MdePkg: Fix overflow issue in BasePeCoffLib: PeCoffLoaderRelocateImage #6249
+1
−1
Description
The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is also a UINT32 value. The current code does not check for overflow when adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a check to ensure that the addition does not overflow.
How This Was Tested
In BasePeCoff.c, the RelocDir->VirtualAddress + RelocDir->Size - 1 calculation inside PeCoffLoaderRelocateImage() was overflowing and causing memory corruption.
So I added the check below, before calculating RelocBase and RelocBaseEnd, to avoid the memory corruption.
if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress))
With this condition added, the maximum value when adding the size and address is always less than MAX_UINT32.
Hence there won't be an integer overflow with the possible values of RelocDir->VirtualAddress and RelocDir->Size.
I have tested the fix on a real platform and confirmed the image is booting fine.
Integration Instructions
N/A
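An added example, not code from this pull request or from EDK II: a stand-alone C sketch of the 32-bit wrap described above and of the guard quoted in the description. The type `reloc_dir_t`, the function names and the sample directory values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two UINT32 fields of the relocation directory entry
   (hypothetical type, not the EDK II definition). */
typedef struct {
    uint32_t VirtualAddress;
    uint32_t Size;
} reloc_dir_t;

/* Constructed sample values. */
static const reloc_dir_t SAMPLE_OK   = { 0x00001000u, 0x00000200u };
static const reloc_dir_t SAMPLE_WRAP = { 0xFFFFF000u, 0x00002000u };

/* End offset without any check: the sum wraps modulo 2^32. */
static uint32_t reloc_end_unchecked(const reloc_dir_t *d)
{
    return d->VirtualAddress + d->Size - 1u;
}

/* The guard from the description. Size > 0 is tested first so Size - 1
   cannot underflow, and UINT32_MAX - VirtualAddress can never wrap.
   The comparison is strict, so an end offset equal to UINT32_MAX is
   also rejected. */
static bool reloc_range_ok(const reloc_dir_t *d)
{
    return d != NULL && d->Size > 0 &&
           d->Size - 1u < UINT32_MAX - d->VirtualAddress;
}

/* Fills start/end only when the range is known not to wrap. */
static bool reloc_range(const reloc_dir_t *d, uint32_t *start, uint32_t *end)
{
    if (!reloc_range_ok(d)) return false;
    *start = d->VirtualAddress;
    *end   = reloc_end_unchecked(d);
    return true;
}

int main(void)
{
    uint32_t s = 0, e = 0;
    printf("wrapped end offset: 0x%08X\n", (unsigned)reloc_end_unchecked(&SAMPLE_WRAP));
    printf("SAMPLE_WRAP accepted: %d\n", reloc_range(&SAMPLE_WRAP, &s, &e));
    printf("SAMPLE_OK accepted:   %d (0x%08X..0x%08X)\n",
           reloc_range(&SAMPLE_OK, &s, &e), (unsigned)s, (unsigned)e);
    return 0;
}
```

In the wrapping sample the unchecked end offset lands below the start offset, which is the condition that leads to the memory corruption the description mentions.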