ovmf: Fix CVE-2023-45231
authorSoumya Sambu <soumya.sambu@windriver.com>
Fri, 28 Jun 2024 09:04:54 +0000 (09:04 +0000)
committerHongxu Jia <hongxu.jia@windriver.com>
Wed, 4 Dec 2024 03:30:12 +0000 (11:30 +0800)
EDK2's Network Package is susceptible to an out-of-bounds read
vulnerability when processing a Neighbor Discovery Redirect message. This
vulnerability can be exploited by an attacker to gain unauthorized access
and potentially lead to a loss of Confidentiality.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45231

Upstream-patches:
https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd
https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch [new file with mode: 0644]
meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch [new file with mode: 0644]
meta/recipes-core/ovmf/ovmf_git.bb

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch
new file mode 100644 (file)
index 0000000..7aa9b27
--- /dev/null
@@ -0,0 +1,65 @@
+From bbfee34f4188ac00371abe1389ae9c9fb989a0cd Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:48 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+
+Bug Overview:
+PixieFail Bug #3
+CVE-2023-45231
+CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+CWE-125 Out-of-bounds Read
+
+Out-of-bounds read when handling a ND Redirect message with truncated
+options
+
+Change Overview:
+
+Adds a check to prevent truncated options from being parsed
++  //
++  // Cannot process truncated options.
++  // Cannot process options with a length of 0 as there is no Type
+field.
++  //
++  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
++    return FALSE;
++  }
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45231
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
+index 199eea124d..8718d5d875 100644
+--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
++++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
+@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
+     return FALSE;\r
+   }\r
\r
++  //\r
++  // Cannot process truncated options.\r
++  // Cannot process options with a length of 0 as there is no Type field.\r
++  //\r
++  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {\r
++    return FALSE;\r
++  }\r
++\r
+   Offset = 0;\r
\r
+   //\r
+-- 
+2.40.0
+
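Review bot: The added guard `if (OptionLen < sizeof (IP6_OPTION_HEADER))` in Ip6IsNDOptionValid only proves that the first option header fits in the buffer; the option walk that presumably follows `Offset = 0;` lies outside this hunk and needs the same proof on every iteration. When checking this backport against edk2-stable202202, confirm that the loop compares `Offset + sizeof (IP6_OPTION_HEADER)` with `OptionLen` before each header is dereferenced, otherwise a truncated trailing option could still be read past the end of the buffer. The new comment also blurs two cases: "a length of 0" reads like the option's Length field, while the test is on the buffer length. A comment such as `// Reject buffers too short to hold one option header (Type + Length).` states what the code actually checks.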
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch
new file mode 100644 (file)
index 0000000..fbc2c44
--- /dev/null
@@ -0,0 +1,250 @@
+From 6f77463d72807ec7f4ed6518c3dac29a1040df9f Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:49 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+
+Validates that the patch for...
+
+Out-of-bounds read when handling a ND Redirect message with truncated
+options
+
+.. has been fixed
+
+Tests the following function to ensure that an out of bounds read does
+not occur
+Ip6OptionValidation
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45231
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp    |  20 +++
+ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf    |  42 ++++++
+ .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 ++++++++++++++++++
+ 3 files changed, 191 insertions(+)
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+new file mode 100644
+index 0000000000..6ebfd5fdfb
+--- /dev/null
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+@@ -0,0 +1,20 @@
++/** @file\r
++  Acts as the main entry point for the tests for the Ip6Dxe module.\r
++\r
++  Copyright (c) Microsoft Corporation\r
++  SPDX-License-Identifier: BSD-2-Clause-Patent\r
++**/\r
++#include <gtest/gtest.h>\r
++\r
++////////////////////////////////////////////////////////////////////////////////\r
++// Run the tests\r
++////////////////////////////////////////////////////////////////////////////////\r
++int\r
++main (\r
++  int   argc,\r
++  char  *argv[]\r
++  )\r
++{\r
++  testing::InitGoogleTest (&argc, argv);\r
++  return RUN_ALL_TESTS ();\r
++}\r
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+new file mode 100644
+index 0000000000..6e4de0745f
+--- /dev/null
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+@@ -0,0 +1,42 @@
++## @file\r
++# Unit test suite for the Ip6Dxe using Google Test\r
++#\r
++# Copyright (c) Microsoft Corporation.<BR>\r
++# SPDX-License-Identifier: BSD-2-Clause-Patent\r
++##\r
++[Defines]\r
++  INF_VERSION         = 0x00010017\r
++  BASE_NAME           = Ip6DxeUnitTest\r
++  FILE_GUID           = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A\r
++  VERSION_STRING      = 1.0\r
++  MODULE_TYPE         = HOST_APPLICATION\r
++#\r
++# The following information is for reference only and not required by the build tools.\r
++#\r
++#  VALID_ARCHITECTURES           = IA32 X64 AARCH64\r
++#\r
++[Sources]\r
++  Ip6DxeGoogleTest.cpp\r
++  Ip6OptionGoogleTest.cpp\r
++  ../Ip6Option.c\r
++\r
++[Packages]\r
++  MdePkg/MdePkg.dec\r
++  MdeModulePkg/MdeModulePkg.dec\r
++  UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec\r
++  NetworkPkg/NetworkPkg.dec\r
++\r
++[LibraryClasses]\r
++  GoogleTestLib\r
++  DebugLib\r
++  NetLib\r
++  PcdLib\r
++\r
++[Protocols]\r
++  gEfiDhcp6ServiceBindingProtocolGuid\r
++\r
++[Pcd]\r
++  gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType\r
++\r
++[Guids]\r
++  gZeroGuid\r
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+new file mode 100644
+index 0000000000..f2cd90e1a9
+--- /dev/null
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+@@ -0,0 +1,129 @@
++/** @file\r
++  Tests for Ip6Option.c.\r
++\r
++  Copyright (c) Microsoft Corporation\r
++  SPDX-License-Identifier: BSD-2-Clause-Patent\r
++**/\r
++#include <gtest/gtest.h>\r
++\r
++extern "C" {\r
++  #include <Uefi.h>\r
++  #include <Library/BaseLib.h>\r
++  #include <Library/DebugLib.h>\r
++  #include "../Ip6Impl.h"\r
++  #include "../Ip6Option.h"\r
++}\r
++\r
++/////////////////////////////////////////////////////////////////////////\r
++// Defines\r
++///////////////////////////////////////////////////////////////////////\r
++\r
++#define IP6_PREFIX_INFO_OPTION_DATA_LEN    32\r
++#define OPTION_HEADER_IP6_PREFIX_DATA_LEN  (sizeof (IP6_OPTION_HEADER) + IP6_PREFIX_INFO_OPTION_DATA_LEN)\r
++\r
++////////////////////////////////////////////////////////////////////////\r
++// Symbol Definitions\r
++// These functions are not directly under test - but required to compile\r
++////////////////////////////////////////////////////////////////////////\r
++UINT32  mIp6Id;\r
++\r
++EFI_STATUS\r
++Ip6SendIcmpError (\r
++  IN IP6_SERVICE       *IpSb,\r
++  IN NET_BUF           *Packet,\r
++  IN EFI_IPv6_ADDRESS  *SourceAddress       OPTIONAL,\r
++  IN EFI_IPv6_ADDRESS  *DestinationAddress,\r
++  IN UINT8             Type,\r
++  IN UINT8             Code,\r
++  IN UINT32            *Pointer             OPTIONAL\r
++  )\r
++{\r
++  // ..\r
++  return EFI_SUCCESS;\r
++}\r
++\r
++////////////////////////////////////////////////////////////////////////\r
++// Ip6OptionValidation Tests\r
++////////////////////////////////////////////////////////////////////////\r
++\r
++// Define a fixture for your tests if needed\r
++class Ip6OptionValidationTest : public ::testing::Test {\r
++protected:\r
++  // Add any setup code if needed\r
++  virtual void\r
++  SetUp (\r
++    )\r
++  {\r
++    // Initialize any resources or variables\r
++  }\r
++\r
++  // Add any cleanup code if needed\r
++  virtual void\r
++  TearDown (\r
++    )\r
++  {\r
++    // Clean up any resources or variables\r
++  }\r
++};\r
++\r
++// Test Description:\r
++// Null option should return false\r
++TEST_F (Ip6OptionValidationTest, NullOptionShouldReturnFalse) {\r
++  UINT8   *option   = nullptr;\r
++  UINT16  optionLen = 10; // Provide a suitable length\r
++\r
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));\r
++}\r
++\r
++// Test Description:\r
++// Truncated option should return false\r
++TEST_F (Ip6OptionValidationTest, TruncatedOptionShouldReturnFalse) {\r
++  UINT8   option[]  = { 0x01 }; // Provide a truncated option\r
++  UINT16  optionLen = 1;\r
++\r
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));\r
++}\r
++\r
++// Test Description:\r
++// Ip6OptionPrefixInfo Option with zero length should return false\r
++TEST_F (Ip6OptionValidationTest, OptionWithZeroLengthShouldReturnFalse) {\r
++  IP6_OPTION_HEADER  optionHeader;\r
++\r
++  optionHeader.Type   = Ip6OptionPrefixInfo;\r
++  optionHeader.Length = 0;\r
++  UINT8  option[sizeof (IP6_OPTION_HEADER)];\r
++\r
++  CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));\r
++  UINT16  optionLen = sizeof (IP6_OPTION_HEADER);\r
++\r
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));\r
++}\r
++\r
++// Test Description:\r
++// Ip6OptionPrefixInfo Option with valid length should return true\r
++TEST_F (Ip6OptionValidationTest, ValidPrefixInfoOptionShouldReturnTrue) {\r
++  IP6_OPTION_HEADER  optionHeader;\r
++\r
++  optionHeader.Type   = Ip6OptionPrefixInfo;\r
++  optionHeader.Length = 4; // Length 4 * 8 = 32\r
++  UINT8  option[OPTION_HEADER_IP6_PREFIX_DATA_LEN];\r
++\r
++  CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));\r
++\r
++  EXPECT_TRUE (Ip6IsNDOptionValid (option, IP6_PREFIX_INFO_OPTION_DATA_LEN));\r
++}\r
++\r
++// Test Description:\r
++// Ip6OptionPrefixInfo Option with invalid length should return false\r
++TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse) {\r
++  IP6_OPTION_HEADER  optionHeader;\r
++\r
++  optionHeader.Type   = Ip6OptionPrefixInfo;\r
++  optionHeader.Length = 3; // Length 3 * 8 = 24 (Invalid)\r
++  UINT8  option[sizeof (IP6_OPTION_HEADER)];\r
++\r
++  CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));\r
++  UINT16  optionLen = sizeof (IP6_OPTION_HEADER);\r
++\r
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));\r
++}\r
+-- 
+2.40.0
+
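Review bot: In Ip6OptionGoogleTest.cpp, `InvalidPrefixInfoOptionLengthShouldReturnFalse` declares `Length = 3` (24 bytes) but passes a buffer of only `sizeof (IP6_OPTION_HEADER)` bytes, so the test passes whether FALSE comes from the prefix-info length rule or from a bounds check and cannot tell the two apart. Sizing the buffer to the declared length, e.g. `UINT8 option[24] = { 0 };` with `optionLen = sizeof (option)`, would pin the rule the test name claims. `ValidPrefixInfoOptionShouldReturnTrue` leaves every byte after the header uninitialized; `UINT8 option[OPTION_HEADER_IP6_PREFIX_DATA_LEN] = { 0 };` keeps the result independent of stack contents if the validator ever reads the payload. Separately, the backport adds only the three test files and no DSC change is visible here, so these tests are presumably never built by the recipe; a sentence in the patch header saying so would help anyone auditing the CVE fix.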
index 957a74aabec40daae09ececd433c6ca45b1d0b7f..e46b3ddebe2b8eebfd7d5d8dc2a1b5eabe94b23b 100644 (file)
@@ -35,6 +35,8 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://CVE-2022-36764-0003.patch \
            file://CVE-2023-45230-0001.patch \
            file://CVE-2023-45230-0002.patch \
+           file://CVE-2023-45231-0001.patch \
+           file://CVE-2023-45231-0002.patch \
            "
 
 PV = "edk2-stable202202"