new file mode 100644
@@ -0,0 +1,60 @@
+From dfd8ef9a9e396c4979239e518525d0b77c7715da Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Sun, 29 Dec 2024 21:58:05 +0800
+Subject: [PATCH] NetworkPkg/IScsiDxe: add checks to IScsiBuildKeyValueList
+
+Check we have any data left (Len > 0) before advancing the Data pointer
+and reducing Len. Avoids wrapping Len.
+
+Also replace the AsciiStrLen() call with an open-coded loop which
+likewise checks Len to make sure we don't overrun the buffer.
+
+Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4207
+Reported-by: Jeremy Boone <jeremy.boone@nccgroup.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2024-38805
+Upstream-Status: Backport [https://edk2.groups.io/g/devel/message/106280]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef58764..88e7946 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1903,9 +1903,8 @@ IScsiBuildKeyValueList (
+ Data++;
+ }
+
+- if (*Data == '=') {
++ if ((Len > 0) && (*Data == '=')) {
+ *Data = '\0';
+-
+ Data++;
+ Len--;
+ } else {
+@@ -1917,8 +1916,17 @@ IScsiBuildKeyValueList (
+
+ InsertTailList (ListHead, &KeyValuePair->List);
+
+- Data += AsciiStrLen (KeyValuePair->Value) + 1;
+- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++ while ((Len > 0) && (*Data != '\0')) {
++ Len--;
++ Data++;
++ }
++
++ if ((Len > 0) && (*Data == '\0')) {
++ Data++;
++ Len--;
++ } else {
++ goto ON_ERROR;
++ }
+ }
+
+ return ListHead;
+--
+2.27.0
+
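Review bot: The new `goto ON_ERROR` in the value-scanning branch of the embedded IScsiProto.c change is reached after `InsertTailList (ListHead, &KeyValuePair->List)`, so on this path the pair is already linked into the list when the error is taken. IScsiBuildKeyValueList starts and ends outside the hunk and the `ON_ERROR` label is not visible, so whether it releases every linked entry cannot be confirmed from here; presumably it frees the whole list, which is worth checking against the edk2-stable202402 tree this recipe builds. I would add a comment above the `goto`: `// KeyValuePair is already on ListHead; ON_ERROR must free it together with the list.` Separately, once the `while` loop exits with `Len > 0`, `*Data` is necessarily `'\0'`, so the second test in `if ((Len > 0) && (*Data == '\0'))` is redundant, though harmless.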
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://0004-reproducible.patch \
file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \
file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \
+ file://0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch \
"
PV = "edk2-stable202402"
A malicious iSCSI target could reply to the iSCSI initiator with a malformed packet, causing out-of-bounds memory reads and writes. This most likely leads to a denial of service, as the write primitive should not be exploitable. References: https://github.com/tianocore/edk2/issues/10314 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- ...Dxe-add-checks-to-IScsiBuildKeyValue.patch | 60 +++++++++++++++++++ meta/recipes-core/ovmf/ovmf_git.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch