Bug 1131362 – VUL-0: CVE-2018-12183: ovmf,OVMF: edk2: stack overflow in DxeCore leads to privilege escalation

Bug 1131362 - (CVE-2018-12183) VUL-0: CVE-2018-12183: ovmf,OVMF: edk2: stack overflow in DxeCore leads to privilege escalation

(CVE-2018-12183)
Summary:	VUL-0: CVE-2018-12183: ovmf,OVMF: edk2: stack overflow in DxeCore leads to pr...

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Gary Ching-Pang Lin
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/228242/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-04-03 06:31 UTC by Marcus Meissner
Modified:	2019-04-11 07:00 UTC (History)
CC List:	1 user (show)

See Also:	https://bugzilla.tianocore.org/show_bug.cgi?id=1126 https://bugzilla.tianocore.org/show_bug.cgi?id=1137
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2019-04-03 06:31:28 UTC

rh#1694077

Stack overflow in DxeCore for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.

Reference:
https://edk2-docs.gitbooks.io/security-advisory/content/unlimited-fv-recursion.html

Upstream commit:
https://github.com/tianocore/edk2/commit/0a0d5296e448fc350de1594c49b9c0deff7fad60

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1694077
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12183
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12183.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12183
http://www.securityfocus.com/bid/107643
https://edk2-docs.gitbooks.io/security-advisory/content/unlimited-fv-recursion.html

Comment 1 Gary Ching-Pang Lin 2019-04-08 08:04:51 UTC

The patch enables stack guard in CpuMpPei and it actually needs to pull in more stack guard patches. On the other hand, the CVE is about DxeCore and I'm still trying to figure out why the patch in CpuMpPei could fix the bug...

Comment 2 Gary Ching-Pang Lin 2019-04-10 03:33:19 UTC

I did a quick search for the backporting of Stack Guard, and we need at least 26 patches to enable Stack Guard in SLE15 OVMF. I'm hesitant to merge them into SLE15 since those patches change the CPU and virtual memory drivers. Besides, Stack Guard requires the guest to enable NX in CPU, and the user has to configure qemu settings to enable the feature. What worries me more is that Stack Guard is currently not enabled by default due to the hardware dependency, so the feature is not really tested even in Tumbleweed.

On the other hand, the root cause is that ProcessSection() in MdeModulePkg/Core/Pei/FwVol/FwVol.c calls itself unlimitedly due to the crafted FV image, and upstream wants to use Stack Guard to detect the stack overflow and avoid code execution in the stack. I feel the "fix" is overkill. A better fix would be to refactor ProcessSection() non-recursively or just limit the number of recursions.

Comment 3 Marcus Meissner 2019-04-11 05:31:19 UTC

i am fine with skipping this issue after your explanation.

Comment 4 Gary Ching-Pang Lin 2019-04-11 06:54:10 UTC

As Laszlo, the upstream OVMF maintainer, explained in upstream bug(*), OVMF doesn't provide the means to update FV images, so OVMF is actually not vulnerable to this issue.

(*) https://bugzilla.tianocore.org/show_bug.cgi?id=1137#c6

Comment 5 Marcus Meissner 2019-04-11 07:00:04 UTC

ok, closing!