From 51d2956d480fef83f765013c8aec7f7ddc14b84d Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Tue, 11 Feb 2020 17:02:00 +0100

Subject: [PATCH 2/2] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric

 truncation (CVE-2019-14563)

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>

Message-id: <20200211170200.12389-3-lersek@redhat.com>

Patchwork-id: 93777

O-Subject: [RHEL-8.2.0 edk2 PATCH 2/2] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563)

Bugzilla: 1801274

RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

From: Hao A Wu <hao.a.wu@intel.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001

For S3BootScriptLib APIs:

S3BootScriptSaveIoWrite

S3BootScriptSaveMemWrite

S3BootScriptSavePciCfgWrite

S3BootScriptSavePciCfg2Write

S3BootScriptSaveSmbusExecute

S3BootScriptSaveInformation

S3BootScriptSaveInformationAsciiString

S3BootScriptLabel (happen in S3BootScriptLabelInternal())

possible numeric truncations will happen that may lead to S3 boot script

entry with improper size being returned to store the boot script data.

This commit will add checks to prevent this kind of issue.

Please note that the remaining S3BootScriptLib APIs:

S3BootScriptSaveIoReadWrite

S3BootScriptSaveMemReadWrite

S3BootScriptSavePciCfgReadWrite

S3BootScriptSavePciCfg2ReadWrite

S3BootScriptSaveStall

S3BootScriptSaveDispatch2

S3BootScriptSaveDispatch

S3BootScriptSaveMemPoll

S3BootScriptSaveIoPoll

S3BootScriptSavePciPoll

S3BootScriptSavePci2Poll

S3BootScriptCloseTable

S3BootScriptExecute

S3BootScriptMoveLastOpcode

S3BootScriptCompare

are not affected by such numeric truncation.

Signed-off-by: Hao A Wu <hao.a.wu@intel.com>

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Eric Dong <eric.dong@intel.com>

Acked-by: Jian J Wang <jian.j.wang@intel.com>

(cherry picked from commit 322ac05f8bbc1bce066af1dabd1b70ccdbe28891)

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 .../Library/PiDxeS3BootScriptLib/BootScriptSave.c  | 52 +++++++++++++++++++++-

 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c

index 9106e7d..9315fc9 100644

--- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c

+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c

@@ -1,7 +1,7 @@

 /** @file

   Save the S3 data to S3 boot script.

-  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.

+  Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.

   SPDX-License-Identifier: BSD-2-Clause-Patent

@@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite (

   EFI_BOOT_SCRIPT_IO_WRITE  ScriptIoWrite;

   WidthInByte = (UINT8) (0x01 << (Width & 0x03));

+

+  //

+  // Truncation check

+  //

+  if ((Count > MAX_UINT8) ||

+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) {

+    return RETURN_OUT_OF_RESOURCES;

+  }

   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count));

   Script = S3BootScriptGetEntryAddAddress (Length);

@@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite (

   EFI_BOOT_SCRIPT_MEM_WRITE  ScriptMemWrite;

   WidthInByte = (UINT8) (0x01 << (Width & 0x03));

+

+  //

+  // Truncation check

+  //

+  if ((Count > MAX_UINT8) ||

+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) {

+    return RETURN_OUT_OF_RESOURCES;

+  }

   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count));

   Script = S3BootScriptGetEntryAddAddress (Length);

@@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite (

   }

   WidthInByte = (UINT8) (0x01 << (Width & 0x03));

+

+  //

+  // Truncation check

+  //

+  if ((Count > MAX_UINT8) ||

+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) {

+    return RETURN_OUT_OF_RESOURCES;

+  }

   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count));

   Script = S3BootScriptGetEntryAddAddress (Length);

@@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write (

   }

   WidthInByte = (UINT8) (0x01 << (Width & 0x03));

+

+  //

+  // Truncation check

+  //

+  if ((Count > MAX_UINT8) ||

+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) {

+    return RETURN_OUT_OF_RESOURCES;

+  }

   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count));

   Script = S3BootScriptGetEntryAddAddress (Length);

@@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute (

     return Status;

   }

+  //

+  // Truncation check

+  //

+  if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) {

+    return RETURN_OUT_OF_RESOURCES;

+  }

   DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength);

   Script = S3BootScriptGetEntryAddAddress (DataSize);

@@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation (

   UINT8                 *Script;

   EFI_BOOT_SCRIPT_INFORMATION  ScriptInformation;

+  //

+  // Truncation check

+  //

+  if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {

+    return RETURN_OUT_OF_RESOURCES;

+  }

   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);

   Script = S3BootScriptGetEntryAddAddress (Length);

@@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal (

   UINT8                 *Script;

   EFI_BOOT_SCRIPT_INFORMATION  ScriptInformation;

+  //

+  // Truncation check

+  //

+  if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {

+    return RETURN_OUT_OF_RESOURCES;

+  }

   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);

   Script = S3BootScriptGetEntryAddAddress (Length);

-- 

1.8.3.1