This commit adds a security fix from the upstream commit: b3a2f7ff24

It fixes CVE-2024-38805: https://www.cve.org/CVERecord?id=CVE-2024-38805

Note: at the time of this commit, this CVE is "reserved" by a CNA. Details will come later.

See also the associated pull request: https://github.com/tianocore/edk2/pull/11042

This commit also adds the corresponding _IGNORE_CVES entry.

Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 14d07d1914)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
From 0a3b2a29b96b11fb858974044359c806c6b0a111 Mon Sep 17 00:00:00 2001
|
|
From: Santhosh Kumar V <santhoshkumarv@ami.com>
|
|
Date: Wed, 7 May 2025 18:53:30 +0530
|
|
Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
|
|
bz4207 (CVE-2024-38805)
|
|
|
|
In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
|
|
Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
|
|
|
|
Upstream: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
|
|
Signed-off-by: santhosh kumar V <santhoshkumarv@ami.com>
|
|
Signed-off-by: Julien Olivain <ju.o@free.fr>
|
|
---
|
|
NetworkPkg/IScsiDxe/IScsiProto.c | 29 ++++++++++++++++++++++++-----
|
|
1 file changed, 24 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
|
|
index ef587649a0..53a0ff801d 100644
|
|
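--- a/NetworkPkg/IScsiDxe/IScsiProto.c
+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
 {
 LIST_ENTRY *ListHead;
 ISCSI_KEY_VALUE_PAIR *KeyValuePair;
+ EFI_STATUS Status;
+ UINT32 Result;
 
 ListHead = AllocatePool (sizeof (LIST_ENTRY));
 if (ListHead == NULL) {
@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
 Data++;
 }
 
- if (*Data == '=') {
+ // Here Len must not be zero.
+ // The value of Len is size of data buffer. Actually, Data is make up of strings.
+ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
+ // (1) Len == 0, *Data != '=' goto ON_ERROR
+ // (2) *Data == '=', Len != 0 normal case.
+ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
+ if ((Len > 0) && (*Data == '=')) {
 *Data = '\0';
-
 Data++;
 Len--;
 } else {
@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
 
 KeyValuePair->Value = Data;
 
- InsertTailList (ListHead, &KeyValuePair->List);
+ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
+ FreePool (KeyValuePair);
+ goto ON_ERROR;
+ }
 
- Data += AsciiStrLen (KeyValuePair->Value) + 1;
- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
+ Status = SafeUint32Sub (Len, Result, &Len);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
+ FreePool (KeyValuePair);
+ goto ON_ERROR;
+ }
+
+ InsertTailList (ListHead, &KeyValuePair->List);
+ Data += Result;
 }
 
 return ListHead;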
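Review bot: In the third hunk, `AsciiStrLen (KeyValuePair->Value)` still scans for the terminator without any reference to `Len`, and the new `SafeUint32Sub` check only compares the result with `Len` after that scan has finished. If the last value in the buffer is not NUL-terminated within the remaining `Len` bytes, the read past the buffer has already happened by the time the "Out of bound memory access" branch is taken. Unless the caller guarantees a terminating NUL inside the buffer (not visible in these hunks, since the function starts and ends outside them), bounding the scan closes that gap: `if (AsciiStrnLenS (KeyValuePair->Value, Len) == Len) { FreePool (KeyValuePair); goto ON_ERROR; }` placed before the `SafeUint32Add` call. A one-line comment there stating which side owns the NUL-termination guarantee would also help the next reader.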
|
|
--
|
|
2.49.0
|
|
|