diff --git a/0006-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch b/0006-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4888c63ce6f33133445e8bea04231ca42d8a13d5
--- /dev/null
+++ b/0006-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
@@ -0,0 +1,93 @@
+From e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Thu, 19 Nov 2020 12:50:34 +0100
+Subject: [PATCH] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed
+ buffer sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The LzmaUefiDecompressGetInfo() function
+[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
+silently truncates the UINT64 "DecodedSize" property of the compressed
+blob to the UINT32 "DestinationSize" output parameter.
+
+If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
+allocation (for decompression) will likely succeed (allocating 0x100 bytes
+only), but then the LzmaUefiDecompress() function (which re-fetches the
+uncompressed buffer size from the same LZMA header into a "SizeT"
+variable) will overwrite the buffer.
+
+Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
+This should not be a practical limitation. (The issue cannot be fixed for
+32-bit systems without spec modifications anyway, given that the
+"OutputSize" output parameter of
+EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
+not UINT64.)
+
+Cc: Dandan Bi
+Cc: Hao A Wu
+Cc: Jian J Wang
+Cc: Liming Gao
+Cc: Philippe Mathieu-Daudé
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
+Signed-off-by: Laszlo Ersek
+Reviewed-by: Liming Gao
+Reviewed-by: Philippe Mathieu-Daudé
+Message-Id: <20201119115034.12897-2-lersek@redhat.com>
+---
+ .../Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++
+ .../LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+index c58912eb6a..8f7c242dca 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf(
+ in DestinationSize and the size of the scratch
+ buffer was returned in ScratchSize.
+
++ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
++ uncompressed buffer size (in bytes) does not fit
++ in a UINT32. Output parameters have not been
++ modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo (
+ ASSERT(SourceSize >= LZMA_HEADER_SIZE);
+
+ DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
++ if (DecodedSize > MAX_UINT32) {
++ return RETURN_UNSUPPORTED;
++ }
+
+ *DestinationSize = (UINT32)DecodedSize;
+ *ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE;
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+index 26f110ba2a..fbafd5f100 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+@@ -9,6 +9,7 @@
+ #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__
+ #define __LZMADECOMPRESSLIB_INTERNAL_H__
+
++#include
+ #include
+ #include
+ #include
+@@ -45,6 +46,10 @@
+ in DestinationSize and the size of the scratch
+ buffer was returned in ScratchSize.
+
++ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the
++ uncompressed buffer size (in bytes) does not fit
++ in a UINT32. Output parameters have not been
++ modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+--
+2.27.0
+
diff --git a/edk2.spec b/edk2.spec
index 782bd9b50cc6310b961aa0e4eb8957a2d5a27264..36f930521a546865cb59489ad5faccf82bf0459e 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@ Name: edk2
 Version: %{stable_date}
-Release: 4
+Release: 5
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
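Review bot: In the embedded patch's LzmaDecompressLibInternal.h hunk (`@@ -9,6 +9,7 @@`), the added line reads as a bare `++#include` with no header name in this copy, as do the three context includes that follow, so the bracketed file names appear to have been stripped in rendering; the stored patch should be checked against upstream commit e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0 to confirm it still applies and that the new include is the one that provides MAX_UINT32 for the guard in LzmaUefiDecompressGetInfo(). The new `if (DecodedSize > MAX_UINT32) { return RETURN_UNSUPPORTED; }` only protects the GetInfo path; since the description itself notes that LzmaUefiDecompress() re-reads the size from the same header, the fix is only effective if every caller propagates the new status and sizes the destination buffer from GetInfo's output, which lives in core code outside this patch and is worth confirming for the backport. The surrounding context `ASSERT(SourceSize >= LZMA_HEADER_SIZE);` shows the header-length check in the same function is still assert-only, which is typically compiled out in RELEASE builds, so for firmware volumes treated as untrusted a runtime `if (SourceSize < LZMA_HEADER_SIZE) { return RETURN_INVALID_PARAMETER; }` would complement the new guard, though that is beyond this backport's scope. The enclosing LzmaUefiDecompressGetInfo() body starts and ends outside the inner hunk.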
@@ -19,6 +19,7 @@ Patch0004: 0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
 Patch0005: 0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch
 Patch0006: 0004-MdeModulePkg-Core-Dxe-assert-SectionInstance-invariant-in-FindChildNode.patch
 Patch0007: 0005-MdeModulePkg-Core-Dxe-limit-FwVol-encapsulation-section-recursion.patch
+Patch0008: 0006-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2
@@ -214,6 +215,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Mon Aug 30 2021 miaoyubo - 202002-5
+- MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed
+
 * Mon Jun 28 2021 Jiajie Li - 202002-4
 - Fix CVE-2021-28210