Virtualization
/
edk2
mirror of https://gitlab.com/qemu-project/edk2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

NetworkPkg/IScsiDxe:Fix for out of bound memory access for bz4207 (CVE-2024-38805) 

In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .

Signed-off-by: santhosh kumar V <santhoshkumarv@ami.com>
This commit is contained in:
Santhosh Kumar V 2025-05-07 18:53:30 +05:30 committed by mergify[bot]
parent 607c58ef01
commit b3a2f7ff24
1 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
NetworkPkg/IScsiDxe/IScsiProto.c
View File

@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
{
LIST_ENTRY *ListHead;
ISCSI_KEY_VALUE_PAIR *KeyValuePair;
EFI_STATUS Status;
UINT32 Result;
ListHead = AllocatePool (sizeof (LIST_ENTRY));
if (ListHead == NULL) {
@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
Data++;
}
if (*Data == '=') {
// Here Len must not be zero.
// The value of Len is size of data buffer. Actually, Data is make up of strings.
// AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
// (1) Len == 0, *Data != '=' goto ON_ERROR
// (2) *Data == '=', Len != 0 normal case.
// (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
if ((Len > 0) && (*Data == '=')) {
*Data = '\0';
Data++;
Len--;
} else {
@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
KeyValuePair->Value = Data;
InsertTailList (ListHead, &KeyValuePair->List);
Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
FreePool (KeyValuePair);
goto ON_ERROR;
}
Data += AsciiStrLen (KeyValuePair->Value) + 1;
Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
Status = SafeUint32Sub (Len, Result, &Len);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
FreePool (KeyValuePair);
goto ON_ERROR;
}
InsertTailList (ListHead, &KeyValuePair->List);
Data += Result;
}
return ListHead;