diff --git a/backport-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch b/backport-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch
new file mode 100644
index 0000000000000000000000000000000000000000..53d97251f2d9f769f9bc21caefdc7486f7bdcc67
--- /dev/null
+++ b/backport-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch
@@ -0,0 +1,45 @@
+From 0226b56513b2b8bd5fd281bce77c40c9bf07c66d Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 2 Aug 2023 14:19:31 -0400
+Subject: [PATCH] CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+
+When retrieving files via HTTP or related protocols, shim attempts to
+allocate a buffer to store the received data. Unfortunately, this means
+getting the size from an HTTP header, which can be manipulated to
+specify a size that's smaller than the received data. In this case, the
+code accidentally uses the header for the allocation but the protocol
+metadata to copy it from the rx buffer, resulting in an out-of-bounds
+write.
+
+This patch adds an additional check to test that the rx buffer is not
+larger than the allocation.
+
+Resolves: CVE-2023-40547
+Reported-by: Bill Demirkapi, Microsoft Security Response Center
+Signed-off-by: Peter Jones
+---
+ httpboot.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/httpboot.c b/httpboot.c
+index dfa493b..b34dd49 100644
+--- a/httpboot.c
++++ b/httpboot.c
+@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
+ }
+
+ if (*buf_size == 0) {
+- perror(L"Failed to get Content-Lenght\n");
++ perror(L"Failed to get Content-Length\n");
++ goto error;
++ }
++
++ if (*buf_size < rx_message.BodyLength) {
++ efi_status = EFI_BAD_BUFFER_SIZE;
++ perror(L"Invalid Content-Length\n");
+ goto error;
+ }
+
+--
+2.33.0
+
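Review bot: The zero-length branch in the httpboot.c hunk (`perror(L"Failed to get Content-Length\n"); goto error;`) jumps to `error` without assigning `efi_status`, whereas the new undersized-length check right below it sets `efi_status = EFI_BAD_BUFFER_SIZE;` before its own `goto error`. If `efi_status` still holds the result of the preceding successful call at that point, the caller could be handed a success status with no usable buffer on the zero-length path; assigning a failure status there as well, e.g. `efi_status = EFI_BAD_BUFFER_SIZE;` or whatever the function uses for a malformed response, would make the two rejections consistent. This is pre-existing behaviour that the patch preserves rather than a regression it introduces, so it is a follow-up item. receive_http_response's body starts and ends outside the hunk, so what `efi_status` holds here cannot be confirmed from the hunk alone.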
diff --git a/backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch b/backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc3fdfed2ee546fc89f8c27c849cc131734506ca
--- /dev/null
+++ b/backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@@ -0,0 +1,81 @@
+From 945f88af2301bb4deec66eb16cd47136970ab2f2 Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Tue, 30 Jan 2024 10:20:28 +0800
+Subject: [PATCH] CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+
+In read_header(), we attempt to parse the PE binary headers. In doing
+so, if there is an MZ (i.e. MS-DOS) header, we locate the PE header by
+finding the offset in that header. Unfortunately that is not correctly
+bounds checked, and carefully chosen values can cause an out-of-bounds
+ready beyond the end of the loaded binary.
+
+Unfortunately the trivial fix (bounds check that value) also makes it
+clear that the way we were determining if an image is loadable on this
+platform and distinguishing between PE32 and PE32+ binaries has the
+exact same issue going on, and so the fix includes reworking that logic
+to correctly bounds check all of those tests as well.
+h
+It's not currently known if this is actually exploitable beyond creating
+a denial of service, and an attacker who is in a position to use it for
+a denial of service attack must already be able to do so.
+
+Resolves: CVE-2023-40551
+Reported-by: gkirkpatrick@google.com
+Signed-off-by: Peter Jones
+---
+ shim.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index 2c3dbf3..8bfa652 100644
+--- a/shim.c
++++ b/shim.c
+@@ -161,7 +161,7 @@ static int
+ image_is_64_bit(EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr)
+ {
+ /* .Magic is the same offset in all cases */
+- if (PEHdr->Pe32Plus.OptionalHeader.Magic
++ if (PEHdr->Pe32.OptionalHeader.Magic
+ == EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC)
+ return 1;
+ return 0;
+@@ -1095,14 +1095,34 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
+ EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data;
+ unsigned long HeaderWithoutDataDir, SectionHeaderOffset, OptHeaderSize;
+ unsigned long FileAlignment = 0;
++ size_t dos_sz = 0;
+
+- if (datasize < sizeof (PEHdr->Pe32)) {
++ if (datasize < sizeof (*DosHdr)) {
+ perror(L"Invalid image\n");
+ return EFI_UNSUPPORTED;
+ }
+
+- if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE)
++ if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {
++ if (DosHdr->e_lfanew < sizeof (*DosHdr) ||
++ DosHdr->e_lfanew > datasize - 4) {
++ perror(L"Invalid image\n");
++ return EFI_UNSUPPORTED;
++ }
++
++ dos_sz = DosHdr->e_lfanew;
+ PEHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((char *)data + DosHdr->e_lfanew);
++ }
++
++ if (datasize - dos_sz < sizeof (PEHdr->Pe32)) {
++ perror(L"Invalid image\n");
++ return EFI_UNSUPPORTED;
++ }
++
++ if (image_is_64_bit(PEHdr) &&
++ (datasize - dos_sz < sizeof (PEHdr->Pe32Plus))) {
++ perror(L"Invalid image\n");
++ return EFI_UNSUPPORTED;
++ }
+
+ if (!image_is_loadable(PEHdr)) {
+ perror(L"Platform does not support this image\n");
+--
+2.33.0
+
diff --git a/shim.spec b/shim.spec
index 1ea701962856b2ae52812c7b08eb78a7eddeb431..2ff71a084aed0d0f7fdf0484aa2e851962d8a3bc 100644
--- a/shim.spec
+++ b/shim.spec
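Review bot: The bound `DosHdr->e_lfanew > datasize - 4` in the read_header hunk leaves the literal 4 unexplained; it appears to reserve room for the 4-byte PE signature that must follow the MZ header, and a comment such as `/* the 4-byte PE signature must fit after e_lfanew */` would make the intent clear to the next reader. The arithmetic itself looks sound: `datasize - 4` cannot underflow because `datasize < sizeof (*DosHdr)` is rejected first, and the later `datasize - dos_sz` subtractions are safe since `dos_sz <= datasize - 4`; `image_is_64_bit()` now reads `Pe32.OptionalHeader.Magic` and is only reached after the `sizeof (PEHdr->Pe32)` check, so that read stays in bounds. The embedded commit message carries a stray `h` line before `It's not currently known` and reads `out-of-bounds ready` where `read` is meant; worth correcting when the backport is regenerated. read_header's body continues outside the hunk.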
@@ -22,7 +22,7 @@ Name: shim Version: 15 -Release: 33 +Release: 34 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 aarch64 License: BSD @@ -56,6 +56,8 @@ Patch21: backport-CVE-2021-3712.patch Patch22: backport-CVE-2023-0286.patch Patch23: backport-CVE-2023-0464.patch Patch24: backport-CVE-2023-3817.patch +Patch25: backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch +Patch26: backport-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch # Feature Patch9000: Feature-add-tpcm-support-with-ipmi-channel.patch @@ -160,6 +162,9 @@ cd .. /usr/src/debug/%{name}-%{version}-%{release}/* %changelog +* Tue Jan 30 2024 jinlun - 15-34 +- fix CVE-2023-40547 CVE-2023-40551 + * Sat Oct 14 2023 ExtinctFire - 15-33 - fix CVE-2023-0464 CVE-2023-3817