SUSE:SLE-15-SP7:GA
File ovmf-bsc1127820-fix-blockio-buffer-overflow.patch of Package ovmf.17512
From 789465e789ddfca24c4922e01e1cc40194181777 Mon Sep 17 00:00:00 2001 From: Hao Wu <hao.a.wu@intel.com> Date: Fri, 9 Feb 2018 08:43:01 +0800 Subject: [PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180) REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134 The commit adds checks for detecting GPT and MBR partitions. These checks will ensure that the device block size is big enough to hold an MBR (512 bytes). Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Ray Ni <ray.ni@intel.com> (cherry picked from commit fccdb88022c1f6d85c773fce506b10c879063f1d) --- MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 10 +++++++++- MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c index 2cd3e15e8acb..87f0d381967d 100644 --- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c +++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c @@ -13,7 +13,8 @@ PartitionValidGptTable(), PartitionCheckGptEntry() routine will accept disk partition content and validate the GPT table and GPT entry. -Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc. +Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at 
@@ -235,6 +236,13 @@ PartitionInstallGptChildHandles ( GptValidStatus = EFI_NOT_FOUND; + // + // Ensure the block size can hold the MBR + // + if (BlockSize < sizeof (MASTER_BOOT_RECORD)) { + return EFI_NOT_FOUND; + } + // // Allocate a buffer for the Protective MBR // diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c index 55e9d26bae5c..ba36ffddc648 100644 --- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c +++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c @@ -12,7 +12,7 @@ the legacy boot strap code. Copyright (c) 2014, Hewlett-Packard Development Company, L.P.<BR> -Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -149,6 +149,13 @@ PartitionInstallMbrChildHandles ( MediaId = BlockIo->Media->MediaId; LastBlock = BlockIo->Media->LastBlock; + // + // Ensure the block size can hold the MBR + // + if (BlockSize < sizeof (MASTER_BOOT_RECORD)) { + return EFI_NOT_FOUND; + } + Mbr = AllocatePool (BlockSize); if (Mbr == NULL) { return Found; -- 2.20.1 From f8a51182b01aa72b34ea8bf151d99e82fc676eed Mon Sep 17 00:00:00 2001 
From: Hao Wu <hao.a.wu@intel.com> Date: Wed, 7 Feb 2018 12:49:50 +0800 Subject: [PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180) REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134 Originally, the block size of created Ram disks is hard-coded to 512 bytes. However, if the total size of the Ram disk is not a multiple of 512 bytes, there will be potential memory access issues when dealing with the last block of the Ram disk. This commit will adjust the block size of the Ram disks to ensure that the total size is a multiple of the block size. Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Ray Ni <ray.ni@intel.com> (cherry picked from commit 38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f) --- .../Disk/RamDiskDxe/RamDiskBlockIo.c | 20 +++++++++++++------ .../Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++--- .../Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++-- 3 files changed, 20 insertions(+), 11 deletions(-) diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c index f36e1c8ff27b..358c463624c4 100644 --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c @@ -1,7 +1,7 @@ /** @file Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device. - Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at 
@@ -54,6 +54,7 @@ RamDiskInitBlockIo ( EFI_BLOCK_IO_PROTOCOL *BlockIo; EFI_BLOCK_IO2_PROTOCOL *BlockIo2; EFI_BLOCK_IO_MEDIA *Media; + UINT32 Remainder; BlockIo = &PrivateData->BlockIo; BlockIo2 = &PrivateData->BlockIo2; @@ -69,11 +70,18 @@ RamDiskInitBlockIo ( Media->LogicalPartition = FALSE; Media->ReadOnly = FALSE; Media->WriteCaching = FALSE; - Media->BlockSize = RAM_DISK_BLOCK_SIZE; - Media->LastBlock = DivU64x32 ( - PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1, - RAM_DISK_BLOCK_SIZE - ) - 1; + + for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE; + Media->BlockSize >= 1; + Media->BlockSize = Media->BlockSize >> 1) { + Media->LastBlock = DivU64x32Remainder (PrivateData->Size, Media->BlockSize, &Remainder) - 1; + if (Remainder == 0) { + break; + } + } + ASSERT (Media->BlockSize != 0); + + return; } diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h index 077bb77b25bf..18c7bb2c5854 100644 --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h @@ -1,7 +1,7 @@ /** @file The header file of RamDiskDxe driver. - Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -49,9 +49,9 @@ /// // -// Block size for RAM disk +// Default block size for RAM disk // -#define RAM_DISK_BLOCK_SIZE 512 +#define RAM_DISK_DEFAULT_BLOCK_SIZE 512 // // Iterate through the double linked list. NOT delete safe diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c index 6784e2b2f1e9..e8250d5c1bcc 100644 --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c 
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c @@ -1,7 +1,7 @@ /** @file The realization of EFI_RAM_DISK_PROTOCOL. - Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -613,7 +613,8 @@ RamDiskRegister ( // // Add check to prevent data read across the memory boundary // - if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) { + if ((RamDiskSize > MAX_UINTN) || + (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) { return EFI_INVALID_PARAMETER; } -- 2.20.1
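Review bot: In the Gpt.c file-header hunk (@@ -13,7 +13,8) of patch 1/2, the added line "Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc." is not explained by the commit message, which describes only the block-size checks. Either drop that line from this backport or name in the message the upstream change it came from, so the attribution can be audited.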
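Review bot: In PartitionInstallGptChildHandles (Gpt.c, @@ -235,6 +236,13), the new early return uses EFI_NOT_FOUND, the same value GptValidStatus is initialised to one line above, so a device rejected for its block size looks the same to the caller and in logs as a device that has no GPT. Suggest a DEBUG message before the return that reports BlockSize, and a comment that says why a block smaller than sizeof (MASTER_BOOT_RECORD) is unsafe rather than only that it is checked.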
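Review bot: In PartitionInstallMbrChildHandles (Mbr.c, @@ -149,6 +149,13), the new check returns the literal EFI_NOT_FOUND while the allocation-failure path directly below it uses "return Found;". Please use the same form in both places, or confirm that Found still holds EFI_NOT_FOUND at this point, so the two failure paths cannot drift apart. The placement before "Mbr = AllocatePool (BlockSize);" is right, since it keeps a buffer shorter than the MBR structure from ever being allocated and parsed.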
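Review bot: In RamDiskInitBlockIo (RamDiskBlockIo.c, @@ -69,11 +70,18), the halving loop can leave Media->BlockSize as small as 1 for an odd PrivateData->Size, and nothing in the code says so. A comment above the loop should state that the block size is reduced until it divides the size exactly, and that any result below 512 means the PartitionDxe checks from patch 1/2 return EFI_NOT_FOUND for that disk. Two smaller points: with PrivateData->Size equal to 0 the loop stops at 512 and "DivU64x32Remainder (...) - 1" wraps LastBlock, so please confirm the caller rejects a zero size; and "ASSERT (Media->BlockSize != 0);" cannot fire because a block size of 1 always gives Remainder == 0, so it documents intent only.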
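Review bot: In RamDiskRegister (RamDiskProtocol.c, @@ -613,7 +613,8), the rewritten bound drops the RAM_DISK_BLOCK_SIZE slack that the old expression subtracted, yet the comment above it is unchanged. That is only correct because RamDiskBlockIo.c now picks a block size that divides the disk size exactly, so the last block no longer extends past RamDiskBase + RamDiskSize; the comment should record that dependency. Rearranging to "RamDiskBase > MAX_UINTN - RamDiskSize + 1" also avoids the overflow the old sum could hit, which is worth saying. Please confirm RamDiskSize == 0 is rejected before this line, since the right-hand side then becomes MAX_UINTN + 1.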