| Message ID | 20241230143258.2992487-1-hongxu.jia@windriver.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [scarthgap] ovmf: fix CVE-2024-38805 | expand |
Once again there are line ending issues :-( I may need to pull them from a git repo like we did last time (https://github.com/hongxu-jia/openembedded-core/tree/scarthgap perhaps?) Thanks, Steve On Mon, Dec 30, 2024 at 6:33 AM Hongxu Jia <hongxu.jia@windriver.com> wrote: > > A malicious iSCSI target could reply to the iSCSI initiator with a > malformed packet, causing out-of-bounds memory reads and writes. > This most likely leads to a denial of service, as the write > primitive should not be exploitable. > > References: > https://github.com/tianocore/edk2/issues/10314 > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > ...Dxe-add-checks-to-IScsiBuildKeyValue.patch | 60 +++++++++++++++++++ > meta/recipes-core/ovmf/ovmf_git.bb | 1 + > 2 files changed, 61 insertions(+) > create mode 100644 meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch > > diff --git a/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch > new file mode 100644 > index 0000000000..d121e066f6 > --- /dev/null > +++ b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch > @@ -0,0 +1,60 @@ > +From dfd8ef9a9e396c4979239e518525d0b77c7715da Mon Sep 17 00:00:00 2001 > +From: Hongxu Jia <hongxu.jia@windriver.com> > +Date: Sun, 29 Dec 2024 21:58:05 +0800 > +Subject: [PATCH] NetworkPkg/IScsiDxe: add checks to IScsiBuildKeyValueList > + > +Check we have any data left (Len > 0) before advancing the Data pointer > +and reducing Len. Avoids wrapping Len. > + > +Also replace the AsciiStrLen() call with an open-coded loop which > +likewise checks Len to make sure we don't overrun the buffer. > + > +Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4207 > +Reported-by: Jeremy Boone <jeremy.boone@nccgroup.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2024-38805 > +Upstream-Status: Backport [https://edk2.groups.io/g/devel/message/106280] > +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > +--- > + NetworkPkg/IScsiDxe/IScsiProto.c | 16 ++++++++++++---- > + 1 file changed, 12 insertions(+), 4 deletions(-) > + > +diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c > +index ef58764..88e7946 100644 > +--- a/NetworkPkg/IScsiDxe/IScsiProto.c > ++++ b/NetworkPkg/IScsiDxe/IScsiProto.c > +@@ -1903,9 +1903,8 @@ IScsiBuildKeyValueList ( > + Data++; > + } > + > +- if (*Data == '=') { > ++ if ((Len > 0) && (*Data == '=')) { > + *Data = '\0'; > +- > + Data++; > + Len--; > + } else { > +@@ -1917,8 +1916,17 @@ IScsiBuildKeyValueList ( > + > + InsertTailList (ListHead, &KeyValuePair->List); > + > +- Data += AsciiStrLen (KeyValuePair->Value) + 1; > +- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1; > ++ while ((Len > 0) && (*Data != '\0')) { > ++ Len--; > ++ Data++; > ++ } > ++ > ++ if ((Len > 0) && (*Data == '\0')) { > ++ Data++; > ++ Len--; > ++ } else { > ++ goto ON_ERROR; > ++ } > + } > + > + return ListHead; > +-- > +2.27.0 > + > diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb > index ada6ee72db..eeff5da991 100644 > --- a/meta/recipes-core/ovmf/ovmf_git.bb > +++ b/meta/recipes-core/ovmf/ovmf_git.bb > @@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ > file://0004-reproducible.patch \ > file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \ > file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \ > + file://0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch \ > " > > PV = "edk2-stable202402" > -- > 2.25.1 >
diff --git a/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch new file mode 100644 index 0000000000..d121e066f6 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch @@ -0,0 +1,60 @@ +From dfd8ef9a9e396c4979239e518525d0b77c7715da Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Sun, 29 Dec 2024 21:58:05 +0800 +Subject: [PATCH] NetworkPkg/IScsiDxe: add checks to IScsiBuildKeyValueList + +Check we have any data left (Len > 0) before advancing the Data pointer +and reducing Len. Avoids wrapping Len. + +Also replace the AsciiStrLen() call with an open-coded loop which +likewise checks Len to make sure we don't overrun the buffer. + +Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4207 +Reported-by: Jeremy Boone <jeremy.boone@nccgroup.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2024-38805 +Upstream-Status: Backport [https://edk2.groups.io/g/devel/message/106280] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + NetworkPkg/IScsiDxe/IScsiProto.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c +index ef58764..88e7946 100644 +--- a/NetworkPkg/IScsiDxe/IScsiProto.c ++++ b/NetworkPkg/IScsiDxe/IScsiProto.c +@@ -1903,9 +1903,8 @@ IScsiBuildKeyValueList ( + Data++; + } + +- if (*Data == '=') { ++ if ((Len > 0) && (*Data == '=')) { + *Data = '\0'; +- + Data++; + Len--; + } else { +@@ -1917,8 +1916,17 @@ IScsiBuildKeyValueList ( + + InsertTailList (ListHead, &KeyValuePair->List); + +- Data += AsciiStrLen (KeyValuePair->Value) + 1; +- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1; ++ while ((Len > 0) && (*Data != '\0')) { ++ Len--; ++ Data++; ++ } ++ ++ if ((Len > 0) && (*Data == '\0')) { ++ Data++; ++ Len--; ++ } else { ++ goto ON_ERROR; ++ } + } + + return ListHead; +-- +2.27.0 + diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index ada6ee72db..eeff5da991 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://0004-reproducible.patch \ file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \ file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \ + file://0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch \ " PV = "edk2-stable202402"
A malicious iSCSI target could reply to the iSCSI initiator with a malformed packet, causing out-of-bounds memory reads and writes. This most likely leads to a denial of service, as the write primitive should not be exploitable. References: https://github.com/tianocore/edk2/issues/10314 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- ...Dxe-add-checks-to-IScsiBuildKeyValue.patch | 60 +++++++++++++++++++ meta/recipes-core/ovmf/ovmf_git.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch