Merge pull request #18 from tklengyel/fix

Start fixing edk2 bugs and collecting them for future upstreaming
intel · Jul 25, 2024 · f9c7911 · f9c7911
2 parents df2116d + c3b0e4b
commit f9c7911
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/...efiHostFuzzTestCasePkg/TestCase/MdeModulePkg/Universal/CapsulePei/Common/TestCapsulePei.c b/...efiHostFuzzTestCasePkg/TestCase/MdeModulePkg/Universal/CapsulePei/Common/TestCapsulePei.c
@@ -67,7 +67,7 @@ RunTestHarness(
   MemoryBase = AllocatePool (MemorySize);
 
   MemoryResource[0].PhysicalStart  = (UINT64)(UINTN)TestBuffer;
-  MemoryResource[0].ResourceLength = (UINT64)(UINTN)TOTAL_SIZE;
+  MemoryResource[0].ResourceLength = (UINT64)(UINTN)TestBufferSize;
   MemoryResource[1].PhysicalStart  = (UINT64)(UINTN)MemoryBase;
   MemoryResource[1].ResourceLength = (UINT64)(UINTN)MemorySize;
   MemoryResource[2].PhysicalStart  = 0;

diff --git a/edk2-bugfixes/0001-CapsuleCoalesce-validate-array-access-to-be-in-valid.patch b/edk2-bugfixes/0001-CapsuleCoalesce-validate-array-access-to-be-in-valid.patch
@@ -0,0 +1,39 @@
+From 87a54812f85bf9f8fb59e3456fef5ed8759f42ab Mon Sep 17 00:00:00 2001
+From: "[email protected]" <Tamas K Lengyel>
+Date: Wed, 24 Jul 2024 13:12:24 +0000
+Subject: [PATCH] CapsuleCoalesce: validate array access to be in valid memory 
+ resource
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes oss-fuzz issue #68644: Heap-buffer-overflow READ 8 · BuildCapsuleDescriptors
+
+==25707==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x78e4735ff800 at pc 0x00000059b258 bp 0x7ffcdf2e7560 sp 0x7ffcdf2e7558
+READ of size 8 at 0x78e4735ff800 thread T0
+SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
+    #0 0x59b257 in BuildCapsuleDescriptors edk2/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c:908:10
+    #1 0x59b47b in CapsuleDataCoalesce edk2/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c:1067:12
+    #2 0x596cfd in RunTestHarness hbfa-fl/HBFA/UefiHostFuzzTestCasePkg/TestCase/MdeModulePkg/Universal/CapsulePei/Common/TestCapsulePei.c:80:3
+
+Signed-off-by: Tamas K Lengyel <[email protected]>
+---
+ MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
+index aab35dcd8a..94c4200d70 100644
+--- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
++++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
+@@ -905,7 +905,7 @@ BuildCapsuleDescriptors (
+   TempBlock = NULL;
+   Index     = 0;
+
+-  while (BlockListBuffer[Index] != 0) {
++  while (ValidateCapsuleByMemoryResource(MemoryResource, BlockListBuffer + Index, sizeof(EFI_PHYSICAL_ADDRESS)) && BlockListBuffer[Index] != 0) {
+     //
+     // Test integrity of descriptors.
+     //
+-- 
+2.34.1
+
diff --git a/oss-fuzz/build.sh b/oss-fuzz/build.sh
@@ -37,6 +37,7 @@ build_fuzzer() {
 }
 
 cd $SRC/edk2
+for p in $(ls $SRC/hbfa-fl/edk2-bugfixes/*.patch); do patch -p1 < $p || :; done
 make -C BaseTools
 source edksetup.sh
 cd ..