| From 0226b56513b2b8bd5fd281bce77c40c9bf07c66d Mon Sep 17 00:00:00 2001 |
| From: Peter Jones <pjones@redhat.com> |
| Date: Wed, 2 Aug 2023 14:19:31 -0400 |
| Subject: [PATCH] CVE-2023-40547 - avoid incorrectly trusting HTTP headers |
| |
| When retrieving files via HTTP or related protocols, shim attempts to |
| allocate a buffer to store the received data. Unfortunately, this means |
| getting the size from an HTTP header, which can be manipulated to |
| specify a size that's smaller than the received data. In this case, the |
| code accidentally uses the header for the allocation but the protocol |
| metadata to copy it from the rx buffer, resulting in an out-of-bounds |
| write. |
| |
| This patch adds an additional check to test that the rx buffer is not |
| larger than the allocation. |
| |
| Resolves: CVE-2023-40547 |
| Reported-by: Bill Demirkapi, Microsoft Security Response Center |
| Signed-off-by: Peter Jones <pjones@redhat.com> |
| --- |
| httpboot.c | 8 +++++++- |
| 1 file changed, 7 insertions(+), 1 deletion(-) |
| |
| diff --git a/httpboot.c b/httpboot.c |
| index dfa493bf52f0..b34dd49c2cd6 100644 |
| --- a/httpboot.c |
| +++ b/httpboot.c |
| @@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size) |
| } |
| |
| if (*buf_size == 0) { |
| - perror(L"Failed to get Content-Lenght\n"); |
| + perror(L"Failed to get Content-Length\n"); |
| + goto error; |
| + } |
| + |
| + if (*buf_size < rx_message.BodyLength) { |
| + efi_status = EFI_BAD_BUFFER_SIZE; |
| + perror(L"Invalid Content-Length\n"); |
| goto error; |
| } |
| |
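Review bot: The `*buf_size == 0` branch at the top of the hunk still reaches `goto error` without assigning `efi_status`, whereas the new `*buf_size < rx_message.BodyLength` branch sets `EFI_BAD_BUFFER_SIZE`. If `efi_status` holds a success value at that point (the earlier part of `receive_http_response` is outside the hunk, so this is inferred), a response with a missing or zero Content-Length would be reported to the caller as success with no buffer allocated. Setting it explicitly, for example `efi_status = EFI_BAD_BUFFER_SIZE;` before that `goto error;`, makes both rejection paths fail closed. The new check would also benefit from a short comment such as `/* Content-Length is supplied by the server; never copy more body bytes than it lets us allocate */`, since the allocation and copy it protects are not visible next to it. The function continues past the hunk, so any later receive loop that appends further body data needs the same bound against `*buf_size`.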
| -- |
| 2.43.0.594.gd9cf4e227d-goog |
| |