diff --git a/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch b/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
new file mode 100644
index 0000000..680d262
--- /dev/null
+++ b/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
@@ -0,0 +1,101 @@
+From dea2c718df8b58f5147c7674797bf65df649c53e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Thu, 19 Nov 2020 12:50:34 +0100
+Subject: [PATCH] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed
+ buffer sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek (lersek)
+RH-MergeRequest: 1: prevent integer overflow / heap corruption in LZMA decompression [rhel-8.4.0.z]
+RH-Commit: [1/1] a8ec492d7ebb6ae3c51513f501f72d5418b71f17
+RH-Bugzilla: 1952953
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Philippe Mathieu-Daudé
+
+The LzmaUefiDecompressGetInfo() function
+[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
+silently truncates the UINT64 "DecodedSize" property of the compressed
+blob to the UINT32 "DestinationSize" output parameter.
+
+If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
+allocation (for decompression) will likely succeed (allocating 0x100 bytes
+only), but then the LzmaUefiDecompress() function (which re-fetches the
+uncompressed buffer size from the same LZMA header into a "SizeT"
+variable) will overwrite the buffer.
+
+Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
+This should not be a practical limitation. (The issue cannot be fixed for
+32-bit systems without spec modifications anyway, given that the
+"OutputSize" output parameter of
+EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
+not UINT64.)
+
+Cc: Dandan Bi
+Cc: Hao A Wu
+Cc: Jian J Wang
+Cc: Liming Gao
+Cc: Philippe Mathieu-Daud
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
+Signed-off-by: Laszlo Ersek
+Reviewed-by: Liming Gao
+Reviewed-by: Philippe Mathieu-Daud
+Message-Id: <20201119115034.12897-2-lersek@redhat.com>
+(cherry picked from commit e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0)
+---
+ .../Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++
+ .../LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+index c58912eb6a..8f7c242dca 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf(
+ in DestinationSize and the size of the scratch
+ buffer was returned in ScratchSize.
+
++ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
++ uncompressed buffer size (in bytes) does not fit
++ in a UINT32. Output parameters have not been
++ modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo (
+ ASSERT(SourceSize >= LZMA_HEADER_SIZE);
+
+ DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
++ if (DecodedSize > MAX_UINT32) {
++ return RETURN_UNSUPPORTED;
++ }
+
+ *DestinationSize = (UINT32)DecodedSize;
+ *ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE;
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+index 26f110ba2a..fbafd5f100 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+@@ -9,6 +9,7 @@
+ #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__
+ #define __LZMADECOMPRESSLIB_INTERNAL_H__
+
++#include
+ #include
+ #include
+ #include
+@@ -45,6 +46,10 @@
+ in DestinationSize and the size of the scratch
+ buffer was returned in ScratchSize.
+
++ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
++ uncompressed buffer size (in bytes) does not fit
++ in a UINT32. Output parameters have not been
++ modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+--
+2.27.0
+
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
index 3231b35..ea2bc9a 100644
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 Summary: UEFI firmware for 64-bit virtual machines
 Group: Applications/Emulators
 License: BSD-2-Clause-Patent and OpenSSL and MIT
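Review bot: The new `if (DecodedSize > MAX_UINT32)` guard is evaluated on a value that GetDecodedSizeOfBuf((UINT8*)Source) reads out of the LZMA header, yet the only bound on SourceSize visible here is the context line `ASSERT(SourceSize >= LZMA_HEADER_SIZE);`, and edk2's ASSERT() is typically compiled out in RELEASE builds, so a section shorter than the header still reaches that read unchecked. Now that the function has a status-returning failure path, the size precondition could take the same shape: `if (SourceSize < LZMA_HEADER_SIZE) { return RETURN_INVALID_PARAMETER; }` placed before the GetDecodedSizeOfBuf() call, with a matching @retval line in both doc comments if one is not already there. The new check also only protects callers that size their destination from GetInfo's DestinationSize; per the commit message LzmaUefiDecompress() still takes the decoded size from the same header, so a one-line comment above the check such as `// Without this cap the decoder's SizeT view of the header would exceed the UINT32 size we report here.` would make that coupling explicit for the next reader. LzmaUefiDecompressGetInfo's signature and the remainder of its body lie outside this hunk.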
@@ -66,6 +66,8 @@ Patch33: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
 Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
 # For bz#1893806 - attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)
 Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
+# For bz#1952953 - edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] [rhel-8.4.0.z]
+Patch36: edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
 # python3-devel and libuuid-devel are required for building tools.
@@ -515,6 +517,11 @@ true
 %endif
 %changelog
+* Thu May 13 2021 Miroslav Rezanina - 20200602gitca407c7246bf-4.el8_4.1
+- edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch [bz#1952953]
+- Resolves: bz#1952953
+ (edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] [rhel-8.4.0.z])
+
 * Mon Nov 23 2020 Miroslav Rezanina - 20200602gitca407c7246bf-4.el8
 - edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177]
 - edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]