|
 |
cc9195 |
From 8358e53013fc62c9556598ad842d233906de00ef Mon Sep 17 00:00:00 2001
|
|
|
cc9195 |
From: Laszlo Ersek <lersek@redhat.com>
|
|
|
cc9195 |
Date: Wed, 24 Oct 2018 21:03:44 +0200
|
|
|
cc9195 |
Subject: [PATCH 3/4] IntelFrameworkModulePkg: Add more checker in
|
|
|
cc9195 |
UefiTianoDecompressLib (CVE FIX)
|
|
|
cc9195 |
|
|
|
cc9195 |
Message-id: <20181024190345.15288-4-lersek@redhat.com>
|
|
|
cc9195 |
Patchwork-id: 82885
|
|
|
cc9195 |
O-Subject: [RHEL8 edk2 PATCH 3/4] IntelFrameworkModulePkg: Add more checker in
|
|
|
cc9195 |
UefiTianoDecompressLib (CVE FIX)
|
|
|
cc9195 |
Bugzilla: 1641453
|
|
|
cc9195 |
1641464
|
|
|
cc9195 |
1641469
|
|
|
cc9195 |
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
|
cc9195 |
Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
cc9195 |
|
|
|
cc9195 |
From: Liming Gao <liming.gao@intel.com>
|
|
|
cc9195 |
|
|
|
cc9195 |
--v-- RHEL8 note start --v--
|
|
|
cc9195 |
|
|
|
cc9195 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641453
|
|
|
cc9195 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641464
|
|
|
cc9195 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641469
|
|
|
cc9195 |
|
|
|
cc9195 |
Unfortunately, the upstream patch series was not structured according to
|
|
|
cc9195 |
the CVE reports. This patch contributes to fixing:
|
|
|
cc9195 |
|
|
|
cc9195 |
- CVE-2017-5733
|
|
|
cc9195 |
- CVE-2017-5734
|
|
|
cc9195 |
- CVE-2017-5735
|
|
|
cc9195 |
|
|
|
cc9195 |
but not CVE-2017-5731 or CVE-2017-5732 (contrarily to the upstream commit
|
|
|
cc9195 |
message). The best I could achieve up-stream was to get the "CVE FIX"
|
|
|
cc9195 |
expression into the subject, and a whole-sale dump of the CVEs into the
|
|
|
cc9195 |
body. I had not been invited to the original (off-list, embargoed)
|
|
|
cc9195 |
analysis and review.
|
|
|
cc9195 |
|
|
|
cc9195 |
The trivial context difference (whitespace) is due to RHEL8 lacking
|
|
|
cc9195 |
upstream commit 0a6f48249a60 ("IntelFrameworkModulePkg: Clean up source
|
|
|
cc9195 |
files", 2018-06-28). I've considered backporting that (since it only
|
|
|
cc9195 |
cleans up whitespace). However, the diffstat on that commit convinced me
|
|
|
cc9195 |
otherwise: "246 files changed, 4067 insertions(+), 4067 deletions(-)".
|
|
|
cc9195 |
I've decided not to do a partial backport of that (i.e. just for
|
|
|
cc9195 |
"BaseUefiTianoCustomDecompressLib.c").
|
|
|
cc9195 |
|
|
|
cc9195 |
--^-- RHEL8 note end --^--
|
|
|
cc9195 |
|
|
|
cc9195 |
Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
|
|
|
cc9195 |
https://bugzilla.tianocore.org/show_bug.cgi?id=686
|
|
|
cc9195 |
To make sure the valid buffer be accessed only.
|
|
|
cc9195 |
|
|
|
cc9195 |
Contributed-under: TianoCore Contribution Agreement 1.1
|
|
|
cc9195 |
Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
|
|
|
cc9195 |
Signed-off-by: Liming Gao <liming.gao@intel.com>
|
|
|
cc9195 |
Reviewed-by: Star Zeng <star.zeng@intel.com>
|
|
|
cc9195 |
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
cc9195 |
(cherry picked from commit 684db6da64bc7b5faee4e1174e801c245f563b5c)
|
|
|
cc9195 |
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
cc9195 |
---
|
|
|
cc9195 |
.../BaseUefiTianoCustomDecompressLib.c | 16 ++++++++++++++--
|
|
|
cc9195 |
1 file changed, 14 insertions(+), 2 deletions(-)
|
|
|
cc9195 |
|
|
|
cc9195 |
diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
|
|
|
cc9195 |
index cb009e7..9b00166 100644
|
|
|
cc9195 |
--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
|
|
|
cc9195 |
+++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
|
|
|
cc9195 |
@@ -143,6 +143,7 @@ MakeTable (
|
|
|
cc9195 |
UINT16 Mask;
|
|
|
cc9195 |
UINT16 WordOfStart;
|
|
|
cc9195 |
UINT16 WordOfCount;
|
|
|
cc9195 |
+ UINT16 MaxTableLength;
|
|
|
cc9195 |
|
|
|
cc9195 |
//
|
|
|
cc9195 |
// The maximum mapping table width supported by this internal
|
|
|
cc9195 |
@@ -155,6 +156,9 @@ MakeTable (
|
|
|
cc9195 |
}
|
|
|
cc9195 |
|
|
|
cc9195 |
for (Index = 0; Index < NumOfChar; Index++) {
|
|
|
cc9195 |
+ if (BitLen[Index] > 16) {
|
|
|
cc9195 |
+ return (UINT16) BAD_TABLE;
|
|
|
cc9195 |
+ }
|
|
|
cc9195 |
Count[BitLen[Index]]++;
|
|
|
cc9195 |
}
|
|
|
cc9195 |
|
|
|
cc9195 |
@@ -196,6 +200,7 @@ MakeTable (
|
|
|
cc9195 |
|
|
|
cc9195 |
Avail = NumOfChar;
|
|
|
cc9195 |
Mask = (UINT16) (1U << (15 - TableBits));
|
|
|
cc9195 |
+ MaxTableLength = (UINT16) (1U << TableBits);
|
|
|
cc9195 |
|
|
|
cc9195 |
for (Char = 0; Char < NumOfChar; Char++) {
|
|
|
cc9195 |
|
|
|
cc9195 |
@@ -209,6 +214,9 @@ MakeTable (
|
|
|
cc9195 |
if (Len <= TableBits) {
|
|
|
cc9195 |
|
|
|
cc9195 |
for (Index = Start[Len]; Index < NextCode; Index++) {
|
|
|
cc9195 |
+ if (Index >= MaxTableLength) {
|
|
|
cc9195 |
+ return (UINT16) BAD_TABLE;
|
|
|
cc9195 |
+ }
|
|
|
cc9195 |
Table[Index] = Char;
|
|
|
cc9195 |
}
|
|
|
cc9195 |
|
|
|
cc9195 |
@@ -615,10 +623,14 @@ Decode (
|
|
|
cc9195 |
//
|
|
|
cc9195 |
BytesRemain--;
|
|
|
cc9195 |
while ((INT16) (BytesRemain) >= 0) {
|
|
|
cc9195 |
- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
|
|
|
cc9195 |
if (Sd->mOutBuf >= Sd->mOrigSize) {
|
|
|
cc9195 |
goto Done ;
|
|
|
cc9195 |
}
|
|
|
cc9195 |
+ if (DataIdx >= Sd->mOrigSize) {
|
|
|
cc9195 |
+ Sd->mBadTableFlag = (UINT16) BAD_TABLE;
|
|
|
cc9195 |
+ goto Done ;
|
|
|
cc9195 |
+ }
|
|
|
cc9195 |
+ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
|
|
|
cc9195 |
|
|
|
cc9195 |
BytesRemain--;
|
|
|
cc9195 |
}
|
|
|
cc9195 |
@@ -688,7 +700,7 @@ UefiDecompressGetInfo (
|
|
|
cc9195 |
}
|
|
|
cc9195 |
|
|
|
cc9195 |
CompressedSize = ReadUnaligned32 ((UINT32 *)Source);
|
|
|
cc9195 |
- if (SourceSize < (CompressedSize + 8)) {
|
|
|
cc9195 |
+ if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
|
|
|
cc9195 |
return RETURN_INVALID_PARAMETER;
|
|
|
cc9195 |
}
|
|
|
cc9195 |
|
|
|
cc9195 |
--
|
|
|
cc9195 |
1.8.3.1
|
|
|
cc9195 |
|