diff options
| author | Soumya Sambu <soumya.sambu@windriver.com> | 2024-06-28 09:42:17 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-12-09 07:54:03 -0800 |
| commit | 3a7159d8d87d665cea93e2dc52201eb3dfbc46b9 (patch) | |
| tree | eb37af39a2300cf6832ea63738b1b4287dc6d831 | |
| parent | 5133058e11e93b24113517cf39d6c1e7430b597e (diff) | |
| download | poky-3a7159d8d87d665cea93e2dc52201eb3dfbc46b9.tar.gz | |
ovmf: Fix CVE-2023-45229
EDK2's Network Package is susceptible to an out-of-bounds read
vulnerability when processing the IA_NA or IA_TA option in a DHCPv6
Advertise message. This vulnerability can be exploited by an attacker
to gain unauthorized access and potentially lead to a loss of
Confidentiality.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45229
Upstream-patches:
https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
https://github.com/tianocore/edk2/commit/07362769ab7a7d74dbea1c7a7a3662c7b5d1f097
https://github.com/tianocore/edk2/commit/1c440a5eceedc64e892877eeac0f1a4938f5abbb
https://github.com/tianocore/edk2/commit/1d0b95f6457d225c5108302a9da74b4ed7aa5a38
(From OE-Core rev: 23a87c571ae4cdd285a96af0d458906aaf8c4571)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch | 604 | ||||
| -rw-r--r-- | meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0002.patch | 539 | ||||
| -rw-r--r-- | meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0003.patch | 244 | ||||
| -rw-r--r-- | meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0004.patch | 157 | ||||
| -rw-r--r-- | meta/recipes-core/ovmf/ovmf_git.bb | 4 |
5 files changed, 1548 insertions, 0 deletions
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch new file mode 100644 index 0000000000..9d8549b27d --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch | |||
| @@ -0,0 +1,604 @@ | |||
| 1 | From 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> | ||
| 3 | Date: Fri, 26 Jan 2024 05:54:46 +0800 | ||
| 4 | Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch | ||
| 5 | |||
| 6 | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 | ||
| 7 | |||
| 8 | Bug Details: | ||
| 9 | PixieFail Bug #1 | ||
| 10 | CVE-2023-45229 | ||
| 11 | CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | ||
| 12 | CWE-125 Out-of-bounds Read | ||
| 13 | |||
| 14 | Change Overview: | ||
| 15 | |||
| 16 | Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking | ||
| 17 | the Inner Option from a DHCP6 Option. | ||
| 18 | |||
| 19 | > | ||
| 20 | > EFI_STATUS | ||
| 21 | > Dhcp6SeekInnerOptionSafe ( | ||
| 22 | > IN UINT16 IaType, | ||
| 23 | > IN UINT8 *Option, | ||
| 24 | > IN UINT32 OptionLen, | ||
| 25 | > OUT UINT8 **IaInnerOpt, | ||
| 26 | > OUT UINT16 *IaInnerLen | ||
| 27 | > ); | ||
| 28 | > | ||
| 29 | |||
| 30 | Lots of code cleanup to improve code readability. | ||
| 31 | |||
| 32 | Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 33 | Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> | ||
| 34 | |||
| 35 | Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> | ||
| 36 | Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 37 | |||
| 38 | CVE: CVE-2023-45229 | ||
| 39 | |||
| 40 | Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0] | ||
| 41 | |||
| 42 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
| 43 | --- | ||
| 44 | NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++++++++++++++++++--- | ||
| 45 | NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 203 +++++++++++++++++++++----------- | ||
| 46 | 2 files changed, 256 insertions(+), 85 deletions(-) | ||
| 47 | |||
| 48 | diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | ||
| 49 | index f2422c2f28..220e7c68f1 100644 | ||
| 50 | --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | ||
| 51 | +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | ||
| 52 | @@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; | ||
| 53 | #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') | ||
| 54 | #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') | ||
| 55 | |||
| 56 | +#define DHCP6_PACKET_ALL 0 | ||
| 57 | +#define DHCP6_PACKET_STATEFUL 1 | ||
| 58 | +#define DHCP6_PACKET_STATELESS 2 | ||
| 59 | + | ||
| 60 | +#define DHCP6_BASE_PACKET_SIZE 1024 | ||
| 61 | + | ||
| 62 | +#define DHCP6_PORT_CLIENT 546 | ||
| 63 | +#define DHCP6_PORT_SERVER 547 | ||
| 64 | + | ||
| 65 | +#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20) | ||
| 66 | + | ||
| 67 | +#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE) | ||
| 68 | +#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE) | ||
| 69 | + | ||
| 70 | // | ||
| 71 | // For more information on DHCP options see RFC 8415, Section 21.1 | ||
| 72 | // | ||
| 73 | @@ -59,12 +73,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; | ||
| 74 | // | (option-len octets) | | ||
| 75 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 76 | // | ||
| 77 | -#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16)) | ||
| 78 | -#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16)) | ||
| 79 | +#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode)) | ||
| 80 | +#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen)) | ||
| 81 | |||
| 82 | -// | ||
| 83 | // Combined size of Code and Length | ||
| 84 | -// | ||
| 85 | #define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ | ||
| 86 | DHCP6_SIZE_OF_OPT_LEN) | ||
| 87 | |||
| 88 | @@ -73,34 +85,122 @@ STATIC_ASSERT ( | ||
| 89 | "Combined size of Code and Length must be 4 per RFC 8415" | ||
| 90 | ); | ||
| 91 | |||
| 92 | -// | ||
| 93 | // Offset to the length is just past the code | ||
| 94 | -// | ||
| 95 | -#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE) | ||
| 96 | +#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE) | ||
| 97 | STATIC_ASSERT ( | ||
| 98 | - DHCP6_OPT_LEN_OFFSET (0) == 2, | ||
| 99 | + DHCP6_OFFSET_OF_OPT_LEN (0) == 2, | ||
| 100 | "Offset of length is + 2 past start of option" | ||
| 101 | ); | ||
| 102 | |||
| 103 | -#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) | ||
| 104 | +#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) | ||
| 105 | STATIC_ASSERT ( | ||
| 106 | - DHCP6_OPT_DATA_OFFSET (0) == 4, | ||
| 107 | + DHCP6_OFFSET_OF_OPT_DATA (0) == 4, | ||
| 108 | "Offset to option data should be +4 from start of option" | ||
| 109 | ); | ||
| 110 | +// | ||
| 111 | +// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association)) | ||
| 112 | +// are defined in RFC 8415 and are a deriviation of a TLV stucture | ||
| 113 | +// For more information on IA_NA see Section 21.4 | ||
| 114 | +// For more information on IA_TA see Section 21.5 | ||
| 115 | +// | ||
| 116 | +// | ||
| 117 | +// The format of IA_NA and IA_TA option: | ||
| 118 | +// | ||
| 119 | +// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||
| 120 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 121 | +// | OPTION_IA_NA | option-len | | ||
| 122 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 123 | +// | IAID (4 octets) | | ||
| 124 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 125 | +// | T1 (only for IA_NA) | | ||
| 126 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 127 | +// | T2 (only for IA_NA) | | ||
| 128 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 129 | +// | | | ||
| 130 | +// . IA_NA-options/IA_TA-options . | ||
| 131 | +// . . | ||
| 132 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 133 | +// | ||
| 134 | +#define DHCP6_SIZE_OF_IAID (sizeof(UINT32)) | ||
| 135 | +#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32)) | ||
| 136 | |||
| 137 | -#define DHCP6_PACKET_ALL 0 | ||
| 138 | -#define DHCP6_PACKET_STATEFUL 1 | ||
| 139 | -#define DHCP6_PACKET_STATELESS 2 | ||
| 140 | +// Combined size of IAID, T1, and T2 | ||
| 141 | +#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \ | ||
| 142 | + DHCP6_SIZE_OF_TIME_INTERVAL + \ | ||
| 143 | + DHCP6_SIZE_OF_TIME_INTERVAL) | ||
| 144 | +STATIC_ASSERT ( | ||
| 145 | + DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12, | ||
| 146 | + "Combined size of IAID, T1, T2 must be 12 per RFC 8415" | ||
| 147 | + ); | ||
| 148 | |||
| 149 | -#define DHCP6_BASE_PACKET_SIZE 1024 | ||
| 150 | +// This is the size of IA_TA without options | ||
| 151 | +#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ | ||
| 152 | + DHCP6_SIZE_OF_IAID) | ||
| 153 | +STATIC_ASSERT ( | ||
| 154 | + DHCP6_MIN_SIZE_OF_IA_TA == 8, | ||
| 155 | + "Minimum combined size of IA_TA per RFC 8415" | ||
| 156 | + ); | ||
| 157 | |||
| 158 | -#define DHCP6_PORT_CLIENT 546 | ||
| 159 | -#define DHCP6_PORT_SERVER 547 | ||
| 160 | +// Offset to a IA_TA inner option | ||
| 161 | +#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA) | ||
| 162 | +STATIC_ASSERT ( | ||
| 163 | + DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8, | ||
| 164 | + "Offset of IA_TA Inner option is + 8 past start of option" | ||
| 165 | + ); | ||
| 166 | |||
| 167 | -#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20) | ||
| 168 | +// This is the size of IA_NA without options (16) | ||
| 169 | +#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ | ||
| 170 | + DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 | ||
| 171 | +STATIC_ASSERT ( | ||
| 172 | + DHCP6_MIN_SIZE_OF_IA_NA == 16, | ||
| 173 | + "Minimum combined size of IA_TA per RFC 8415" | ||
| 174 | + ); | ||
| 175 | |||
| 176 | -#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE) | ||
| 177 | -#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE) | ||
| 178 | +#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA) | ||
| 179 | +STATIC_ASSERT ( | ||
| 180 | + DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16, | ||
| 181 | + "Offset of IA_NA Inner option is + 16 past start of option" | ||
| 182 | + ); | ||
| 183 | + | ||
| 184 | +#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \ | ||
| 185 | + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ | ||
| 186 | + DHCP6_SIZE_OF_IAID) | ||
| 187 | +STATIC_ASSERT ( | ||
| 188 | + DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8, | ||
| 189 | + "Offset of IA_NA Inner option is + 8 past start of option" | ||
| 190 | + ); | ||
| 191 | + | ||
| 192 | +#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \ | ||
| 193 | + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\ | ||
| 194 | + DHCP6_SIZE_OF_IAID + \ | ||
| 195 | + DHCP6_SIZE_OF_TIME_INTERVAL) | ||
| 196 | +STATIC_ASSERT ( | ||
| 197 | + DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12, | ||
| 198 | + "Offset of IA_NA Inner option is + 12 past start of option" | ||
| 199 | + ); | ||
| 200 | + | ||
| 201 | +// | ||
| 202 | +// For more information see RFC 8415 Section 21.13 | ||
| 203 | +// | ||
| 204 | +// The format of the Status Code Option: | ||
| 205 | +// | ||
| 206 | +// 0 1 2 3 | ||
| 207 | +// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||
| 208 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 209 | +// | OPTION_STATUS_CODE | option-len | | ||
| 210 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 211 | +// | status-code | | | ||
| 212 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ||
| 213 | +// . . | ||
| 214 | +// . status-message . | ||
| 215 | +// . . | ||
| 216 | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 217 | +// | ||
| 218 | +#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) | ||
| 219 | +STATIC_ASSERT ( | ||
| 220 | + DHCP6_OFFSET_OF_STATUS_CODE (0) == 4, | ||
| 221 | + "Offset of status is + 4 past start of option" | ||
| 222 | + ); | ||
| 223 | |||
| 224 | extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress; | ||
| 225 | extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate; | ||
| 226 | diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 227 | index bf5aa7a769..89d16484a5 100644 | ||
| 228 | --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 229 | +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 230 | @@ -598,8 +598,8 @@ Dhcp6UpdateIaInfo ( | ||
| 231 | // The inner options still start with 2 bytes option-code and 2 bytes option-len. | ||
| 232 | // | ||
| 233 | if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) { | ||
| 234 | - T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 8))); | ||
| 235 | - T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 12))); | ||
| 236 | + T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option)))); | ||
| 237 | + T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option)))); | ||
| 238 | // | ||
| 239 | // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2, | ||
| 240 | // and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes | ||
| 241 | @@ -609,13 +609,14 @@ Dhcp6UpdateIaInfo ( | ||
| 242 | return EFI_DEVICE_ERROR; | ||
| 243 | } | ||
| 244 | |||
| 245 | - IaInnerOpt = Option + 16; | ||
| 246 | - IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 12); | ||
| 247 | + IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); | ||
| 248 | + IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2); | ||
| 249 | } else { | ||
| 250 | - T1 = 0; | ||
| 251 | - T2 = 0; | ||
| 252 | - IaInnerOpt = Option + 8; | ||
| 253 | - IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 4); | ||
| 254 | + T1 = 0; | ||
| 255 | + T2 = 0; | ||
| 256 | + | ||
| 257 | + IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); | ||
| 258 | + IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); | ||
| 259 | } | ||
| 260 | |||
| 261 | // | ||
| 262 | @@ -641,7 +642,7 @@ Dhcp6UpdateIaInfo ( | ||
| 263 | Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); | ||
| 264 | |||
| 265 | if (Option != NULL) { | ||
| 266 | - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4))); | ||
| 267 | + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); | ||
| 268 | if (StsCode != Dhcp6StsSuccess) { | ||
| 269 | return EFI_DEVICE_ERROR; | ||
| 270 | } | ||
| 271 | @@ -661,6 +662,87 @@ Dhcp6UpdateIaInfo ( | ||
| 272 | return Status; | ||
| 273 | } | ||
| 274 | |||
| 275 | +/** | ||
| 276 | + Seeks the Inner Options from a DHCP6 Option | ||
| 277 | + | ||
| 278 | + @param[in] IaType The type of the IA option. | ||
| 279 | + @param[in] Option The pointer to the DHCP6 Option. | ||
| 280 | + @param[in] OptionLen The length of the DHCP6 Option. | ||
| 281 | + @param[out] IaInnerOpt The pointer to the IA inner option. | ||
| 282 | + @param[out] IaInnerLen The length of the IA inner option. | ||
| 283 | + | ||
| 284 | + @retval EFI_SUCCESS Seek the inner option successfully. | ||
| 285 | + @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error, | ||
| 286 | + the pointers are not modified | ||
| 287 | +**/ | ||
| 288 | +EFI_STATUS | ||
| 289 | +Dhcp6SeekInnerOptionSafe ( | ||
| 290 | + IN UINT16 IaType, | ||
| 291 | + IN UINT8 *Option, | ||
| 292 | + IN UINT32 OptionLen, | ||
| 293 | + OUT UINT8 **IaInnerOpt, | ||
| 294 | + OUT UINT16 *IaInnerLen | ||
| 295 | + ) | ||
| 296 | +{ | ||
| 297 | + UINT16 IaInnerLenTmp; | ||
| 298 | + UINT8 *IaInnerOptTmp; | ||
| 299 | + | ||
| 300 | + if (Option == NULL) { | ||
| 301 | + ASSERT (Option != NULL); | ||
| 302 | + return EFI_DEVICE_ERROR; | ||
| 303 | + } | ||
| 304 | + | ||
| 305 | + if (IaInnerOpt == NULL) { | ||
| 306 | + ASSERT (IaInnerOpt != NULL); | ||
| 307 | + return EFI_DEVICE_ERROR; | ||
| 308 | + } | ||
| 309 | + | ||
| 310 | + if (IaInnerLen == NULL) { | ||
| 311 | + ASSERT (IaInnerLen != NULL); | ||
| 312 | + return EFI_DEVICE_ERROR; | ||
| 313 | + } | ||
| 314 | + | ||
| 315 | + if (IaType == Dhcp6OptIana) { | ||
| 316 | + // Verify we have a fully formed IA_NA | ||
| 317 | + if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) { | ||
| 318 | + return EFI_DEVICE_ERROR; | ||
| 319 | + } | ||
| 320 | + | ||
| 321 | + // | ||
| 322 | + IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); | ||
| 323 | + | ||
| 324 | + // Verify the IaInnerLen is valid. | ||
| 325 | + IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option))); | ||
| 326 | + if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) { | ||
| 327 | + return EFI_DEVICE_ERROR; | ||
| 328 | + } | ||
| 329 | + | ||
| 330 | + IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2; | ||
| 331 | + } else if (IaType == Dhcp6OptIata) { | ||
| 332 | + // Verify the OptionLen is valid. | ||
| 333 | + if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) { | ||
| 334 | + return EFI_DEVICE_ERROR; | ||
| 335 | + } | ||
| 336 | + | ||
| 337 | + IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); | ||
| 338 | + | ||
| 339 | + // Verify the IaInnerLen is valid. | ||
| 340 | + IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); | ||
| 341 | + if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) { | ||
| 342 | + return EFI_DEVICE_ERROR; | ||
| 343 | + } | ||
| 344 | + | ||
| 345 | + IaInnerLenTmp -= DHCP6_SIZE_OF_IAID; | ||
| 346 | + } else { | ||
| 347 | + return EFI_DEVICE_ERROR; | ||
| 348 | + } | ||
| 349 | + | ||
| 350 | + *IaInnerOpt = IaInnerOptTmp; | ||
| 351 | + *IaInnerLen = IaInnerLenTmp; | ||
| 352 | + | ||
| 353 | + return EFI_SUCCESS; | ||
| 354 | +} | ||
| 355 | + | ||
| 356 | /** | ||
| 357 | Seek StatusCode Option in package. A Status Code option may appear in the | ||
| 358 | options field of a DHCP message and/or in the options field of another option. | ||
| 359 | @@ -684,6 +766,12 @@ Dhcp6SeekStsOption ( | ||
| 360 | UINT8 *IaInnerOpt; | ||
| 361 | UINT16 IaInnerLen; | ||
| 362 | UINT16 StsCode; | ||
| 363 | + UINT32 OptionLen; | ||
| 364 | + | ||
| 365 | + // OptionLen is the length of the Options excluding the DHCP header. | ||
| 366 | + // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last | ||
| 367 | + // byte of the Option[] field. | ||
| 368 | + OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header); | ||
| 369 | |||
| 370 | // | ||
| 371 | // Seek StatusCode option directly in DHCP message body. That is, search in | ||
| 372 | @@ -691,12 +779,12 @@ Dhcp6SeekStsOption ( | ||
| 373 | // | ||
| 374 | *Option = Dhcp6SeekOption ( | ||
| 375 | Packet->Dhcp6.Option, | ||
| 376 | - Packet->Length - 4, | ||
| 377 | + OptionLen, | ||
| 378 | Dhcp6OptStatusCode | ||
| 379 | ); | ||
| 380 | |||
| 381 | if (*Option != NULL) { | ||
| 382 | - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4))); | ||
| 383 | + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option)))); | ||
| 384 | if (StsCode != Dhcp6StsSuccess) { | ||
| 385 | return EFI_DEVICE_ERROR; | ||
| 386 | } | ||
| 387 | @@ -707,7 +795,7 @@ Dhcp6SeekStsOption ( | ||
| 388 | // | ||
| 389 | *Option = Dhcp6SeekIaOption ( | ||
| 390 | Packet->Dhcp6.Option, | ||
| 391 | - Packet->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 392 | + OptionLen, | ||
| 393 | &Instance->Config->IaDescriptor | ||
| 394 | ); | ||
| 395 | if (*Option == NULL) { | ||
| 396 | @@ -715,52 +803,35 @@ Dhcp6SeekStsOption ( | ||
| 397 | } | ||
| 398 | |||
| 399 | // | ||
| 400 | - // The format of the IA_NA option is: | ||
| 401 | + // Calculate the distance from Packet->Dhcp6.Option to the IA option. | ||
| 402 | // | ||
| 403 | - // 0 1 2 3 | ||
| 404 | - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||
| 405 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 406 | - // | OPTION_IA_NA | option-len | | ||
| 407 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 408 | - // | IAID (4 octets) | | ||
| 409 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 410 | - // | T1 | | ||
| 411 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 412 | - // | T2 | | ||
| 413 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 414 | - // | | | ||
| 415 | - // . IA_NA-options . | ||
| 416 | - // . . | ||
| 417 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 418 | + // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is | ||
| 419 | + // the size of the whole packet, including the DHCP header, and Packet->Length | ||
| 420 | + // is the length of the DHCP message body, excluding the DHCP header. | ||
| 421 | // | ||
| 422 | - // The format of the IA_TA option is: | ||
| 423 | + // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of | ||
| 424 | + // DHCP6 option area to the start of the IA option. | ||
| 425 | // | ||
| 426 | - // 0 1 2 3 | ||
| 427 | - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||
| 428 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 429 | - // | OPTION_IA_TA | option-len | | ||
| 430 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 431 | - // | IAID (4 octets) | | ||
| 432 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 433 | - // | | | ||
| 434 | - // . IA_TA-options . | ||
| 435 | - // . . | ||
| 436 | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 437 | + // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the | ||
| 438 | + // IA option to the end of the DHCP6 option area, thus subtract the space | ||
| 439 | + // up until this option | ||
| 440 | // | ||
| 441 | + OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option); | ||
| 442 | |||
| 443 | // | ||
| 444 | - // sizeof (option-code + option-len + IaId) = 8 | ||
| 445 | - // sizeof (option-code + option-len + IaId + T1) = 12 | ||
| 446 | - // sizeof (option-code + option-len + IaId + T1 + T2) = 16 | ||
| 447 | - // | ||
| 448 | - // The inner options still start with 2 bytes option-code and 2 bytes option-len. | ||
| 449 | + // Seek the inner option | ||
| 450 | // | ||
| 451 | - if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) { | ||
| 452 | - IaInnerOpt = *Option + 16; | ||
| 453 | - IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 12); | ||
| 454 | - } else { | ||
| 455 | - IaInnerOpt = *Option + 8; | ||
| 456 | - IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 4); | ||
| 457 | + if (EFI_ERROR ( | ||
| 458 | + Dhcp6SeekInnerOptionSafe ( | ||
| 459 | + Instance->Config->IaDescriptor.Type, | ||
| 460 | + *Option, | ||
| 461 | + OptionLen, | ||
| 462 | + &IaInnerOpt, | ||
| 463 | + &IaInnerLen | ||
| 464 | + ) | ||
| 465 | + )) | ||
| 466 | + { | ||
| 467 | + return EFI_DEVICE_ERROR; | ||
| 468 | } | ||
| 469 | |||
| 470 | // | ||
| 471 | @@ -784,7 +855,7 @@ Dhcp6SeekStsOption ( | ||
| 472 | // | ||
| 473 | *Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); | ||
| 474 | if (*Option != NULL) { | ||
| 475 | - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4))); | ||
| 476 | + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (*Option))))); | ||
| 477 | if (StsCode != Dhcp6StsSuccess) { | ||
| 478 | return EFI_DEVICE_ERROR; | ||
| 479 | } | ||
| 480 | @@ -1105,7 +1176,7 @@ Dhcp6SendRequestMsg ( | ||
| 481 | // | ||
| 482 | Option = Dhcp6SeekOption ( | ||
| 483 | Instance->AdSelect->Dhcp6.Option, | ||
| 484 | - Instance->AdSelect->Length - 4, | ||
| 485 | + Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 486 | Dhcp6OptServerId | ||
| 487 | ); | ||
| 488 | if (Option == NULL) { | ||
| 489 | @@ -1289,7 +1360,7 @@ Dhcp6SendDeclineMsg ( | ||
| 490 | // | ||
| 491 | Option = Dhcp6SeekOption ( | ||
| 492 | LastReply->Dhcp6.Option, | ||
| 493 | - LastReply->Length - 4, | ||
| 494 | + LastReply->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 495 | Dhcp6OptServerId | ||
| 496 | ); | ||
| 497 | if (Option == NULL) { | ||
| 498 | @@ -1448,7 +1519,7 @@ Dhcp6SendReleaseMsg ( | ||
| 499 | // | ||
| 500 | Option = Dhcp6SeekOption ( | ||
| 501 | LastReply->Dhcp6.Option, | ||
| 502 | - LastReply->Length - 4, | ||
| 503 | + LastReply->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 504 | Dhcp6OptServerId | ||
| 505 | ); | ||
| 506 | if (Option == NULL) { | ||
| 507 | @@ -1673,7 +1744,7 @@ Dhcp6SendRenewRebindMsg ( | ||
| 508 | |||
| 509 | Option = Dhcp6SeekOption ( | ||
| 510 | LastReply->Dhcp6.Option, | ||
| 511 | - LastReply->Length - 4, | ||
| 512 | + LastReply->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 513 | Dhcp6OptServerId | ||
| 514 | ); | ||
| 515 | if (Option == NULL) { | ||
| 516 | @@ -2208,7 +2279,7 @@ Dhcp6HandleReplyMsg ( | ||
| 517 | // | ||
| 518 | Option = Dhcp6SeekOption ( | ||
| 519 | Packet->Dhcp6.Option, | ||
| 520 | - Packet->Length - 4, | ||
| 521 | + Packet->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 522 | Dhcp6OptRapidCommit | ||
| 523 | ); | ||
| 524 | |||
| 525 | @@ -2354,7 +2425,7 @@ Dhcp6HandleReplyMsg ( | ||
| 526 | // | ||
| 527 | // Any error status code option is found. | ||
| 528 | // | ||
| 529 | - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4))); | ||
| 530 | + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option))))); | ||
| 531 | switch (StsCode) { | ||
| 532 | case Dhcp6StsUnspecFail: | ||
| 533 | // | ||
| 534 | @@ -2487,7 +2558,7 @@ Dhcp6SelectAdvertiseMsg ( | ||
| 535 | // | ||
| 536 | Option = Dhcp6SeekOption ( | ||
| 537 | AdSelect->Dhcp6.Option, | ||
| 538 | - AdSelect->Length - 4, | ||
| 539 | + AdSelect->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 540 | Dhcp6OptServerUnicast | ||
| 541 | ); | ||
| 542 | |||
| 543 | @@ -2498,7 +2569,7 @@ Dhcp6SelectAdvertiseMsg ( | ||
| 544 | return EFI_OUT_OF_RESOURCES; | ||
| 545 | } | ||
| 546 | |||
| 547 | - CopyMem (Instance->Unicast, Option + 4, sizeof (EFI_IPv6_ADDRESS)); | ||
| 548 | + CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS)); | ||
| 549 | } | ||
| 550 | |||
| 551 | // | ||
| 552 | @@ -2551,7 +2622,7 @@ Dhcp6HandleAdvertiseMsg ( | ||
| 553 | // | ||
| 554 | Option = Dhcp6SeekOption ( | ||
| 555 | Packet->Dhcp6.Option, | ||
| 556 | - Packet->Length - 4, | ||
| 557 | + Packet->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 558 | Dhcp6OptRapidCommit | ||
| 559 | ); | ||
| 560 | |||
| 561 | @@ -2645,7 +2716,7 @@ Dhcp6HandleAdvertiseMsg ( | ||
| 562 | CopyMem (Instance->AdSelect, Packet, Packet->Size); | ||
| 563 | |||
| 564 | if (Option != NULL) { | ||
| 565 | - Instance->AdPref = *(Option + 4); | ||
| 566 | + Instance->AdPref = *(DHCP6_OFFSET_OF_OPT_DATA (Option)); | ||
| 567 | } | ||
| 568 | } else { | ||
| 569 | // | ||
| 570 | @@ -2714,11 +2785,11 @@ Dhcp6HandleStateful ( | ||
| 571 | // | ||
| 572 | Option = Dhcp6SeekOption ( | ||
| 573 | Packet->Dhcp6.Option, | ||
| 574 | - Packet->Length - 4, | ||
| 575 | + Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN, | ||
| 576 | Dhcp6OptClientId | ||
| 577 | ); | ||
| 578 | |||
| 579 | - if ((Option == NULL) || (CompareMem (Option + 4, ClientId->Duid, ClientId->Length) != 0)) { | ||
| 580 | + if ((Option == NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) != 0)) { | ||
| 581 | goto ON_CONTINUE; | ||
| 582 | } | ||
| 583 | |||
| 584 | @@ -2727,7 +2798,7 @@ Dhcp6HandleStateful ( | ||
| 585 | // | ||
| 586 | Option = Dhcp6SeekOption ( | ||
| 587 | Packet->Dhcp6.Option, | ||
| 588 | - Packet->Length - 4, | ||
| 589 | + Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN, | ||
| 590 | Dhcp6OptServerId | ||
| 591 | ); | ||
| 592 | |||
| 593 | @@ -2832,7 +2903,7 @@ Dhcp6HandleStateless ( | ||
| 594 | // | ||
| 595 | Option = Dhcp6SeekOption ( | ||
| 596 | Packet->Dhcp6.Option, | ||
| 597 | - Packet->Length - 4, | ||
| 598 | + Packet->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 599 | Dhcp6OptServerId | ||
| 600 | ); | ||
| 601 | |||
| 602 | -- | ||
| 603 | 2.40.0 | ||
| 604 | |||
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0002.patch new file mode 100644 index 0000000000..7ce5c98789 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0002.patch | |||
| @@ -0,0 +1,539 @@ | |||
| 1 | From 07362769ab7a7d74dbea1c7a7a3662c7b5d1f097 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> | ||
| 3 | Date: Fri, 26 Jan 2024 05:54:47 +0800 | ||
| 4 | Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit | ||
| 5 | Tests | ||
| 6 | |||
| 7 | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 | ||
| 8 | |||
| 9 | These tests confirm that the report bug... | ||
| 10 | |||
| 11 | "Out-of-bounds read when processing IA_NA/IA_TA options in a | ||
| 12 | DHCPv6 Advertise message" | ||
| 13 | |||
| 14 | ..has been patched. | ||
| 15 | |||
| 16 | The following functions are tested to confirm an out of bounds read is | ||
| 17 | patched and that the correct statuses are returned: | ||
| 18 | |||
| 19 | Dhcp6SeekInnerOptionSafe | ||
| 20 | Dhcp6SeekStsOption | ||
| 21 | |||
| 22 | TCBZ4534 | ||
| 23 | CVE-2023-45229 | ||
| 24 | CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | ||
| 25 | CWE-125 Out-of-bounds Read | ||
| 26 | |||
| 27 | Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 28 | Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> | ||
| 29 | |||
| 30 | Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> | ||
| 31 | Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 32 | |||
| 33 | CVE: CVE-2023-45229 | ||
| 34 | |||
| 35 | Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/07362769ab7a7d74dbea1c7a7a3662c7b5d1f097] | ||
| 36 | |||
| 37 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
| 38 | --- | ||
| 39 | NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 2 +- | ||
| 40 | .../GoogleTest/Dhcp6DxeGoogleTest.inf | 1 + | ||
| 41 | .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 365 +++++++++++++++++- | ||
| 42 | .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | 58 +++ | ||
| 43 | 4 files changed, 423 insertions(+), 3 deletions(-) | ||
| 44 | create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | ||
| 45 | |||
| 46 | diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 47 | index 89d16484a5..3b8feb4a20 100644 | ||
| 48 | --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 49 | +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 50 | @@ -816,7 +816,7 @@ Dhcp6SeekStsOption ( | ||
| 51 | // IA option to the end of the DHCP6 option area, thus subtract the space | ||
| 52 | // up until this option | ||
| 53 | // | ||
| 54 | - OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option); | ||
| 55 | + OptionLen = OptionLen - (UINT32)(*Option - Packet->Dhcp6.Option); | ||
| 56 | |||
| 57 | // | ||
| 58 | // Seek the inner option | ||
| 59 | diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf | ||
| 60 | index 8e9119a371..12532ed30c 100644 | ||
| 61 | --- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf | ||
| 62 | +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf | ||
| 63 | @@ -18,6 +18,7 @@ | ||
| 64 | [Sources] | ||
| 65 | Dhcp6DxeGoogleTest.cpp | ||
| 66 | Dhcp6IoGoogleTest.cpp | ||
| 67 | + Dhcp6IoGoogleTest.h | ||
| 68 | ../Dhcp6Io.c | ||
| 69 | ../Dhcp6Utility.c | ||
| 70 | |||
| 71 | diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | ||
| 72 | index 7ee40e4af4..7db253a7b8 100644 | ||
| 73 | --- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | ||
| 74 | +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | ||
| 75 | @@ -13,6 +13,7 @@ extern "C" { | ||
| 76 | #include <Library/BaseMemoryLib.h> | ||
| 77 | #include "../Dhcp6Impl.h" | ||
| 78 | #include "../Dhcp6Utility.h" | ||
| 79 | + #include "Dhcp6IoGoogleTest.h" | ||
| 80 | } | ||
| 81 | |||
| 82 | //////////////////////////////////////////////////////////////////////// | ||
| 83 | @@ -21,7 +22,35 @@ extern "C" { | ||
| 84 | |||
| 85 | #define DHCP6_PACKET_MAX_LEN 1500 | ||
| 86 | |||
| 87 | +// This definition is used by this test but is also required to compile | ||
| 88 | +// by Dhcp6Io.c | ||
| 89 | +#define DHCPV6_OPTION_IA_NA 3 | ||
| 90 | +#define DHCPV6_OPTION_IA_TA 4 | ||
| 91 | + | ||
| 92 | +#define SEARCH_PATTERN 0xDEADC0DE | ||
| 93 | +#define SEARCH_PATTERN_LEN sizeof(SEARCH_PATTERN) | ||
| 94 | + | ||
| 95 | //////////////////////////////////////////////////////////////////////// | ||
| 96 | +// Test structures for IA_NA and IA_TA options | ||
| 97 | +//////////////////////////////////////////////////////////////////////// | ||
| 98 | +typedef struct { | ||
| 99 | + UINT16 Code; | ||
| 100 | + UINT16 Len; | ||
| 101 | + UINT32 IAID; | ||
| 102 | +} DHCPv6_OPTION; | ||
| 103 | + | ||
| 104 | +typedef struct { | ||
| 105 | + DHCPv6_OPTION Header; | ||
| 106 | + UINT32 T1; | ||
| 107 | + UINT32 T2; | ||
| 108 | + UINT8 InnerOptions[0]; | ||
| 109 | +} DHCPv6_OPTION_IA_NA; | ||
| 110 | + | ||
| 111 | +typedef struct { | ||
| 112 | + DHCPv6_OPTION Header; | ||
| 113 | + UINT8 InnerOptions[0]; | ||
| 114 | +} DHCPv6_OPTION_IA_TA; | ||
| 115 | + | ||
| 116 | //////////////////////////////////////////////////////////////////////// | ||
| 117 | // Symbol Definitions | ||
| 118 | // These functions are not directly under test - but required to compile | ||
| 119 | @@ -210,7 +239,7 @@ TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) { | ||
| 120 | Status = Dhcp6AppendETOption ( | ||
| 121 | Dhcp6AppendETOptionTest::Packet, | ||
| 122 | &Cursor, | ||
| 123 | - &Instance, // Instance is not used in this function | ||
| 124 | + &Instance, // Instance is not used in this function | ||
| 125 | &ElapsedTime | ||
| 126 | ); | ||
| 127 | |||
| 128 | @@ -240,7 +269,7 @@ TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) { | ||
| 129 | Status = Dhcp6AppendETOption ( | ||
| 130 | Dhcp6AppendETOptionTest::Packet, | ||
| 131 | &Cursor, | ||
| 132 | - &Instance, // Instance is not used in this function | ||
| 133 | + &Instance, // Instance is not used in this function | ||
| 134 | &ElapsedTime | ||
| 135 | ); | ||
| 136 | |||
| 137 | @@ -476,3 +505,335 @@ TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) { | ||
| 138 | // verify that the status is EFI_SUCCESS | ||
| 139 | ASSERT_EQ (Status, EFI_SUCCESS); | ||
| 140 | } | ||
| 141 | + | ||
| 142 | +//////////////////////////////////////////////////////////////////////// | ||
| 143 | +// Dhcp6SeekInnerOptionSafe Tests | ||
| 144 | +//////////////////////////////////////////////////////////////////////// | ||
| 145 | + | ||
| 146 | +// Define a fixture for your tests if needed | ||
| 147 | +class Dhcp6SeekInnerOptionSafeTest : public ::testing::Test { | ||
| 148 | +protected: | ||
| 149 | + // Add any setup code if needed | ||
| 150 | + virtual void | ||
| 151 | + SetUp ( | ||
| 152 | + ) | ||
| 153 | + { | ||
| 154 | + // Initialize any resources or variables | ||
| 155 | + } | ||
| 156 | + | ||
| 157 | + // Add any cleanup code if needed | ||
| 158 | + virtual void | ||
| 159 | + TearDown ( | ||
| 160 | + ) | ||
| 161 | + { | ||
| 162 | + // Clean up any resources or variables | ||
| 163 | + } | ||
| 164 | +}; | ||
| 165 | + | ||
| 166 | +// Test Description: | ||
| 167 | +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IANA option is found. | ||
| 168 | +TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAValidOptionExpectSuccess) { | ||
| 169 | + EFI_STATUS Result; | ||
| 170 | + UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 }; | ||
| 171 | + UINT32 OptionLength = sizeof (Option); | ||
| 172 | + DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option; | ||
| 173 | + UINT32 SearchPattern = SEARCH_PATTERN; | ||
| 174 | + | ||
| 175 | + UINTN SearchPatternLength = SEARCH_PATTERN_LEN; | ||
| 176 | + UINT8 *InnerOptionPtr = NULL; | ||
| 177 | + UINT16 InnerOptionLength = 0; | ||
| 178 | + | ||
| 179 | + OptionPtr->Header.Code = Dhcp6OptIana; | ||
| 180 | + OptionPtr->Header.Len = HTONS (4 + 12); // Valid length has to be more than 12 | ||
| 181 | + OptionPtr->Header.IAID = 0x12345678; | ||
| 182 | + OptionPtr->T1 = 0x11111111; | ||
| 183 | + OptionPtr->T2 = 0x22222222; | ||
| 184 | + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); | ||
| 185 | + | ||
| 186 | + Result = Dhcp6SeekInnerOptionSafe ( | ||
| 187 | + Dhcp6OptIana, | ||
| 188 | + Option, | ||
| 189 | + OptionLength, | ||
| 190 | + &InnerOptionPtr, | ||
| 191 | + &InnerOptionLength | ||
| 192 | + ); | ||
| 193 | + ASSERT_EQ (Result, EFI_SUCCESS); | ||
| 194 | + ASSERT_EQ (InnerOptionLength, 4); | ||
| 195 | + ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0); | ||
| 196 | +} | ||
| 197 | + | ||
| 198 | +// Test Description: | ||
| 199 | +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_DEIVCE_ERROR when the IANA option size is invalid. | ||
| 200 | +TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAInvalidSizeExpectFail) { | ||
| 201 | + // Lets add an inner option of bytes we expect to find | ||
| 202 | + EFI_STATUS Status; | ||
| 203 | + UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 }; | ||
| 204 | + UINT32 OptionLength = sizeof (Option); | ||
| 205 | + DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option; | ||
| 206 | + UINT32 SearchPattern = SEARCH_PATTERN; | ||
| 207 | + | ||
| 208 | + UINTN SearchPatternLength = SEARCH_PATTERN_LEN; | ||
| 209 | + UINT8 *InnerOptionPtr = NULL; | ||
| 210 | + UINT16 InnerOptionLength = 0; | ||
| 211 | + | ||
| 212 | + OptionPtr->Header.Code = Dhcp6OptIana; | ||
| 213 | + OptionPtr->Header.Len = HTONS (4); // Set the length to lower than expected (12) | ||
| 214 | + OptionPtr->Header.IAID = 0x12345678; | ||
| 215 | + OptionPtr->T1 = 0x11111111; | ||
| 216 | + OptionPtr->T2 = 0x22222222; | ||
| 217 | + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); | ||
| 218 | + | ||
| 219 | + // Set the InnerOptionLength to be less than the size of the option | ||
| 220 | + Status = Dhcp6SeekInnerOptionSafe ( | ||
| 221 | + Dhcp6OptIana, | ||
| 222 | + Option, | ||
| 223 | + OptionLength, | ||
| 224 | + &InnerOptionPtr, | ||
| 225 | + &InnerOptionLength | ||
| 226 | + ); | ||
| 227 | + ASSERT_EQ (Status, EFI_DEVICE_ERROR); | ||
| 228 | + | ||
| 229 | + // Now set the OptionLength to be less than the size of the option | ||
| 230 | + OptionLength = sizeof (DHCPv6_OPTION_IA_NA) - 1; | ||
| 231 | + Status = Dhcp6SeekInnerOptionSafe ( | ||
| 232 | + Dhcp6OptIana, | ||
| 233 | + Option, | ||
| 234 | + OptionLength, | ||
| 235 | + &InnerOptionPtr, | ||
| 236 | + &InnerOptionLength | ||
| 237 | + ); | ||
| 238 | + ASSERT_EQ (Status, EFI_DEVICE_ERROR); | ||
| 239 | +} | ||
| 240 | + | ||
| 241 | +// Test Description: | ||
| 242 | +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option is found | ||
| 243 | +TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAValidOptionExpectSuccess) { | ||
| 244 | + // Lets add an inner option of bytes we expect to find | ||
| 245 | + EFI_STATUS Status; | ||
| 246 | + UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 }; | ||
| 247 | + UINT32 OptionLength = sizeof (Option); | ||
| 248 | + DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option; | ||
| 249 | + UINT32 SearchPattern = SEARCH_PATTERN; | ||
| 250 | + | ||
| 251 | + UINTN SearchPatternLength = SEARCH_PATTERN_LEN; | ||
| 252 | + UINT8 *InnerOptionPtr = NULL; | ||
| 253 | + UINT16 InnerOptionLength = 0; | ||
| 254 | + | ||
| 255 | + OptionPtr->Header.Code = Dhcp6OptIata; | ||
| 256 | + OptionPtr->Header.Len = HTONS (4 + 4); // Valid length has to be more than 4 | ||
| 257 | + OptionPtr->Header.IAID = 0x12345678; | ||
| 258 | + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); | ||
| 259 | + | ||
| 260 | + Status = Dhcp6SeekInnerOptionSafe ( | ||
| 261 | + Dhcp6OptIata, | ||
| 262 | + Option, | ||
| 263 | + OptionLength, | ||
| 264 | + &InnerOptionPtr, | ||
| 265 | + &InnerOptionLength | ||
| 266 | + ); | ||
| 267 | + ASSERT_EQ (Status, EFI_SUCCESS); | ||
| 268 | + ASSERT_EQ (InnerOptionLength, 4); | ||
| 269 | + ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0); | ||
| 270 | +} | ||
| 271 | + | ||
| 272 | +// Test Description: | ||
| 273 | +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid. | ||
| 274 | +TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAInvalidSizeExpectFail) { | ||
| 275 | + // Lets add an inner option of bytes we expect to find | ||
| 276 | + EFI_STATUS Status; | ||
| 277 | + UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 }; | ||
| 278 | + UINT32 OptionLength = sizeof (Option); | ||
| 279 | + DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option; | ||
| 280 | + UINT32 SearchPattern = SEARCH_PATTERN; | ||
| 281 | + | ||
| 282 | + UINTN SearchPatternLength = SEARCH_PATTERN_LEN; | ||
| 283 | + UINT8 *InnerOptionPtr = NULL; | ||
| 284 | + UINT16 InnerOptionLength = 0; | ||
| 285 | + | ||
| 286 | + OptionPtr->Header.Code = Dhcp6OptIata; | ||
| 287 | + OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4) | ||
| 288 | + OptionPtr->Header.IAID = 0x12345678; | ||
| 289 | + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); | ||
| 290 | + | ||
| 291 | + Status = Dhcp6SeekInnerOptionSafe ( | ||
| 292 | + Dhcp6OptIata, | ||
| 293 | + Option, | ||
| 294 | + OptionLength, | ||
| 295 | + &InnerOptionPtr, | ||
| 296 | + &InnerOptionLength | ||
| 297 | + ); | ||
| 298 | + ASSERT_EQ (Status, EFI_DEVICE_ERROR); | ||
| 299 | + | ||
| 300 | + // Now lets try modifying the OptionLength to be less than the size of the option | ||
| 301 | + OptionLength = sizeof (DHCPv6_OPTION_IA_TA) - 1; | ||
| 302 | + Status = Dhcp6SeekInnerOptionSafe ( | ||
| 303 | + Dhcp6OptIata, | ||
| 304 | + Option, | ||
| 305 | + OptionLength, | ||
| 306 | + &InnerOptionPtr, | ||
| 307 | + &InnerOptionLength | ||
| 308 | + ); | ||
| 309 | + ASSERT_EQ (Status, EFI_DEVICE_ERROR); | ||
| 310 | +} | ||
| 311 | + | ||
| 312 | +// Test Description: | ||
| 313 | +// This test verifies that any other Option Type fails | ||
| 314 | +TEST_F (Dhcp6SeekInnerOptionSafeTest, InvalidOption) { | ||
| 315 | + // Lets add an inner option of bytes we expect to find | ||
| 316 | + EFI_STATUS Result; | ||
| 317 | + UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 }; | ||
| 318 | + UINT32 OptionLength = sizeof (Option); | ||
| 319 | + DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option; | ||
| 320 | + UINT32 SearchPattern = SEARCH_PATTERN; | ||
| 321 | + | ||
| 322 | + UINTN SearchPatternLength = SEARCH_PATTERN_LEN; | ||
| 323 | + UINT8 *InnerOptionPtr = NULL; | ||
| 324 | + UINT16 InnerOptionLength = 0; | ||
| 325 | + | ||
| 326 | + OptionPtr->Header.Code = 0xC0DE; | ||
| 327 | + OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4) | ||
| 328 | + OptionPtr->Header.IAID = 0x12345678; | ||
| 329 | + CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); | ||
| 330 | + | ||
| 331 | + Result = Dhcp6SeekInnerOptionSafe (0xC0DE, Option, OptionLength, &InnerOptionPtr, &InnerOptionLength); | ||
| 332 | + ASSERT_EQ (Result, EFI_DEVICE_ERROR); | ||
| 333 | +} | ||
| 334 | + | ||
| 335 | +//////////////////////////////////////////////////////////////////////// | ||
| 336 | +// Dhcp6SeekStsOption Tests | ||
| 337 | +//////////////////////////////////////////////////////////////////////// | ||
| 338 | + | ||
| 339 | +#define PACKET_SIZE (1500) | ||
| 340 | + | ||
| 341 | +class Dhcp6SeekStsOptionTest : public ::testing::Test { | ||
| 342 | +public: | ||
| 343 | + DHCP6_INSTANCE Instance = { 0 }; | ||
| 344 | + EFI_DHCP6_PACKET *Packet = NULL; | ||
| 345 | + EFI_DHCP6_CONFIG_DATA Config = { 0 }; | ||
| 346 | + | ||
| 347 | +protected: | ||
| 348 | + // Add any setup code if needed | ||
| 349 | + virtual void | ||
| 350 | + SetUp ( | ||
| 351 | + ) | ||
| 352 | + { | ||
| 353 | + // Allocate a packet | ||
| 354 | + Packet = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE); | ||
| 355 | + ASSERT_NE (Packet, nullptr); | ||
| 356 | + | ||
| 357 | + // Initialize the packet | ||
| 358 | + Packet->Size = PACKET_SIZE; | ||
| 359 | + | ||
| 360 | + Instance.Config = &Config; | ||
| 361 | + } | ||
| 362 | + | ||
| 363 | + // Add any cleanup code if needed | ||
| 364 | + virtual void | ||
| 365 | + TearDown ( | ||
| 366 | + ) | ||
| 367 | + { | ||
| 368 | + // Clean up any resources or variables | ||
| 369 | + FreePool (Packet); | ||
| 370 | + } | ||
| 371 | +}; | ||
| 372 | + | ||
| 373 | +// Test Description: | ||
| 374 | +// This test verifies that Dhcp6SeekStsOption returns EFI_DEVICE_ERROR when the option is invalid | ||
| 375 | +// This verifies that the calling function is working as expected | ||
| 376 | +TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) { | ||
| 377 | + EFI_STATUS Status; | ||
| 378 | + UINT8 *Option = NULL; | ||
| 379 | + UINT32 SearchPattern = SEARCH_PATTERN; | ||
| 380 | + UINT16 SearchPatternLength = SEARCH_PATTERN_LEN; | ||
| 381 | + UINT16 *Len = NULL; | ||
| 382 | + EFI_DHCP6_IA Ia = { 0 }; | ||
| 383 | + | ||
| 384 | + Ia.Descriptor.Type = DHCPV6_OPTION_IA_TA; | ||
| 385 | + Ia.IaAddressCount = 1; | ||
| 386 | + Ia.IaAddress[0].PreferredLifetime = 0xDEADBEEF; | ||
| 387 | + Ia.IaAddress[0].ValidLifetime = 0xDEADAAAA; | ||
| 388 | + Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress; | ||
| 389 | + | ||
| 390 | + Packet->Length = sizeof (EFI_DHCP6_HEADER); | ||
| 391 | + | ||
| 392 | + Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option; | ||
| 393 | + | ||
| 394 | + // Let's append the option to the packet | ||
| 395 | + Status = Dhcp6AppendOption ( | ||
| 396 | + Dhcp6SeekStsOptionTest::Packet, | ||
| 397 | + &Option, | ||
| 398 | + Dhcp6OptStatusCode, | ||
| 399 | + SearchPatternLength, | ||
| 400 | + (UINT8 *)&SearchPattern | ||
| 401 | + ); | ||
| 402 | + ASSERT_EQ (Status, EFI_SUCCESS); | ||
| 403 | + | ||
| 404 | + // Inner option length - this will be overwritten later | ||
| 405 | + Len = (UINT16 *)(Option + 2); | ||
| 406 | + | ||
| 407 | + // Fill in the inner IA option | ||
| 408 | + Status = Dhcp6AppendIaOption ( | ||
| 409 | + Dhcp6SeekStsOptionTest::Packet, | ||
| 410 | + &Option, | ||
| 411 | + &Ia, | ||
| 412 | + 0x12345678, | ||
| 413 | + 0x11111111, | ||
| 414 | + 0x22222222 | ||
| 415 | + ); | ||
| 416 | + ASSERT_EQ (Status, EFI_SUCCESS); | ||
| 417 | + | ||
| 418 | + // overwrite the len of inner Ia option | ||
| 419 | + *Len = HTONS (3); | ||
| 420 | + | ||
| 421 | + Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_TA; | ||
| 422 | + | ||
| 423 | + Option = NULL; | ||
| 424 | + Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option); | ||
| 425 | + | ||
| 426 | + ASSERT_EQ (Status, EFI_DEVICE_ERROR); | ||
| 427 | +} | ||
| 428 | + | ||
| 429 | +// Test Description: | ||
| 430 | +// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid. | ||
| 431 | +TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) { | ||
| 432 | + EFI_STATUS Status = EFI_NOT_FOUND; | ||
| 433 | + UINT8 *Option = NULL; | ||
| 434 | + UINT32 SearchPattern = SEARCH_PATTERN; | ||
| 435 | + UINT16 SearchPatternLength = SEARCH_PATTERN_LEN; | ||
| 436 | + EFI_DHCP6_IA Ia = { 0 }; | ||
| 437 | + | ||
| 438 | + Ia.Descriptor.Type = DHCPV6_OPTION_IA_NA; | ||
| 439 | + Ia.IaAddressCount = 1; | ||
| 440 | + Ia.IaAddress[0].PreferredLifetime = 0x11111111; | ||
| 441 | + Ia.IaAddress[0].ValidLifetime = 0x22222222; | ||
| 442 | + Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress; | ||
| 443 | + Packet->Length = sizeof (EFI_DHCP6_HEADER); | ||
| 444 | + | ||
| 445 | + Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option; | ||
| 446 | + | ||
| 447 | + Status = Dhcp6AppendOption ( | ||
| 448 | + Dhcp6SeekStsOptionTest::Packet, | ||
| 449 | + &Option, | ||
| 450 | + Dhcp6OptStatusCode, | ||
| 451 | + SearchPatternLength, | ||
| 452 | + (UINT8 *)&SearchPattern | ||
| 453 | + ); | ||
| 454 | + ASSERT_EQ (Status, EFI_SUCCESS); | ||
| 455 | + | ||
| 456 | + Status = Dhcp6AppendIaOption ( | ||
| 457 | + Dhcp6SeekStsOptionTest::Packet, | ||
| 458 | + &Option, | ||
| 459 | + &Ia, | ||
| 460 | + 0x12345678, | ||
| 461 | + 0x11111111, | ||
| 462 | + 0x22222222 | ||
| 463 | + ); | ||
| 464 | + ASSERT_EQ (Status, EFI_SUCCESS); | ||
| 465 | + | ||
| 466 | + Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_NA; | ||
| 467 | + | ||
| 468 | + Option = NULL; | ||
| 469 | + Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option); | ||
| 470 | + | ||
| 471 | + ASSERT_EQ (Status, EFI_SUCCESS); | ||
| 472 | +} | ||
| 473 | diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | ||
| 474 | new file mode 100644 | ||
| 475 | index 0000000000..aed3b89082 | ||
| 476 | --- /dev/null | ||
| 477 | +++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | ||
| 478 | @@ -0,0 +1,58 @@ | ||
| 479 | +/** @file | ||
| 480 | + Acts as header for private functions under test in Dhcp6Io.c | ||
| 481 | + | ||
| 482 | + Copyright (c) Microsoft Corporation | ||
| 483 | + SPDX-License-Identifier: BSD-2-Clause-Patent | ||
| 484 | +**/ | ||
| 485 | + | ||
| 486 | +#ifndef DHCP6_IO_GOOGLE_TEST_H_ | ||
| 487 | +#define DHCP6_IO_GOOGLE_TEST_H_ | ||
| 488 | + | ||
| 489 | +//////////////////////////////////////////////////////////////////////////////// | ||
| 490 | +// These are the functions that are being unit tested | ||
| 491 | +//////////////////////////////////////////////////////////////////////////////// | ||
| 492 | + | ||
| 493 | +#include <Uefi.h> | ||
| 494 | + | ||
| 495 | +/** | ||
| 496 | + Seeks the Inner Options from a DHCP6 Option | ||
| 497 | + | ||
| 498 | + @param[in] IaType The type of the IA option. | ||
| 499 | + @param[in] Option The pointer to the DHCP6 Option. | ||
| 500 | + @param[in] OptionLen The length of the DHCP6 Option. | ||
| 501 | + @param[out] IaInnerOpt The pointer to the IA inner option. | ||
| 502 | + @param[out] IaInnerLen The length of the IA inner option. | ||
| 503 | + | ||
| 504 | + @retval EFI_SUCCESS Seek the inner option successfully. | ||
| 505 | + @retval EFI_DEVICE_ERROR The OptionLen is invalid. | ||
| 506 | +*/ | ||
| 507 | +EFI_STATUS | ||
| 508 | +Dhcp6SeekInnerOptionSafe ( | ||
| 509 | + UINT16 IaType, | ||
| 510 | + UINT8 *Option, | ||
| 511 | + UINT32 OptionLen, | ||
| 512 | + UINT8 **IaInnerOpt, | ||
| 513 | + UINT16 *IaInnerLen | ||
| 514 | + ); | ||
| 515 | + | ||
| 516 | +/** | ||
| 517 | + Seek StatusCode Option in package. A Status Code option may appear in the | ||
| 518 | + options field of a DHCP message and/or in the options field of another option. | ||
| 519 | + See details in section 22.13, RFC3315. | ||
| 520 | + | ||
| 521 | + @param[in] Instance The pointer to the Dhcp6 instance. | ||
| 522 | + @param[in] Packet The pointer to reply messages. | ||
| 523 | + @param[out] Option The pointer to status code option. | ||
| 524 | + | ||
| 525 | + @retval EFI_SUCCESS Seek status code option successfully. | ||
| 526 | + @retval EFI_DEVICE_ERROR An unexpected error. | ||
| 527 | + | ||
| 528 | +**/ | ||
| 529 | +EFI_STATUS | ||
| 530 | +Dhcp6SeekStsOption ( | ||
| 531 | + IN DHCP6_INSTANCE *Instance, | ||
| 532 | + IN EFI_DHCP6_PACKET *Packet, | ||
| 533 | + OUT UINT8 **Option | ||
| 534 | + ); | ||
| 535 | + | ||
| 536 | +#endif // DHCP6_IO_GOOGLE_TEST_H | ||
| 537 | -- | ||
| 538 | 2.40.0 | ||
| 539 | |||
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0003.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0003.patch new file mode 100644 index 0000000000..bf4e8eda1f --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0003.patch | |||
| @@ -0,0 +1,244 @@ | |||
| 1 | From 1c440a5eceedc64e892877eeac0f1a4938f5abbb Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Doug Flick <dougflick@microsoft.com> | ||
| 3 | Date: Tue, 13 Feb 2024 10:46:00 -0800 | ||
| 4 | Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related | ||
| 5 | Patch | ||
| 6 | |||
| 7 | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4673 | ||
| 8 | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 | ||
| 9 | |||
| 10 | This was not part of the Quarkslab bugs however the same pattern | ||
| 11 | as CVE-2023-45229 exists in Dhcp6UpdateIaInfo. | ||
| 12 | |||
| 13 | This patch replaces the code in question with the safe function | ||
| 14 | created to patch CVE-2023-45229 | ||
| 15 | |||
| 16 | > | ||
| 17 | > if (EFI_ERROR ( | ||
| 18 | > Dhcp6SeekInnerOptionSafe ( | ||
| 19 | > Instance->Config->IaDescriptor.Type, | ||
| 20 | > Option, | ||
| 21 | > OptionLen, | ||
| 22 | > &IaInnerOpt, | ||
| 23 | > &IaInnerLen | ||
| 24 | > ) | ||
| 25 | > )) | ||
| 26 | > { | ||
| 27 | > return EFI_DEVICE_ERROR; | ||
| 28 | > } | ||
| 29 | > | ||
| 30 | |||
| 31 | Additionally corrects incorrect usage of macro to read the status | ||
| 32 | |||
| 33 | > - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN | ||
| 34 | (Option))); | ||
| 35 | > + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) | ||
| 36 | DHCP6_OFFSET_OF_STATUS_CODE (Option)); | ||
| 37 | |||
| 38 | Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 39 | Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> | ||
| 40 | Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> | ||
| 41 | Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 42 | Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com> | ||
| 43 | |||
| 44 | CVE: CVE-2023-45229 | ||
| 45 | |||
| 46 | Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1c440a5eceedc64e892877eeac0f1a4938f5abbb] | ||
| 47 | |||
| 48 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
| 49 | --- | ||
| 50 | NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 70 ++++++++++++++++++++++++++--------- | ||
| 51 | NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | 22 +++++++++++ | ||
| 52 | 2 files changed, 75 insertions(+), 17 deletions(-) | ||
| 53 | |||
| 54 | diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 55 | index 3b8feb4a20..a9bffae353 100644 | ||
| 56 | --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 57 | +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | ||
| 58 | @@ -528,13 +528,23 @@ Dhcp6UpdateIaInfo ( | ||
| 59 | { | ||
| 60 | EFI_STATUS Status; | ||
| 61 | UINT8 *Option; | ||
| 62 | + UINT32 OptionLen; | ||
| 63 | UINT8 *IaInnerOpt; | ||
| 64 | UINT16 IaInnerLen; | ||
| 65 | UINT16 StsCode; | ||
| 66 | UINT32 T1; | ||
| 67 | UINT32 T2; | ||
| 68 | |||
| 69 | + T1 = 0; | ||
| 70 | + T2 = 0; | ||
| 71 | + | ||
| 72 | ASSERT (Instance->Config != NULL); | ||
| 73 | + | ||
| 74 | + // OptionLen is the length of the Options excluding the DHCP header. | ||
| 75 | + // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last | ||
| 76 | + // byte of the Option[] field. | ||
| 77 | + OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header); | ||
| 78 | + | ||
| 79 | // | ||
| 80 | // If the reply was received in response to a solicit with rapid commit option, | ||
| 81 | // request, renew or rebind message, the client updates the information it has | ||
| 82 | @@ -549,13 +559,29 @@ Dhcp6UpdateIaInfo ( | ||
| 83 | // | ||
| 84 | Option = Dhcp6SeekIaOption ( | ||
| 85 | Packet->Dhcp6.Option, | ||
| 86 | - Packet->Length - sizeof (EFI_DHCP6_HEADER), | ||
| 87 | + OptionLen, | ||
| 88 | &Instance->Config->IaDescriptor | ||
| 89 | ); | ||
| 90 | if (Option == NULL) { | ||
| 91 | return EFI_DEVICE_ERROR; | ||
| 92 | } | ||
| 93 | |||
| 94 | + // | ||
| 95 | + // Calculate the distance from Packet->Dhcp6.Option to the IA option. | ||
| 96 | + // | ||
| 97 | + // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is | ||
| 98 | + // the size of the whole packet, including the DHCP header, and Packet->Length | ||
| 99 | + // is the length of the DHCP message body, excluding the DHCP header. | ||
| 100 | + // | ||
| 101 | + // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of | ||
| 102 | + // DHCP6 option area to the start of the IA option. | ||
| 103 | + // | ||
| 104 | + // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the | ||
| 105 | + // IA option to the end of the DHCP6 option area, thus subtract the space | ||
| 106 | + // up until this option | ||
| 107 | + // | ||
| 108 | + OptionLen = OptionLen - (UINT32)(Option - Packet->Dhcp6.Option); | ||
| 109 | + | ||
| 110 | // | ||
| 111 | // The format of the IA_NA option is: | ||
| 112 | // | ||
| 113 | @@ -591,32 +617,32 @@ Dhcp6UpdateIaInfo ( | ||
| 114 | // | ||
| 115 | |||
| 116 | // | ||
| 117 | - // sizeof (option-code + option-len + IaId) = 8 | ||
| 118 | - // sizeof (option-code + option-len + IaId + T1) = 12 | ||
| 119 | - // sizeof (option-code + option-len + IaId + T1 + T2) = 16 | ||
| 120 | - // | ||
| 121 | - // The inner options still start with 2 bytes option-code and 2 bytes option-len. | ||
| 122 | + // Seek the inner option | ||
| 123 | // | ||
| 124 | + if (EFI_ERROR ( | ||
| 125 | + Dhcp6SeekInnerOptionSafe ( | ||
| 126 | + Instance->Config->IaDescriptor.Type, | ||
| 127 | + Option, | ||
| 128 | + OptionLen, | ||
| 129 | + &IaInnerOpt, | ||
| 130 | + &IaInnerLen | ||
| 131 | + ) | ||
| 132 | + )) | ||
| 133 | + { | ||
| 134 | + return EFI_DEVICE_ERROR; | ||
| 135 | + } | ||
| 136 | + | ||
| 137 | if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) { | ||
| 138 | T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option)))); | ||
| 139 | T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option)))); | ||
| 140 | // | ||
| 141 | // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2, | ||
| 142 | // and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes | ||
| 143 | - // the remainder of the message as though the server had not included the invalid IA_NA option. | ||
| 144 | + // the remainder of the message as though the server had not included the invalid IA_NA option. | ||
| 145 | // | ||
| 146 | if ((T1 > T2) && (T2 > 0)) { | ||
| 147 | return EFI_DEVICE_ERROR; | ||
| 148 | } | ||
| 149 | - | ||
| 150 | - IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); | ||
| 151 | - IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2); | ||
| 152 | - } else { | ||
| 153 | - T1 = 0; | ||
| 154 | - T2 = 0; | ||
| 155 | - | ||
| 156 | - IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); | ||
| 157 | - IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); | ||
| 158 | } | ||
| 159 | |||
| 160 | // | ||
| 161 | @@ -642,7 +668,7 @@ Dhcp6UpdateIaInfo ( | ||
| 162 | Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); | ||
| 163 | |||
| 164 | if (Option != NULL) { | ||
| 165 | - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); | ||
| 166 | + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (Option)))); | ||
| 167 | if (StsCode != Dhcp6StsSuccess) { | ||
| 168 | return EFI_DEVICE_ERROR; | ||
| 169 | } | ||
| 170 | @@ -703,15 +729,21 @@ Dhcp6SeekInnerOptionSafe ( | ||
| 171 | } | ||
| 172 | |||
| 173 | if (IaType == Dhcp6OptIana) { | ||
| 174 | + // | ||
| 175 | // Verify we have a fully formed IA_NA | ||
| 176 | + // | ||
| 177 | if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) { | ||
| 178 | return EFI_DEVICE_ERROR; | ||
| 179 | } | ||
| 180 | |||
| 181 | + // | ||
| 182 | + // Get the IA Inner Option and Length | ||
| 183 | // | ||
| 184 | IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); | ||
| 185 | |||
| 186 | + // | ||
| 187 | // Verify the IaInnerLen is valid. | ||
| 188 | + // | ||
| 189 | IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option))); | ||
| 190 | if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) { | ||
| 191 | return EFI_DEVICE_ERROR; | ||
| 192 | @@ -719,14 +751,18 @@ Dhcp6SeekInnerOptionSafe ( | ||
| 193 | |||
| 194 | IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2; | ||
| 195 | } else if (IaType == Dhcp6OptIata) { | ||
| 196 | + // | ||
| 197 | // Verify the OptionLen is valid. | ||
| 198 | + // | ||
| 199 | if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) { | ||
| 200 | return EFI_DEVICE_ERROR; | ||
| 201 | } | ||
| 202 | |||
| 203 | IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); | ||
| 204 | |||
| 205 | + // | ||
| 206 | // Verify the IaInnerLen is valid. | ||
| 207 | + // | ||
| 208 | IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); | ||
| 209 | if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) { | ||
| 210 | return EFI_DEVICE_ERROR; | ||
| 211 | diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | ||
| 212 | index 051a652f2b..ab0e1ac27f 100644 | ||
| 213 | --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | ||
| 214 | +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | ||
| 215 | @@ -217,4 +217,26 @@ Dhcp6OnTimerTick ( | ||
| 216 | IN VOID *Context | ||
| 217 | ); | ||
| 218 | |||
| 219 | +/** | ||
| 220 | + Seeks the Inner Options from a DHCP6 Option | ||
| 221 | + | ||
| 222 | + @param[in] IaType The type of the IA option. | ||
| 223 | + @param[in] Option The pointer to the DHCP6 Option. | ||
| 224 | + @param[in] OptionLen The length of the DHCP6 Option. | ||
| 225 | + @param[out] IaInnerOpt The pointer to the IA inner option. | ||
| 226 | + @param[out] IaInnerLen The length of the IA inner option. | ||
| 227 | + | ||
| 228 | + @retval EFI_SUCCESS Seek the inner option successfully. | ||
| 229 | + @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error, | ||
| 230 | + the pointers are not modified | ||
| 231 | +**/ | ||
| 232 | +EFI_STATUS | ||
| 233 | +Dhcp6SeekInnerOptionSafe ( | ||
| 234 | + IN UINT16 IaType, | ||
| 235 | + IN UINT8 *Option, | ||
| 236 | + IN UINT32 OptionLen, | ||
| 237 | + OUT UINT8 **IaInnerOpt, | ||
| 238 | + OUT UINT16 *IaInnerLen | ||
| 239 | + ); | ||
| 240 | + | ||
| 241 | #endif | ||
| 242 | -- | ||
| 243 | 2.40.0 | ||
| 244 | |||
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0004.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0004.patch new file mode 100644 index 0000000000..85d204972d --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0004.patch | |||
| @@ -0,0 +1,157 @@ | |||
| 1 | From 1d0b95f6457d225c5108302a9da74b4ed7aa5a38 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> | ||
| 3 | Date: Fri, 26 Jan 2024 05:54:57 +0800 | ||
| 4 | Subject: [PATCH] NetworkPkg: : Adds a SecurityFix.yaml file | ||
| 5 | |||
| 6 | This creates / adds a security file that tracks the security fixes | ||
| 7 | found in this package and can be used to find the fixes that were | ||
| 8 | applied. | ||
| 9 | |||
| 10 | Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 11 | Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> | ||
| 12 | |||
| 13 | Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> | ||
| 14 | Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> | ||
| 15 | |||
| 16 | CVE: CVE_2023_45229 | ||
| 17 | |||
| 18 | Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1d0b95f6457d225c5108302a9da74b4ed7aa5a38] | ||
| 19 | |||
| 20 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
| 21 | --- | ||
| 22 | NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++ | ||
| 23 | 1 file changed, 123 insertions(+) | ||
| 24 | create mode 100644 NetworkPkg/SecurityFixes.yaml | ||
| 25 | |||
| 26 | diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml | ||
| 27 | new file mode 100644 | ||
| 28 | index 0000000000..7e900483fe | ||
| 29 | --- /dev/null | ||
| 30 | +++ b/NetworkPkg/SecurityFixes.yaml | ||
| 31 | @@ -0,0 +1,123 @@ | ||
| 32 | +## @file | ||
| 33 | +# Security Fixes for SecurityPkg | ||
| 34 | +# | ||
| 35 | +# Copyright (c) Microsoft Corporation | ||
| 36 | +# SPDX-License-Identifier: BSD-2-Clause-Patent | ||
| 37 | +## | ||
| 38 | +CVE_2023_45229: | ||
| 39 | + commit_titles: | ||
| 40 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch" | ||
| 41 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests" | ||
| 42 | + cve: CVE-2023-45229 | ||
| 43 | + date_reported: 2023-08-28 13:56 UTC | ||
| 44 | + description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message" | ||
| 45 | + note: | ||
| 46 | + files_impacted: | ||
| 47 | + - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c | ||
| 48 | + - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h | ||
| 49 | + links: | ||
| 50 | + - https://bugzilla.tianocore.org/show_bug.cgi?id=4534 | ||
| 51 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-45229 | ||
| 52 | + - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| 53 | + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| 54 | + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| 55 | +CVE_2023_45230: | ||
| 56 | + commit_titles: | ||
| 57 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch" | ||
| 58 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests" | ||
| 59 | + cve: CVE-2023-45230 | ||
| 60 | + date_reported: 2023-08-28 13:56 UTC | ||
| 61 | + description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option" | ||
| 62 | + note: | ||
| 63 | + files_impacted: | ||
| 64 | + - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c | ||
| 65 | + - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h | ||
| 66 | + links: | ||
| 67 | + - https://bugzilla.tianocore.org/show_bug.cgi?id=4535 | ||
| 68 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-45230 | ||
| 69 | + - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| 70 | + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| 71 | + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| 72 | +CVE_2023_45231: | ||
| 73 | + commit_titles: | ||
| 74 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch" | ||
| 75 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests" | ||
| 76 | + cve: CVE-2023-45231 | ||
| 77 | + date_reported: 2023-08-28 13:56 UTC | ||
| 78 | + description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options" | ||
| 79 | + note: | ||
| 80 | + files_impacted: | ||
| 81 | + - NetworkPkg/Ip6Dxe/Ip6Option.c | ||
| 82 | + links: | ||
| 83 | + - https://bugzilla.tianocore.org/show_bug.cgi?id=4536 | ||
| 84 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-45231 | ||
| 85 | + - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| 86 | + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| 87 | + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| 88 | +CVE_2023_45232: | ||
| 89 | + commit_titles: | ||
| 90 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" | ||
| 91 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests" | ||
| 92 | + cve: CVE-2023-45232 | ||
| 93 | + date_reported: 2023-08-28 13:56 UTC | ||
| 94 | + description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header" | ||
| 95 | + note: | ||
| 96 | + files_impacted: | ||
| 97 | + - NetworkPkg/Ip6Dxe/Ip6Option.c | ||
| 98 | + - NetworkPkg/Ip6Dxe/Ip6Option.h | ||
| 99 | + links: | ||
| 100 | + - https://bugzilla.tianocore.org/show_bug.cgi?id=4537 | ||
| 101 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-45232 | ||
| 102 | + - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| 103 | + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| 104 | + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| 105 | +CVE_2023_45233: | ||
| 106 | + commit_titles: | ||
| 107 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" | ||
| 108 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests" | ||
| 109 | + cve: CVE-2023-45233 | ||
| 110 | + date_reported: 2023-08-28 13:56 UTC | ||
| 111 | + description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header " | ||
| 112 | + note: This was fixed along with CVE-2023-45233 | ||
| 113 | + files_impacted: | ||
| 114 | + - NetworkPkg/Ip6Dxe/Ip6Option.c | ||
| 115 | + - NetworkPkg/Ip6Dxe/Ip6Option.h | ||
| 116 | + links: | ||
| 117 | + - https://bugzilla.tianocore.org/show_bug.cgi?id=4538 | ||
| 118 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-45233 | ||
| 119 | + - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| 120 | + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| 121 | + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| 122 | +CVE_2023_45234: | ||
| 123 | + commit_titles: | ||
| 124 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch" | ||
| 125 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests" | ||
| 126 | + cve: CVE-2023-45234 | ||
| 127 | + date_reported: 2023-08-28 13:56 UTC | ||
| 128 | + description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message" | ||
| 129 | + note: | ||
| 130 | + files_impacted: | ||
| 131 | + - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | ||
| 132 | + links: | ||
| 133 | + - https://bugzilla.tianocore.org/show_bug.cgi?id=4539 | ||
| 134 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-45234 | ||
| 135 | + - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| 136 | + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| 137 | + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| 138 | +CVE_2023_45235: | ||
| 139 | + commit_titles: | ||
| 140 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch" | ||
| 141 | + - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests" | ||
| 142 | + cve: CVE-2023-45235 | ||
| 143 | + date_reported: 2023-08-28 13:56 UTC | ||
| 144 | + description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message" | ||
| 145 | + note: | ||
| 146 | + files_impacted: | ||
| 147 | + - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | ||
| 148 | + - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | ||
| 149 | + links: | ||
| 150 | + - https://bugzilla.tianocore.org/show_bug.cgi?id=4540 | ||
| 151 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-45235 | ||
| 152 | + - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| 153 | + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| 154 | + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| 155 | -- | ||
| 156 | 2.40.0 | ||
| 157 | |||
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index ceebb53438..6ac72772d1 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb | |||
| @@ -43,6 +43,10 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ | |||
| 43 | file://CVE-2023-45234-0002.patch \ | 43 | file://CVE-2023-45234-0002.patch \ |
| 44 | file://CVE-2023-45235-0001.patch \ | 44 | file://CVE-2023-45235-0001.patch \ |
| 45 | file://CVE-2023-45235-0002.patch \ | 45 | file://CVE-2023-45235-0002.patch \ |
| 46 | file://CVE-2023-45229-0001.patch \ | ||
| 47 | file://CVE-2023-45229-0002.patch \ | ||
| 48 | file://CVE-2023-45229-0003.patch \ | ||
| 49 | file://CVE-2023-45229-0004.patch \ | ||
| 46 | " | 50 | " |
| 47 | 51 | ||
| 48 | PV = "edk2-stable202202" | 52 | PV = "edk2-stable202202" |
