Overview

File ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch of Package ovmf.15921

From 7f9f7fccf58af2db5ac8c88801f56f4efe664fcb Mon Sep 17 00:00:00 2001
From: Jiaxin Wu <Jiaxin.wu@intel.com>
Date: Mon, 29 Apr 2019 09:51:53 +0800
Subject: [PATCH 1/2] NetworkPkg/Ip4Dxe: Check the received package length
 (CVE-2019-14559).

v3: correct the coding style.
v2: correct the commit message & add BZ number.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610

This patch is to check the received package length to make sure the package
has a valid length field.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
(cherry picked from commit 578bcdc2605e3438b9cbdac4e68339f90f5bf8af)
---
 NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++-------
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
index 24c584658803..fc1a892f14eb 100644
--- a/NetworkPkg/Ip4Dxe/Ip4Input.c
+++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
@@ -1,7 +1,7 @@
 /** @file
   IP4 input process.
 
-Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
 
 SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -711,10 +711,6 @@ Ip4PreProcessPacket (
   //
   // Check if the IP4 header is correctly formatted.
   //
-  if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
-    return EFI_INVALID_PARAMETER;
-  }
-
   HeadLen  = (Head->HeadLen << 2);
   TotalLen = NTOHS (Head->TotalLen);
 
@@ -808,6 +804,30 @@ Ip4PreProcessPacket (
   return EFI_SUCCESS;
 }
 
+/**
+  This function checks the IPv4 packet length.
+
+  @param[in]       Packet          Pointer to the IPv4 Packet to be checked.
+
+  @retval TRUE                   The input IPv4 packet length is valid.
+  @retval FALSE                  The input IPv4 packet length is invalid.
+
+**/
+BOOLEAN
+Ip4IsValidPacketLength (
+  IN NET_BUF        *Packet
+  )
+{
+  //
+  // Check the IP4 packet length.
+  //
+  if (Packet->TotalSize < IP4_MIN_HEADLEN) {
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
 /**
   The IP4 input routine. It is called by the IP4_INTERFACE when a
   IP4 fragment is received from MNP.
@@ -844,6 +864,10 @@ Ip4AccpetFrame (
     goto DROP;
   }
 
+  if (!Ip4IsValidPacketLength (Packet)) {
+    goto RESTART;
+  }
+
   Head      = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
   ASSERT (Head != NULL);
   OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
@@ -890,10 +914,14 @@ Ip4AccpetFrame (
   //
   ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
   if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
-  // Packet may have been changed. Head, HeadLen, TotalLen, and
-  // info must be reloaded bofore use. The ownership of the packet
-  // is transfered to the packet process logic.
-  //
+    // Packet may have been changed. Head, HeadLen, TotalLen, and
+    // info must be reloaded before use. The ownership of the packet
+    // is transferred to the packet process logic.
+    //
+    if (!Ip4IsValidPacketLength (Packet)) {
+      goto RESTART;
+    }
+
     Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
     ASSERT (Head != NULL);
     Status = Ip4PreProcessPacket (
-- 
2.25.0


From 03225826203c978146e4067e1d14fe66fcb75e22 Mon Sep 17 00:00:00 2001
From: Siyuan Fu <siyuan.fu@intel.com>
Date: Fri, 21 Feb 2020 10:14:18 +0800
Subject: [PATCH 2/2] NetworkPkg/ArpDxe: Recycle invalid ARP packets
 (CVE-2019-14559)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031

This patch triggers the RecycleEvent for invalid ARP packets.
Prior to this, we would just ignore invalid ARP packets,
and never free them.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Nicholas Armour <nicholas.armour@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
(cherry picked from commit 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8)
---
 NetworkPkg/ArpDxe/ArpImpl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c
index 0e9ef103eff9..c7f770db0734 100644
--- a/NetworkPkg/ArpDxe/ArpImpl.c
+++ b/NetworkPkg/ArpDxe/ArpImpl.c
@@ -1,7 +1,7 @@
 /** @file
   The implementation of the ARP protocol.
 
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc (
     //
     // Restart the receiving if packet size is not correct.
     //
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   //
@@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc (
   Head->OpCode    = NTOHS (Head->OpCode);
 
   if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   if ((Head->HwType != ArpService->SnpMode.IfType) ||
-- 
2.25.0
openSUSE Build Service is sponsored by
Places