A memory leak was discovered in NetworkPkg/ArpDxe in function ArpOnFrameRcvdDpc(), because an error condition is not correctly handled and does not signal the recycleEvent before continuing the reception of packets. An attacker can use this flaw to cause memory exhaustion.
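The leak pattern described above, as an added illustration that is not the EDK2 driver code or the upstream patch: a constructed C model of a receive callback in which the "before" handler returns early on a too-short frame without recycling its buffer, while the "after" handler recycles on every exit path. The ARP_HEAD_LEN value and the RX_DATA layout are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a receive buffer handed to the ARP receive callback.
 * In the real driver the buffer is owned by the lower layer and is returned
 * by signalling its recycle event; here recycling is a bookkeeping counter. */
typedef struct {
  size_t   DataLength;
  uint8_t *Data;
  bool     Recycled;
} RX_DATA;

#define ARP_HEAD_LEN 28u   /* assumed minimum ARP header size for this model */

static int g_Outstanding;  /* buffers delivered but not yet recycled */

static void RecycleRxData(RX_DATA *RxData) {
  if (!RxData->Recycled) { RxData->Recycled = true; g_Outstanding--; }
}

/* Before the fix: a too-short frame restarts reception without recycling,
 * so every malformed frame leaves one buffer outstanding forever. */
static void ArpOnFrameRcvd_Leaky(RX_DATA *RxData) {
  g_Outstanding++;
  if (RxData->DataLength < ARP_HEAD_LEN) {
    return;                        /* early exit: buffer never recycled */
  }
  /* normal ARP processing would happen here */
  RecycleRxData(RxData);           /* only the valid path recycles */
}

/* After the fix: valid and invalid frames share the same recycle exit. */
static void ArpOnFrameRcvd_Fixed(RX_DATA *RxData) {
  g_Outstanding++;
  if (RxData->DataLength >= ARP_HEAD_LEN) {
    /* normal ARP processing would happen here */
  }
  RecycleRxData(RxData);           /* every exit path recycles */
}

/* Deliver 'count' frames of 'len' bytes to one of the handlers and return how
 * many buffers are still outstanding: malformed frames leak one each in the
 * leaky handler and none in the fixed one. */
int OutstandingAfterFrames(int count, size_t len, bool fixed) {
  static uint8_t frame[64];        /* constructed, zero-filled frame payload */
  g_Outstanding = 0;
  for (int i = 0; i < count; i++) {
    RX_DATA rx = { len, frame, false };
    if (fixed) ArpOnFrameRcvd_Fixed(&rx); else ArpOnFrameRcvd_Leaky(&rx);
  }
  return g_Outstanding;
}
```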
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1801268]
Affects: fedora-all [bug 1801267]
Upstream bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
The following upstream bugs are additionally associated with this CVE:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2032
- https://bugzilla.tianocore.org/show_bug.cgi?id=1610
The following upstream bugs are additionally associated with this CVE:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2174
Upstream tracker bug (depending on 1610, 2031, 2032, 2174):
- https://bugzilla.tianocore.org/show_bug.cgi?id=2550
Upstream status:

- TianoCore#1610: fixed by upstream commit 578bcdc2605e ("NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).", 2020-02-19).
- TianoCore#2031: fixed by upstream commit 1d3215fd24f4 ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)", 2020-02-21).
- TianoCore#2032: no patch has been proposed yet; analysis seems stuck (as of <https://bugzilla.tianocore.org/show_bug.cgi?id=2032#c12>).
- TianoCore#2174: a patch has been attached to the upstream ticket, but not posted to edk2-devel for review; as of <https://bugzilla.tianocore.org/show_bug.cgi?id=2174#c6>.
(In reply to Laszlo Ersek from comment #12)
> Upstream status:
>
> - TianoCore#1610: fixed by upstream commit 578bcdc2605e
> ("NetworkPkg/Ip4Dxe: Check the received package length
> (CVE-2019-14559).", 2020-02-19).
>
> - TianoCore#2031: fixed by upstream commit 1d3215fd24f4
> ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)",
> 2020-02-21).
>
> - TianoCore#2032:

Fixed in upstream commit 65c73df44c61 ("ShellPkg: Fix 'ping' command Ip4 receive flow.", 2020-04-01).

> - TianoCore#2174:

A patch was upstreamed, 9c20342eed70 ("NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.", 2020-03-30), but it caused a regression, which I subsequently reported. The fix for the regression (also tested OK by me) is pending subsys maintainer review.
All upstream dependencies (of TianoCore#2550) have been fixed:

- TianoCore#1610: fixed by upstream commit 578bcdc2605e ("NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).", 2020-02-19).
- TianoCore#2031: fixed by upstream commit 1d3215fd24f4 ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)", 2020-02-21).
- TianoCore#2032: fixed in upstream commit 65c73df44c61 ("ShellPkg: Fix 'ping' command Ip4 receive flow.", 2020-04-01).
- TianoCore#2174: fixed in upstream commit 9c20342eed70 ("NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.", 2020-03-30).
- TianoCore#2655 (regression from the TianoCore#2174 patch): fixed in commit 4deef2d865ef ("NetworkPkg/Ip6Dxe: Fix ASSERT logic in Ip6ProcessRouterAdvertise()", 2020-04-02).
Hi Laszlo: I am not sure if this bug only needs me to do the sanity test of OVMF, or needs more testing. Could you provide me some suggestions? Many thanks!
Hello Leidong Wang, thanks for the question. TianoCore Bugzillas 1610, 2031 and 2032 were all found with network fuzzing; we don't have a reproducer. TianoCore#2174 does not say if it had been found with a fuzzer or not, but we still have no reproducer. So the above indicate that sanity testing should be sufficient. The fix for TianoCore#2174 introduced a regression however (upstream); that one was fixed under TianoCore#2655. This suggests a more directed sanity testing in turn, namely an IPv6 netboot test. So please sanity check IPv4 and IPv6 PXE boot. Thanks!
Hi Laszlo, thanks for your reply! OVMF sanity test, IPv4 boot and IPv6 boot can work normally. Thank you!
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14559
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4805 https://access.redhat.com/errata/RHSA-2020:4805