UefiPayloadPkg: Integer Overflow in CreateHob() #5252

gguo11837463 · 2024-01-11T05:12:37Z

No description provided.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 Fix integer overflow in various CreateHob instances. Fixes: CVE-2022-36765 The CreateHob() function aligns the requested size to 8 performing the following operation: ``` HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); ``` No checks are performed to ensure this value doesn't overflow, and could lead to CreateHob() returning a smaller HOB than requested, which could lead to OOB HOB accesses. Reported-by: Marc Beatove <[email protected]> Cc: Guo Dong <[email protected]> Cc: Sean Rhodes <[email protected]> Cc: James Lu <[email protected]> Reviewed-by: Gua Guo <[email protected]> Cc: John Mathew <[email protected]> Authored-by: Gerd Hoffmann <[email protected]> Signed-off-by: Gua Guo <[email protected]>

gguo11837463 force-pushed the bz4166 branch 5 times, most recently from 642712b to a5d94e1 Compare January 11, 2024 09:08

gguo11837463 changed the title ~~Bz4166: Integer Overflow in CreateHob()~~ Bugzilla 4166: Integer Overflow in CreateHob() Jan 11, 2024

gguo11837463 force-pushed the bz4166 branch 4 times, most recently from 469bebd to 799e172 Compare January 15, 2024 23:26

gguo11837463 changed the title ~~Bugzilla 4166: Integer Overflow in CreateHob()~~ UefiPayloadPkg: Integer Overflow in CreateHob() Jan 16, 2024

gguo11837463 force-pushed the bz4166 branch from 799e172 to bf978c6 Compare January 16, 2024 15:10

gguo11837463 added the push Auto push patch series in PR if all checks pass label Jan 16, 2024

Merge branch 'master' into bz4166

4d12d1a

mergify bot merged commit 59f024c into tianocore:master Jan 16, 2024

Provide feedback