Laszlo: I add my comments. Thanks Liming > -----Original Message----- > From: Laszlo Ersek [mailto:ler...@redhat.com] > Sent: Wednesday, February 27, 2019 4:58 PM > To: Wu, Hao A <hao.a...@intel.com>; Gao, Liming <liming....@intel.com>; > edk2-devel@lists.01.org > Cc: Zeng, Star <star.z...@intel.com> > Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross > boundary access in Ramdisk > > On 02/27/19 07:56, Wu, Hao A wrote: > >> -----Original Message----- > >> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of > >> Laszlo Ersek > >> Sent: Tuesday, February 26, 2019 7:45 PM > >> To: Wu, Hao A; edk2-devel@lists.01.org > >> Cc: Zeng, Star > >> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross > >> boundary access in Ramdisk > >> > >> On 02/26/19 08:45, Hao Wu wrote: > >>> V2 changes: > >>> > >>> Correct CC list information. > >>> > >>> > >>> V1 history: > >>> > >>> The series will resolve a buffer cross boundary access issue during the > >>> use of RAM disks. It is the mitigation for issue CVE-2018-12180. > >>> > >>> Cc: Jian J Wang <jian.j.w...@intel.com> > >>> Cc: Ray Ni <ray...@intel.com> > >>> Cc: Star Zeng <star.z...@intel.com> > >>> > >>> Hao Wu (2): > >>> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX) > >>> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE > >> FIX) > >>> > >>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++--- > >>> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 ++++++++- > >>> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++- > >>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20 > >> ++++++++++++++------ > >>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++-- > >>> 5 files changed, 36 insertions(+), 13 deletions(-) > >>> > >> > >> Please put the exact CVE numbers in the subject lines. > > > > Hello Laszlo and Liming, > > > > I totally agree the commit subject line should include the CVE number. > > But I have one feedback that, if the commit is for a CVE fix, is it > > possible to exempt the commit subject from 71 characters limit? > > In my opinion, that is absolutely the case. > > > I found it can be hard to summary the commit with the Package/Module plus > > the CVE number information. > > I agree, it is hard. But, IMO, in this case, the precise CVE reference > takes priority. > For this case, I suggest to allow subject line length to be bigger, such as 120 character. I will update wiki https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format for CVE commit message format. For example: Pkg-Module: Brief-single-line-summary (CVE-Year-Number)
> Thanks > Laszlo _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
