Branch: refs/heads/master
Home: https://github.com/tianocore/edk2
Commit: f31453e8d6542461d92d835e0b79fec8b039174d
https://github.com/tianocore/edk2/commit/f31453e8d6542461d92d835e0b79fec8b039174d
Author: Doug Flick via groups.io <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
M NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
M NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
M NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h
Log Message:
-----------
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Bug Details:
PixieFail Bug #2
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds
of a Memory Buffer
Changes Overview:
> -UINT8 *
> +EFI_STATUS
> Dhcp6AppendOption (
> - IN OUT UINT8 *Buf,
> - IN UINT16 OptType,
> - IN UINT16 OptLen,
> - IN UINT8 *Data
> + IN OUT EFI_DHCP6_PACKET *Packet,
> + IN OUT UINT8 **PacketCursor,
> + IN UINT16 OptType,
> + IN UINT16 OptLen,
> + IN UINT8 *Data
> );
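Review bot: With the return type of Dhcp6AppendOption changing from UINT8 * to EFI_STATUS, the function header should document which status codes are returned and whether *PacketCursor and Packet->Length are left unchanged on failure. Callers that used to assign the returned pointer now depend on that contract. Packet and PacketCursor are both marked IN OUT, so the comment should also say which fields of Packet are written.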
Dhcp6AppendOption() and variants can return errors now. All callsites
are adapted accordingly.
It gets passed in EFI_DHCP6_PACKET as additional parameter ...
> + //
> + // Verify the PacketCursor is within the packet
> + //
> + if ( (*PacketCursor < Packet->Dhcp6.Option)
> + || (*PacketCursor >= Packet->Dhcp6.Option +
(Packet->Size - sizeof (EFI_DHCP6_HEADER))))
> + {
> + return EFI_INVALID_PARAMETER;
> + }
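Review bot: In the upper bound of the cursor check, Packet->Size - sizeof (EFI_DHCP6_HEADER) is an unsigned subtraction, so a Packet->Size smaller than the header wraps to a very large value and the comparison no longer bounds the cursor. Reject Packet->Size < sizeof (EFI_DHCP6_HEADER) first, and check Packet and PacketCursor for NULL before the dereference. This range test shows only that the cursor is inside the option area, so the room for the 4-byte option code and length plus OptLen still needs its own check against the same limit.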
... so it can look at Packet->Size when checking buffer space.
Also to allow Packet->Length updates.
Lots of checks added.
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 8014ac2d7bbbc503f5562b51af46bb20ae3d22ff
https://github.com/tianocore/edk2/commit/8014ac2d7bbbc503f5562b51af46bb20ae3d22ff
Author: Doug Flick via groups.io <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/NetworkPkg.ci.yaml
A NetworkPkg/Test/NetworkPkgHostTest.dsc
Log Message:
-----------
NetworkPkg: : Add Unit tests to CI and create Host Test DSC
Adds Host Based testing to the NetworkPkg
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 5f3658197bf29c83b3349b0ab1d99cdb0c3814bc
https://github.com/tianocore/edk2/commit/5f3658197bf29c83b3349b0ab1d99cdb0c3814bc
Author: Doug Flick via groups.io <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
A NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
A NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
A NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
M NetworkPkg/Test/NetworkPkgHostTest.dsc
Log Message:
-----------
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Confirms that reported issue...
"Buffer overflow in the DHCPv6 client via a long Server ID option"
..has been corrected by the provided patch.
Tests the following functions to ensure they appropriately handle
untrusted data (either too long or too small) to prevent a buffer
overflow:
Dhcp6AppendOption
Dhcp6AppendETOption
Dhcp6AppendIaOption
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
Author: Doug Flick via groups.io <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
M NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
Log Message:
-----------
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Change Overview:
Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.
>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
> IN UINT16 IaType,
> IN UINT8 *Option,
> IN UINT32 OptionLen,
> OUT UINT8 **IaInnerOpt,
> OUT UINT16 *IaInnerLen
> );
>
Lots of code cleanup to improve code readability.
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 07362769ab7a7d74dbea1c7a7a3662c7b5d1f097
https://github.com/tianocore/edk2/commit/07362769ab7a7d74dbea1c7a7a3662c7b5d1f097
Author: Doug Flick via groups.io <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
M NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
M NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
A NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
M NetworkPkg/Test/NetworkPkgHostTest.dsc
Log Message:
-----------
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
These tests confirm that the reported bug...
"Out-of-bounds read when processing IA_NA/IA_TA options in a
DHCPv6 Advertise message"
..has been patched.
The following functions are tested to confirm an out of bounds read is
patched and that the correct statuses are returned:
Dhcp6SeekInnerOptionSafe
Dhcp6SeekStsOption
TCBZ4534
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: bbfee34f4188ac00371abe1389ae9c9fb989a0cd
https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Ip6Dxe/Ip6Option.c
Log Message:
-----------
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Out-of-bounds read when handling a ND Redirect message with truncated
options
Change Overview:
Adds a check to prevent truncated options from being parsed
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type
field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
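Review bot: The comment above the OptionLen check says a length of 0 cannot be processed, but the condition rejects every OptionLen below sizeof (IP6_OPTION_HEADER), so the comment should state that threshold. The check guards the total length once at entry; each option's own length read later has to be compared with the bytes remaining as well, which this excerpt does not show.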
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 6f77463d72807ec7f4ed6518c3dac29a1040df9f
https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
A NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
A NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
A NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
M NetworkPkg/Test/NetworkPkgHostTest.dsc
Log Message:
-----------
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
Validates that the patch for...
Out-of-bounds read when handling a ND Redirect message with truncated
options
.. has been fixed
Tests the following function to ensure that an out of bounds read does
not occur
Ip6OptionValidation
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 4df0229ef992d4f2721a8508787ebf9dc81fbd6e
https://github.com/tianocore/edk2/commit/4df0229ef992d4f2721a8508787ebf9dc81fbd6e
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Ip6Dxe/Ip6Nd.h
M NetworkPkg/Ip6Dxe/Ip6Option.c
M NetworkPkg/Ip6Dxe/Ip6Option.h
Log Message:
-----------
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
Bug Details:
PixieFail Bug #4
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing unknown options in the Destination Options
header
PixieFail Bug #5
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing a PadN option in the Destination Options
header
Change Overview:
Most importantly this change corrects the following incorrect math
and cleans up the code.
> // It is a PadN option
> //
> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
> case Ip6OptionSkip:
> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
> OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
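Review bot: In the Ip6OptionSkip case the fix depends on IP6_NEXT_OPTION_OFFSET adding the two type/length bytes that the removed line left out, and on Offset no longer being truncated by a (UINT8) cast as in the removed PadN line; neither the macro body nor the declared type of Offset is in this hunk. A comment at the macro stating that it always advances by at least 2 and yields a 16-bit value, plus a check of the new Offset against OptionLen before the next read, would make the termination argument visible at the call site. The two cases now compute OptDataLen and Offset identically and could share one code path.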
Additionally, this change also corrects incorrect math where the calling
function was calculating the HDR EXT optionLen as a uint8 instead of a
uint16
> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;
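Review bot: Dropping the (UINT8) cast on OptionLen only helps if OptionLen is declared at least 16 bits wide, since (*Option + 1) * 8 - 2 reaches 2046 for *Option = 255; the declaration is not part of this hunk and should be confirmed. The value comes from a packet field, so it should also be compared with the payload bytes actually received before it bounds the option walk.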
Additionally this check adds additional logic to sanitize the incoming
data
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
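The offset and length arithmetic corrected by the CVE-2023-45232 / CVE-2023-45233 change above, as an added example that is not code from the edk2 patch: the 8-bit math of the removed lines next to a 16-bit, bounds-checked walk. `new_next` and `new_opt_len` are assumed stand-ins for `IP6_NEXT_OPTION_OFFSET` and `IP6_HDR_EXT_LEN (...) - IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN` (whose definitions the message does not show), and treating every type other than Pad1/PadN as "skip" is a simplification; all inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define STEP_CAP 64 /* demo guard: lets the pre-patch walker return instead of spinning */

/* Pre-patch arithmetic, as in the removed lines: every result is truncated to
   8 bits, and the skip case adds the data length without the 2 header bytes. */
static uint8_t old_opt_len(uint8_t ext_len) { return (uint8_t)((ext_len + 1) * 8 - 2); }
static uint8_t old_next_padn(uint8_t off, uint8_t len) { return (uint8_t)(off + len + 2); }
static uint8_t old_next_skip(uint8_t off, uint8_t len) { return (uint8_t)(off + len); }

/* Assumed stand-ins for the patch's macros: 16-bit results, and the next
   offset always steps past the 2-byte type/length header. */
static uint16_t new_opt_len(uint8_t ext_len) { return (uint16_t)((ext_len + 1) * 8 - 2); }
static uint16_t new_next(uint16_t off, uint8_t len) { return (uint16_t)(off + len + 2); }

/* Constructed inputs: unknown type 0x1E with length 0, a PadN whose length
   field (254) exceeds a 254-byte option area, and a well-formed PadN. */
static uint8_t SKIP0[258] = { 0x1E, 0 };
static uint8_t PADN[258]  = { 1, 254 };
static uint8_t GOOD[258]  = { 1, 4 };

/* Old walk: returns iterations used, or -1 when STEP_CAP is hit because the
   offset stopped advancing. The buffer must be at least 258 bytes. */
int walk_old(const uint8_t *opt, uint8_t opt_len) {
    uint8_t off = 0;
    int steps;
    for (steps = 0; off < opt_len; steps++) {
        if (steps == STEP_CAP) return -1;
        if (opt[off] == 0) { off++; continue; }                   /* Pad1 */
        off = (opt[off] == 1) ? old_next_padn(off, opt[off + 1])  /* PadN */
                              : old_next_skip(off, opt[off + 1]); /* other: skip */
    }
    return steps;
}

/* Hardened walk: returns iterations used, or -1 when an option is truncated
   or runs past opt_len. The offset strictly increases, so it terminates. */
int walk_new(const uint8_t *opt, uint16_t opt_len) {
    uint16_t off = 0;
    int steps;
    for (steps = 0; off < opt_len; steps++) {
        if (opt[off] == 0) { off++; continue; }                   /* Pad1 */
        if (off + 1 >= opt_len) return -1;                        /* no length byte */
        uint16_t next = new_next(off, opt[off + 1]);
        if (next > opt_len) return -1;                            /* overruns the area */
        off = next;
    }
    return steps;
}

int main(void) {
    printf("len(ext=32): old=%u new=%u\n", old_opt_len(32), new_opt_len(32));
    printf("skip0: old=%d new=%d\n", walk_old(SKIP0, 6), walk_new(SKIP0, 6));
    printf("padn:  old=%d new=%d\n", walk_old(PADN, 254), walk_new(PADN, 254));
    return 0;
}
```

A return of -1 from `walk_old` marks an input on which the old offset never advanced; the same inputs make handy regression cases for a host-based test of the patched parser.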
Commit: c9c87f08dd6ace36fa843424522c3558a8374cac
https://github.com/tianocore/edk2/commit/c9c87f08dd6ace36fa843424522c3558a8374cac
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
M NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
A NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
Log Message:
-----------
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
Unit tests to confirm that..
Infinite loop when parsing unknown options in the Destination Options
header
and
Infinite loop when parsing a PadN option in the Destination Options
header
... have been patched
This patch tests the following functions:
Ip6IsOptionValid
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 1b53515d53d303166b2bbd31e2cc7f16fd0aecd7
https://github.com/tianocore/edk2/commit/1b53515d53d303166b2bbd31e2cc7f16fd0aecd7
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
Log Message:
-----------
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when processing DNS Servers option in a DHCPv6
Advertise message
Change Overview:
Introduces a function to cache the Dns Server and perform sanitizing
on the incoming DnsServerLen to ensure that the length is valid
> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> + IN PXEBC_PRIVATE_DATA *Private,
> + IN PXEBC_DHCP6_PACKET_CACHE *Cache6
> + )
Additional code cleanup
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 458c582685fc0e8057d2511c5a0394078d988c17
https://github.com/tianocore/edk2/commit/458c582685fc0e8057d2511c5a0394078d988c17
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Test/NetworkPkgHostTest.dsc
A NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
A NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
A NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
A NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
Log Message:
-----------
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
Unit tests to confirm that the bug..
Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise
message
..has been patched
This contains tests for the following functions:
PxeBcHandleDhcp6Offer
PxeBcCacheDnsServerAddresses
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 7f04c7a253621956ba59a121c6e8658256788f40
https://github.com/tianocore/edk2/commit/7f04c7a253621956ba59a121c6e8658256788f40
Author: Doug Flick via groups.io <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiRuntimeServicesTableLib.h
M MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.cpp
Log Message:
-----------
MdePkg: Test: Add gRT_GetTime Google Test Mock
This adds support for GetTime Google Test Mock
Cc: Michael D Kinney <[email protected]>
Cc: Liming Gao <[email protected]>
Cc: Zhiguang Liu <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Michael D Kinney <[email protected]>
Commit: fac297724e6cc343430cd0104e55cd7a96d1151e
https://github.com/tianocore/edk2/commit/fac297724e6cc343430cd0104e55cd7a96d1151e
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
M NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
Log Message:
-----------
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
Change Overview:
Performs two checks
1. Checks that the length of the duid is accurate
> + //
> + // Check that the minimum and maximum requirements are met
> + //
> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> + Status = EFI_INVALID_PARAMETER;
> + goto ON_ERROR;
> + }
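Review bot: PXEBC_MIN_SIZE_OF_DUID and PXEBC_MAX_SIZE_OF_DUID in the OpLen check carry the whole policy, so their definitions should have a comment giving the values and where they come from. The check has to sit before the first use of OpLen in a copy or length calculation, and the ON_ERROR path must release whatever was allocated before this point.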
2. Ensures that the amount of data written to the buffer is tracked and
never exceeds that
> + //
> + // Check that the option length is valid.
> + //
> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
> DiscoverLenNeeded) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_ERROR;
> + }
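Review bot: The sum DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN is evaluated before the comparison with DiscoverLenNeeded, so it is only safe while OpLen is already bounded by the DUID size check; keep the two checks adjacent and in that order. The same test is needed before every option written into the Discover buffer, so a small helper that takes the option length would keep later additions from skipping it.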
Additional code clean up and fix for memory leak in case Option was NULL
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: ff2986358f75d8f58ef08a66fe673539c9c48f41
https://github.com/tianocore/edk2/commit/ff2986358f75d8f58ef08a66fe673539c9c48f41
Author: Doug Flick <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
M NetworkPkg/Test/NetworkPkgHostTest.dsc
M NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
M NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
Log Message:
-----------
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
Unit tests to confirm that the bug..
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
..has been patched.
This patch contains unit tests for the following functions:
PxeBcRequestBootService
PxeBcDhcp6Discover
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Commit: 1d0b95f6457d225c5108302a9da74b4ed7aa5a38
https://github.com/tianocore/edk2/commit/1d0b95f6457d225c5108302a9da74b4ed7aa5a38
Author: Doug Flick via groups.io <[email protected]>
Date: 2024-02-06 (Tue, 06 Feb 2024)
Changed paths:
A NetworkPkg/SecurityFixes.yaml
Log Message:
-----------
NetworkPkg: : Adds a SecurityFix.yaml file
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
Compare: https://github.com/tianocore/edk2/compare/959f71c801b4...1d0b95f6457d