You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
79 lines
2.3 KiB
79 lines
2.3 KiB
6 months ago
|
From e3f153773bd2ca13ee4869187f1711840fc8afc9 Mon Sep 17 00:00:00 2001
|
||
|
From: Jon Maloy <jmaloy@redhat.com>
|
||
|
Date: Thu, 15 Feb 2024 11:51:09 -0500
|
||
|
Subject: [PATCH 02/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
|
||
|
|
||
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||
|
RH-MergeRequest: 56: Pixiefail issues in NetworkPkg package
|
||
|
RH-Jira: RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852
|
||
|
RH-Acked-by: Gerd Hoffmann <None>
|
||
|
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
|
||
|
RH-Commit: [2/15] 61eaf6aac61b774c3a8ace54af8abd607651d2db
|
||
|
|
||
|
JIRA: https://issues.redhat.com/browse/RHEL-21844
|
||
|
CVE: CVE-2022-45231
|
||
|
Upstream: Merged
|
||
|
|
||
|
commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd
|
||
|
Author: Doug Flick <dougflick@microsoft.com>
|
||
|
Date: Fri Jan 26 05:54:48 2024 +0800
|
||
|
|
||
|
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
|
||
|
|
||
|
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
|
||
|
|
||
|
Bug Overview:
|
||
|
PixieFail Bug #3
|
||
|
CVE-2023-45231
|
||
|
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||
|
CWE-125 Out-of-bounds Read
|
||
|
|
||
|
Out-of-bounds read when handling a ND Redirect message with truncated
|
||
|
options
|
||
|
|
||
|
Change Overview:
|
||
|
|
||
|
Adds a check to prevent truncated options from being parsed
|
||
|
+ //
|
||
|
+ // Cannot process truncated options.
|
||
|
+ // Cannot process options with a length of 0 as there is no Type
|
||
|
field.
|
||
|
+ //
|
||
|
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
|
||
|
+ return FALSE;
|
||
|
+ }
|
||
|
|
||
|
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||
|
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
||
|
|
||
|
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||
|
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||
|
|
||
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||
|
---
|
||
|
NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
|
||
|
1 file changed, 8 insertions(+)
|
||
|
|
||
|
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
|
||
|
index 199eea124d..8718d5d875 100644
|
||
|
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
|
||
|
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
|
||
|
@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
|
||
|
return FALSE;
|
||
|
}
|
||
|
|
||
|
+ //
|
||
|
+ // Cannot process truncated options.
|
||
|
+ // Cannot process options with a length of 0 as there is no Type field.
|
||
|
+ //
|
||
|
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
|
||
|
+ return FALSE;
|
||
|
+ }
|
||
|
+
|
||
|
Offset = 0;
|
||
|
|
||
|
//
|
||
|
--
|
||
|
2.39.3
|
||
|
|