render / rpms / edk2

Forked from rpms/edk2 3 months ago
Clone

Blame SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch

c4e3b2
From 5fb7ec7c442e3ca7ab27b2a66223345cb7411c87 Mon Sep 17 00:00:00 2001
c4e3b2
From: Laszlo Ersek <lersek@redhat.com>
c4e3b2
Date: Tue, 8 Jun 2021 14:12:58 +0200
c4e3b2
Subject: [PATCH 09/11] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer
c4e3b2
 overflow
c4e3b2
MIME-Version: 1.0
c4e3b2
Content-Type: text/plain; charset=UTF-8
c4e3b2
Content-Transfer-Encoding: 8bit
c4e3b2
c4e3b2
RH-Author: Laszlo Ersek <lersek@redhat.com>
c4e3b2
RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
c4e3b2
RH-Commit: [9/10] 91724ef3d2d9732ffe9328168a39d922d1baaa8b
c4e3b2
RH-Bugzilla: 1961100
c4e3b2
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
c4e3b2
c4e3b2
The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
c4e3b2
condition, but never actually checks whether the decoded buffer fits into
c4e3b2
the caller-provided room (i.e., the input value of "BinLength"), and
c4e3b2
EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
c4e3b2
overflow "BinBuffer".
c4e3b2
c4e3b2
This is remotely exploitable, as shown in a subsequent patch, which adds
c4e3b2
error checking to the IScsiHexToBin() call sites. This issue allows the
c4e3b2
target to compromise the initiator.
c4e3b2
c4e3b2
Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
c4e3b2
EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
c4e3b2
plus actually catch the buffer overflow.
c4e3b2
c4e3b2
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
c4e3b2
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
c4e3b2
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
c4e3b2
Cc: Siyuan Fu <siyuan.fu@intel.com>
c4e3b2
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
c4e3b2
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
c4e3b2
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
c4e3b2
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
c4e3b2
Message-Id: <20210608121259.32451-10-lersek@redhat.com>
c4e3b2
(cherry picked from commit 54e90edaed0d7c15230902ac4d74f4304bad2ebd)
c4e3b2
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
c4e3b2
---
c4e3b2
 NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++---
c4e3b2
 NetworkPkg/IScsiDxe/IScsiMisc.h |  3 +++
c4e3b2
 2 files changed, 20 insertions(+), 3 deletions(-)
c4e3b2
c4e3b2
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
c4e3b2
index f0f4992b07..4069547867 100644
c4e3b2
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
c4e3b2
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
c4e3b2
@@ -377,6 +377,9 @@ IScsiBinToHex (
c4e3b2
   @retval EFI_SUCCESS           The hexadecimal string is converted into a
c4e3b2
                                 binary encoded buffer.
c4e3b2
   @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
c4e3b2
+  @retval EFI_BAD_BUFFER_SIZE   The length of HexStr is too large for decoding:
c4e3b2
+                                the decoded size cannot be expressed in
c4e3b2
+                                BinLength on output.
c4e3b2
   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
c4e3b2
                                 converted data.
c4e3b2
 **/
c4e3b2
@@ -387,6 +390,8 @@ IScsiHexToBin (
c4e3b2
   IN     CHAR8  *HexStr
c4e3b2
   )
c4e3b2
 {
c4e3b2
+  UINTN   BinLengthMin;
c4e3b2
+  UINT32  BinLengthProvided;
c4e3b2
   UINTN   Index;
c4e3b2
   UINTN   Length;
c4e3b2
   UINT8   Digit;
c4e3b2
@@ -409,6 +414,18 @@ IScsiHexToBin (
c4e3b2
   if (Length == 0 || Length % 2 != 0) {
c4e3b2
     return EFI_INVALID_PARAMETER;
c4e3b2
   }
c4e3b2
+  //
c4e3b2
+  // Check if the caller provides enough room for the decoded blob.
c4e3b2
+  //
c4e3b2
+  BinLengthMin = Length / 2;
c4e3b2
+  if (BinLengthMin > MAX_UINT32) {
c4e3b2
+    return EFI_BAD_BUFFER_SIZE;
c4e3b2
+  }
c4e3b2
+  BinLengthProvided = *BinLength;
c4e3b2
+  *BinLength = (UINT32)BinLengthMin;
c4e3b2
+  if (BinLengthProvided < BinLengthMin) {
c4e3b2
+    return EFI_BUFFER_TOO_SMALL;
c4e3b2
+  }
c4e3b2
 
c4e3b2
   for (Index = 0; Index < Length; Index ++) {
c4e3b2
     TemStr[0] = HexStr[Index];
c4e3b2
@@ -425,9 +442,6 @@ IScsiHexToBin (
c4e3b2
       BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);
c4e3b2
     }
c4e3b2
   }
c4e3b2
-
c4e3b2
-  *BinLength = (UINT32) ((Index + 1)/2);
c4e3b2
-
c4e3b2
   return EFI_SUCCESS;
c4e3b2
 }
c4e3b2
 
c4e3b2
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
c4e3b2
index 404a482e57..fddef4f466 100644
c4e3b2
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
c4e3b2
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
c4e3b2
@@ -172,6 +172,9 @@ IScsiBinToHex (
c4e3b2
   @retval EFI_SUCCESS           The hexadecimal string is converted into a
c4e3b2
                                 binary encoded buffer.
c4e3b2
   @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
c4e3b2
+  @retval EFI_BAD_BUFFER_SIZE   The length of HexStr is too large for decoding:
c4e3b2
+                                the decoded size cannot be expressed in
c4e3b2
+                                BinLength on output.
c4e3b2
   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
c4e3b2
                                 converted data.
c4e3b2
 **/
c4e3b2
-- 
c4e3b2
2.27.0
c4e3b2