audk/OvmfPkg/Sec
Laszlo Ersek b9d4847ec2 OvmfPkg/Sec: fix out-of-bounds reads
RH covscan justifiedly reports that accessing "EFI_FFS_FILE_HEADER.Size"
and "EFI_COMMON_SECTION_HEADER.Size", which both are of type UINT8[3],
through (UINT32*), is undefined behavior:

> Error: OVERRUN (CWE-119):
> edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:283: overrun-local: Overrunning
> array of 3 bytes at byte offset 3 by dereferencing pointer
> "(UINT32 *)File->Size".
> #  281|
> #  282|       File = (EFI_FFS_FILE_HEADER*)(UINTN) CurrentAddress;
> #  283|->     Size = *(UINT32*) File->Size & 0xffffff;
> #  284|       if (Size < (sizeof (*File) + sizeof (EFI_COMMON_SECTION_HEADER))) {
> #  285|         return EFI_VOLUME_CORRUPTED;
>
> Error: OVERRUN (CWE-119):
> edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:614: overrun-local: Overrunning
> array of 3 bytes at byte offset 3 by dereferencing pointer
> "(UINT32 *)File->Size".
> #  612|
> #  613|       File = (EFI_FFS_FILE_HEADER*)(UINTN) CurrentAddress;
> #  614|->     Size = *(UINT32*) File->Size & 0xffffff;
> #  615|       if (Size < sizeof (*File)) {
> #  616|         return EFI_NOT_FOUND;
>
> Error: OVERRUN (CWE-119):
> edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:639: overrun-local: Overrunning
> array of 3 bytes at byte offset 3 by dereferencing pointer
> "(UINT32 *)Section->Size".
> #  637|         Section = (EFI_COMMON_SECTION_HEADER*)(UINTN) CurrentAddress;
> #  638|
> #  639|->       Size = *(UINT32*) Section->Size & 0xffffff;
> #  640|         if (Size < sizeof (*Section)) {
> #  641|           return EFI_NOT_FOUND;

Fix these by invoking the FFS_FILE_SIZE() and SECTION_SIZE() macros, which
by now have been fixed too.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1710
Issue: scan-1008.txt
Issue: scan-1009.txt
Issue: scan-1010.txt
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2019-04-24 17:31:02 +02:00
..
Ia32 OvmfPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:19 -07:00
X64 OvmfPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:19 -07:00
SecMain.c OvmfPkg/Sec: fix out-of-bounds reads 2019-04-24 17:31:02 +02:00
SecMain.inf OvmfPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:19 -07:00