diff options
author | Gua Guo <gua.guo@intel.com> | 2024-01-11 13:01:19 +0800 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-01-16 23:36:08 +0000 |
commit | 59f024c76ee57c2bec84794536302fc770cd6ec2 (patch) | |
tree | 170c7b9239303e7aad9cd5699bf4358cd8b04eea /MdePkg | |
parent | 9971b99461e930008e3d35bc0a4a310b6afa57f6 (diff) | |
download | edk2-59f024c76ee57c2bec84794536302fc770cd6ec2.zip edk2-59f024c76ee57c2bec84794536302fc770cd6ec2.tar.gz edk2-59f024c76ee57c2bec84794536302fc770cd6ec2.tar.bz2 |
UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Guo Dong <guo.dong@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Reviewed-by: Gua Guo <gua.guo@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
Diffstat (limited to 'MdePkg')
0 files changed, 0 insertions, 0 deletions