Bug 1694077 (CVE-2018-12183)

Summary: CVE-2018-12183 edk2: stack overflow in DxeCore leads to privilege escalation
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: berrange, bmcclain, crobinso, dblechte, dfediuck, eedri, kraxel, lersek, mgoldboi, michal.skrivanek, pbonzini, philmd, sbonazzo, sherold, virt-maint, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:52:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1694085, 1694086
Bug Blocks: 1694083

Description Dhananjay Arunesh 2019-03-29 13:01:51 UTC
Stack overflow in DxeCore for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.

Reference:
https://edk2-docs.gitbooks.io/security-advisory/content/unlimited-fv-recursion.html

Upstream commit:
https://github.com/tianocore/edk2/commit/0a0d5296e448fc350de1594c49b9c0deff7fad60

Comment 1 Dhananjay Arunesh 2019-03-29 13:02:17 UTC
External References:

https://edk2-docs.gitbooks.io/security-advisory/content/unlimited-fv-recursion.html

Comment 2 Dhananjay Arunesh 2019-03-29 13:35:17 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 1694085]

Comment 3 Dhananjay Arunesh 2019-03-29 13:36:09 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1694086]

Comment 4 Laszlo Ersek 2019-04-01 16:36:04 UTC
(In reply to Dhananjay Arunesh from comment #1)
> External References:
> 
> https://edk2-docs.gitbooks.io/security-advisory/content/unlimited-fv-recursion.html

This advisory references upstream bugs #1126 and #1137.

- TianoCore#1126 is open to the public, and it identifies the commit hash (0a0d5296e4) at which the related series was completed. I don't see how that work is related to DxeCore stack overflow. The advisory names the same commit as well. IMO both of these may have been in error, in the advisory (i.e. both the commit hash and the BZ reference); although I could be proved wrong, obviously.

- In comparison, TianoCore#1137 has not been opened up to the public. I guess that BZ tracks the actual security bug. Can you please work with the TianoCore Bugzilla InfoSec group to open up TianoCore#1137? Thanks.