Related to: https://bugzilla.tianocore.org/show_bug.cgi?id=3319

The "borrow" technique mentioned in the above ticket seems to still exist for PEI MpInitLib [1]. PEI should follow the DXE code to properly allocate the required memory [2]. Possibly the buffer could be shared by HOB to have a "single point of failure" for the LegacyBios-conflicting allocations.

[1] https://github.com/tianocore/edk2/blob/2072c22a0d63c780b0cc6377f6d4ffb116ad6144/UefiCpuPkg/Library/MpInitLib/PeiMpLib.c#L191
[2] https://github.com/tianocore/edk2/commit/e4ff6349bf9ee4f3f392141374901ea4994e043e
Hi, Marvin. Was it intentional that BZ 3319 was filed against "EDK2" product (public), while BZ 3320 was filed against the "Tianocore Security Issues" product (Infosec)?
Hey, John. Yes, I could not find any memory safety issues in the DXE version of the library. The changes would arguably be cosmetic. Of course they will benefit reviewability, reduce complexity, and allow for easier memory protection (e.g. the proposed W^X pattern from 3326). Meanwhile the borrowed buffer in PEI is clearly a risk for memory safety. I did not check in detail yet, and might not for another couple of weeks, but 3319 might be blocked by this issue, depending on how the shared code works.
Hi, Marvin. We discussed, and do not see this being an attack vector by itself. Rather than treating this as a security issue, I propose that we make this BZ public and develop a patch in the open (no CVE will be assigned). Are you OK with this approach?
Sure, thank you!
Moving to confirmed and making public, per discussion in 9/1 Tianocore Infosec mtg. See comment 3.
Created attachment 863: .json file_v1

I have attached the .json file for CVE classification. Please assign a release this issue is observed in, so I can update the .json file and assign a CVE-ID to this bug. Thanks!