A malicious iSCSI target could reply to the iSCSI initiator with a
malformed packet, causing out-of-bounds memory reads and writes.
This most likely leads to a denial of service, as the write
primitive should not be exploitable.

References:
https://github.com/tianocore/edk2/issues/10314

Signed-off-by: Hongxu Jia <[email protected]>
---
 ...Dxe-add-checks-to-IScsiBuildKeyValue.patch | 60 +++++++++++++++++++
 meta/recipes-core/ovmf/ovmf_git.bb            |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch

diff --git a/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch
new file mode 100644
index 0000000000..d121e066f6
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch
@@ -0,0 +1,60 @@
+From dfd8ef9a9e396c4979239e518525d0b77c7715da Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <[email protected]>
+Date: Sun, 29 Dec 2024 21:58:05 +0800
+Subject: [PATCH] NetworkPkg/IScsiDxe: add checks to IScsiBuildKeyValueList
+
+Check we have any data left (Len > 0) before advancing the Data pointer
+and reducing Len.  Avoids wrapping Len.
+
+Also replace the AsciiStrLen() call with an open-coded loop which
+likewise checks Len to make sure we don't overrun the buffer.
+
+Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4207
+Reported-by: Jeremy Boone <[email protected]>
+Signed-off-by: Gerd Hoffmann <[email protected]>
+
+CVE: CVE-2024-38805
+Upstream-Status: Backport [https://edk2.groups.io/g/devel/message/106280]
+Signed-off-by: Hongxu Jia <[email protected]>
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c 
b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef58764..88e7946 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1903,9 +1903,8 @@ IScsiBuildKeyValueList (
+       Data++;
+     }
+ 
+-    if (*Data == '=') {
++    if ((Len > 0) && (*Data == '=')) {
+       *Data = '\0';
+-
+       Data++;
+       Len--;
+     } else {
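Review bot: the new `(Len > 0)` guard in front of `*Data == '='` is the part that matters here: when the scan loop above (the `Data++` in context) consumes every remaining byte without finding `=`, `Data` is already one past the buffer, so the old `if (*Data == '=')` was an out-of-bounds read, the `*Data = '\0'` that followed it was an out-of-bounds write whenever that stray byte happened to be `=`, and the unconditional `Len--` then wrapped `Len` to 0xFFFFFFFF. The check depends on the scan loop keeping the invariant "exactly Len bytes remain at Data", i.e. decrementing Len on every `Data++`; that loop is outside the visible lines and should be confirmed. The removal of the blank line after `*Data = '\0';` is an unrelated whitespace change; harmless, but it does not belong in a CVE backport that other branches may want to cherry-pick.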
+@@ -1917,8 +1916,17 @@ IScsiBuildKeyValueList (
+ 
+     InsertTailList (ListHead, &KeyValuePair->List);
+ 
+-    Data += AsciiStrLen (KeyValuePair->Value) + 1;
+-    Len  -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++    while ((Len > 0) && (*Data != '\0')) {
++      Len--;
++      Data++;
++    }
++
++    if ((Len > 0) && (*Data == '\0')) {
++      Data++;
++      Len--;
++    } else {
++      goto ON_ERROR;
++    }
+   }
+ 
+   return ListHead;
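Review bot: the second operand in `if ((Len > 0) && (*Data == '\0'))` is redundant, because the loop just above can only exit with `Len > 0` when `*Data == '\0'`; `if (Len == 0) { goto ON_ERROR; }` says the same thing and makes the intent (value not terminated inside the buffer) explicit. The replacement also changes behaviour in a way the commit message should state: a value that runs to the end of the buffer without a NUL used to be accepted, with `AsciiStrLen()` reading past the buffer and `Len -= AsciiStrLen(...) + 1` wrapping, and is now rejected through `ON_ERROR`. Since `InsertTailList` has already run before this scan, the `ON_ERROR` path must free the list including this last pair; that code is outside the hunk and worth a look when reviewing the backport.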
+-- 
+2.27.0
+
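Review bot: `Upstream-Status: Backport [https://edk2.groups.io/g/devel/message/106280]` references a mailing-list posting, but `Backport` is meant for changes already merged upstream and should carry the upstream commit reference; if the change is still only on the list, the status should be `Submitted`, and if it has been merged, the merged commit hash should replace the list link. The `CVE: CVE-2024-38805` line is what cve-check uses to mark the CVE as patched in this recipe, so keep it in the header exactly as written.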
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb 
b/meta/recipes-core/ovmf/ovmf_git.bb
index ada6ee72db..eeff5da991 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -26,6 +26,7 @@ SRC_URI = 
"gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://0004-reproducible.patch \
            file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \
            
file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \
+           
file://0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch \
            "
 
 PV = "edk2-stable202402"
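Review bot: the `file://` entry is placed after the two existing CVE backports and follows their naming, so no issue with the SRC_URI change itself. Because the recipe pins `PV = "edk2-stable202402"`, the one thing to confirm is that this tag does not already contain the upstream change; if it did, the new patch would fail to apply in do_patch, so a successful build of this revision is the check, and the commit message could state that the fix is absent from edk2-stable202402.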
-- 
2.25.1
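To make the failure mode in the commit message concrete, here is an added example that is not code from edk2 or from this patch. It models the text-key parsing that IScsiBuildKeyValueList does over a login/text response buffer: `parse_key_value_list` follows the patched control flow (every advance of Data gated on Len, unterminated values rejected), while `old_logic_fault` dry-runs the pre-patch arithmetic on the same bytes without reading outside the buffer and reports where the old code would have left it. The type and function names and the three sample buffers are constructed for this example.

```c
/* Added example modelling edk2's IScsiBuildKeyValueList() text-key parsing.
 * Not edk2 code. The response body is Len bytes of "key=value\0key=value\0". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAIRS 8   /* demo bound; edk2 allocates one node per pair */

typedef struct {
    const char *key;
    const char *value;
} key_value_t;

/* Mirrors the patched control flow. Returns the number of pairs parsed, or
 * -1 where the patched code takes ON_ERROR. Like the original, it terminates
 * each key in place by overwriting its '=' with NUL, so data must be writable. */
int parse_key_value_list(char *data, uint32_t len, key_value_t *pairs, int max_pairs)
{
    int n = 0;

    while (len > 0) {
        if (n == max_pairs) return -1;
        pairs[n].key = data;

        /* scan to '=' without leaving the buffer */
        while (len > 0 && *data != '=') { len--; data++; }

        /* patched check: only dereference *data when a byte is left */
        if (len > 0 && *data == '=') {
            *data = '\0';
            data++;
            len--;
        } else {
            return -1;                      /* ON_ERROR: key without '=' */
        }

        pairs[n].value = data;
        n++;

        /* patched replacement for AsciiStrLen(): bounded by len */
        while (len > 0 && *data != '\0') { len--; data++; }

        if (len > 0) {                      /* *data is the value's NUL */
            data++;
            len--;
        } else {
            return -1;                      /* ON_ERROR: value runs off the end */
        }
    }
    return n;
}

/* Dry run of the pre-patch logic on the same bytes, never touching memory
 * outside [data, data+len). Returns 0 if the old code stayed in bounds,
 * 1 if it would have evaluated *Data at the '=' check with Len already 0
 * (an out-of-bounds read, a NUL write if that byte is '=', and Len-- wrapping
 * to 0xFFFFFFFF), 2 if AsciiStrLen() would have run past an unterminated value. */
int old_logic_fault(const char *data, uint32_t len)
{
    uint32_t i = 0;

    while (i < len) {
        while (i < len && data[i] != '=') i++;
        if (i == len) return 1;
        i++;                                            /* skip '=' */
        const char *nul = memchr(data + i, '\0', len - i);
        if (nul == NULL) return 2;
        i = (uint32_t)(nul - data) + 1;                 /* skip value and its NUL */
    }
    return 0;
}

int main(void)
{
    /* constructed sample buffers, not captured iSCSI traffic */
    char good[]   = "InitiatorName=iqn.1\0TargetName=iqn.2"; /* two terminated pairs */
    char no_eq[]  = "TargetName";                             /* no '=' within len */
    char no_nul[] = "TargetName=iqn.2";                       /* value not terminated within len */
    key_value_t pairs[MAX_PAIRS];
    int fault, parsed;

    fault  = old_logic_fault(good, (uint32_t)sizeof(good));
    parsed = parse_key_value_list(good, (uint32_t)sizeof(good), pairs, MAX_PAIRS);
    printf("well-formed:    old_fault=%d patched=%d pairs\n", fault, parsed);

    fault  = old_logic_fault(no_eq, (uint32_t)sizeof(no_eq) - 1);
    parsed = parse_key_value_list(no_eq, (uint32_t)sizeof(no_eq) - 1, pairs, MAX_PAIRS);
    printf("missing '=':    old_fault=%d patched=%d\n", fault, parsed);

    fault  = old_logic_fault(no_nul, (uint32_t)sizeof(no_nul) - 1);
    parsed = parse_key_value_list(no_nul, (uint32_t)sizeof(no_nul) - 1, pairs, MAX_PAIRS);
    printf("missing NUL:    old_fault=%d patched=%d\n", fault, parsed);
    return 0;
}
```

The two malformed buffers are exactly the inputs a hostile target controls: `no_eq` drives the old code into the `*Data == '='` read past the end, `no_nul` drives `AsciiStrLen()` past the end and wraps `Len`; the patched flow returns -1 for both and parses the well-formed buffer into two pairs.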

View/Reply Online (#209163): https://lists.openembedded.org/g/openembedded-core/message/209163