mirror of https://github.com/acidanthera/audk.git
aeaee8944f
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 Fix integer overflow in various CreateHob instances. Fixes: CVE-2022-36765 The CreateHob() function aligns the requested size to 8 performing the following operation: ``` HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); ``` No checks are performed to ensure this value doesn't overflow, and could lead to CreateHob() returning a smaller HOB than requested, which could lead to OOB HOB accesses. Reported-by: Marc Beatove <mbeatove@google.com> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Abner Chang <abner.chang@amd.com> Cc: John Mathew <john.mathews@intel.com> Authored-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gua Guo <gua.guo@intel.com> |
||
|---|---|---|
| .. | ||
| Application | ||
| Drivers | ||
| EmbeddedMonotonicCounter | ||
| GdbStub | ||
| Include | ||
| Library | ||
| MetronomeDxe | ||
| RealTimeClockRuntimeDxe | ||
| ResetRuntimeDxe | ||
| Scripts/LauterbachT32 | ||
| SimpleTextInOutSerial | ||
| Test/Mock | ||
| Universal/MmcDxe | ||
| EmbeddedPkg.ci.yaml | ||
| EmbeddedPkg.dec | ||
| EmbeddedPkg.dsc | ||