Hello community, here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2020-02-20 15:37:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ovmf (Old) and /work/SRC/openSUSE:Factory/.ovmf.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf" Thu Feb 20 15:37:21 2020 rev:43 rq:775106 version:201911 Changes: -------- --- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2020-02-14 16:26:47.899237020 +0100 +++ /work/SRC/openSUSE:Factory/.ovmf.new.26092/ovmf.changes 2020-02-20 15:37:26.382744978 +0100 @@ -1,0 +2,7 @@ +Tue Feb 18 09:24:30 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com> + +- Add ovmf-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch + to fix the numeric truncation to avoid the potential memory + corruption (bsc#1163959, CVE-2019-14563) + +------------------------------------------------------------------- New: ---- ovmf-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.zF9AnQ/_old 2020-02-20 15:37:27.970747752 +0100 +++ /var/tmp/diff_new_pack.zF9AnQ/_new 2020-02-20 15:37:27.974747759 +0100 @@ -50,6 +50,7 @@ Patch4: %{name}-disable-ia32-firmware-piepic.patch Patch5: %{name}-set-fixed-enroll-time.patch Patch6: openssl-fix-syntax-error.patch +Patch7: %{name}-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bc BuildRequires: fdupes @@ -172,6 +173,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch7 -p1 # add openssl pushd CryptoPkg/Library/OpensslLib/openssl ++++++ ovmf-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch ++++++ >From 322ac05f8bbc1bce066af1dabd1b70ccdbe28891 Mon Sep 17 00:00:00 2001 From: Hao A Wu <hao.a...@intel.com> Date: Fri, 28 Jun 2019 14:15:55 +0800 Subject: [PATCH 1/1] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563) REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001 For S3BootScriptLib APIs: S3BootScriptSaveIoWrite S3BootScriptSaveMemWrite S3BootScriptSavePciCfgWrite S3BootScriptSavePciCfg2Write S3BootScriptSaveSmbusExecute S3BootScriptSaveInformation S3BootScriptSaveInformationAsciiString S3BootScriptLabel (happen in S3BootScriptLabelInternal()) possible numeric truncations will happen that may lead to S3 boot script entry with improper size being returned to store the boot script data. This commit will add checks to prevent this kind of issue. Please note that the remaining S3BootScriptLib APIs: S3BootScriptSaveIoReadWrite S3BootScriptSaveMemReadWrite S3BootScriptSavePciCfgReadWrite S3BootScriptSavePciCfg2ReadWrite S3BootScriptSaveStall S3BootScriptSaveDispatch2 S3BootScriptSaveDispatch S3BootScriptSaveMemPoll S3BootScriptSaveIoPoll S3BootScriptSavePciPoll S3BootScriptSavePci2Poll S3BootScriptCloseTable S3BootScriptExecute S3BootScriptMoveLastOpcode S3BootScriptCompare are not affected by such numeric truncation. Signed-off-by: Hao A Wu <hao.a...@intel.com> Reviewed-by: Laszlo Ersek <ler...@redhat.com> Reviewed-by: Eric Dong <eric.d...@intel.com> Acked-by: Jian J Wang <jian.j.w...@intel.com> --- .../PiDxeS3BootScriptLib/BootScriptSave.c | 52 ++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c index 9106e7d0f9f5..9315fc9f0188 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c @@ -1,7 +1,7 @@ /** @file Save the S3 data to S3 boot script. - Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent @@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite ( EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite ( EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite; WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite ( } WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write ( } WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute ( return Status; } + // + // Truncation check + // + if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) { + return RETURN_OUT_OF_RESOURCES; + } DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength); Script = S3BootScriptGetEntryAddAddress (DataSize); @@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation ( UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; + // + // Truncation check + // + if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength); Script = S3BootScriptGetEntryAddAddress (Length); @@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal ( UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; + // + // Truncation check + // + if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength); Script = S3BootScriptGetEntryAddAddress (Length); -- 2.25.0