Add extra ASSERT in PeiUsbGetAllConfiguration

Fixes oss-fuzz issue #70813. ==9957==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7e248c3009d8 at pc 0x00000059cb32 bp 0x7fff07ef3590 sp 0x7fff07ef3588 WRITE of size 8 at 0x7e248c3009d8 thread T0 SCARINESS: 57 (8-byte-write-stack-buffer-overflow) #0 0x59cb31 in PeiUsbGetAllConfiguration edk2/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c:928:61 #1 0x596c4b in RunTestHarness hbfa-fl/HBFA/UefiHostFuzzTestCasePkg/TestCase/MdeModulePkg/Bus/Usb/UsbBusPei/TestPeiUsb.c:74:3 Signed-off-by: Tamas K Lengyel <[email protected]>
intel · Sep 10, 2024 · 144ab37 · 144ab37
1 parent 0224f27
commit 144ab37
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/edk2-bugfixes/0001-UsbBusPei-Add-ASSERT-to-check-that-NUM_INTERFACE-is-.patch b/edk2-bugfixes/0001-UsbBusPei-Add-ASSERT-to-check-that-NUM_INTERFACE-is-.patch
@@ -0,0 +1,27 @@
+From 2bbc8bee2129435e04051de3069be1e29e41191e Mon Sep 17 00:00:00 2001
+From: Tamas K Lengyel <[email protected]>
+Date: Tue, 10 Sep 2024 18:22:20 +0000
+Subject: [PATCH] UsbBusPei: Add ASSERT to check that NUM_INTERFACE is less
+ than max allowed
+
+Signed-off-by: Tamas K Lengyel <[email protected]>
+---
+ MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
+index 6ea4495162..e576b0d514 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
++++ b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
+@@ -871,6 +871,8 @@ PeiUsbGetAllConfiguration (
+   Ptr       += sizeof (EFI_USB_CONFIG_DESCRIPTOR);
+   LengthLeft = ConfigDescLength - SkipBytes - sizeof (EFI_USB_CONFIG_DESCRIPTOR);
+
++  ASSERT(PeiUsbDevice->ConfigDesc->NumInterfaces <= MAX_INTERFACE);
++
+   for (InterfaceIndex = 0; InterfaceIndex < PeiUsbDevice->ConfigDesc->NumInterfaces; InterfaceIndex++) {
+     //
+     // Get the interface descriptor
+-- 
+2.34.1
+