Summary
An integer overflow can be triggered in CreateHob() when aligning the requested size.
This vulnerability was originally reported at https://bugzilla.tianocore.org/show_bug.cgi?id=4166.
Details
The CreateHob() function aligns the requested size to 8 by performing the following operation:
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
No checks are performed to ensure this value doesn't overflow, so CreateHob() could return a smaller HOB than requested, which could lead to out-of-bounds (OOB) HOB accesses.
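The wrap-around described above, shown as an added example that is not EDK2 code and not the patch from the Bugzilla entry. UINT16 is modelled as uint16_t, and the function names and the checked variant are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* The advisory's expression, with EDK2's UINT16 modelled as uint16_t. */
static uint16_t align_unchecked(uint16_t hob_length)
{
    return (uint16_t)((hob_length + 0x7) & (~0x7));
}

/* Hypothetical checked variant (not the EDK2 patch): refuse any length
 * whose 8-byte-aligned value no longer fits in 16 bits.
 * Returns 0 and stores the aligned length, or -1 on overflow. */
static int align_checked(uint16_t hob_length, uint16_t *aligned)
{
    if (hob_length > (UINT16_MAX & ~0x7)) {   /* largest safe input: 0xFFF8 */
        return -1;
    }
    *aligned = (uint16_t)((hob_length + 0x7) & ~0x7);
    return 0;
}

/* Count the 16-bit lengths for which the unchecked result is smaller
 * than the length that was asked for. */
static unsigned count_truncated_lengths(void)
{
    unsigned count = 0;
    for (uint32_t len = 0; len <= UINT16_MAX; len++) {
        if (align_unchecked((uint16_t)len) < len) {
            count++;
        }
    }
    return count;
}

int main(void)
{
    uint16_t aligned = 0;
    printf("unchecked 0x0011 -> 0x%04X\n", (unsigned)align_unchecked(0x0011));
    printf("unchecked 0xFFF9 -> 0x%04X\n", (unsigned)align_unchecked(0xFFF9));
    printf("checked   0xFFF9 -> %d\n", align_checked(0xFFF9, &aligned));
    printf("truncated inputs: %u\n", count_truncated_lengths());
    return 0;
}
```

The addition is carried out in int, so the sum itself does not wrap; the value is lost in the cast back to 16 bits, which is why the range check has to come before the alignment.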
Impact
Exploitability here seems tricky, as an attacker would need to trigger this vulnerability in the PEI phase. On the other hand, the number of calls to this function is fairly high.
Mitigation release plan
Patch files are available now via https://bugzilla.tianocore.org/show_bug.cgi?id=4166. The patch will be integrated for the Feb 2024 EDK2 release.