From 1dae37b163e1e08e719ac06fa86b3414b4ddfb2b Mon Sep 17 00:00:00 2001 From: CoprDistGit Date: Mon, 30 Oct 2023 11:56:48 +0000 Subject: automatic import of edk2 --- ...IScsiDxe-fix-potential-integer-overflow-i.patch | 147 +++++++++++++++++++++ 1 file changed, 147 insertions(+) create mode 100644 0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch (limited to '0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch') diff --git a/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch new file mode 100644 index 0000000..f1eddbe --- /dev/null +++ b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch @@ -0,0 +1,147 @@ +From cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:54 +0200 +Subject: [PATCH 22/27] NetworkPkg/IScsiDxe: fix potential integer overflow in + IScsiBinToHex() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Considering IScsiBinToHex(): + +> if (((*HexLength) - 3) < BinLength * 2) { +> *HexLength = BinLength * 2 + 3; +> } + +the following subexpressions are problematic: + + (*HexLength) - 3 + BinLength * 2 + BinLength * 2 + 3 + +The first one may wrap under zero, the latter two may wrap over +MAX_UINT32. + +Rewrite the calculation using SafeIntLib. + +While at it, change the type of the "Index" variable from UINTN to UINT32. +The largest "Index"-based value that we calculate is + + Index * 2 + 2 (with (Index == BinLength)) + +Because the patch makes + + BinLength * 2 + 3 + +safe to calculate in UINT32, using UINT32 for + + Index * 2 + 2 (with (Index == BinLength)) + +is safe too. Consistently using UINT32 improves readability. + +This patch is best reviewed with "git show -W". + +The integer overflows that this patch fixes are theoretical; a subsequent +patch in the series will audit the IScsiBinToHex() call sites, and show +that none of them can fail. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210608121259.32451-6-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 + + NetworkPkg/IScsiDxe/IScsiImpl.h | 1 + + NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++---- + NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + + 4 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf +index 543c408302..1dde56d00c 100644 +--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf ++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf +@@ -74,6 +74,7 @@ + MemoryAllocationLib + NetLib + PrintLib ++ SafeIntLib + TcpIoLib + UefiBootServicesTableLib + UefiDriverEntryPoint +diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h +index d895c7feb9..ac3a25730e 100644 +--- a/NetworkPkg/IScsiDxe/IScsiImpl.h ++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h +@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + #include + #include ++#include + #include + #include + #include +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index b8fef3ff6f..42988e15cb 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -316,6 +316,7 @@ IScsiMacAddrToStr ( + @retval EFI_SUCCESS The binary data is converted to the hexadecimal string + and the length of the string is updated. + @retval EFI_BUFFER_TOO_SMALL The string is too small. ++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. + @retval EFI_INVALID_PARAMETER The IP string is malformatted. + + **/ +@@ -327,18 +328,28 @@ IScsiBinToHex ( + IN OUT UINT32 *HexLength + ) + { +- UINTN Index; ++ UINT32 HexLengthMin; ++ UINT32 HexLengthProvided; ++ UINT32 Index; + + if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) { + return EFI_INVALID_PARAMETER; + } + +- if (((*HexLength) - 3) < BinLength * 2) { +- *HexLength = BinLength * 2 + 3; ++ // ++ // Safely calculate: HexLengthMin := BinLength * 2 + 3. ++ // ++ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) || ++ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) { ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ HexLengthProvided = *HexLength; ++ *HexLength = HexLengthMin; ++ if (HexLengthProvided < HexLengthMin) { + return EFI_BUFFER_TOO_SMALL; + } + +- *HexLength = BinLength * 2 + 3; + // + // Prefix for Hex String. + // +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 46c725aab3..231413993b 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -150,6 +150,7 @@ IScsiAsciiStrToIp ( + @retval EFI_SUCCESS The binary data is converted to the hexadecimal string + and the length of the string is updated. + @retval EFI_BUFFER_TOO_SMALL The string is too small. ++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. + @retval EFI_INVALID_PARAMETER The IP string is malformatted. + + **/ +-- +2.27.0 + -- cgit v1.2.3