From 64c1bf08a674454945a3e5df0f911982c2fe72c9 Mon Sep 17 00:00:00 2001 From: "tamas.lengyel@intel.com" Date: Tue, 10 Sep 2024 18:22:57 +0000 Subject: [PATCH] Add extra ASSERT in PeiUsbGetAllConfiguration Fixes oss-fuzz issue #70813. ==9957==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7e248c3009d8 at pc 0x00000059cb32 bp 0x7fff07ef3590 sp 0x7fff07ef3588 WRITE of size 8 at 0x7e248c3009d8 thread T0 SCARINESS: 57 (8-byte-write-stack-buffer-overflow) #0 0x59cb31 in PeiUsbGetAllConfiguration edk2/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c:928:61 #1 0x596c4b in RunTestHarness hbfa-fl/HBFA/UefiHostFuzzTestCasePkg/TestCase/MdeModulePkg/Bus/Usb/UsbBusPei/TestPeiUsb.c:74:3 Signed-off-by: Tamas K Lengyel --- ...SERT-to-check-that-NUM_INTERFACE-is-.patch | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 edk2-bugfixes/0001-UsbBusPei-Add-ASSERT-to-check-that-NUM_INTERFACE-is-.patch diff --git a/edk2-bugfixes/0001-UsbBusPei-Add-ASSERT-to-check-that-NUM_INTERFACE-is-.patch b/edk2-bugfixes/0001-UsbBusPei-Add-ASSERT-to-check-that-NUM_INTERFACE-is-.patch new file mode 100644 index 0000000..362161b --- /dev/null +++ b/edk2-bugfixes/0001-UsbBusPei-Add-ASSERT-to-check-that-NUM_INTERFACE-is-.patch 
@@ -0,0 +1,27 @@ +From 5c730710df32b82ae787c9f8794751f7a436d26e Mon Sep 17 00:00:00 2001 +From: "tamas.lengyel@intel.com" +Date: Tue, 10 Sep 2024 18:22:20 +0000 +Subject: [PATCH] UsbBusPei: Add ASSERT to check that NUM_INTERFACE is less + than max allowed + +Signed-off-by: Tamas K Lengyel +--- + MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c +index 6ea4495162..e576b0d514 100644 +--- a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c ++++ b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c +@@ -871,6 +871,8 @@ PeiUsbGetAllConfiguration ( + Ptr += sizeof (EFI_USB_CONFIG_DESCRIPTOR); + LengthLeft = ConfigDescLength - SkipBytes - sizeof (EFI_USB_CONFIG_DESCRIPTOR); + ++ ASSERT(PeiUsbDevice->ConfigDesc->NumInterfaces <= MAX_INTERFACE); ++ + for (InterfaceIndex = 0; InterfaceIndex < PeiUsbDevice->ConfigDesc->NumInterfaces; InterfaceIndex++) { + // + // Get the interface descriptor +-- +2.34.1 +
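Review bot: The added `ASSERT(PeiUsbDevice->ConfigDesc->NumInterfaces <= MAX_INTERFACE);` ahead of the `InterfaceIndex` loop is the only bound placed on `NumInterfaces`, and it disappears in EDK2 builds where asserts are disabled (for example with `MDEPKG_NDEBUG`). That leaves the 8-byte stack write ASan reported at UsbPeim.c:928 reachable in those builds. `NumInterfaces` is read from the configuration descriptor, so it should get a runtime check that bails out before the loop, along the lines of `if (PeiUsbDevice->ConfigDesc->NumInterfaces > MAX_INTERFACE) { return EFI_DEVICE_ERROR; }` (assuming the function returns an EFI_STATUS, which this hunk does not show). The ASSERT can stay next to it if an early abort is useful for the fuzzing harness. Two smaller points: the inner subject line says "less than max allowed" while the check is `<=`, so please confirm which bound matches the size of the array the loop indexes and make the wording agree; and the surrounding code writes `sizeof (...)` with a space before the parenthesis, so `ASSERT (` would match the file's style. The inner commit message would also benefit from carrying the oss-fuzz issue reference and ASan summary that currently appear only in the outer commit.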