mirror of https://github.com/acidanthera/audk.git
aeaee8944f
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 Fix integer overflow in various CreateHob instances. Fixes: CVE-2022-36765 The CreateHob() function aligns the requested size to 8 performing the following operation: ``` HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); ``` No checks are performed to ensure this value doesn't overflow, and could lead to CreateHob() returning a smaller HOB than requested, which could lead to OOB HOB accesses. Reported-by: Marc Beatove <mbeatove@google.com> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Abner Chang <abner.chang@amd.com> Cc: John Mathew <john.mathews@intel.com> Authored-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gua Guo <gua.guo@intel.com> |
||
|---|---|---|
| .. | ||
| AcpiLib | ||
| AndroidBootImgLib | ||
| CoherentDmaLib | ||
| DebugAgentTimerLibNull | ||
| DxeDtPlatformDtbLoaderLibDefault | ||
| FdtLib | ||
| GdbSerialDebugPortLib | ||
| GdbSerialLib | ||
| NonCoherentDmaLib | ||
| NorFlashInfoLib | ||
| NvVarStoreFormattedLib | ||
| PlatformHasAcpiLib | ||
| PrePiExtractGuidedSectionLib | ||
| PrePiHobLib | ||
| PrePiLib | ||
| PrePiMemoryAllocationLib | ||
| TemplateRealTimeClockLib | ||
| TemplateResetSystemLib | ||
| TimeBaseLib | ||
| VirtualRealTimeClockLib | ||