mirror of https://github.com/acidanthera/audk.git
59f024c76e
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 Fix integer overflow in various CreateHob instances. Fixes: CVE-2022-36765 The CreateHob() function aligns the requested size to 8 performing the following operation: ``` HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); ``` No checks are performed to ensure this value doesn't overflow, and could lead to CreateHob() returning a smaller HOB than requested, which could lead to OOB HOB accesses. Reported-by: Marc Beatove <mbeatove@google.com> Cc: Guo Dong <guo.dong@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Reviewed-by: Gua Guo <gua.guo@intel.com> Cc: John Mathew <john.mathews@intel.com> Authored-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gua Guo <gua.guo@intel.com> |
||
|---|---|---|
| .. | ||
| Ia32 | ||
| X64 | ||
| AcpiTable.c | ||
| FitUniversalPayloadEntry.c | ||
| FitUniversalPayloadEntry.inf | ||
| LoadDxeCore.c | ||
| MemoryAllocation.c | ||
| PrintHob.c | ||
| UefiPayloadEntry.c | ||
| UefiPayloadEntry.h | ||
| UefiPayloadEntry.inf | ||
| UniversalPayloadEntry.c | ||
| UniversalPayloadEntry.inf | ||