Gua: I think the new code logic is the same as the old one. Can you point out what the difference is here?
Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guo, Gua
> Sent: January 12, 2024 10:25
> To: devel@edk2.groups.io
> Cc: gua....@intel.com; Marc Beatove <mbeat...@google.com>; Liming
> Gao <gaolim...@byosoft.com.cn>; John Mathew <john.math...@intel.com>;
> Gerd Hoffmann <kra...@redhat.com>
> Subject: [edk2-devel] [PATCH v3 4/4] MdeModulePkg/Hob: Integer Overflow in
> CreateHob()
>
> From: Gua Guo <gua....@intel.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
>
> Fix integer overflow in various CreateHob instances.
> Fixes: CVE-2022-36765
>
> The CreateHob() function aligns the requested size to 8
> performing the following operation:
> ```
> HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
> ```
>
> No checks are performed to ensure this value doesn't
> overflow, and could lead to CreateHob() returning a smaller
> HOB than requested, which could lead to OOB HOB accesses.
>
> Reported-by: Marc Beatove <mbeat...@google.com>
> Cc: Liming Gao <gaolim...@byosoft.com.cn>
> Cc: John Mathew <john.math...@intel.com>
> Authored-by: Gerd Hoffmann <kra...@redhat.com>
> Signed-off-by: Gua Guo <gua....@intel.com>
> ---
> MdeModulePkg/Core/Pei/Hob/Hob.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Core/Pei/Hob/Hob.c > b/MdeModulePkg/Core/Pei/Hob/Hob.c > index c4882a23cd..985da50995 100644 > --- a/MdeModulePkg/Core/Pei/Hob/Hob.c > +++ b/MdeModulePkg/Core/Pei/Hob/Hob.c
> @@ -85,7 +85,7 @@ PeiCreateHob ( > // > > // Check Length to avoid data overflow. > > // > > - if (0x10000 - Length <= 0x7) { > > + if (MAX_UINT16 - Length < 0x7) { > > return EFI_INVALID_PARAMETER; > > } > > > > -- > 2.39.2.windows.1
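Review bot: the added condition `MAX_UINT16 - Length < 0x7` rejects the same values as the removed `0x10000 - Length <= 0x7`, so the single changed line in PeiCreateHob does not alter behaviour. Both are true only for Length >= 0xFFF9, assuming Length is a 16-bit value (its declaration is not in the visible context). That threshold is already the correct one for the alignment expression quoted in the commit message, since 0xFFF8 aligns to 0xFFF8 and 0xFFF9 is the first value that wraps to 0. The commit message says "No checks are performed", which does not describe this file, where the "Check Length to avoid data overflow" guard already exists. Suggest stating in the commit message that this hunk only restates the existing guard (for example, to match the form used elsewhere in the series, if that is the intent), or dropping it from the CVE fix, which would also answer the question raised in the reply.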
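An added example (not part of the patch or of edk2) that reproduces the alignment wrap described in the commit message and compares the removed and added guards over every 16-bit value. It assumes Length is a 16-bit value and that MAX_UINT16 equals 0xFFFF; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Alignment expression quoted in the commit message. */
static uint16_t align_hob_length(uint16_t length) {
    return (uint16_t)((length + 0x7) & (~0x7));
}

/* Guard removed by the patch. */
static int old_check_rejects(uint16_t length) {
    return (0x10000 - length) <= 0x7;
}

/* Guard added by the patch; UINT16_MAX stands in for MAX_UINT16 (assumed 0xFFFF). */
static int new_check_rejects(uint16_t length) {
    return (UINT16_MAX - length) < 0x7;
}

/* Number of 16-bit lengths on which the two guards disagree. */
static unsigned count_guard_disagreements(void) {
    unsigned n = 0;
    for (uint32_t l = 0; l <= UINT16_MAX; l++)
        if (old_check_rejects((uint16_t)l) != new_check_rejects((uint16_t)l))
            n++;
    return n;
}

/* Smallest length whose aligned value is smaller than the request (it wrapped). */
static uint32_t first_wrapping_length(void) {
    for (uint32_t l = 0; l <= UINT16_MAX; l++)
        if ((uint32_t)align_hob_length((uint16_t)l) < l)
            return l;
    return 0x10000; /* no 16-bit length wraps */
}

/* Smallest length rejected by the added guard. */
static uint32_t first_rejected_length(void) {
    for (uint32_t l = 0; l <= UINT16_MAX; l++)
        if (new_check_rejects((uint16_t)l))
            return l;
    return 0x10000; /* nothing rejected */
}

int main(void) {
    printf("guards disagree on %u lengths\n", count_guard_disagreements());
    printf("first wrapping length: 0x%X\n", (unsigned)first_wrapping_length());
    printf("first rejected length: 0x%X\n", (unsigned)first_rejected_length());
    return 0;
}
```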