b67d81feb6
- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1961100] - edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1961100] - edk2-redhat-build-UefiShell.iso-with-xorriso-rather-than-.patch [bz#1971840] - Resolves: bz#1961100 (edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]) - Resolves: bz#1971840 (Please replace genisoimage with xorriso)
93 lines
3.5 KiB
Diff
93 lines
3.5 KiB
Diff
From de86f03cd7ed849ff62b1591c5fd34aeb1792887 Mon Sep 17 00:00:00 2001
|
|
From: Laszlo Ersek <lersek@redhat.com>
|
|
Date: Tue, 8 Jun 2021 14:12:59 +0200
|
|
Subject: [PATCH 10/11] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
|
|
values
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
|
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
|
|
RH-Commit: [10/10] 840f483839ce598396bb6db8ec1f0f50689b8215
|
|
RH-Bugzilla: 1961100
|
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
|
IScsiDxe (that is, the initiator) receives two hex-encoded strings from
|
|
the iSCSI target:
|
|
|
|
- CHAP_C, where the target challenges the initiator,
|
|
|
|
- CHAP_R, where the target answers the challenge from the initiator (in
|
|
case the initiator wants mutual authentication).
|
|
|
|
Accordingly, we have two IScsiHexToBin() call sites:
|
|
|
|
- At the CHAP_C decoding site, check whether the decoding succeeds. The
|
|
decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
|
|
which is a permissible restriction on the target, per
|
|
<https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
|
|
from the target are acceptable.
|
|
|
|
- At the CHAP_R decoding site, enforce that the decoding both succeed, and
|
|
provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
|
|
calculated by the target, therefore it must be of fixed size. We may
|
|
only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
|
|
|
|
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
|
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
|
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
|
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
|
Message-Id: <20210608121259.32451-11-lersek@redhat.com>
|
|
(cherry picked from commit b8649cf2a3e673a4a8cb6c255e394b354b771550)
|
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
---
|
|
NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
|
|
1 file changed, 14 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
|
index dbe3c8ef46..7e930c0d1e 100644
|
|
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
|
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
|
|
@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
|
|
|
|
AuthData->InIdentifier = (UINT32) Result;
|
|
AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
|
|
- IScsiHexToBin (
|
|
- (UINT8 *) AuthData->InChallenge,
|
|
- &AuthData->InChallengeLength,
|
|
- Challenge
|
|
- );
|
|
+ Status = IScsiHexToBin (
|
|
+ (UINT8 *) AuthData->InChallenge,
|
|
+ &AuthData->InChallengeLength,
|
|
+ Challenge
|
|
+ );
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ Status = EFI_PROTOCOL_ERROR;
|
|
+ goto ON_EXIT;
|
|
+ }
|
|
Status = IScsiCHAPCalculateResponse (
|
|
AuthData->InIdentifier,
|
|
AuthData->AuthConfig->CHAPSecret,
|
|
@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
|
|
}
|
|
|
|
RspLen = ISCSI_CHAP_RSP_LEN;
|
|
- IScsiHexToBin (TargetRsp, &RspLen, Response);
|
|
+ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
|
|
+ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
|
|
+ Status = EFI_PROTOCOL_ERROR;
|
|
+ goto ON_EXIT;
|
|
+ }
|
|
|
|
//
|
|
// Check the CHAP Name and Response replied by Target.
|
|
--
|
|
2.27.0
|
|
|