riscv-gnu-toolchain/qemu/roms/edk2.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Gua Guo <gua.guo@intel.com>	2024-01-11 13:01:19 +0800
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>	2024-01-16 23:36:08 +0000
commit	59f024c76ee57c2bec84794536302fc770cd6ec2 (patch)
tree	170c7b9239303e7aad9cd5699bf4358cd8b04eea /PrmPkg
parent	9971b99461e930008e3d35bc0a4a310b6afa57f6 (diff)
download	edk2-59f024c76ee57c2bec84794536302fc770cd6ec2.zip edk2-59f024c76ee57c2bec84794536302fc770cd6ec2.tar.gz edk2-59f024c76ee57c2bec84794536302fc770cd6ec2.tar.bz2

UefiPayloadPkg/Hob: Integer Overflow in CreateHob()

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 Fix integer overflow in various CreateHob instances. Fixes: CVE-2022-36765 The CreateHob() function aligns the requested size to 8 performing the following operation: ``` HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); ``` No checks are performed to ensure this value doesn't overflow, and could lead to CreateHob() returning a smaller HOB than requested, which could lead to OOB HOB accesses. Reported-by: Marc Beatove <mbeatove@google.com> Cc: Guo Dong <guo.dong@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Reviewed-by: Gua Guo <gua.guo@intel.com> Cc: John Mathew <john.mathews@intel.com> Authored-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gua Guo <gua.guo@intel.com>

Diffstat (limited to 'PrmPkg')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: