rpms / ovmf

Clone
Source Code
GIT

Blame SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch

c7-beta
  1.   c7-beta
  2.   SOURCES
  3.   ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
Blob History Raw
bdb79c 
From 6e3079460fa075f4b44c1031b1e20709979d9424 Mon Sep 17 00:00:00 2001
bdb79c 
From: Philippe Mathieu-Daude <philmd@redhat.com>
bdb79c 
Date: Wed, 13 Feb 2019 09:50:45 +0100
bdb79c 
Subject: [PATCH 02/13] MdePkg: Add more checker in UefiDecompressLib to access
bdb79c 
 the valid buffer only (CVE FIX)
bdb79c
bdb79c 
Message-id: <20190213085050.20766-3-philmd@redhat.com>
bdb79c 
Patchwork-id: 84480
bdb79c 
O-Subject:  [RHEL-7.7 ovmf PATCH v3 2/7] MdePkg: Add more checker in
bdb79c 
	UefiDecompressLib to access the valid buffer only (CVE FIX)
bdb79c 
Bugzilla: 1666586
bdb79c 
Acked-by: Laszlo Ersek <lersek@redhat.com>
bdb79c 
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
bdb79c
bdb79c 
From: Laszlo Ersek <lersek@redhat.com>
bdb79c
bdb79c 
From: Liming Gao <liming.gao@intel.com>
bdb79c
bdb79c 
--v-- RHEL7 note start --v--
bdb79c 
Unfortunately, the upstream patch series was not structured according to
bdb79c 
the CVE reports. This patch contributes to fixing:
bdb79c
bdb79c 
- CVE-2017-5732
bdb79c 
- CVE-2017-5733
bdb79c 
- CVE-2017-5734
bdb79c 
- CVE-2017-5735
bdb79c
bdb79c 
but not CVE-2017-5731 (contrarily to the upstream commit message). The
bdb79c 
best I could achieve up-stream was to get the "CVE FIX" expression into
bdb79c 
the subject, and a whole-sale dump of the CVEs into the body. I had not
bdb79c 
been invited to the original (off-list, embargoed) analysis and review.
bdb79c
bdb79c 
The trivial context difference (whitespace) is due to RHEL8 lacking
bdb79c 
upstream commit 9095d37b8fe5 ("MdePkg: Clean up source files",
bdb79c 
2018-06-28). I've considered backporting that (since it only cleans up
bdb79c 
whitespace). However, the diffstat on that commit convinced me otherwise:
bdb79c 
"729 files changed, 15667 insertions(+), 15667 deletions(-)". I've decided
bdb79c 
not to do a partial backport of that (i.e. just for
bdb79c 
"BaseUefiDecompressLib.c").
bdb79c
bdb79c 
--^-- RHEL7 note end --^--
bdb79c
bdb79c 
Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
bdb79c 
https://bugzilla.tianocore.org/show_bug.cgi?id=686
bdb79c
bdb79c 
Contributed-under: TianoCore Contribution Agreement 1.1
bdb79c 
Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
bdb79c 
Signed-off-by: Liming Gao <liming.gao@intel.com>
bdb79c 
Reviewed-by: Star Zeng <star.zeng@intel.com>
bdb79c 
Acked-by: Laszlo Ersek <lersek@redhat.com>
bdb79c 
(cherry picked from commit 2ec7953d49677142c5f7552e9e3d96fb406ba0c4)
bdb79c 
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
bdb79c 
(cherry picked from commit 41129e136b621728eb5cb1c81aafcc5fedc53a12)
bdb79c 
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
bdb79c 
---
bdb79c 
 .../BaseUefiDecompressLib/BaseUefiDecompressLib.c       | 17 +++++++++++++++--
bdb79c 
 1 file changed, 15 insertions(+), 2 deletions(-)
bdb79c
bdb79c 
diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
bdb79c 
index e818543..0c6b1fe 100644
bdb79c 
--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
bdb79c 
+++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
bdb79c 
@@ -152,6 +152,7 @@ MakeTable (
bdb79c 
   UINT16  Mask;
bdb79c 
   UINT16  WordOfStart;
bdb79c 
   UINT16  WordOfCount;
bdb79c 
+  UINT16  MaxTableLength;
bdb79c
bdb79c 
   //
bdb79c 
   // The maximum mapping table width supported by this internal
bdb79c 
@@ -164,6 +165,9 @@ MakeTable (
bdb79c 
   }
bdb79c
bdb79c 
   for (Index = 0; Index < NumOfChar; Index++) {
bdb79c 
+    if (BitLen[Index] > 16) {
bdb79c 
+      return (UINT16) BAD_TABLE;
bdb79c 
+    }
bdb79c 
     Count[BitLen[Index]]++;
bdb79c 
   }
bdb79c
bdb79c 
@@ -205,6 +209,7 @@ MakeTable (
bdb79c
bdb79c 
   Avail = NumOfChar;
bdb79c 
   Mask  = (UINT16) (1U << (15 - TableBits));
bdb79c 
+  MaxTableLength = (UINT16) (1U << TableBits);
bdb79c
bdb79c 
   for (Char = 0; Char < NumOfChar; Char++) {
bdb79c
bdb79c 
@@ -218,6 +223,9 @@ MakeTable (
bdb79c 
     if (Len <= TableBits) {
bdb79c
bdb79c 
       for (Index = Start[Len]; Index < NextCode; Index++) {
bdb79c 
+        if (Index >= MaxTableLength) {
bdb79c 
+          return (UINT16) BAD_TABLE;
bdb79c 
+        }
bdb79c 
         Table[Index] = Char;
bdb79c 
       }
bdb79c
bdb79c 
@@ -620,11 +628,16 @@ Decode (
bdb79c 
       // Write BytesRemain of bytes into mDstBase
bdb79c 
       //
bdb79c 
       BytesRemain--;
bdb79c 
+
bdb79c 
       while ((INT16) (BytesRemain) >= 0) {
bdb79c 
-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
bdb79c 
         if (Sd->mOutBuf >= Sd->mOrigSize) {
bdb79c 
           goto Done;
bdb79c 
         }
bdb79c 
+        if (DataIdx >= Sd->mOrigSize) {
bdb79c 
+          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
bdb79c 
+          goto Done;
bdb79c 
+        }
bdb79c 
+        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
bdb79c
bdb79c 
         BytesRemain--;
bdb79c 
       }
bdb79c 
@@ -694,7 +707,7 @@ UefiDecompressGetInfo (
bdb79c 
   }
bdb79c
bdb79c 
   CompressedSize   = ReadUnaligned32 ((UINT32 *)Source);
bdb79c 
-  if (SourceSize < (CompressedSize + 8)) {
bdb79c 
+  if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
bdb79c 
     return RETURN_INVALID_PARAMETER;
bdb79c 
   }
bdb79c
bdb79c 
--
bdb79c 
1.8.3.1
bdb79c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation