On 02/27/19 13:49, Gao, Liming wrote: > Laszlo: > I add my comments. > > Thanks > Liming >> -----Original Message----- >> From: Laszlo Ersek [mailto:ler...@redhat.com] >> Sent: Wednesday, February 27, 2019 4:58 PM >> To: Wu, Hao A <hao.a...@intel.com>; Gao, Liming <liming....@intel.com>; >> edk2-devel@lists.01.org >> Cc: Zeng, Star <star.z...@intel.com> >> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross >> boundary access in Ramdisk >> >> On 02/27/19 07:56, Wu, Hao A wrote: >>>> -----Original Message----- >>>> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of >>>> Laszlo Ersek >>>> Sent: Tuesday, February 26, 2019 7:45 PM >>>> To: Wu, Hao A; edk2-devel@lists.01.org >>>> Cc: Zeng, Star >>>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross >>>> boundary access in Ramdisk >>>> >>>> On 02/26/19 08:45, Hao Wu wrote: >>>>> V2 changes: >>>>> >>>>> Correct CC list information. >>>>> >>>>> >>>>> V1 history: >>>>> >>>>> The series will resolve a buffer cross boundary access issue during the >>>>> use of RAM disks. It is the mitigation for issue CVE-2018-12180. >>>>> >>>>> Cc: Jian J Wang <jian.j.w...@intel.com> >>>>> Cc: Ray Ni <ray...@intel.com> >>>>> Cc: Star Zeng <star.z...@intel.com> >>>>> >>>>> Hao Wu (2): >>>>> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX) >>>>> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE >>>> FIX) >>>>> >>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++--- >>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 ++++++++- >>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++- >>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20 >>>> ++++++++++++++------ >>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++-- >>>>> 5 files changed, 36 insertions(+), 13 deletions(-) >>>>> >>>> >>>> Please put the exact CVE numbers in the subject lines. >>> >>> Hello Laszlo and Liming, >>> >>> I totally agree the commit subject line should include the CVE number. >>> But I have one feedback that, if the commit is for a CVE fix, is it >>> possible to exempt the commit subject from 71 characters limit? >> >> In my opinion, that is absolutely the case. >> >>> I found it can be hard to summary the commit with the Package/Module plus >>> the CVE number information. >> >> I agree, it is hard. But, IMO, in this case, the precise CVE reference >> takes priority. >> > For this case, I suggest to allow subject line length to be bigger, such as > 120 character. > I will update wiki > https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format > for CVE commit message format. > For example: Pkg-Module: Brief-single-line-summary (CVE-Year-Number)
Thanks for that! Laszlo _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
