Bug 1131362 - (CVE-2018-12183) VUL-0: CVE-2018-12183: ovmf,OVMF: edk2: stack overflow in DxeCore leads to privilege escalation
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Gary Ching-Pang Lin
QA Contact: Security Team bot
Depends on:
Reported: 2019-04-03 06:31 UTC by Marcus Meissner
Modified: 2019-04-11 07:00 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Gary Ching-Pang Lin 2019-04-08 08:04:51 UTC
The patch enables stack guard in CpuMpPei and it actually needs to pull in more stack guard patches. On the other hand, the CVE is about DxeCore and I'm still trying to figure out why the patch in CpuMpPei could fix the bug...
Comment 2 Gary Ching-Pang Lin 2019-04-10 03:33:19 UTC
I did a quick search for the backporting of Stack Guard, and we need at least 26 patches to enable Stack Guard in SLE15 OVMF. I'm hesitant to merge them into SLE15 since those patches change the CPU and virtual memory drivers. Besides, Stack Guard requires the guest to enable NX in the CPU, and the user has to configure qemu settings to enable the feature. What worries me more is that Stack Guard is currently not enabled by default due to the hardware dependency, so the feature is not really tested even in Tumbleweed.

On the other hand, the root cause is that ProcessSection() in MdeModulePkg/Core/Pei/FwVol/FwVol.c calls itself unlimitedly due to the crafted FV image, and upstream wants to use Stack Guard to detect the stack overflow and avoid code execution in the stack. I feel the "fix" is overkill. A better fix would be to refactor ProcessSection() non-recursively or just limit the number of recursions.
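The recursion limit suggested in the comment above, as an added example that is not edk2 or OVMF code: a simplified section walker that refuses to descend past a fixed nesting depth rather than recursing until the stack is exhausted. The 3-byte size plus 1-byte type header follows the FFS common section header layout; the two section type values, the depth limit and the image builder are constructed for this example.

```c
/* Added example, not edk2 code: a depth-bounded walk over nested encapsulation
 * sections, the mitigation suggested above. Headers mimic the FFS common section
 * header (3-byte LE size incl. header, 1-byte type); types are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SEC_HDR_LEN 4
#define SEC_ENCAP   0x01  /* constructed: body holds child sections */
#define SEC_LEAF    0x19  /* constructed: body holds opaque data */
/* Walks sections in buf[0..len), counting leaves. Returns -1 on a malformed
 * image or when nesting exceeds max_depth, so a crafted image cannot exhaust
 * the stack through unbounded recursion. */
int process_section(const uint8_t *buf, size_t len, unsigned depth,
                    unsigned max_depth, size_t *leaves)
{
    if (depth > max_depth) return -1;   /* refuse instead of recursing further */
    for (size_t off = 0; off < len;) {
        if (len - off < SEC_HDR_LEN) return -1;          /* truncated header */
        const uint8_t *h = buf + off;
        size_t size = h[0] | (h[1] << 8) | ((size_t)h[2] << 16);
        if (size < SEC_HDR_LEN || size > len - off)
            return -1;                  /* section would escape its parent */
        if (h[3] == SEC_ENCAP) {
            if (process_section(h + SEC_HDR_LEN, size - SEC_HDR_LEN,
                                depth + 1, max_depth, leaves) != 0)
                return -1;
        } else if (h[3] == SEC_LEAF) {
            (*leaves)++;
        } else {
            return -1;                  /* unknown section type */
        }
        off += size;
    }
    return 0;
}

/* Constructed input: `levels` encapsulation headers around one 4-byte leaf.
 * Returns the image length, or 0 if it does not fit in cap. */
size_t build_nested(uint8_t *out, size_t cap, unsigned levels)
{
    size_t total = (size_t)(levels + 1) * SEC_HDR_LEN + 4, off = 0;
    if (total > cap || total > 0xFFFFFF) return 0;
    for (unsigned i = 0; i <= levels; i++, off += SEC_HDR_LEN) {
        size_t s = (i < levels) ? total - off : SEC_HDR_LEN + 4;
        out[off] = (uint8_t)s; out[off + 1] = (uint8_t)(s >> 8);
        out[off + 2] = (uint8_t)(s >> 16);
        out[off + 3] = (i < levels) ? SEC_ENCAP : SEC_LEAF;
    }
    memset(out + off, 0xAA, 4);         /* leaf payload */
    return total;
}
```

With the limit set to 8, a 3-level image is walked normally while a 64-level image is rejected at depth 9 instead of recursing 64 times; a real implementation would pick the limit from the deepest legitimate nesting the firmware build produces.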
Comment 3 Marcus Meissner 2019-04-11 05:31:19 UTC
I am fine with skipping this issue after your explanation.
Comment 4 Gary Ching-Pang Lin 2019-04-11 06:54:10 UTC
As Laszlo, the upstream OVMF maintainer, explained in the upstream bug (*), OVMF doesn't provide the means to update FV images, so OVMF is actually not vulnerable to this issue.

(*) https://bugzilla.tianocore.org/show_bug.cgi?id=1137#c6
Comment 5 Marcus Meissner 2019-04-11 07:00:04 UTC
OK, closing!