NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer overflow

The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
condition, but never actually checks whether the decoded buffer fits into
the caller-provided room (i.e., the input value of "BinLength"), and
EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
overflow "BinBuffer".

This is remotely exploitable, as shown in a subsequent patch, which adds
error checking to the IScsiHexToBin() call sites. This issue allows the
target to compromise the initiator.

Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
plus actually catch the buffer overflow.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-10-lersek@redhat.com>

diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index f0f4992b07c797bf4493dddb4fb6c8f461643699..4069547867513f50e97799e1294e9068835cd806 100644 (file)
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -377,6 +377,9 @@ IScsiBinToHex (
   @retval EFI_SUCCESS           The hexadecimal string is converted into a\r
                                 binary encoded buffer.\r
   @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.\r
+  @retval EFI_BAD_BUFFER_SIZE   The length of HexStr is too large for decoding:\r
+                                the decoded size cannot be expressed in\r
+                                BinLength on output.\r
   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the\r
                                 converted data.\r
 **/\r
@@ -387,6 +390,8 @@ IScsiHexToBin (
   IN     CHAR8  *HexStr\r
   )\r
 {\r
+  UINTN   BinLengthMin;\r
+  UINT32  BinLengthProvided;\r
   UINTN   Index;\r
   UINTN   Length;\r
   UINT8   Digit;\r
@@ -409,6 +414,18 @@ IScsiHexToBin (
   if (Length == 0 || Length % 2 != 0) {\r
     return EFI_INVALID_PARAMETER;\r
   }\r
+  //\r
+  // Check if the caller provides enough room for the decoded blob.\r
+  //\r
+  BinLengthMin = Length / 2;\r
+  if (BinLengthMin > MAX_UINT32) {\r
+    return EFI_BAD_BUFFER_SIZE;\r
+  }\r
+  BinLengthProvided = *BinLength;\r
+  *BinLength = (UINT32)BinLengthMin;\r
+  if (BinLengthProvided < BinLengthMin) {\r
+    return EFI_BUFFER_TOO_SMALL;\r
+  }\r
 \r
   for (Index = 0; Index < Length; Index ++) {\r
     TemStr[0] = HexStr[Index];\r
@@ -425,9 +442,6 @@ IScsiHexToBin (
       BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);\r
     }\r
   }\r
-\r
-  *BinLength = (UINT32) ((Index + 1)/2);\r
-\r
   return EFI_SUCCESS;\r
 }\r
 \r

diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 404a482e57f3fb62a35e0610ae50a856f81691a9..fddef4f466dc6dd1a1751cc71403f21a84633726 100644 (file)
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -172,6 +172,9 @@ IScsiBinToHex (
   @retval EFI_SUCCESS           The hexadecimal string is converted into a\r
                                 binary encoded buffer.\r
   @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.\r
+  @retval EFI_BAD_BUFFER_SIZE   The length of HexStr is too large for decoding:\r
+                                the decoded size cannot be expressed in\r
+                                BinLength on output.\r
   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the\r
                                 converted data.\r
 **/\r