Bug 1758601 (CVE-2019-14559) - CVE-2019-14559 edk2: memory leak in ArpOnFrameRcvdDpc
Summary: CVE-2019-14559 edk2: memory leak in ArpOnFrameRcvdDpc
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1801268 1801267 1801275 1801276
Blocks: 1737084
 
Reported: 2019-10-04 15:16 UTC by Riccardo Schirone
Modified: 2020-11-04 04:01 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:21:41 UTC




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:4805  0        None      None    None     2020-11-04 04:01:22 UTC
TianoCore               1610            0        None      None    None     2020-02-23 08:33:51 UTC
TianoCore               2031            0        None      None    None     2019-10-04 18:07:16 UTC
TianoCore               2032            0        None      None    None     2020-02-05 21:29:26 UTC
TianoCore               2174            0        None      None    None     2020-02-23 08:38:37 UTC
TianoCore               2550            0        None      None    None     2020-02-23 08:56:27 UTC
TianoCore               2655            0        None      None    None     2020-04-01 18:36:33 UTC

Description Riccardo Schirone 2019-10-04 15:16:56 UTC
A memory leak was discovered in NetworkPkg/ArpDxe in function ArpOnFrameRcvdDpc(), because of an error condition that is not correctly handled and does not signal the recycleEvent before continuing the reception of packets. An attacker can use this flaw to cause memory exhaustion.
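
The leak pattern the description refers to, as an added illustration that is not edk2 code: in the MNP-style receive model, the driver hands the ARP receive callback a buffer it still owns, and the callback has to signal the token's recycle event on every path, including the "packet is invalid, drop it" path, or the driver never reclaims that buffer. The model below is constructed for this page (RxPool, RxBuffer, recycle(), the handler names and the sample frames are all assumptions, not the ArpDxe API); it places a handler that returns early on a malformed frame beside one that recycles before returning, which is the shape of the upstream fix titled "Recycle invalid ARP packets" listed later on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not edk2 code: the MNP-style driver owns the receive
 * buffer and only gets it back when the receiver signals "recycle". */

#define ARP_IPV4_LEN 28   /* 8-byte ARP header + two (MAC, IPv4) address pairs */

typedef struct {
  const uint8_t *data;
  size_t         len;
  bool           recycled;   /* set once the receiver has returned the buffer */
} RxBuffer;

typedef struct {
  size_t in_flight;          /* buffers handed out and not yet recycled */
} RxPool;

/* Stands in for signaling the token's recycle event: returns the buffer. */
static void recycle(RxPool *pool, RxBuffer *buf) {
  if (!buf->recycled) {
    buf->recycled = true;
    pool->in_flight--;
  }
}

/* Minimal sanity check on an Ethernet/IPv4 ARP packet. */
bool arp_packet_valid(const uint8_t *p, size_t len) {
  if (len < ARP_IPV4_LEN) return false;
  uint16_t htype = (uint16_t)((p[0] << 8) | p[1]);
  uint16_t ptype = (uint16_t)((p[2] << 8) | p[3]);
  uint16_t op    = (uint16_t)((p[6] << 8) | p[7]);
  if (htype != 1 || ptype != 0x0800) return false;   /* Ethernet, IPv4 */
  if (p[4] != 6 || p[5] != 4) return false;          /* hlen, plen */
  return op == 1 || op == 2;                         /* request or reply */
}

/* Vulnerable shape: the error path returns without recycling. */
void arp_on_frame_rcvd_leaky(RxPool *pool, RxBuffer *buf) {
  if (!arp_packet_valid(buf->data, buf->len)) {
    return;                       /* BUG: buffer stays in flight forever */
  }
  /* ... process request/reply, update ARP cache ... */
  recycle(pool, buf);
}

/* Fixed shape: every exit path hands the buffer back. */
void arp_on_frame_rcvd_fixed(RxPool *pool, RxBuffer *buf) {
  if (arp_packet_valid(buf->data, buf->len)) {
    /* ... process request/reply, update ARP cache ... */
  }
  recycle(pool, buf);             /* dropped or accepted, the buffer is recycled */
}

typedef void (*ArpHandler)(RxPool *, RxBuffer *);

/* Constructed sample frames. */
const uint8_t GOOD_ARP_REQUEST[ARP_IPV4_LEN] = {
  0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x01,            /* Ethernet/IPv4 request */
  0x52, 0x54, 0x00, 0xaa, 0xbb, 0xcc, 10, 0, 0, 2,     /* sender MAC, IP */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 10, 0, 0, 1      /* target MAC, IP */
};
const uint8_t BAD_ARP_FRAME[8] = { 0x00, 0x02, 0x08, 0x00, 6, 4, 0x00, 0x01 }; /* truncated */

/* Feed n copies of one frame to a handler; return how many buffers never came back. */
size_t leaked_after_frames(ArpHandler handler, const uint8_t *frame, size_t len, size_t n) {
  RxPool pool = { 0 };
  for (size_t i = 0; i < n; i++) {
    RxBuffer buf = { frame, len, false };
    pool.in_flight++;
    handler(&pool, &buf);
  }
  return pool.in_flight;
}

int main(void) {
  size_t bad = 1000;
  printf("leaky handler, %zu bad frames: %zu buffers leaked\n", bad,
         leaked_after_frames(arp_on_frame_rcvd_leaky, BAD_ARP_FRAME, sizeof BAD_ARP_FRAME, bad));
  printf("fixed handler, %zu bad frames: %zu buffers leaked\n", bad,
         leaked_after_frames(arp_on_frame_rcvd_fixed, BAD_ARP_FRAME, sizeof BAD_ARP_FRAME, bad));
  return 0;
}
```

The observable that matters is the in-flight count: with the leaky handler it grows by one per malformed frame and never comes down, which is the "memory exhaustion" the description warns about, since an unauthenticated peer on the link can send such frames at will. The fixed handler keeps the validation check exactly as it was; the only change is that rejection no longer skips the recycle step.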

Comment 5 Riccardo Schirone 2020-02-10 14:31:45 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1801268]
Affects: fedora-all [bug 1801267]

Comment 8 Riccardo Schirone 2020-02-10 14:44:54 UTC
Upstream bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=2031

Comment 9 Laszlo Ersek 2020-02-23 08:33:52 UTC
The following upstream bugs are additionally associated with this CVE:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2032
- https://bugzilla.tianocore.org/show_bug.cgi?id=1610

Comment 10 Laszlo Ersek 2020-02-23 08:36:46 UTC
The following upstream bugs are additionally associated with this CVE:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2174

Comment 11 Laszlo Ersek 2020-02-23 08:56:28 UTC
Upstream tracker bug (depending on 1610, 2031, 2032, 2174):
- https://bugzilla.tianocore.org/show_bug.cgi?id=2550

Comment 12 Laszlo Ersek 2020-02-23 09:12:35 UTC
Upstream status:

- TianoCore#1610: fixed by upstream commit 578bcdc2605e
  ("NetworkPkg/Ip4Dxe: Check the received package length
  (CVE-2019-14559).", 2020-02-19).

- TianoCore#2031: fixed by upstream commit 1d3215fd24f4
  ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)",
  2020-02-21).

- TianoCore#2032: no patch has been proposed yet; analysis seems stuck
  (as of <https://bugzilla.tianocore.org/show_bug.cgi?id=2032#c12>).

- TianoCore#2174: a patch has been attached to the upstream ticket, but
  not posted to edk2-devel for review; as of
  <https://bugzilla.tianocore.org/show_bug.cgi?id=2174#c6>.

Comment 13 Laszlo Ersek 2020-04-01 13:12:16 UTC
(In reply to Laszlo Ersek from comment #12)
> Upstream status:
> 
> - TianoCore#1610: fixed by upstream commit 578bcdc2605e
>   ("NetworkPkg/Ip4Dxe: Check the received package length
>   (CVE-2019-14559).", 2020-02-19).
> 
> - TianoCore#2031: fixed by upstream commit 1d3215fd24f4
>   ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)",
>   2020-02-21).
> 
> - TianoCore#2032:

Fixed in upstream commit 65c73df44c61 ("ShellPkg: Fix 'ping' command Ip4 receive flow.", 2020-04-01).

> - TianoCore#2174:

A patch was upstreamed 9c20342eed70 ("NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.", 2020-03-30), but it caused a regression, which I subsequently reported. The fix for the regression (also tested OK by me) is pending subsys maintainer review.

Comment 14 Laszlo Ersek 2020-04-02 15:07:35 UTC
All upstream dependencies (of TianoCore#2550) have been fixed:

- TianoCore#1610: fixed by upstream commit 578bcdc2605e
  ("NetworkPkg/Ip4Dxe: Check the received package length
  (CVE-2019-14559).", 2020-02-19).

- TianoCore#2031: fixed by upstream commit 1d3215fd24f4
  ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)",
  2020-02-21).

- TianoCore#2032: fixed in upstream commit 65c73df44c61 ("ShellPkg: Fix
  'ping' command Ip4 receive flow.", 2020-04-01).

- TianoCore#2174: fixed in upstream commit 9c20342eed70
  ("NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.",
  2020-03-30)

- TianoCore#2655 (regression from the TianoCore#2174 patch): fixed in
  commit 4deef2d865ef ("NetworkPkg/Ip6Dxe: Fix ASSERT logic in
  Ip6ProcessRouterAdvertise()", 2020-04-02).

Comment 15 leidwang@redhat.com 2020-06-29 02:48:01 UTC
Hi Laszlo:

I am not sure if this bug only needs me to do the sanity test of OVMF, or needs more testing. Could you provide me some suggestions? Many thanks!

Comment 16 Laszlo Ersek 2020-07-02 11:45:30 UTC
Hello Leidong Wang,

thanks for the question.

TianoCore Bugzillas 1610, 2031 and 2032 were all found with network fuzzing; we don't have a reproducer.

TianoCore #2174 does not say if it had been found with a fuzzer or not, but we still have no reproducer.

So the above indicate that sanity testing should be sufficient.

The fix for TianoCore#2174 introduced a regression however (upstream); that one was fixed under TianoCore#2655. This suggests a more directed sanity testing in turn, namely an IPv6 netboot test.

So please sanity check IPv4 and IPv6 PXE boot.

Thanks!

Comment 17 leidwang@redhat.com 2020-07-03 05:31:46 UTC
Hi Laszlo,

Thanks for your reply!

OVMF sanity test, IPv4 boot and IPv6 boot can work normally.

Thank you!

Comment 18 Product Security DevOps Team 2020-11-04 02:21:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14559

Comment 19 errata-xmlrpc 2020-11-04 04:01:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4805 https://access.redhat.com/errata/RHSA-2020:4805

