP_LEN, ++ Challenge, ++ &ChallengeLen ++ ); ++ ASSERT_EFI_ERROR (BinToHexStatus); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); + + Conn->AuthStep = ISCSI_CHAP_STEP_FOUR; +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch new file mode 100644 index 0000000..d6c8f97 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch @@ -0,0 +1,90 @@ +From 79c8488d768ea02939474374a18c536425c36de3 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 27 Apr 2021 12:10:12 +0200 +Subject: [PATCH 10/10] NetworkPkg/IScsiDxe: check IScsiHexToBin() return + values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [10/10] 171f8f1c114e0028d83bcb1ca46844a99a825b29 +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +IScsiDxe (that is, the initiator) receives two hex-encoded strings from +the iSCSI target: + +- CHAP_C, where the target challenges the initiator, + +- CHAP_R, where the target answers the challenge from the initiator (in + case the initiator wants mutual authentication). + +Accordingly, we have two IScsiHexToBin() call sites: + +- At the CHAP_C decoding site, check whether the decoding succeeds. The + decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, + which is a permissible restriction on the target, per + . Shorter challenges + from the target are acceptable. + +- At the CHAP_R decoding site, enforce that the decoding both succeed, and + provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest + calculated by the target, therefore it must be of fixed size. We may + only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index dbe3c8ef46..7e930c0d1e 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived ( + + AuthData->InIdentifier = (UINT32) Result; + AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); +- IScsiHexToBin ( +- (UINT8 *) AuthData->InChallenge, +- &AuthData->InChallengeLength, +- Challenge +- ); ++ Status = IScsiHexToBin ( ++ (UINT8 *) AuthData->InChallenge, ++ &AuthData->InChallengeLength, ++ Challenge ++ ); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_PROTOCOL_ERROR; ++ goto ON_EXIT; ++ } + Status = IScsiCHAPCalculateResponse ( + AuthData->InIdentifier, + AuthData->AuthConfig->CHAPSecret, +@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived ( + } + + RspLen = ISCSI_CHAP_RSP_LEN; +- IScsiHexToBin (TargetRsp, &RspLen, Response); ++ Status = IScsiHexToBin (TargetRsp, &RspLen, Response); ++ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) { ++ Status = EFI_PROTOCOL_ERROR; ++ goto ON_EXIT; ++ } + + // + // Check the CHAP Name and Response replied by Target. +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch new file mode 100644 index 0000000..56916f7 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch @@ -0,0 +1,101 @@ +From dd65b4f245e318e0d76a213c92b159819c6dae79 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Mon, 26 Apr 2021 20:17:23 +0200 +Subject: [PATCH 03/10] NetworkPkg/IScsiDxe: clean up + "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [3/10] 93e6e1fa7f093898350a40ec60201f64a8849f3c +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array +with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge +is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used +in the array. + +Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused) +ISCSI_CHAP_AUTH_MAX_LEN macro. + +Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is +superfluous too. + +Most importantly, explain in a new comment *why* tying the challenge size +to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also +Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge +length to the hash digest size", 2019-11-06.) For sure, the motivation +that the new comment now explains has always been there, and has always +been the same, for IScsiDxe; it's just that now we spell it out too. + +No change in peer-visible behavior. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +-- + NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++--- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index df3c2eb120..9e192ce292 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget ( + AuthData->AuthConfig->ReverseCHAPSecret, + SecretSize, + AuthData->OutChallenge, +- AuthData->OutChallengeLength, ++ ISCSI_CHAP_RSP_LEN, // ChallengeLength + VerifyRsp + ); + +@@ -490,7 +490,6 @@ IScsiCHAPToSendReq ( + // CHAP_C= + // + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); +- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN; + IScsiBinToHex ( + (UINT8 *) AuthData->OutChallenge, + ISCSI_CHAP_RSP_LEN, +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h +index 1fc1d96ea3..35d5d6ec29 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h +@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + + #define ISCSI_CHAP_ALGORITHM_MD5 5 + +-#define ISCSI_CHAP_AUTH_MAX_LEN 1024 + /// + /// MD5_HASHSIZE + /// +@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA { + // + // Auth-data to be sent out for mutual authentication. + // ++ // While the challenge size is technically independent of the hashing ++ // algorithm, it is good practice to avoid hashing *fewer bytes* than the ++ // digest size. In other words, it's good practice to feed *at least as many ++ // bytes* to the hashing algorithm as the hashing algorithm will output. ++ // + UINT32 OutIdentifier; +- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN]; +- UINT32 OutChallengeLength; ++ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN]; + } ISCSI_CHAP_AUTH_DATA; + + /** +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch new file mode 100644 index 0000000..038ecb3 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch @@ -0,0 +1,100 @@ +From fc21f1820452cf17a777f141b8ae9112a9ca3b84 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 27 Apr 2021 09:49:16 +0200 +Subject: [PATCH 04/10] NetworkPkg/IScsiDxe: clean up library class + dependencies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [4/10] 981f8efd1155dbe653c846b013c90780c32f3f59 +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +Sort the library class dependencies in the #include directives and in the +INF file. Remove the DpcLib class from the #include directives -- it is +not listed in the INF file, and IScsiDxe doesn't call either DpcLib API +(QueueDpc(), DispatchDpc()). No functional changes. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++--- + NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++--------- + 2 files changed, 11 insertions(+), 12 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf +index 0ffb340ce0..543c408302 100644 +--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf ++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf +@@ -65,6 +65,7 @@ + NetworkPkg/NetworkPkg.dec + + [LibraryClasses] ++ BaseCryptLib + BaseLib + BaseMemoryLib + DebugLib +@@ -72,14 +73,13 @@ + HiiLib + MemoryAllocationLib + NetLib +- TcpIoLib + PrintLib ++ TcpIoLib + UefiBootServicesTableLib + UefiDriverEntryPoint ++ UefiHiiServicesLib + UefiLib + UefiRuntimeServicesTableLib +- UefiHiiServicesLib +- BaseCryptLib + + [Protocols] + gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable +diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h +index 387ab9765e..d895c7feb9 100644 +--- a/NetworkPkg/IScsiDxe/IScsiImpl.h ++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h +@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + #include + +-#include +-#include +-#include +-#include ++#include + #include + #include ++#include ++#include ++#include + #include ++#include + #include ++#include + #include +-#include ++#include + #include +-#include +-#include +-#include +-#include ++#include + + #include + #include +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch new file mode 100644 index 0000000..272a450 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch @@ -0,0 +1,112 @@ +From 47668ca7bca333ef223b5897fb044b6760f215f5 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 27 Apr 2021 11:02:51 +0200 +Subject: [PATCH 09/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer + overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [9/10] 9230129f3b079e61a53d39b81072c7884c991e49 +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return +condition, but never actually checks whether the decoded buffer fits into +the caller-provided room (i.e., the input value of "BinLength"), and +EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can +overflow "BinBuffer". + +This is remotely exploitable, as shown in a subsequent patch, which adds +error checking to the IScsiHexToBin() call sites. This issue allows the +target to compromise the initiator. + +Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent +EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow, +plus actually catch the buffer overflow. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++--- + NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++ + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index f0f4992b07..4069547867 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -377,6 +377,9 @@ IScsiBinToHex ( + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. + @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. ++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding: ++ the decoded size cannot be expressed in ++ BinLength on output. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +@@ -387,6 +390,8 @@ IScsiHexToBin ( + IN CHAR8 *HexStr + ) + { ++ UINTN BinLengthMin; ++ UINT32 BinLengthProvided; + UINTN Index; + UINTN Length; + UINT8 Digit; +@@ -409,6 +414,18 @@ IScsiHexToBin ( + if (Length == 0 || Length % 2 != 0) { + return EFI_INVALID_PARAMETER; + } ++ // ++ // Check if the caller provides enough room for the decoded blob. ++ // ++ BinLengthMin = Length / 2; ++ if (BinLengthMin > MAX_UINT32) { ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ BinLengthProvided = *BinLength; ++ *BinLength = (UINT32)BinLengthMin; ++ if (BinLengthProvided < BinLengthMin) { ++ return EFI_BUFFER_TOO_SMALL; ++ } + + for (Index = 0; Index < Length; Index ++) { + TemStr[0] = HexStr[Index]; +@@ -425,9 +442,6 @@ IScsiHexToBin ( + BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit); + } + } +- +- *BinLength = (UINT32) ((Index + 1)/2); +- + return EFI_SUCCESS; + } + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 404a482e57..fddef4f466 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -172,6 +172,9 @@ IScsiBinToHex ( + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. + @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. ++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding: ++ the decoded size cannot be expressed in ++ BinLength on output. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch new file mode 100644 index 0000000..a732ab4 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch @@ -0,0 +1,103 @@ +From fd7e1858bc0e538e9af42b9f0514553da9533553 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 27 Apr 2021 11:02:51 +0200 +Subject: [PATCH 08/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [8/10] f77fc01700564c5e15027bd902a846102d488bf6 +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +The IScsiHexToBin() function has the following parser issues: + +(1) If the *subject sequence* in "HexStr" is empty, the function returns + EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should + be rejected. + +(2) The function mis-handles a "HexStr" that ends with a stray nibble. For + example, if "HexStr" is "0xABC", the function decodes it to the bytes + {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns + EFI_SUCCESS. Such inputs should be rejected. + +(3) If an invalid hex char is found in "HexStr", the function treats it as + end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be + rejected. + +All of the above cases are remotely triggerable, as shown in a subsequent +patch, which adds error checking to the IScsiHexToBin() call sites. While +the initiator is not immediately compromised, incorrectly parsing CHAP_R +from the target, in case of mutual authentication, is not great. + +Extend the interface contract of IScsiHexToBin() with +EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement +the new checks. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++-- + NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index 014700e87a..f0f4992b07 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -376,6 +376,7 @@ IScsiBinToHex ( + + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. ++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +@@ -402,14 +403,21 @@ IScsiHexToBin ( + + Length = AsciiStrLen (HexStr); + ++ // ++ // Reject an empty hex string; reject a stray nibble. ++ // ++ if (Length == 0 || Length % 2 != 0) { ++ return EFI_INVALID_PARAMETER; ++ } ++ + for (Index = 0; Index < Length; Index ++) { + TemStr[0] = HexStr[Index]; + Digit = (UINT8) AsciiStrHexToUint64 (TemStr); + if (Digit == 0 && TemStr[0] != '0') { + // +- // Invalid Lun Char. ++ // Invalid Hex Char. + // +- break; ++ return EFI_INVALID_PARAMETER; + } + if ((Index & 1) == 0) { + BinBuffer [Index/2] = Digit; +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 28cf408cd5..404a482e57 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -171,6 +171,7 @@ IScsiBinToHex ( + + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. ++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch new file mode 100644 index 0000000..91507c4 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch @@ -0,0 +1,153 @@ +From ae16157ee5c96e36e5d1ec558f875e6b89188770 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 27 Apr 2021 10:10:42 +0200 +Subject: [PATCH 05/10] NetworkPkg/IScsiDxe: fix potential integer overflow in + IScsiBinToHex() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [5/10] 96bbb794ca2355c2d9e83d79d385582daf8e4aa4 +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +Considering IScsiBinToHex(): + +> if (((*HexLength) - 3) < BinLength * 2) { +> *HexLength = BinLength * 2 + 3; +> } + +the following subexpressions are problematic: + + (*HexLength) - 3 + BinLength * 2 + BinLength * 2 + 3 + +The first one may wrap under zero, the latter two may wrap over +MAX_UINT32. + +Rewrite the calculation using SafeIntLib. + +While at it, change the type of the "Index" variable from UINTN to UINT32. +The largest "Index"-based value that we calculate is + + Index * 2 + 2 (with (Index == BinLength)) + +Because the patch makes + + BinLength * 2 + 3 + +safe to calculate in UINT32, using UINT32 for + + Index * 2 + 2 (with (Index == BinLength)) + +is safe too. Consistently using UINT32 improves readability. + +This patch is best reviewed with "git show -W". + +The integer overflows that this patch fixes are theoretical; a subsequent +patch in the series will audit the IScsiBinToHex() call sites, and show +that none of them can fail. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 + + NetworkPkg/IScsiDxe/IScsiImpl.h | 1 + + NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++---- + NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + + 4 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf +index 543c408302..1dde56d00c 100644 +--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf ++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf +@@ -74,6 +74,7 @@ + MemoryAllocationLib + NetLib + PrintLib ++ SafeIntLib + TcpIoLib + UefiBootServicesTableLib + UefiDriverEntryPoint +diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h +index d895c7feb9..ac3a25730e 100644 +--- a/NetworkPkg/IScsiDxe/IScsiImpl.h ++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h +@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + #include + #include ++#include + #include + #include + #include +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index b8fef3ff6f..42988e15cb 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -316,6 +316,7 @@ IScsiMacAddrToStr ( + @retval EFI_SUCCESS The binary data is converted to the hexadecimal string + and the length of the string is updated. + @retval EFI_BUFFER_TOO_SMALL The string is too small. ++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. + @retval EFI_INVALID_PARAMETER The IP string is malformatted. + + **/ +@@ -327,18 +328,28 @@ IScsiBinToHex ( + IN OUT UINT32 *HexLength + ) + { +- UINTN Index; ++ UINT32 HexLengthMin; ++ UINT32 HexLengthProvided; ++ UINT32 Index; + + if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) { + return EFI_INVALID_PARAMETER; + } + +- if (((*HexLength) - 3) < BinLength * 2) { +- *HexLength = BinLength * 2 + 3; ++ // ++ // Safely calculate: HexLengthMin := BinLength * 2 + 3. ++ // ++ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) || ++ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) { ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ HexLengthProvided = *HexLength; ++ *HexLength = HexLengthMin; ++ if (HexLengthProvided < HexLengthMin) { + return EFI_BUFFER_TOO_SMALL; + } + +- *HexLength = BinLength * 2 + 3; + // + // Prefix for Hex String. + // +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 46c725aab3..231413993b 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -150,6 +150,7 @@ IScsiAsciiStrToIp ( + @retval EFI_SUCCESS The binary data is converted to the hexadecimal string + and the length of the string is updated. + @retval EFI_BUFFER_TOO_SMALL The string is too small. ++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. + @retval EFI_INVALID_PARAMETER The IP string is malformatted. + + **/ +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch new file mode 100644 index 0000000..a4bf106 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch @@ -0,0 +1,92 @@ +From cd26bdad5567460515fbfc91a4caabc8d740e8ed Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 27 Apr 2021 10:37:26 +0200 +Subject: [PATCH 07/10] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading + comment block +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [7/10] 6c86ac71821db916b67df2a5ce188706f9b8d515 +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +We'll need further return values for IScsiHexToBin() in a subsequent +patch; make room for them in the leading comment block of the function. +While at it, rewrap the comment block to 80 characters width. + +No functional changes. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++-------- + NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++-------- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index 42988e15cb..014700e87a 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -370,14 +370,14 @@ IScsiBinToHex ( + /** + Convert the hexadecimal string into a binary encoded buffer. + +- @param[in, out] BinBuffer The binary buffer. +- @param[in, out] BinLength Length of the binary buffer. +- @param[in] HexStr The hexadecimal string. +- +- @retval EFI_SUCCESS The hexadecimal string is converted into a binary +- encoded buffer. +- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. +- ++ @param[in, out] BinBuffer The binary buffer. ++ @param[in, out] BinLength Length of the binary buffer. ++ @param[in] HexStr The hexadecimal string. ++ ++ @retval EFI_SUCCESS The hexadecimal string is converted into a ++ binary encoded buffer. ++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the ++ converted data. + **/ + EFI_STATUS + IScsiHexToBin ( +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 231413993b..28cf408cd5 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -165,14 +165,14 @@ IScsiBinToHex ( + /** + Convert the hexadecimal string into a binary encoded buffer. + +- @param[in, out] BinBuffer The binary buffer. +- @param[in, out] BinLength Length of the binary buffer. +- @param[in] HexStr The hexadecimal string. +- +- @retval EFI_SUCCESS The hexadecimal string is converted into a binary +- encoded buffer. +- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. +- ++ @param[in, out] BinBuffer The binary buffer. ++ @param[in, out] BinLength Length of the binary buffer. ++ @param[in] HexStr The hexadecimal string. ++ ++ @retval EFI_SUCCESS The hexadecimal string is converted into a ++ binary encoded buffer. ++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the ++ converted data. + **/ + EFI_STATUS + IScsiHexToBin ( +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch new file mode 100644 index 0000000..afc316e --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch @@ -0,0 +1,70 @@ +From 557a962ce519757cacb236fbbc819f9300d9d287 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Mon, 26 Apr 2021 20:07:25 +0200 +Subject: [PATCH 02/10] NetworkPkg/IScsiDxe: simplify + "ISCSI_CHAP_AUTH_DATA.InChallenge" size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [2/10] ce3d2f2f2e16c44a621ffbed70ff245a1ec473bd +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024. + +The usage of this macro currently involves a semantic (not functional) +bug, which we're going to fix in a subsequent patch, eliminating +ISCSI_CHAP_AUTH_MAX_LEN altogether. + +For now, remove the macro's usage from all +"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without +duplicating open-coded constants. + +No changes in functionality. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +- + NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index cbbc56ae5b..df3c2eb120 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived ( + } + + AuthData->InIdentifier = (UINT32) Result; +- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN; ++ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); + IScsiHexToBin ( + (UINT8 *) AuthData->InChallenge, + &AuthData->InChallengeLength, +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h +index 5e59fb678b..1fc1d96ea3 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h +@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { + typedef struct _ISCSI_CHAP_AUTH_DATA { + ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig; + UINT32 InIdentifier; +- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN]; ++ UINT8 InChallenge[1024]; + UINT32 InChallengeLength; + // + // Calculated CHAP Response (CHAP_R) value. +-- +2.27.0 + diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch new file mode 100644 index 0000000..6e30b61 --- /dev/null +++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch @@ -0,0 +1,250 @@ +From f47859b9e9caf237d0691be7915cc026f4f015a4 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Mon, 26 Apr 2021 19:05:20 +0200 +Subject: [PATCH 01/10] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80 + characters +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] +RH-Commit: [1/10] 190e229a59ca2e2e48593b00942749336e04f81e +RH-Bugzilla: 1956676 +RH-Acked-by: Philippe Mathieu-Daudé + +Working with overlong lines is difficult for me; rewrap the CHAP-related +source files in IScsiDxe to 80 characters width. No functional changes. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++-------- + NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +- + 2 files changed, 71 insertions(+), 22 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index 355c6f129f..cbbc56ae5b 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -1,5 +1,6 @@ + /** @file +- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. ++ This file is for Challenge-Handshake Authentication Protocol (CHAP) ++ Configuration. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent +@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + @param[in] ChallengeLength The length of iSCSI CHAP challenge message. + @param[out] ChapResponse The calculation of the expected hash value. + +- @retval EFI_SUCCESS The expected hash value was calculatedly successfully. +- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the +- length of the hash value for the hashing algorithm chosen. ++ @retval EFI_SUCCESS The expected hash value was calculatedly ++ successfully. ++ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least ++ the length of the hash value for the hashing ++ algorithm chosen. + @retval EFI_PROTOCOL_ERROR MD5 hash operation fail. + @retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5. + +@@ -94,8 +97,10 @@ Exit: + @param[in] AuthData iSCSI CHAP authentication data. + @param[in] TargetResponse The response from target. + +- @retval EFI_SUCCESS The response from target passed authentication. +- @retval EFI_SECURITY_VIOLATION The response from target was not expected value. ++ @retval EFI_SUCCESS The response from target passed ++ authentication. ++ @retval EFI_SECURITY_VIOLATION The response from target was not expected ++ value. + @retval Others Other errors as indicated. + + **/ +@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived ( + // + // The first Login Response. + // +- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG); ++ Value = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG ++ ); + if (Value == NULL) { + goto ON_EXIT; + } +@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived ( + + Session->TargetPortalGroupTag = (UINT16) Result; + +- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD); ++ Value = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_AUTH_METHOD ++ ); + if (Value == NULL) { + goto ON_EXIT; + } + // +- // Initiator mandates CHAP authentication but target replies without "CHAP", or +- // initiator suggets "None" but target replies with some kind of auth method. ++ // Initiator mandates CHAP authentication but target replies without ++ // "CHAP", or initiator suggets "None" but target replies with some kind of ++ // auth method. + // + if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) { + if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) { +@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived ( + // + // The Target replies with CHAP_A= CHAP_I= CHAP_C= + // +- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM); ++ Value = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_ALGORITHM ++ ); + if (Value == NULL) { + goto ON_EXIT; + } +@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived ( + goto ON_EXIT; + } + +- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER); ++ Identifier = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_IDENTIFIER ++ ); + if (Identifier == NULL) { + goto ON_EXIT; + } + +- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE); ++ Challenge = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_CHALLENGE ++ ); + if (Challenge == NULL) { + goto ON_EXIT; + } +@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived ( + + AuthData->InIdentifier = (UINT32) Result; + AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN; +- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge); ++ IScsiHexToBin ( ++ (UINT8 *) AuthData->InChallenge, ++ &AuthData->InChallengeLength, ++ Challenge ++ ); + Status = IScsiCHAPCalculateResponse ( + AuthData->InIdentifier, + AuthData->AuthConfig->CHAPSecret, +@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived ( + goto ON_EXIT; + } + +- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE); ++ Response = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_RESPONSE ++ ); + if (Response == NULL) { + goto ON_EXIT; + } +@@ -341,7 +369,8 @@ ON_EXIT: + @param[in, out] Pdu The PDU to send out. + + @retval EFI_SUCCESS All check passed and the phase-related CHAP +- authentication info is filled into the iSCSI PDU. ++ authentication info is filled into the iSCSI ++ PDU. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. + @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. + +@@ -392,7 +421,11 @@ IScsiCHAPToSendReq ( + // It's the initial Login Request. Fill in the key=value pairs mandatory + // for the initial Login Request. + // +- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName); ++ IScsiAddKeyValuePair ( ++ Pdu, ++ ISCSI_KEY_INITIATOR_NAME, ++ mPrivate->InitiatorName ++ ); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal"); + IScsiAddKeyValuePair ( + Pdu, +@@ -413,7 +446,8 @@ IScsiCHAPToSendReq ( + + case ISCSI_CHAP_STEP_ONE: + // +- // First step, send the Login Request with CHAP_A= key-value pair. ++ // First step, send the Login Request with CHAP_A= key-value ++ // pair. + // + AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr); +@@ -429,11 +463,20 @@ IScsiCHAPToSendReq ( + // + // CHAP_N= + // +- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName); ++ IScsiAddKeyValuePair ( ++ Pdu, ++ ISCSI_KEY_CHAP_NAME, ++ (CHAR8 *) &AuthData->AuthConfig->CHAPName ++ ); + // + // CHAP_R= + // +- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen); ++ IScsiBinToHex ( ++ (UINT8 *) AuthData->CHAPResponse, ++ ISCSI_CHAP_RSP_LEN, ++ Response, ++ &RspLen ++ ); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); + + if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) { +@@ -448,7 +491,12 @@ IScsiCHAPToSendReq ( + // + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); + AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN; +- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen); ++ IScsiBinToHex ( ++ (UINT8 *) AuthData->OutChallenge, ++ ISCSI_CHAP_RSP_LEN, ++ Challenge, ++ &ChallengeLen ++ ); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); + + Conn->AuthStep = ISCSI_CHAP_STEP_FOUR; +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h +index 140bba0dcd..5e59fb678b 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h +@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived ( + @param[in, out] Pdu The PDU to send out. + + @retval EFI_SUCCESS All check passed and the phase-related CHAP +- authentication info is filled into the iSCSI PDU. ++ authentication info is filled into the iSCSI ++ PDU. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. + @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. + +-- +2.27.0 + diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index ea2bc9a..138f368 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 4%{?dist}.1 +Release: 4%{?dist}.2 Summary: UEFI firmware for 64-bit virtual machines Group: Applications/Emulators License: BSD-2-Clause-Patent and OpenSSL and MIT @@ -68,6 +68,26 @@ Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch # For bz#1952953 - edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] [rhel-8.4.0.z] Patch36: edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch37: edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch38: edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch39: edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch40: edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch41: edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch42: edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch43: edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch44: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch45: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch +# For bz#1956676 - EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z] +Patch46: edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch # python3-devel and libuuid-devel are required for building tools. @@ -517,6 +537,20 @@ true %endif %changelog +* Mon May 24 2021 Miroslav Rezanina - 20200602gitca407c7246bf-4.el8_4.2 +- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1956676] +- edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1956676] +- Resolves: bz#1956676 + (EMBARGOED edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.4.0.z]) + * Thu May 13 2021 Miroslav Rezanina - 20200602gitca407c7246bf-4.el8_4.1 - edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch [bz#1952953] - Resolves: bz#1952953