diff -Nru edk2-0~20181115.85588389/debian/changelog
edk2-0~20181115.85588389/debian/changelog
--- edk2-0~20181115.85588389/debian/changelog 2018-11-26 16:34:54.000000000
-0700
+++ edk2-0~20181115.85588389/debian/changelog 2019-03-15 18:37:44.000000000
-0600
@@ -1,3 +1,12 @@
+edk2 (0~20181115.85588389-3) unstable; urgency=medium
+
+ * Security fixes (Closes: #924615):
+ - Fix buffer overflow in BlockIo service (CVE-2018-12180)
+ - DNS: Check received packet size before using (CVE-2018-12178)
+ - Fix stack overflow with corrupted BMP (CVE-2018-12181)
+
+ -- dann frazier <da...@debian.org> Fri, 15 Mar 2019 18:37:44 -0600
+
edk2 (0~20181115.85588389-2) unstable; urgency=medium
* debian/rules: Factor out common feature flags across builds.
diff -Nru
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
---
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
1969-12-31 17:00:00.000000000 -0700
+++
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
2019-03-15 18:37:44.000000000 -0600
@@ -0,0 +1,247 @@
+From ffe5f7a6b4e978dffbe1df228963adc914451106 Mon Sep 17 00:00:00 2001
+From: Ray Ni <ray...@intel.com>
+Date: Thu, 7 Mar 2019 18:35:13 +0800
+Subject: [PATCH] MdeModulePkg/HiiDatabase: Fix potential integer overflow
+ (CVE-2018-12181)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <ray...@intel.com>
+Cc: Dandan Bi <dandan...@intel.com>
+Cc: Hao A Wu <hao.a...@intel.com>
+Reviewed-by: Hao Wu <hao.a...@intel.com>
+Reviewed-by: Jian J Wang <jian.j.w...@intel.com>
+---
+ MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 126 ++++++++++++++----
+ 1 file changed, 103 insertions(+), 23 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index 71ebc559c0..80a4ec1114 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -16,6 +16,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
EXPRESS OR IMPLIED.
+
+ #include "HiiDatabase.h"
+
++#define MAX_UINT24 0xFFFFFF
+
+ /**
+ Get the imageid of last image block: EFI_HII_IIBT_END_BLOCK when input
+@@ -651,8 +652,16 @@ HiiNewImage (
+
+ EfiAcquireLock (&mHiiDatabaseLock);
+
+- NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof
(EFI_HII_RGB_PIXEL) +
+- BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++ //
++ // Calcuate the size of new image.
++ // Make sure the size doesn't overflow UINT32.
++ // Note: 24Bit BMP occpuies 3 bytes per pixel.
++ //
++ NewBlockSize = (UINT32)Image->Width * Image->Height;
++ if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) -
sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK)
- sizeof (EFI_HII_RGB_PIXEL));
+
+ //
+ // Get the image package in the package list,
+@@ -671,6 +680,18 @@ HiiNewImage (
+ //
+ // Update the package's image block by appending the new block to the end.
+ //
++
++ //
++ // Make sure the final package length doesn't overflow.
++ // Length of the package header is represented using 24 bits. So MAX
length is MAX_UINT24.
++ //
++ if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ //
++ // Because ImagePackage->ImageBlockSize <
ImagePackage->ImagePkgHdr.Header.Length,
++ // So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24
++ //
+ ImageBlocks = AllocatePool (ImagePackage->ImageBlockSize + NewBlockSize);
+ if (ImageBlocks == NULL) {
+ EfiReleaseLock (&mHiiDatabaseLock);
+@@ -701,6 +722,13 @@ HiiNewImage (
+ PackageListNode->PackageListHdr.PackageLength += NewBlockSize;
+
+ } else {
++ //
++ // Make sure the final package length doesn't overflow.
++ // Length of the package header is represented using 24 bits. So MAX
length is MAX_UINT24.
++ //
++ if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) +
sizeof (EFI_HII_IIBT_END_BLOCK))) {
++ return EFI_OUT_OF_RESOURCES;
++ }
+ //
+ // The specified package list does not contain image package.
+ // Create one to add this image block.
+@@ -902,8 +930,11 @@ IGetImage (
+ // Use the common block code since the definition of these structures is
the same.
+ //
+ CopyMem (&Iibt1bit, CurrentImageBlock, sizeof
(EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
+- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
+- ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
++ ImageLength = (UINTN) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height;
++ if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ ImageLength *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+ Image->Bitmap = AllocateZeroPool (ImageLength);
+ if (Image->Bitmap == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+@@ -952,9 +983,13 @@ IGetImage (
+ // fall through
+ //
+ case EFI_HII_IIBT_IMAGE_24BIT:
+- Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
CurrentImageBlock)->Bitmap.Width);
++ Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
CurrentImageBlock)->Bitmap.Width);
+ Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
CurrentImageBlock)->Bitmap.Height);
+- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width *
Height);
++ ImageLength = (UINTN)Width * Height;
++ if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ ImageLength *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+ Image->Bitmap = AllocateZeroPool (ImageLength);
+ if (Image->Bitmap == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+@@ -1124,8 +1159,23 @@ HiiSetImage (
+ //
+ // Create the new image block according to input image.
+ //
+- NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof
(EFI_HII_RGB_PIXEL) +
+- BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++
++ //
++ // Make sure the final package length doesn't overflow.
++ // Length of the package header is represented using 24 bits. So MAX length
is MAX_UINT24.
++ // 24Bit BMP occpuies 3 bytes per pixel.
++ //
++ NewBlockSize = (UINT32)Image->Width * Image->Height;
++ if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) -
sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK)
- sizeof (EFI_HII_RGB_PIXEL));
++ if ((NewBlockSize > OldBlockSize) &&
++ (NewBlockSize - OldBlockSize > MAX_UINT24 -
ImagePackage->ImagePkgHdr.Header.Length)
++ ) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++
+ //
+ // Adjust the image package to remove the original block firstly then add
the new block.
+ //
+@@ -1219,8 +1269,8 @@ HiiDrawImage (
+ EFI_IMAGE_OUTPUT *ImageOut;
+ EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
+ UINTN BufferLen;
+- UINTN Width;
+- UINTN Height;
++ UINT16 Width;
++ UINT16 Height;
+ UINTN Xpos;
+ UINTN Ypos;
+ UINTN OffsetY1;
+@@ -1280,6 +1330,13 @@ HiiDrawImage (
+ // Otherwise a new bitmap will be allocated to hold this image.
+ //
+ if (*Blt != NULL) {
++ //
++ // Make sure the BltX and BltY is inside the Blt area.
++ //
++ if ((BltX >= (*Blt)->Width) || (BltY >= (*Blt)->Height)) {
++ return EFI_INVALID_PARAMETER;
++ }
++
+ //
+ // Clip the image by (Width, Height)
+ //
+@@ -1287,15 +1344,23 @@ HiiDrawImage (
+ Width = Image->Width;
+ Height = Image->Height;
+
+- if (Width > (*Blt)->Width - BltX) {
+- Width = (*Blt)->Width - BltX;
++ if (Width > (*Blt)->Width - (UINT16)BltX) {
++ Width = (*Blt)->Width - (UINT16)BltX;
+ }
+- if (Height > (*Blt)->Height - BltY) {
+- Height = (*Blt)->Height - BltY;
++ if (Height > (*Blt)->Height - (UINT16)BltY) {
++ Height = (*Blt)->Height - (UINT16)BltY;
+ }
+
+- BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+- BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool
(BufferLen);
++ //
++ // Prepare the buffer for the temporary image.
++ // Make sure the buffer size doesn't overflow UINTN.
++ //
++ BufferLen = Width * Height;
++ if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++ BltBuffer = AllocateZeroPool (BufferLen);
+ if (BltBuffer == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+@@ -1358,11 +1423,26 @@ HiiDrawImage (
+ //
+ // Allocate a new bitmap to hold the incoming image.
+ //
+- Width = Image->Width + BltX;
+- Height = Image->Height + BltY;
+
+- BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+- BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool
(BufferLen);
++ //
++ // Make sure the final width and height doesn't overflow UINT16.
++ //
++ if ((BltX > (UINTN)MAX_UINT16 - Image->Width) || (BltY >
(UINTN)MAX_UINT16 - Image->Height)) {
++ return EFI_INVALID_PARAMETER;
++ }
++
++ Width = Image->Width + (UINT16)BltX;
++ Height = Image->Height + (UINT16)BltY;
++
++ //
++ // Make sure the output image size doesn't overflow UINTN.
++ //
++ BufferLen = Width * Height;
++ if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++ BltBuffer = AllocateZeroPool (BufferLen);
+ if (BltBuffer == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+@@ -1372,8 +1452,8 @@ HiiDrawImage (
+ FreePool (BltBuffer);
+ return EFI_OUT_OF_RESOURCES;
+ }
+- ImageOut->Width = (UINT16) Width;
+- ImageOut->Height = (UINT16) Height;
++ ImageOut->Width = Width;
++ ImageOut->Height = Height;
+ ImageOut->Image.Bitmap = BltBuffer;
+
+ //
+@@ -1387,7 +1467,7 @@ HiiDrawImage (
+ return Status;
+ }
+ ASSERT (FontInfo != NULL);
+- for (Index = 0; Index < Width * Height; Index++) {
++ for (Index = 0; Index < (UINTN)Width * Height; Index++) {
+ BltBuffer[Index] = FontInfo->BackgroundColor;
+ }
+ FreePool (FontInfo);
+--
+2.20.1
+
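Review bot: The three new early returns in HiiNewImage (`return EFI_OUT_OF_RESOURCES;` after the UINT32 overflow check, after the MAX_UINT24 check, and in the else branch before a new image package is created) leave mHiiDatabaseLock held: the lock is taken with `EfiAcquireLock (&mHiiDatabaseLock);` a few lines above the first of them, and the existing AllocatePool failure path in the same hunk releases it before returning. Each of those sites should become `EfiReleaseLock (&mHiiDatabaseLock);` followed by `return EFI_OUT_OF_RESOURCES;`, otherwise one oversized image leaves the database lock locked for every later HII call, which depending on the lock implementation means an assert or a permanent failure. The two new returns in HiiSetImage raise the same question, but whether that function holds the lock at that point is outside the quoted hunks. HiiNewImage, HiiSetImage, IGetImage and HiiDrawImage all start before and continue after the hunks shown.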
diff -Nru
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
---
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
1969-12-31 17:00:00.000000000 -0700
+++
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
2019-03-15 18:37:44.000000000 -0600
@@ -0,0 +1,81 @@
+From fccdb88022c1f6d85c773fce506b10c879063f1d Mon Sep 17 00:00:00 2001
+From: Hao Wu <hao.a...@intel.com>
+Date: Fri, 9 Feb 2018 08:43:01 +0800
+Subject: [PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
+ (CVE-2018-12180)
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
+
+The commit adds checks for detecting GPT and MBR partitions.
+
+These checks will ensure that the device block size is big enough to hold
+an MBR (512 bytes).
+
+Cc: Jian J Wang <jian.j.w...@intel.com>
+Cc: Star Zeng <star.z...@intel.com>
+Cc: Laszlo Ersek <ler...@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a...@intel.com>
+Reviewed-by: Ray Ni <ray...@intel.com>
+---
+ MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 ++++++++-
+ MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+index fe87761bde..d679cc208b 100644
+--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+@@ -14,7 +14,7 @@
+ partition content and validate the GPT table and GPT entry.
+
+ Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
+-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD
License
+ which accompanies this distribution. The full text of the license may be
found at
+@@ -236,6 +236,13 @@ PartitionInstallGptChildHandles (
+
+ GptValidStatus = EFI_NOT_FOUND;
+
++ //
++ // Ensure the block size can hold the MBR
++ //
++ if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
++ return EFI_NOT_FOUND;
++ }
++
+ //
+ // Allocate a buffer for the Protective MBR
+ //
+diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+index b1a99ee85b..419f8a17a7 100644
+--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+@@ -13,7 +13,7 @@
+
+ Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
+ Copyright (c) 2014, Hewlett-Packard Development Company, L.P.<BR>
+-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD
License
+ which accompanies this distribution. The full text of the license may be
found at
+@@ -150,6 +150,13 @@ PartitionInstallMbrChildHandles (
+ MediaId = BlockIo->Media->MediaId;
+ LastBlock = BlockIo->Media->LastBlock;
+
++ //
++ // Ensure the block size can hold the MBR
++ //
++ if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
++ return EFI_NOT_FOUND;
++ }
++
+ Mbr = AllocatePool (BlockSize);
+ if (Mbr == NULL) {
+ return Found;
+--
+2.20.1
+
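Review bot: The new guard in PartitionInstallMbrChildHandles returns the literal `EFI_NOT_FOUND` while the AllocatePool failure two lines below returns `Found`; if Found is initialised to EFI_NOT_FOUND (its initialisation is outside the hunk) the two are equivalent, but one convention per function is preferable, e.g. `return Found;`. Both guard comments would be clearer if they stated the consequence they prevent: the MBR is read into a buffer of BlockSize bytes (`Mbr = AllocatePool (BlockSize);`) and then presumably accessed as a MASTER_BOOT_RECORD, so `// The MBR buffer is BlockSize bytes but is accessed as a MASTER_BOOT_RECORD; a smaller block size would read past it.` Where BlockSize is assigned is outside both hunks.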
diff -Nru
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
---
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
1969-12-31 17:00:00.000000000 -0700
+++
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
2019-03-15 18:37:44.000000000 -0600
@@ -0,0 +1,52 @@
+From 89910a39dcfd788057caa5d88b7e76e112d187b5 Mon Sep 17 00:00:00 2001
+From: Ray Ni <ray...@intel.com>
+Date: Thu, 7 Mar 2019 18:35:14 +0800
+Subject: [PATCH] MdeModulePkg/HiiImage: Fix stack overflow when corrupted BMP
+ is parsed (CVE-2018-12181)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+For 4bit BMP, there are only 2^4 = 16 colors in the palette.
+But when a corrupted BMP contains more than 16 colors in the palette,
+today's implementation wrongly copies all colors to the local
+PaletteValue[16] array which causes stack overflow.
+
+The similar issue also exists in the logic to handle 8bit BMP.
+
+The patch fixes the issue by only copies the first 16 or 256 colors
+in the palette depending on the BMP type.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <ray...@intel.com>
+Cc: Liming Gao <liming....@intel.com>
+Cc: Jiewen Yao <jiewen....@intel.com>
+Reviewed-by: Jian J Wang <jian.j.w...@intel.com>
+---
+ MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index 80a4ec1114..8532f272eb 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -370,7 +370,7 @@ Output4bitPixel (
+ PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+
+ ZeroMem (PaletteValue, sizeof (PaletteValue));
+- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum,
ARRAY_SIZE (PaletteValue)));
+ FreePool (Palette);
+
+ //
+@@ -447,7 +447,7 @@ Output8bitPixel (
+ CopyMem (Palette, PaletteInfo, PaletteSize);
+ PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+ ZeroMem (PaletteValue, sizeof (PaletteValue));
+- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum,
ARRAY_SIZE (PaletteValue)));
+ FreePool (Palette);
+
+ //
+--
+2.20.1
+
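Review bot: The `MIN (PaletteNum, ARRAY_SIZE (PaletteValue))` clamp in Output4bitPixel and Output8bitPixel silently accepts a palette that declares more entries than the pixel depth allows, and nothing at either call site records why truncation rather than rejection was chosen; a comment such as `// A corrupted image may declare more palette entries than PaletteValue can hold; copy at most the array's capacity.` would stop a later cleanup from reverting it to the unbounded copy. Since an over-long palette is a corruption indicator per the commit message, a DEBUG ((DEBUG_WARN, ...)) line when PaletteNum exceeds ARRAY_SIZE (PaletteValue) would make the condition visible in logs without changing behaviour. PaletteNum is derived from Palette->PaletteSize, whose own validation against the package bounds is outside the hunk.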
diff -Nru
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
---
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
1969-12-31 17:00:00.000000000 -0700
+++
edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
2019-03-15 18:37:44.000000000 -0600
@@ -0,0 +1,124 @@
+From 38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f Mon Sep 17 00:00:00 2001
+From: Hao Wu <hao.a...@intel.com>
+Date: Wed, 7 Feb 2018 12:49:50 +0800
+Subject: [PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
+ (CVE-2018-12180)
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
+
+Originally, the block size of created Ram disks is hard-coded to 512
+bytes. However, if the total size of the Ram disk is not a multiple of 512
+bytes, there will be potential memory access issues when dealing with the
+last block of the Ram disk.
+
+This commit will adjust the block size of the Ram disks to ensure that the
+total size is a multiple of the block size.
+
+Cc: Jian J Wang <jian.j.w...@intel.com>
+Cc: Star Zeng <star.z...@intel.com>
+Cc: Laszlo Ersek <ler...@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a...@intel.com>
+Reviewed-by: Ray Ni <ray...@intel.com>
+---
+ .../Disk/RamDiskDxe/RamDiskBlockIo.c | 20 +++++++++++++------
+ .../Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
+ .../Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
+ 3 files changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
+index 4f74b5ef15..8926ad7d2f 100644
+--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
++++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
+@@ -1,7 +1,7 @@
+ /** @file
+ Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device.
+
+- Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD
License
+ which accompanies this distribution. The full text of the license may be
found at
+@@ -54,6 +54,7 @@ RamDiskInitBlockIo (
+ EFI_BLOCK_IO_PROTOCOL *BlockIo;
+ EFI_BLOCK_IO2_PROTOCOL *BlockIo2;
+ EFI_BLOCK_IO_MEDIA *Media;
++ UINT32 Remainder;
+
+ BlockIo = &PrivateData->BlockIo;
+ BlockIo2 = &PrivateData->BlockIo2;
+@@ -69,11 +70,18 @@ RamDiskInitBlockIo (
+ Media->LogicalPartition = FALSE;
+ Media->ReadOnly = FALSE;
+ Media->WriteCaching = FALSE;
+- Media->BlockSize = RAM_DISK_BLOCK_SIZE;
+- Media->LastBlock = DivU64x32 (
+- PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
+- RAM_DISK_BLOCK_SIZE
+- ) - 1;
++
++ for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
++ Media->BlockSize >= 1;
++ Media->BlockSize = Media->BlockSize >> 1) {
++ Media->LastBlock = DivU64x32Remainder (PrivateData->Size,
Media->BlockSize, &Remainder) - 1;
++ if (Remainder == 0) {
++ break;
++ }
++ }
++ ASSERT (Media->BlockSize != 0);
++
++ return;
+ }
+
+
+diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
+index 08a8ca94c9..72f2bfe179 100644
+--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
++++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
+@@ -1,7 +1,7 @@
+ /** @file
+ The header file of RamDiskDxe driver.
+
+- Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD
License
+ which accompanies this distribution. The full text of the license may be
found at
+@@ -49,9 +49,9 @@
+ ///
+
+ //
+-// Block size for RAM disk
++// Default block size for RAM disk
+ //
+-#define RAM_DISK_BLOCK_SIZE 512
++#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
+
+ //
+ // Iterate through the double linked list. NOT delete safe
+diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+index 6784e2b2f1..e8250d5c1b 100644
+--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
++++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+@@ -1,7 +1,7 @@
+ /** @file
+ The realization of EFI_RAM_DISK_PROTOCOL.
+
+- Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+ (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD
License
+@@ -613,7 +613,8 @@ RamDiskRegister (
+ //
+ // Add check to prevent data read across the memory boundary
+ //
+- if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) {
++ if ((RamDiskSize > MAX_UINTN) ||
++ (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+--
+2.20.1
+
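Review bot: The block-size loop in RamDiskInitBlockIo legitimately ends with Media->BlockSize as small as 1 for any odd PrivateData->Size, and the PartitionDxe change in this same upload (`if (BlockSize < sizeof (MASTER_BOOT_RECORD))` in Gpt.c and Mbr.c) means such a RAM disk is never probed for partitions; that interaction deserves a comment above the loop, e.g. `// Halve the block size until Size is a multiple of it; block sizes below 512 bytes are valid for BlockIo but will not be partition-probed.` The loop also uses Media->BlockSize and Media->LastBlock as its iteration state, so a reader must notice that the last assignment before `break` is the one that survives; a local `UINT32 BlockSize` with a single store into Media after the loop would be clearer, and the ASSERT after it cannot fire because every size is a multiple of 1. In RamDiskRegister, `RamDiskBase > MAX_UINTN - RamDiskSize + 1` wraps to `RamDiskBase > 0` on a 64-bit build when RamDiskSize is 0; if a zero size is not rejected earlier (not visible here), a `RamDiskSize == 0` test belongs in that condition.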
diff -Nru
edk2-0~20181115.85588389/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
edk2-0~20181115.85588389/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
---
edk2-0~20181115.85588389/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
1969-12-31 17:00:00.000000000 -0700
+++
edk2-0~20181115.85588389/debian/patches/NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
2019-03-15 18:37:44.000000000 -0600
@@ -0,0 +1,222 @@
+From 84110bbe4bb3a346514b9bb12eadb7586bca7dfd Mon Sep 17 00:00:00 2001
+From: Jiaxin Wu <jiaxin...@intel.com>
+Date: Mon, 2 Jul 2018 09:20:56 +0800
+Subject: [PATCH] NetworkPkg/DnsDxe: [CVE-2018-12178] Check the received packet
+ size before parsing the message.
+
+Fix CVE-2018-12178
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809
+
+The DNS driver only checks the received packet size against the
+minimum DNS header size in DnsOnPacketReceived(), later it accesses
+the QueryName and QuerySection beyond the header scope, which might
+cause the pointer within DNS driver points to an invalid entry or
+modifies the memory content beyond the header scope.
+
+This patch is to fix above problem.
+
+Cc: Ye Ting <ting...@intel.com>
+Cc: Fu Siyuan <siyuan...@intel.com>
+Cc: Wang Fan <fan.w...@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Wu Jiaxin <jiaxin...@intel.com>
+Reviewed-by: Siyuan Fu <siyuan...@intel.com>
+---
+ NetworkPkg/DnsDxe/DnsImpl.c | 77 ++++++++++++++++++++++++++++++++-----
+ NetworkPkg/DnsDxe/DnsImpl.h | 2 +
+ 2 files changed, 69 insertions(+), 10 deletions(-)
+
+diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
+index 89ea755cb2..26a718987c 100644
+--- a/NetworkPkg/DnsDxe/DnsImpl.c
++++ b/NetworkPkg/DnsDxe/DnsImpl.c
+@@ -1114,6 +1114,7 @@ IsValidDnsResponse (
+
+ @param Instance The DNS instance
+ @param RxString Received buffer.
++ @param Length Received buffer length.
+ @param Completed Flag to indicate that Dns response is valid.
+
+ @retval EFI_SUCCESS Parse Dns Response successfully.
+@@ -1124,12 +1125,14 @@ EFI_STATUS
+ ParseDnsResponse (
+ IN OUT DNS_INSTANCE *Instance,
+ IN UINT8 *RxString,
++ IN UINT32 Length,
+ OUT BOOLEAN *Completed
+ )
+ {
+ DNS_HEADER *DnsHeader;
+
+ CHAR8 *QueryName;
++ UINT32 QueryNameLen;
+ DNS_QUERY_SECTION *QuerySection;
+
+ CHAR8 *AnswerName;
+@@ -1155,6 +1158,7 @@ ParseDnsResponse (
+ DNS6_RESOURCE_RECORD *Dns6RR;
+
+ EFI_STATUS Status;
++ UINT32 RemainingLength;
+
+ EFI_TPL OldTpl;
+
+@@ -1178,6 +1182,17 @@ ParseDnsResponse (
+
+ *Completed = TRUE;
+ Status = EFI_SUCCESS;
++ RemainingLength = Length;
++
++ //
++ // Check whether the remaining packet length is avaiable or not.
++ //
++ if (RemainingLength <= sizeof (DNS_HEADER)) {
++ *Completed = FALSE;
++ return EFI_ABORTED;
++ } else {
++ RemainingLength -= sizeof (DNS_HEADER);
++ }
+
+ //
+ // Get header
+@@ -1191,22 +1206,38 @@ ParseDnsResponse (
+ DnsHeader->AuthorityNum = NTOHS (DnsHeader->AuthorityNum);
+ DnsHeader->AditionalNum = NTOHS (DnsHeader->AditionalNum);
+
++ //
++ // There is always one QuestionsNum in DNS message. The capability to
handle more
++ // than one requires to redesign the message format. Currently, it's not
supported.
++ //
++ if (DnsHeader->QuestionsNum > 1) {
++ *Completed = FALSE;
++ return EFI_UNSUPPORTED;
++ }
++
+ //
+ // Get Query name
+ //
+ QueryName = (CHAR8 *) (RxString + sizeof (*DnsHeader));
+
++ QueryNameLen = (UINT32) AsciiStrLen (QueryName) + 1;
++
+ //
+- // Get query section
++ // Check whether the remaining packet length is avaiable or not.
+ //
+- QuerySection = (DNS_QUERY_SECTION *) (QueryName + AsciiStrLen (QueryName) +
1);
+- QuerySection->Type = NTOHS (QuerySection->Type);
+- QuerySection->Class = NTOHS (QuerySection->Class);
++ if (RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)) {
++ *Completed = FALSE;
++ return EFI_ABORTED;
++ } else {
++ RemainingLength -= (QueryNameLen + sizeof (DNS_QUERY_SECTION));
++ }
+
+ //
+- // Get Answer name
++ // Get query section
+ //
+- AnswerName = (CHAR8 *) QuerySection + sizeof (*QuerySection);
++ QuerySection = (DNS_QUERY_SECTION *) (QueryName + QueryNameLen);
++ QuerySection->Type = NTOHS (QuerySection->Type);
++ QuerySection->Class = NTOHS (QuerySection->Class);
+
+ OldTpl = gBS->RaiseTPL (TPL_CALLBACK);
+
+@@ -1341,10 +1372,26 @@ ParseDnsResponse (
+
+ Status = EFI_NOT_FOUND;
+
++ //
++ // Get Answer name
++ //
++ AnswerName = (CHAR8 *) QuerySection + sizeof (*QuerySection);
++
+ //
+ // Processing AnswerSection.
+ //
+ while (AnswerSectionNum < DnsHeader->AnswersNum) {
++ //
++ // Check whether the remaining packet length is avaiable or not.
++ //
++ if (RemainingLength <= sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION)) {
++ *Completed = FALSE;
++ Status = EFI_ABORTED;
++ goto ON_EXIT;
++ } else {
++ RemainingLength -= (sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION));
++ }
++
+ //
+ // Answer name should be PTR, else EFI_UNSUPPORTED returned.
+ //
+@@ -1362,6 +1409,17 @@ ParseDnsResponse (
+ AnswerSection->Ttl = NTOHL (AnswerSection->Ttl);
+ AnswerSection->DataLength = NTOHS (AnswerSection->DataLength);
+
++ //
++ // Check whether the remaining packet length is avaiable or not.
++ //
++ if (RemainingLength < AnswerSection->DataLength) {
++ *Completed = FALSE;
++ Status = EFI_ABORTED;
++ goto ON_EXIT;
++ } else {
++ RemainingLength -= AnswerSection->DataLength;
++ }
++
+ //
+ // Check whether it's the GeneralLookUp querying.
+ //
+@@ -1733,6 +1791,7 @@ DnsOnPacketReceived (
+ DNS_INSTANCE *Instance;
+
+ UINT8 *RcvString;
++ UINT32 Len;
+
+ BOOLEAN Completed;
+
+@@ -1748,9 +1807,7 @@ DnsOnPacketReceived (
+
+ ASSERT (Packet != NULL);
+
+- if (Packet->TotalSize <= sizeof (DNS_HEADER)) {
+- goto ON_EXIT;
+- }
++ Len = Packet->TotalSize;
+
+ RcvString = NetbufGetByte (Packet, 0, NULL);
+ ASSERT (RcvString != NULL);
+@@ -1758,7 +1815,7 @@ DnsOnPacketReceived (
+ //
+ // Parse Dns Response
+ //
+- ParseDnsResponse (Instance, RcvString, &Completed);
++ ParseDnsResponse (Instance, RcvString, Len, &Completed);
+
+ ON_EXIT:
+
+diff --git a/NetworkPkg/DnsDxe/DnsImpl.h b/NetworkPkg/DnsDxe/DnsImpl.h
+index 90dc054903..45feca2160 100644
+--- a/NetworkPkg/DnsDxe/DnsImpl.h
++++ b/NetworkPkg/DnsDxe/DnsImpl.h
+@@ -583,6 +583,7 @@ IsValidDnsResponse (
+
+ @param Instance The DNS instance
+ @param RxString Received buffer.
++ @param Length Received buffer length.
+ @param Completed Flag to indicate that Dns response is valid.
+
+ @retval EFI_SUCCESS Parse Dns Response successfully.
+@@ -593,6 +594,7 @@ EFI_STATUS
+ ParseDnsResponse (
+ IN OUT DNS_INSTANCE *Instance,
+ IN UINT8 *RxString,
++ IN UINT32 Length,
+ OUT BOOLEAN *Completed
+ );
+
+--
+2.20.1
+
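Review bot: `QueryNameLen = (UINT32) AsciiStrLen (QueryName) + 1;` in ParseDnsResponse still scans for the NUL terminator before the length check that follows it, so a response whose question name is not terminated inside the packet makes AsciiStrLen read beyond RxString before the `RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)` test can reject it; the length should come from a bounded scan, with a missing terminator treated like a short packet, as below. RemainingLength already has the header subtracted at that point, so it is the right bound to scan with. The `<=` comparisons in the header and query-section checks also reject a packet that is exactly the size they test for, which for the query section means a well-formed response with zero answers is aborted rather than parsed; if that is intended it deserves a comment. ParseDnsResponse starts before and continues after the quoted hunks.
```c
  //
  // Bounded scan: the query name must be NUL-terminated inside the packet.
  //
  QueryNameLen = (UINT32) AsciiStrnLenS (QueryName, RemainingLength);
  if (QueryNameLen >= RemainingLength) {
    *Completed = FALSE;
    return EFI_ABORTED;
  }
  QueryNameLen++;
  // … unchanged: remaining-length check and query section parsing …
```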
diff -Nru edk2-0~20181115.85588389/debian/patches/series
edk2-0~20181115.85588389/debian/patches/series
--- edk2-0~20181115.85588389/debian/patches/series 2018-11-26
16:34:54.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/series 2019-03-15
18:37:44.000000000 -0600
@@ -2,3 +2,8 @@
no-missing-braces.diff
no-stack-protector-all-archs.diff
shell-proper-valist.patch
+0001-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
+0002-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
+0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
+0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch