Your message dated Sat, 27 Apr 2019 11:14:32 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 9.9
has caused the Debian Bug report #924945,
regarding stretch-pu: package edk2/0~20161202.7bbe0b3e-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
924945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924945
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

Fixes 3 CVEs.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru edk2-0~20161202.7bbe0b3e/debian/changelog 
edk2-0~20161202.7bbe0b3e/debian/changelog
--- edk2-0~20161202.7bbe0b3e/debian/changelog   2016-12-09 01:09:39.000000000 
-0700
+++ edk2-0~20161202.7bbe0b3e/debian/changelog   2019-03-18 14:12:49.000000000 
-0600
@@ -1,3 +1,12 @@
+edk2 (0~20161202.7bbe0b3e-1+deb9u1) stretch; urgency=medium
+
+  * Security fixes (Closes: #924615):
+    - Fix buffer overflow in BlockIo service (CVE-2018-12180)
+    - DNS: Check received packet size before using (CVE-2018-12178)
+    - Fix stack overflow with corrupted BMP (CVE-2018-12181)
+
+ -- dann frazier <[email protected]>  Mon, 18 Mar 2019 14:12:49 -0600
+
 edk2 (0~20161202.7bbe0b3e-1) unstable; urgency=medium
 
   * New upstream release.
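Review bot: The changelog entry lists only the three CVE fixes, but this upload also adds 0000-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch, a 2017 upstream commit with no CVE whose casts the CVE-2018-12181 patch is written against. Add a line naming it as a prerequisite backport so it is clear why a non-CVE change is part of a stable update.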
diff -Nru 
edk2-0~20161202.7bbe0b3e/debian/patches/0000-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
 
edk2-0~20161202.7bbe0b3e/debian/patches/0000-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
--- 
edk2-0~20161202.7bbe0b3e/debian/patches/0000-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
     1969-12-31 17:00:00.000000000 -0700
+++ 
edk2-0~20161202.7bbe0b3e/debian/patches/0000-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
     2019-03-18 14:12:49.000000000 -0600
@@ -0,0 +1,144 @@
+From: Dandan Bi <[email protected]>
+Date: Wed, 12 Apr 2017 11:21:52 +0800
+Subject: [PATCH] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication
+
+An example:
+The codes in function Output8bitPixel in Image.c:
+OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
+
+Both Image->Width and Ypos are of type UINT16. They will be promoted to
+int (signed) first, and then perform the multiplication defined by macro
+BITMAP_LEN_8_BIT. If the result of multiplication between Image->Width and
+Ypos exceeds the range of type int, a potential incorrect results
+will be assigned to OffsetY.
+
+This commit adds explicit UINT32 type cast for 'Image->Width' to avoid
+possible overflow in the int range. And also fix similar issues in
+HiiDatabase.
+
+Cc: Eric Dong <[email protected]>
+Cc: Liming Gao <[email protected]>
+Cc: Hao Wu <[email protected]>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Dandan Bi <[email protected]>
+Reviewed-by: Hao Wu <[email protected]>
+
+Origin: 
https://github.com/tianocore/edk2/commit/f76bc44362e5f0a2ea509c07b2f6846bd9833ee8
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c 
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index e2fa16e6e0..431a5b8454 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -105,7 +105,7 @@ GetImageIdOrAddress (
+     case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
+       Length = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
+                BITMAP_LEN_8_BIT (
+-                 ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Width),
++                 (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK 
*) CurrentImageBlock)->Bitmap.Width),
+                  ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Height)
+                  );
+       ImageIdCurrent++;
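Review bot: The `(UINT32)` cast is added by hand at each BITMAP_LEN_8_BIT / BITMAP_LEN_24_BIT call site, here and in the hunks below, so any later caller that passes two UINT16 values reintroduces the int-promoted multiply. Consider widening the first operand inside the macro definitions instead, so call sites cannot get it wrong.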
+@@ -115,7 +115,7 @@ GetImageIdOrAddress (
+     case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
+       Length = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+                BITMAP_LEN_24_BIT (
+-                 ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK 
*) CurrentImageBlock)->Bitmap.Width),
++                 (UINT32) ReadUnaligned16 ((VOID *) 
&((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+                  ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK 
*) CurrentImageBlock)->Bitmap.Height)
+                  );
+       ImageIdCurrent++;
+@@ -453,7 +453,7 @@ Output8bitPixel (
+   // Convert the pixel from 8 bits to corresponding color.
+   //
+   for (Ypos = 0; Ypos < Image->Height; Ypos++) {
+-    OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
++    OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
+     //
+     // All bits are meaningful since the bitmap is 8 bits per pixel.
+     //
+@@ -493,7 +493,7 @@ Output24bitPixel (
+   BitMapPtr = Image->Bitmap;
+ 
+   for (Ypos = 0; Ypos < Image->Height; Ypos++) {
+-    OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
++    OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
+     CopyRgbToGopPixel (&BitMapPtr[OffsetY], &Data[OffsetY], Image->Width);
+   }
+ 
+@@ -650,7 +650,7 @@ HiiNewImage (
+   }
+ 
+   NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+-                 BITMAP_LEN_24_BIT (Image->Width, Image->Height);
++                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
+ 
+   //
+   // Get the image package in the package list,
+@@ -753,7 +753,7 @@ HiiNewImage (
+   }
+   WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
ImageBlocks)->Bitmap.Width, Image->Width);
+   WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
ImageBlocks)->Bitmap.Height, Image->Height);
+-  CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
ImageBlocks)->Bitmap.Bitmap, Image->Bitmap, Image->Width * Image->Height);
++  CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
ImageBlocks)->Bitmap.Bitmap, Image->Bitmap, (UINT32) Image->Width * 
Image->Height);
+ 
+   //
+   // Append the block end
+@@ -896,7 +896,7 @@ IGetImage (
+     //
+     CopyMem (&Iibt1bit, CurrentImageBlock, sizeof 
(EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
+     ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
+-                  (Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
++                  ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
+     Image->Bitmap = AllocateZeroPool (ImageLength);
+     if (Image->Bitmap == NULL) {
+       return EFI_OUT_OF_RESOURCES;
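Review bot: In `sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height)` the cast only stops the int promotion; the widened product is still multiplied by the pixel size with no bound, so ImageLength can wrap before AllocateZeroPool wherever it is 32 bits wide. A limit check before the final multiply is needed, which the CVE-2018-12181 patch later in this debdiff adds for this line.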
+@@ -947,7 +947,7 @@ IGetImage (
+   case EFI_HII_IIBT_IMAGE_24BIT:
+     Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Width);
+     Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Height);
+-    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * (Width * Height);
++    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width * 
Height);
+     Image->Bitmap = AllocateZeroPool (ImageLength);
+     if (Image->Bitmap == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+@@ -1095,7 +1095,7 @@ HiiSetImage (
+   case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
+     OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
+                    BITMAP_LEN_8_BIT (
+-                     ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Width),
++                     (UINT32) ReadUnaligned16 
(&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+                      ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Height)
+                      );
+     break;
+@@ -1103,7 +1103,7 @@ HiiSetImage (
+   case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
+     OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+                    BITMAP_LEN_24_BIT (
+-                     ReadUnaligned16 ((VOID *) 
&((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
++                     (UINT32) ReadUnaligned16 ((VOID *) 
&((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+                      ReadUnaligned16 ((VOID *) 
&((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
+                      );
+     break;
+@@ -1115,7 +1115,7 @@ HiiSetImage (
+   // Create the new image block according to input image.
+   //
+   NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+-                 BITMAP_LEN_24_BIT (Image->Width, Image->Height);
++                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
+   //
+   // Adjust the image package to remove the original block firstly then add 
the new block.
+   //
+@@ -1140,7 +1140,7 @@ HiiSetImage (
+   WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
NewImageBlock)->Bitmap.Width, Image->Width);
+   WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
NewImageBlock)->Bitmap.Height, Image->Height);
+   CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
NewImageBlock)->Bitmap.Bitmap,
+-                       Image->Bitmap, Image->Width * Image->Height);
++                       Image->Bitmap, (UINT32) Image->Width * Image->Height);
+ 
+   CopyMem ((UINT8 *) NewImageBlock + NewBlockSize, (UINT8 *) 
CurrentImageBlock + OldBlockSize, Part2Size);
+ 
+-- 
+2.20.1
+
diff -Nru 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
--- 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
     1969-12-31 17:00:00.000000000 -0700
+++ 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
     2019-03-18 14:12:49.000000000 -0600
@@ -0,0 +1,243 @@
+From: Ray Ni <[email protected]>
+Date: Thu, 7 Mar 2019 18:35:13 +0800
+Subject: [PATCH] MdeModulePkg/HiiDatabase: Fix potential integer overflow
+ (CVE-2018-12181)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <[email protected]>
+Cc: Dandan Bi <[email protected]>
+Cc: Hao A Wu <[email protected]>
+Reviewed-by: Hao Wu <[email protected]>
+Reviewed-by: Jian J Wang <[email protected]>
+
+Origin: 
https://github.com/tianocore/edk2/commit/ffe5f7a6b4e978dffbe1df228963adc914451106
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+Index: edk2/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+===================================================================
+--- edk2.orig/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ edk2/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -16,6 +16,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF
+ 
+ #include "HiiDatabase.h"
+ 
++#define MAX_UINT24    0xFFFFFF
+ 
+ /**
+   Get the imageid of last image block: EFI_HII_IIBT_END_BLOCK when input
+@@ -649,8 +650,16 @@ HiiNewImage (
+     return EFI_NOT_FOUND;
+   }
+ 
+-  NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+-                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++  //
++  // Calcuate the size of new image.
++  // Make sure the size doesn't overflow UINT32.
++  // Note: 24Bit BMP occpuies 3 bytes per pixel.
++  //
++  NewBlockSize = (UINT32)Image->Width * Image->Height;
++  if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - 
sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++  NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) 
- sizeof (EFI_HII_RGB_PIXEL));
+ 
+   //
+   // Get the image package in the package list,
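Review bot: The three-step size computation in HiiNewImage (pixel count, bound against `MAX_UINT32`, then `* 3` plus the block header) is repeated verbatim in the HiiSetImage hunk further down; a small static helper that returns the block size or an error would keep the two bounds from drifting apart. The new comment also has typos: "Calcuate" and "occpuies".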
+@@ -669,6 +678,18 @@ HiiNewImage (
+     //
+     // Update the package's image block by appending the new block to the end.
+     //
++
++    //
++    // Make sure the final package length doesn't overflow.
++    // Length of the package header is represented using 24 bits. So MAX 
length is MAX_UINT24.
++    //
++    if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    //
++    // Because ImagePackage->ImageBlockSize < 
ImagePackage->ImagePkgHdr.Header.Length,
++    // So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24
++    //
+     ImageBlocks = AllocatePool (ImagePackage->ImageBlockSize + NewBlockSize);
+     if (ImageBlocks == NULL) {
+       return EFI_OUT_OF_RESOURCES;
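Review bot: The comment above AllocatePool relies on `ImagePackage->ImageBlockSize < ImagePackage->ImagePkgHdr.Header.Length` to conclude that the sum stays within MAX_UINT24, but nothing in this hunk checks that relation. An ASSERT on it, or an explicit check that returns an error, placed before the allocation would make the reasoning hold even if the package fields are inconsistent.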
+@@ -699,6 +720,13 @@ HiiNewImage (
+ 
+   } else {
+     //
++    // Make sure the final package length doesn't overflow.
++    // Length of the package header is represented using 24 bits. So MAX 
length is MAX_UINT24.
++    //
++    if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) + 
sizeof (EFI_HII_IIBT_END_BLOCK))) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    //
+     // The specified package list does not contain image package.
+     // Create one to add this image block.
+     //
+@@ -895,8 +923,11 @@ IGetImage (
+     // Use the common block code since the definition of these structures is 
the same.
+     //
+     CopyMem (&Iibt1bit, CurrentImageBlock, sizeof 
(EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
+-    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
+-                  ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
++    ImageLength = (UINTN) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height;
++    if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    ImageLength  *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+     Image->Bitmap = AllocateZeroPool (ImageLength);
+     if (Image->Bitmap == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+@@ -945,9 +976,13 @@ IGetImage (
+     // fall through
+     //
+   case EFI_HII_IIBT_IMAGE_24BIT:
+-    Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Width);
++    Width  = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Width);
+     Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Height);
+-    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width * 
Height);
++    ImageLength = (UINTN)Width * Height;
++    if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    ImageLength  *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+     Image->Bitmap = AllocateZeroPool (ImageLength);
+     if (Image->Bitmap == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+@@ -1114,8 +1149,23 @@ HiiSetImage (
+   //
+   // Create the new image block according to input image.
+   //
+-  NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+-                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++
++  //
++  // Make sure the final package length doesn't overflow.
++  // Length of the package header is represented using 24 bits. So MAX length 
is MAX_UINT24.
++  // 24Bit BMP occpuies 3 bytes per pixel.
++  //
++  NewBlockSize = (UINT32)Image->Width * Image->Height;
++  if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - 
sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++  NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) 
- sizeof (EFI_HII_RGB_PIXEL));
++  if ((NewBlockSize > OldBlockSize) &&
++      (NewBlockSize - OldBlockSize > MAX_UINT24 - 
ImagePackage->ImagePkgHdr.Header.Length)
++      ) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
+   //
+   // Adjust the image package to remove the original block firstly then add 
the new block.
+   //
+@@ -1207,8 +1257,8 @@ HiiDrawImage (
+   EFI_IMAGE_OUTPUT                    *ImageOut;
+   EFI_GRAPHICS_OUTPUT_BLT_PIXEL       *BltBuffer;
+   UINTN                               BufferLen;
+-  UINTN                               Width;
+-  UINTN                               Height;
++  UINT16                              Width;
++  UINT16                              Height;
+   UINTN                               Xpos;
+   UINTN                               Ypos;
+   UINTN                               OffsetY1;
+@@ -1269,21 +1319,36 @@ HiiDrawImage (
+   //
+   if (*Blt != NULL) {
+     //
++    // Make sure the BltX and BltY is inside the Blt area.
++    //
++    if ((BltX >= (*Blt)->Width) || (BltY >= (*Blt)->Height)) {
++      return EFI_INVALID_PARAMETER;
++    }
++
++    //
+     // Clip the image by (Width, Height)
+     //
+ 
+     Width  = Image->Width;
+     Height = Image->Height;
+ 
+-    if (Width > (*Blt)->Width - BltX) {
+-      Width = (*Blt)->Width - BltX;
++    if (Width > (*Blt)->Width - (UINT16)BltX) {
++      Width = (*Blt)->Width - (UINT16)BltX;
+     }
+-    if (Height > (*Blt)->Height - BltY) {
+-      Height = (*Blt)->Height - BltY;
++    if (Height > (*Blt)->Height - (UINT16)BltY) {
++      Height = (*Blt)->Height - (UINT16)BltY;
+     }
+ 
+-    BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+-    BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool 
(BufferLen);
++    //
++    // Prepare the buffer for the temporary image.
++    // Make sure the buffer size doesn't overflow UINTN.
++    //
++    BufferLen = Width * Height;
++    if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++    BltBuffer  = AllocateZeroPool (BufferLen);
+     if (BltBuffer == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+     }
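Review bot: With Width and Height now declared UINT16, `BufferLen = Width * Height;` multiplies two operands promoted to signed int, the same pattern the HiiDB multiplication patch earlier in this debdiff casts away; a product above INT_MAX (two values near 0xFFFF, for example) is not computed in UINTN, so the `MAX_UINTN / sizeof (...)` check that follows sees the wrong value. Write `(UINTN) Width * Height`, as the final loop bound in this patch already does, and apply the same change to the identical line in the next hunk.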
+@@ -1346,11 +1411,26 @@ HiiDrawImage (
+     //
+     // Allocate a new bitmap to hold the incoming image.
+     //
+-    Width  = Image->Width  + BltX;
+-    Height = Image->Height + BltY;
+ 
+-    BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+-    BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool 
(BufferLen);
++    //
++    // Make sure the final width and height doesn't overflow UINT16.
++    //
++    if ((BltX > (UINTN)MAX_UINT16 - Image->Width) || (BltY > 
(UINTN)MAX_UINT16 - Image->Height)) {
++      return EFI_INVALID_PARAMETER;
++    }
++
++    Width  = Image->Width  + (UINT16)BltX;
++    Height = Image->Height + (UINT16)BltY;
++
++    //
++    // Make sure the output image size doesn't overflow UINTN.
++    //
++    BufferLen = Width * Height;
++    if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++      return EFI_OUT_OF_RESOURCES;
++    }
++    BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++    BltBuffer  = AllocateZeroPool (BufferLen);
+     if (BltBuffer == NULL) {
+       return EFI_OUT_OF_RESOURCES;
+     }
+@@ -1360,8 +1440,8 @@ HiiDrawImage (
+       FreePool (BltBuffer);
+       return EFI_OUT_OF_RESOURCES;
+     }
+-    ImageOut->Width        = (UINT16) Width;
+-    ImageOut->Height       = (UINT16) Height;
++    ImageOut->Width        = Width;
++    ImageOut->Height       = Height;
+     ImageOut->Image.Bitmap = BltBuffer;
+ 
+     //
+@@ -1375,7 +1455,7 @@ HiiDrawImage (
+       return Status;
+     }
+     ASSERT (FontInfo != NULL);
+-    for (Index = 0; Index < Width * Height; Index++) {
++    for (Index = 0; Index < (UINTN)Width * Height; Index++) {
+       BltBuffer[Index] = FontInfo->BackgroundColor;
+     }
+     FreePool (FontInfo);
diff -Nru 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
--- 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
     1969-12-31 17:00:00.000000000 -0700
+++ 
edk2-0~20161202.7bbe0b3e/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
     2019-03-18 14:12:49.000000000 -0600
@@ -0,0 +1,59 @@
+From: Hao Wu <[email protected]>
+Date: Fri, 9 Feb 2018 08:43:01 +0800
+Subject: [PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
+ (CVE-2018-12180)
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
+
+The commit adds checks for detecting GPT and MBR partitions.
+
+These checks will ensure that the device block size is big enough to hold
+an MBR (512 bytes).
+
+Cc: Jian J Wang <[email protected]>
+Cc: Star Zeng <[email protected]>
+Cc: Laszlo Ersek <[email protected]>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <[email protected]>
+Reviewed-by: Ray Ni <[email protected]>
+
+Origin: 
https://github.com/tianocore/edk2/commit/fccdb88022c1f6d85c773fce506b10c879063f1d
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+Index: edk2/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+===================================================================
+--- edk2.orig/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
++++ edk2/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+@@ -235,6 +235,13 @@ PartitionInstallGptChildHandles (
+   GptValidStatus = EFI_NOT_FOUND;
+ 
+   //
++  // Ensure the block size can hold the MBR
++  //
++  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
++    return EFI_NOT_FOUND;
++  }
++
++  //
+   // Allocate a buffer for the Protective MBR
+   //
+   ProtectiveMbr = AllocatePool (BlockSize);
+Index: edk2/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+===================================================================
+--- edk2.orig/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
++++ edk2/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+@@ -148,6 +148,13 @@ PartitionInstallMbrChildHandles (
+   MediaId   = BlockIo->Media->MediaId;
+   LastBlock = BlockIo->Media->LastBlock;
+ 
++  //
++  // Ensure the block size can hold the MBR
++  //
++  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
++    return EFI_NOT_FOUND;
++  }
++
+   Mbr = AllocatePool (BlockSize);
+   if (Mbr == NULL) {
+     return Found;
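Review bot: The new early exit in PartitionInstallMbrChildHandles returns the literal EFI_NOT_FOUND, while the allocation failure two lines below returns `Found`. If `Found` is already initialised at this point, return it here too so both exits report the same way; a DEBUG message would also help explain why a device with a small block size was skipped.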
diff -Nru 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
--- 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
     1969-12-31 17:00:00.000000000 -0700
+++ 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
     2019-03-18 14:12:49.000000000 -0600
@@ -0,0 +1,52 @@
+From: Ray Ni <[email protected]>
+Date: Thu, 7 Mar 2019 18:35:14 +0800
+Subject: [PATCH] MdeModulePkg/HiiImage: Fix stack overflow when corrupted BMP
+ is parsed (CVE-2018-12181)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+For 4bit BMP, there are only 2^4 = 16 colors in the palette.
+But when a corrupted BMP contains more than 16 colors in the palette,
+today's implementation wrongly copies all colors to the local
+PaletteValue[16] array which causes stack overflow.
+
+The similar issue also exists in the logic to handle 8bit BMP.
+
+The patch fixes the issue by only copies the first 16 or 256 colors
+in the palette depending on the BMP type.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <[email protected]>
+Cc: Liming Gao <[email protected]>
+Cc: Jiewen Yao <[email protected]>
+Reviewed-by: Jian J Wang <[email protected]>
+
+Origin: 
https://github.com/tianocore/edk2/commit/89910a39dcfd788057caa5d88b7e76e112d187b5
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c 
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index 80a4ec1114..8532f272eb 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -370,7 +370,7 @@ Output4bitPixel (
+   PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+ 
+   ZeroMem (PaletteValue, sizeof (PaletteValue));
+-  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, 
ARRAY_SIZE (PaletteValue)));
+   FreePool (Palette);
+ 
+   //
+@@ -447,7 +447,7 @@ Output8bitPixel (
+   CopyMem (Palette, PaletteInfo, PaletteSize);
+   PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+   ZeroMem (PaletteValue, sizeof (PaletteValue));
+-  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, 
ARRAY_SIZE (PaletteValue)));
+   FreePool (Palette);
+ 
+   //
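Review bot: `MIN (PaletteNum, ARRAY_SIZE (PaletteValue))` bounds the copy in both Output4bitPixel and Output8bitPixel, but a palette larger than the BMP type allows is then accepted silently and the image is still rendered. Since the commit message treats that input as corrupted, consider at least a DEBUG message when PaletteNum exceeds the array size, so malformed HII image data is visible to whoever is debugging the platform.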
+-- 
+2.20.1
+
diff -Nru 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
--- 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
     1969-12-31 17:00:00.000000000 -0700
+++ 
edk2-0~20161202.7bbe0b3e/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
     2019-03-18 14:12:49.000000000 -0600
@@ -0,0 +1,92 @@
+From: Hao Wu <[email protected]>
+Date: Wed, 7 Feb 2018 12:49:50 +0800
+Subject: [PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
+ (CVE-2018-12180)
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
+
+Originally, the block size of created Ram disks is hard-coded to 512
+bytes. However, if the total size of the Ram disk is not a multiple of 512
+bytes, there will be potential memory access issues when dealing with the
+last block of the Ram disk.
+
+This commit will adjust the block size of the Ram disks to ensure that the
+total size is a multiple of the block size.
+
+Cc: Jian J Wang <[email protected]>
+Cc: Star Zeng <[email protected]>
+Cc: Laszlo Ersek <[email protected]>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <[email protected]>
+Reviewed-by: Ray Ni <[email protected]>
+
+Origin: 
https://github.com/tianocore/edk2/commit/38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+Index: edk2/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
+===================================================================
+--- edk2.orig/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
++++ edk2/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
+@@ -54,6 +54,7 @@ RamDiskInitBlockIo (
+   EFI_BLOCK_IO_PROTOCOL           *BlockIo;
+   EFI_BLOCK_IO2_PROTOCOL          *BlockIo2;
+   EFI_BLOCK_IO_MEDIA              *Media;
++  UINT32                          Remainder;
+ 
+   BlockIo  = &PrivateData->BlockIo;
+   BlockIo2 = &PrivateData->BlockIo2;
+@@ -69,11 +70,18 @@ RamDiskInitBlockIo (
+   Media->LogicalPartition = FALSE;
+   Media->ReadOnly         = FALSE;
+   Media->WriteCaching     = FALSE;
+-  Media->BlockSize        = RAM_DISK_BLOCK_SIZE;
+-  Media->LastBlock        = DivU64x32 (
+-                              PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
+-                              RAM_DISK_BLOCK_SIZE
+-                              ) - 1;
++
++  for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
++       Media->BlockSize >= 1;
++       Media->BlockSize = Media->BlockSize >> 1) {
++    Media->LastBlock = DivU64x32Remainder (PrivateData->Size, 
Media->BlockSize, &Remainder) - 1;
++    if (Remainder == 0) {
++      break;
++    }
++  }
++  ASSERT (Media->BlockSize != 0);
++
++  return;
+ }
+ 
+ 
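Review bot: In the block-size loop, `DivU64x32Remainder (PrivateData->Size, Media->BlockSize, &Remainder) - 1` yields a quotient of 0 with Remainder 0 when Size is 0, so the loop breaks on the first pass and LastBlock wraps around; confirm that a zero-size RAM disk is rejected before RamDiskInitBlockIo, or guard it here. The loop can also settle on a block size below 512, which the PartitionDxe check in patch 1/2 then answers with EFI_NOT_FOUND, and the trailing `return;` is redundant.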
+Index: edk2/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
+===================================================================
+--- edk2.orig/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
++++ edk2/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
+@@ -49,9 +49,9 @@
+ ///
+ 
+ //
+-// Block size for RAM disk
++// Default block size for RAM disk
+ //
+-#define RAM_DISK_BLOCK_SIZE 512
++#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
+ 
+ //
+ // Iterate through the double linked list. NOT delete safe
+Index: edk2/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+===================================================================
+--- edk2.orig/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
++++ edk2/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+@@ -613,7 +613,8 @@ RamDiskRegister (
+   //
+   // Add check to prevent data read across the memory boundary
+   //
+-  if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) {
++  if ((RamDiskSize > MAX_UINTN) ||
++      (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
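Review bot: In `RamDiskBase > MAX_UINTN - RamDiskSize + 1`, a RamDiskSize of 0 makes the right-hand side `MAX_UINTN + 1`, which wraps to 0 when the expression is evaluated at UINTN width, so every nonzero base is rejected. That is harmless only if a zero size is refused earlier in RamDiskRegister; either say so in the comment above the check or handle the zero case explicitly.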
diff -Nru 
edk2-0~20161202.7bbe0b3e/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
 
edk2-0~20161202.7bbe0b3e/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
--- 
edk2-0~20161202.7bbe0b3e/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
  1969-12-31 17:00:00.000000000 -0700
+++ 
edk2-0~20161202.7bbe0b3e/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
  2019-03-18 14:12:49.000000000 -0600
@@ -0,0 +1,217 @@
+From: Jiaxin Wu <[email protected]>
+Date: Mon, 2 Jul 2018 09:20:56 +0800
+Subject: [PATCH] NetworkPkg/DnsDxe: [CVE-2018-12178] Check the received packet
+ size before parsing the message.
+
+Fix CVE-2018-12178
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809
+
+The DNS driver only checks the received packet size against the
+minimum DNS header size in DnsOnPacketReceived(), later it accesses
+the QueryName and QuerySection beyond the header scope, which might
+cause the pointer within DNS driver points to an invalid entry or
+modifies the memory content beyond the header scope.
+
+This patch is to fix above problem.
+
+Cc: Ye Ting <[email protected]>
+Cc: Fu Siyuan <[email protected]>
+Cc: Wang Fan <[email protected]>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Wu Jiaxin <[email protected]>
+Reviewed-by: Siyuan Fu <[email protected]>
+
+Origin: 
https://github.com/tianocore/edk2/commit/84110bbe4bb3a346514b9bb12eadb7586bca7dfd
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+Index: edk2/NetworkPkg/DnsDxe/DnsImpl.c
+===================================================================
+--- edk2.orig/NetworkPkg/DnsDxe/DnsImpl.c
++++ edk2/NetworkPkg/DnsDxe/DnsImpl.c
+@@ -1098,6 +1098,7 @@ IsValidDnsResponse (
+ 
+   @param  Instance              The DNS instance
+   @param  RxString              Received buffer.
++  @param  Length                Received buffer length.

+   @param  Completed             Flag to indicate that Dns response is valid. 
+   
+   @retval EFI_SUCCESS           Parse Dns Response successfully.
+@@ -1108,12 +1109,14 @@ EFI_STATUS
+ ParseDnsResponse (
+   IN OUT DNS_INSTANCE              *Instance,
+   IN     UINT8                     *RxString,
++  IN     UINT32                    Length,

+      OUT BOOLEAN                   *Completed
+   )
+ {
+   DNS_HEADER            *DnsHeader;
+   
+   CHAR8                 *QueryName;
++  UINT32                QueryNameLen;

+   DNS_QUERY_SECTION     *QuerySection;
+   
+   CHAR8                 *AnswerName;
+@@ -1139,6 +1142,7 @@ ParseDnsResponse (
+   DNS6_RESOURCE_RECORD  *Dns6RR;
+ 
+   EFI_STATUS            Status;
++  UINT32                RemainingLength;
+ 
+   EFI_TPL               OldTpl;
+   
+@@ -1162,6 +1166,17 @@ ParseDnsResponse (
+ 
+   *Completed       = TRUE;
+   Status           = EFI_SUCCESS;
++  RemainingLength  = Length;

++

++  //

++  // Check whether the remaining packet length is avaiable or not.

++  //

++  if (RemainingLength <= sizeof (DNS_HEADER)) {

++    *Completed = FALSE;

++    return EFI_ABORTED;

++  } else {

++    RemainingLength -= sizeof (DNS_HEADER);

++  }

+   
+   //
+   // Get header
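Review bot: in the new header-length check, the else branch after the early return is redundant; "RemainingLength -= sizeof (DNS_HEADER);" can follow the if block directly, which keeps the check to four lines. The added comment also misspells "available" as "avaiable", and the same comment is repeated in the later hunks.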
+@@ -1176,21 +1191,37 @@ ParseDnsResponse (
+   DnsHeader->AditionalNum = NTOHS (DnsHeader->AditionalNum);
+ 
+   //
++  // There is always one QuestionsNum in DNS message. The capability to 
handle more
++  // than one requires to redesign the message format. Currently, it's not 
supported.
++  //
++  if (DnsHeader->QuestionsNum > 1) {
++    *Completed = FALSE;
++    return EFI_UNSUPPORTED;
++  }
++
++  //
+   // Get Query name
+   //
+   QueryName = (CHAR8 *) (RxString + sizeof (*DnsHeader));
+ 
++  QueryNameLen = (UINT32) AsciiStrLen (QueryName) + 1;
++
+   //
+-  // Get query section
++  // Check whether the remaining packet length is avaiable or not.
+   //
+-  QuerySection = (DNS_QUERY_SECTION *) (QueryName + AsciiStrLen (QueryName) + 
1);
+-  QuerySection->Type = NTOHS (QuerySection->Type);
+-  QuerySection->Class = NTOHS (QuerySection->Class);
++  if (RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)) {
++    *Completed = FALSE;
++    return EFI_ABORTED;
++  } else {
++    RemainingLength -= (QueryNameLen + sizeof (DNS_QUERY_SECTION));
++  }
+ 
+   //
+-  // Get Answer name
++  // Get query section
+   //
+-  AnswerName = (CHAR8 *) QuerySection + sizeof (*QuerySection);
++  QuerySection = (DNS_QUERY_SECTION *) (QueryName + QueryNameLen);
++  QuerySection->Type = NTOHS (QuerySection->Type);
++  QuerySection->Class = NTOHS (QuerySection->Class);
+ 
+   OldTpl = gBS->RaiseTPL (TPL_CALLBACK);
+ 
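Review bot: QueryNameLen is computed with AsciiStrLen (QueryName) before it is compared with RemainingLength, so the scan for the terminating NUL is itself unbounded and can read past the received data when the name is not terminated inside the packet. Bound the scan by RemainingLength, for example with AsciiStrnLenS (QueryName, RemainingLength), and abort when no terminator is found within that range. Separately, the new QuestionsNum > 1 test lets QuestionsNum == 0 through, yet the code below still parses a query name and query section; rejecting anything other than exactly one question would match what the comment says.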
+@@ -1326,10 +1357,26 @@ ParseDnsResponse (
+   Status = EFI_NOT_FOUND;
+ 
+   //
++  // Get Answer name
++  //
++  AnswerName = (CHAR8 *) QuerySection + sizeof (*QuerySection);
++
++  //
+   // Processing AnswerSection.
+   //
+   while (AnswerSectionNum < DnsHeader->AnswersNum) {
+     //
++    // Check whether the remaining packet length is avaiable or not.
++    //
++    if (RemainingLength <= sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION)) {
++      *Completed = FALSE;
++      Status = EFI_ABORTED;
++      goto ON_EXIT;
++    } else {
++      RemainingLength -= (sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION));
++    }
++
++    //
+     // Answer name should be PTR.
+     //
+     ASSERT ((*(UINT8 *) AnswerName & 0xC0) == 0xC0);
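Review bot: the length test at the top of the answer loop budgets sizeof (UINT16) for the answer name, which is only correct when the name is a two-byte compression pointer, and the only thing enforcing that is the ASSERT in the context line that follows. That condition comes from the received packet, so it should be a runtime check that sets *Completed = FALSE and exits through ON_EXIT with EFI_ABORTED like the neighbouring tests, not an assertion.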
+@@ -1344,6 +1391,17 @@ ParseDnsResponse (
+     AnswerSection->DataLength = NTOHS (AnswerSection->DataLength);
+ 
+     //
++    // Check whether the remaining packet length is avaiable or not.
++    //
++    if (RemainingLength < AnswerSection->DataLength) {
++      *Completed = FALSE;
++      Status = EFI_ABORTED;
++      goto ON_EXIT;
++    } else {
++      RemainingLength -= AnswerSection->DataLength;
++    }
++
++    //
+     // Check whether it's the GeneralLookUp querying.
+     //
+     if (Instance->Service->IpVersion == IP_VERSION_4 && 
Dns4TokenEntry->GeneralLookUp) {
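Review bot: the DataLength test uses "<" while the fixed-size tests earlier in the function use "<=", so an answer record with DataLength 0 that ends exactly at the end of the packet is rejected by the previous check even though every field is in bounds, whereas record data that fits exactly is accepted here. If the stricter "<=" is intentional, a short comment saying so would help; otherwise use one comparison consistently.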
+@@ -1613,6 +1671,7 @@ DnsOnPacketReceived (
+   DNS_INSTANCE              *Instance;
+ 
+   UINT8                     *RcvString;
++  UINT32                    Len;
+ 
+   BOOLEAN                   Completed;
+   
+@@ -1628,9 +1687,7 @@ DnsOnPacketReceived (
+ 
+   ASSERT (Packet != NULL);
+ 
+-  if (Packet->TotalSize <= sizeof (DNS_HEADER)) {
+-    goto ON_EXIT;
+-  }
++  Len = Packet->TotalSize;

+   
+   RcvString = NetbufGetByte (Packet, 0, NULL);
+   ASSERT (RcvString != NULL);
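Review bot: Len is taken from Packet->TotalSize, but RcvString is a single pointer obtained from NetbufGetByte (Packet, 0, NULL), and ParseDnsResponse now treats it as a flat buffer of Len bytes. The new bounds checks are only meaningful if all TotalSize bytes are contiguous starting at RcvString, so state that assumption in a comment or verify it here. Removing the early size test is fine since ParseDnsResponse repeats it, but RcvString is still only guarded by an ASSERT for a zero-length packet.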
+@@ -1638,7 +1695,7 @@ DnsOnPacketReceived (
+   //
+   // Parse Dns Response
+   //
+-  ParseDnsResponse (Instance, RcvString, &Completed);
++  ParseDnsResponse (Instance, RcvString, Len, &Completed);
+ 
+ ON_EXIT:
+ 
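Review bot: the EFI_STATUS returned by ParseDnsResponse is still discarded at this call site, although the function now returns EFI_ABORTED and EFI_UNSUPPORTED for malformed packets. If the caller is meant to rely on Completed alone, say so in a comment; otherwise capture the status so a rejected packet can at least be logged with DEBUG.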
+Index: edk2/NetworkPkg/DnsDxe/DnsImpl.h
+===================================================================
+--- edk2.orig/NetworkPkg/DnsDxe/DnsImpl.h
++++ edk2/NetworkPkg/DnsDxe/DnsImpl.h
+@@ -582,6 +582,7 @@ IsValidDnsResponse (
+ 
+   @param  Instance              The DNS instance
+   @param  RxString              Received buffer.
++  @param  Length                Received buffer length.

+   @param  Completed             Flag to indicate that Dns response is valid. 
+   
+   @retval EFI_SUCCESS           Parse Dns Response successfully.
+@@ -592,6 +593,7 @@ EFI_STATUS
+ ParseDnsResponse (
+   IN OUT DNS_INSTANCE              *Instance,
+   IN     UINT8                     *RxString,
++  IN     UINT32                    Length,
+      OUT BOOLEAN                   *Completed
+   );
+ 
diff -Nru edk2-0~20161202.7bbe0b3e/debian/patches/series 
edk2-0~20161202.7bbe0b3e/debian/patches/series
--- edk2-0~20161202.7bbe0b3e/debian/patches/series      2016-12-09 
01:09:39.000000000 -0700
+++ edk2-0~20161202.7bbe0b3e/debian/patches/series      2019-03-18 
14:12:49.000000000 -0600
@@ -3,3 +3,9 @@
 no-stack-protector-all-archs.diff
 shell-proper-valist.patch
 arm64-no-pie-for-you.diff
+0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
+0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
+0000-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
+0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
+0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
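Review bot: the six added series entries reuse the 0001- and 0002- prefixes for two unrelated patch sets and leave the DnsDxe patch unnumbered, so the file names do not show which patches belong to which of the three CVEs in the changelog. Renaming is optional for a stable update, but a comment line above each group naming its CVE would make the series easier to audit.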

--- End Message ---
--- Begin Message ---
Version: 9.9

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
