Once again there are line ending issues :-( I may need to pull them from a git repo like we did last time (https://github.com/hongxu-jia/openembedded-core/tree/scarthgap perhaps?)
Thanks, Steve On Mon, Dec 30, 2024 at 6:33 AM Hongxu Jia <[email protected]> wrote: > > A malicious iSCSI target could reply to the iSCSI initiator with a > malformed packet, causing out-of-bounds memory reads and writes. > This most likely leads to a denial of service, as the write > primitive should not be exploitable. > > References: > https://github.com/tianocore/edk2/issues/10314 > > Signed-off-by: Hongxu Jia <[email protected]> > --- > ...Dxe-add-checks-to-IScsiBuildKeyValue.patch | 60 +++++++++++++++++++ > meta/recipes-core/ovmf/ovmf_git.bb | 1 + > 2 files changed, 61 insertions(+) > create mode 100644 > meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch > > diff --git > a/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch > > b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch > new file mode 100644 > index 0000000000..d121e066f6 > --- /dev/null > +++ > b/meta/recipes-core/ovmf/ovmf/0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch > @@ -0,0 +1,60 @@ > +From dfd8ef9a9e396c4979239e518525d0b77c7715da Mon Sep 17 00:00:00 2001 > +From: Hongxu Jia <[email protected]> > +Date: Sun, 29 Dec 2024 21:58:05 +0800 > +Subject: [PATCH] NetworkPkg/IScsiDxe: add checks to IScsiBuildKeyValueList > + > +Check we have any data left (Len > 0) before advancing the Data pointer > +and reducing Len. Avoids wrapping Len. > + > +Also replace the AsciiStrLen() call with an open-coded loop which > +likewise checks Len to make sure we don't overrun the buffer. > + > +Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4207 > +Reported-by: Jeremy Boone <[email protected]> > +Signed-off-by: Gerd Hoffmann <[email protected]> > + > +CVE: CVE-2024-38805 > +Upstream-Status: Backport [https://edk2.groups.io/g/devel/message/106280] > +Signed-off-by: Hongxu Jia <[email protected]> > +--- > + NetworkPkg/IScsiDxe/IScsiProto.c | 16 ++++++++++++---- > + 1 file changed, 12 insertions(+), 4 deletions(-) > + > +diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c > b/NetworkPkg/IScsiDxe/IScsiProto.c > +index ef58764..88e7946 100644 > +--- a/NetworkPkg/IScsiDxe/IScsiProto.c > ++++ b/NetworkPkg/IScsiDxe/IScsiProto.c > +@@ -1903,9 +1903,8 @@ IScsiBuildKeyValueList ( > + Data++; > + } > + > +- if (*Data == '=') { > ++ if ((Len > 0) && (*Data == '=')) { > + *Data = '\0'; > +- > + Data++; > + Len--; > + } else { > +@@ -1917,8 +1916,17 @@ IScsiBuildKeyValueList ( > + > + InsertTailList (ListHead, &KeyValuePair->List); > + > +- Data += AsciiStrLen (KeyValuePair->Value) + 1; > +- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1; > ++ while ((Len > 0) && (*Data != '\0')) { > ++ Len--; > ++ Data++; > ++ } > ++ > ++ if ((Len > 0) && (*Data == '\0')) { > ++ Data++; > ++ Len--; > ++ } else { > ++ goto ON_ERROR; > ++ } > + } > + > + return ListHead; > +-- > +2.27.0 > + > diff --git a/meta/recipes-core/ovmf/ovmf_git.bb > b/meta/recipes-core/ovmf/ovmf_git.bb > index ada6ee72db..eeff5da991 100644 > --- a/meta/recipes-core/ovmf/ovmf_git.bb > +++ b/meta/recipes-core/ovmf/ovmf_git.bb > @@ -26,6 +26,7 @@ SRC_URI = > "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ > file://0004-reproducible.patch \ > file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \ > > file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \ > + > file://0001-NetworkPkg-IScsiDxe-add-checks-to-IScsiBuildKeyValue.patch \ > " > > PV = "edk2-stable202402" > -- > 2.25.1 >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#209311): https://lists.openembedded.org/g/openembedded-core/message/209311 Mute This Topic: https://lists.openembedded.org/mt/110342646/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
