Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk

2019-02-26 Thread Wu, Hao A
> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Laszlo Ersek
> Sent: Tuesday, February 26, 2019 7:45 PM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Zeng, Star
> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
> boundary access in Ramdisk
> 
> On 02/26/19 08:45, Hao Wu wrote:
> > V2 changes:
> >
> > Correct CC list information.
> >
> >
> > V1 history:
> >
> > The series will resolve a buffer cross boundary access issue during the
> > use of RAM disks. It is the mitigation for issue CVE-2018-12180.
> >
> > Cc: Jian J Wang 
> > Cc: Ray Ni 
> > Cc: Star Zeng 
> >
> > Hao Wu (2):
> >   MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
> >   MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE
> FIX)
> >
> >  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h |  6 +++---
> >  MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c   |  9 -
> >  MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c   |  9 -
> >  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c  | 20
> ++--
> >  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c |  5 +++--
> >  5 files changed, 36 insertions(+), 13 deletions(-)
> >
> 
> Please put the exact CVE numbers in the subject lines.

Hello Laszlo and Liming,

I totally agree the commit subject line should include the CVE number.
But I have one piece of feedback: if the commit is for a CVE fix, is it
possible to exempt the commit subject from the 71-character limit?

I found it can be hard to summarize the commit with the Package/Module plus
the CVE number information.

Best Regards,
Hao Wu

> 
> Thanks
> Laszlo
> ___
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [PATCH 1/3] MdeModulePkg/PeiCore: Ensure FfsFileHeader 8 bytes aligned [CVE-2018-3630]

2019-02-26 Thread Wang, Jian J



Reviewed-by: Jian J Wang 


> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Jian J
> Wang
> Sent: Wednesday, February 27, 2019 12:04 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A ; Yao, Jiewen ;
> Gao, Liming ; Zeng, Star 
> Subject: [edk2] [PATCH 1/3] MdeModulePkg/PeiCore: Ensure FfsFileHeader 8
> bytes aligned [CVE-2018-3630]
> 
> From: Star Zeng 
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=864
> 
> To follow PI spec, ensure FfsFileHeader 8 bytes aligned.
> 
> Current code only handles (FwVolHeader->ExtHeaderOffset != 0) path,
> update code to also handle (FwVolHeader->ExtHeaderOffset == 0) path.
> 
> Cc: Jiewen Yao 
> Cc: Liming Gao 
> Cc: Jian J Wang 
> Cc: Hao Wu 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Star Zeng 
> ---
>  MdeModulePkg/Core/Pei/FwVol/FwVol.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/MdeModulePkg/Core/Pei/FwVol/FwVol.c
> b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
> index 0a67b96bf1..56440eacf0 100644
> --- a/MdeModulePkg/Core/Pei/FwVol/FwVol.c
> +++ b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
> @@ -2,7 +2,7 @@
>Pei Core Firmware File System service routines.
> 
>  Copyright (c) 2015 HP Development Company, L.P.
> -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be 
> found
> at
> @@ -316,10 +316,10 @@ FindFileEx (
>//
>FwVolExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *) ((UINT8 *)
> FwVolHeader + FwVolHeader->ExtHeaderOffset);
>FfsFileHeader = (EFI_FFS_FILE_HEADER *) ((UINT8 *) FwVolExtHeader +
> FwVolExtHeader->ExtHeaderSize);
> -  FfsFileHeader = (EFI_FFS_FILE_HEADER *) ALIGN_POINTER (FfsFileHeader, 
> 8);
>  } else {
>FfsFileHeader = (EFI_FFS_FILE_HEADER *)((UINT8 *) FwVolHeader +
> FwVolHeader->HeaderLength);
>  }
> +FfsFileHeader = (EFI_FFS_FILE_HEADER *) ALIGN_POINTER (FfsFileHeader, 8);
>} else {
>  if (IS_FFS_FILE2 (*FileHeader)) {
>if (!IsFfs3Fv) {
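Review bot: In the FindFileEx hunk, `ALIGN_POINTER (FfsFileHeader, 8)` rounds the absolute address, so the first file header ends up 8-byte aligned relative to the start of the volume only when FwVolHeader itself sits on an 8-byte boundary. A short comment stating that assumption (or aligning the offset from FwVolHeader rather than the pointer) would make the intent clear. The hunk also shows no bound on ExtHeaderOffset, ExtHeaderSize or HeaderLength before they are added to the pointer, so please confirm that the aligned FfsFileHeader is checked against the end of the volume before it is dereferenced.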
> --
> 2.17.1.windows.2
> 


Re: [edk2] [PATCH 2/3] MdeModulePkg/DxeCore: Ensure FfsFileHeader 8 bytes aligned [CVE-2018-3630]

2019-02-26 Thread Wang, Jian J


Reviewed-by: Jian J Wang 


> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Jian J
> Wang
> Sent: Wednesday, February 27, 2019 12:04 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A ; Yao, Jiewen ;
> Gao, Liming ; Zeng, Star 
> Subject: [edk2] [PATCH 2/3] MdeModulePkg/DxeCore: Ensure FfsFileHeader 8
> bytes aligned [CVE-2018-3630]
> 
> From: Star Zeng 
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=864
> 
> To follow PI spec, ensure FfsFileHeader 8 bytes aligned.
> 
> For the integrity of FV(especially non-MemoryMapped FV) layout,
> let CachedFv point to FV beginning, but not (FV + FV header).
> 
> And current code only handles (FwVolHeader->ExtHeaderOffset != 0) path,
> update code to also handle (FwVolHeader->ExtHeaderOffset == 0) path.
> 
> Cc: Jiewen Yao 
> Cc: Liming Gao 
> Cc: Jian J Wang 
> Cc: Hao Wu 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Star Zeng 
> ---
>  MdeModulePkg/Core/Dxe/FwVol/FwVol.c | 65 +++--
>  1 file changed, 14 insertions(+), 51 deletions(-)
> 
> diff --git a/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
> b/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
> index 93ddcc3591..28fce46a95 100644
> --- a/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
> +++ b/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
> @@ -3,7 +3,7 @@
>Layers on top of Firmware Block protocol to produce a file abstraction
>of FV based files.
> 
> -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be 
> found
> at
> @@ -329,8 +329,6 @@ FvCheck (
>FFS_FILE_LIST_ENTRY   *FfsFileEntry;
>EFI_FFS_FILE_HEADER   *FfsHeader;
>UINT8 *CacheLocation;
> -  UINTN LbaOffset;
> -  UINTN HeaderSize;
>UINTN Index;
>EFI_LBA   LbaIndex;
>UINTN Size;
> @@ -353,11 +351,7 @@ FvCheck (
>  return Status;
>}
> 
> -  //
> -  // Size is the size of the FV minus the head. We have already allocated
> -  // the header to check to make sure the volume is valid
> -  //
> -  Size = (UINTN)(FwVolHeader->FvLength - FwVolHeader->HeaderLength);
> +  Size = (UINTN) FwVolHeader->FvLength;
>if ((FvbAttributes & EFI_FVB2_MEMORY_MAPPED) != 0) {
>  FvDevice->IsMemoryMapped = TRUE;
> 
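Review bot: `Size = (UINTN) FwVolHeader->FvLength;` loses the comment that said what Size covers, and the cast narrows the 64-bit FvLength on 32-bit builds. Size goes on to size the AllocatePool () buffer and EndOfCachedFv in the following hunks, so a one-line comment (Size is now the whole FV, header included) and a check that FvLength fits in UINTN before the cast would be good to add here.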
> @@ -369,7 +363,7 @@ FvCheck (
>  //
>  // Don't cache memory mapped FV really.
>  //
> -FvDevice->CachedFv = (UINT8 *) (UINTN) (PhysicalAddress + FwVolHeader-
> >HeaderLength);
> +FvDevice->CachedFv = (UINT8 *) (UINTN) PhysicalAddress;
>} else {
>  FvDevice->IsMemoryMapped = FALSE;
>  FvDevice->CachedFv = AllocatePool (Size);
> @@ -380,52 +374,27 @@ FvCheck (
>}
> 
>//
> -  // Remember a pointer to the end fo the CachedFv
> +  // Remember a pointer to the end of the CachedFv
>//
>FvDevice->EndOfCachedFv = FvDevice->CachedFv + Size;
> 
>if (!FvDevice->IsMemoryMapped) {
>  //
> -// Copy FV minus header into memory using the block map we have all ready
> -// read into memory.
> +// Copy FV into memory using the block map.
>  //
>  BlockMap = FwVolHeader->BlockMap;
>  CacheLocation = FvDevice->CachedFv;
>  LbaIndex = 0;
> -LbaOffset = 0;
> -HeaderSize = FwVolHeader->HeaderLength;
>  while ((BlockMap->NumBlocks != 0) || (BlockMap->Length != 0)) {
> -  Index = 0;
> -  Size  = BlockMap->Length;
> -  if (HeaderSize > 0) {
> -//
> -// Skip header size
> -//
> -for (; Index < BlockMap->NumBlocks && HeaderSize >= BlockMap->Length;
> Index ++) {
> -  HeaderSize -= BlockMap->Length;
> -  LbaIndex ++;
> -}
> -
> -//
> -// Check whether FvHeader is crossing the multi block range.
> -//
> -if (Index >= BlockMap->NumBlocks) {
> -  BlockMap++;
> -  continue;
> -} else if (HeaderSize > 0) {
> -  LbaOffset = HeaderSize;
> -  Size = BlockMap->Length - HeaderSize;
> -  HeaderSize = 0;
> -}
> -  }
> -
>//
>// read the FV data
>//
> -  for (; Index < BlockMap->NumBlocks; Index ++) {
> -Status = Fvb->Read (Fvb,
> +  Size = BlockMap->Length;
> +  for (Index = 0; Index < BlockMap->NumBlocks; Index++) {
> +Status = Fvb->Read (
> +Fvb,
>  LbaIndex,
> -LbaOffset,
> +0,
>  ,
>  CacheLocation
>  );
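Review bot: The copy loop is bounded only by the block-map terminator (`while ((BlockMap->NumBlocks != 0) || (BlockMap->Length != 0))`), while the destination buffer was allocated from FvLength in the earlier hunk. Now that the whole volume is copied starting at CachedFv, nothing visible here stops a block map whose entries add up to more than FvLength from advancing CacheLocation past EndOfCachedFv. Suggest checking CacheLocation plus the block length against FvDevice->EndOfCachedFv before each Fvb->Read () call, or validating the block-map total against FvLength up front.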
> @@ 

Re: [edk2] [PATCH 3/3] IntelFrameworkModulePkg/FwVolDxe: Ensure FfsFileHeader 8 bytes aligned [CVE-2018-3630]

2019-02-26 Thread Wang, Jian J
Reviewed-by: Jian J Wang 

> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Jian J
> Wang
> Sent: Wednesday, February 27, 2019 12:04 AM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen ; Gao, Liming ;
> Zeng, Star 
> Subject: [edk2] [PATCH 3/3] IntelFrameworkModulePkg/FwVolDxe: Ensure
> FfsFileHeader 8 bytes aligned [CVE-2018-3630]
> 
> From: Star Zeng 
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=864
> 
> To follow PI spec, ensure FfsFileHeader 8 bytes aligned.
> 
> Current code only handles (FwVolHeader->ExtHeaderOffset != 0) path,
> update code to also handle (FwVolHeader->ExtHeaderOffset == 0) path.
> 
> Cc: Jiewen Yao 
> Cc: Liming Gao 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Star Zeng 
> ---
>  .../Universal/FirmwareVolume/FwVolDxe/FwVol.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git
> a/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c
> b/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c
> index 9a031bab14..9a892240b4 100644
> --- a/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c
> +++
> b/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c
> @@ -4,7 +4,7 @@
>Layers on top of Firmware Block protocol to produce a file abstraction
>of FV based files.
> 
> -  Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
> +  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
> 
>This program and the accompanying materials
>are licensed and made available under the terms and conditions
> @@ -510,10 +510,10 @@ FvCheck (
>  //
>  FwVolExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *) (UINTN)
> (FvDevice->CachedFv + FvDevice->FwVolHeader->ExtHeaderOffset);
>  Ptr = (UINT8 *) FwVolExtHeader + FwVolExtHeader->ExtHeaderSize;
> -Ptr = (UINT8 *) ALIGN_POINTER (Ptr, 8);
>} else {
>  Ptr = (UINT8 *) (UINTN) (FvDevice->CachedFv + FvDevice->FwVolHeader-
> >HeaderLength);
>}
> +  Ptr = (UINT8 *) ALIGN_POINTER (Ptr, 8);
>TopFvAddress = (UINT8 *) (UINTN) (FvDevice->CachedFv + FvDevice-
> >FwVolHeader->FvLength);
> 
>//
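Review bot: In the FvCheck hunk, Ptr is built from ExtHeaderOffset and ExtHeaderSize (or HeaderLength) and then rounded up, and TopFvAddress is computed on the very next line, but the hunk never compares the two. Since the alignment can move Ptr forward by up to 7 bytes, suggest rejecting the volume when the aligned Ptr is not below TopFvAddress, before Ptr is first dereferenced.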
> --
> 2.17.1.windows.2
> 


Re: [edk2] [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)

2019-02-26 Thread Ni, Ray
Reviewed-by: Ray Ni 

> -Original Message-
> From: Wu, Hao A 
> Sent: Tuesday, February 26, 2019 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A ; Wang, Jian J ;
> Ni, Ray ; Zeng, Star ; Laszlo Ersek
> 
> Subject: [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk
> size (CVE-2018-12180)
> 
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
> 
> Originally, the block size of created Ram disks is hard-coded to 512 bytes.
> However, if the total size of the Ram disk is not a multiple of 512 bytes, 
> there
> will be potential memory access issues when dealing with the last block of
> the Ram disk.
> 
> This commit will adjust the block size of the Ram disks to ensure that the 
> total
> size is a multiple of the block size.
> 
> Cc: Jian J Wang 
> Cc: Ray Ni 
> Cc: Star Zeng 
> Cc: Laszlo Ersek 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu 
> ---
>  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h |  6 +++---
>  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c  | 20
> ++--
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c |  5 +++--
>  3 files changed, 20 insertions(+), 11 deletions(-)
> 
> diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> index 08a8ca94c9..72f2bfe179 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> @@ -1,7 +1,7 @@
>  /** @file
>The header file of RamDiskDxe driver.
> 
> -  Copyright (c) 2016, Intel Corporation. All rights reserved.
> +  Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.
>This program and the accompanying materials
>are licensed and made available under the terms and conditions of the BSD
> License
>which accompanies this distribution.  The full text of the license may be
> found at @@ -49,9 +49,9 @@  ///
> 
>  //
> -// Block size for RAM disk
> +// Default block size for RAM disk
>  //
> -#define RAM_DISK_BLOCK_SIZE 512
> +#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
> 
>  //
>  // Iterate through the double linked list. NOT delete safe diff --git
> a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> index 4f74b5ef15..8926ad7d2f 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> @@ -1,7 +1,7 @@
>  /** @file
>Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device.
> 
> -  Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
> +  Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.
>This program and the accompanying materials
>are licensed and made available under the terms and conditions of the BSD
> License
>which accompanies this distribution.  The full text of the license may be
> found at @@ -54,6 +54,7 @@ RamDiskInitBlockIo (
>EFI_BLOCK_IO_PROTOCOL   *BlockIo;
>EFI_BLOCK_IO2_PROTOCOL  *BlockIo2;
>EFI_BLOCK_IO_MEDIA  *Media;
> +  UINT32  Remainder;
> 
>BlockIo  = >BlockIo;
>BlockIo2 = >BlockIo2;
> @@ -69,11 +70,18 @@ RamDiskInitBlockIo (
>Media->LogicalPartition = FALSE;
>Media->ReadOnly = FALSE;
>Media->WriteCaching = FALSE;
> -  Media->BlockSize= RAM_DISK_BLOCK_SIZE;
> -  Media->LastBlock= DivU64x32 (
> -  PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
> -  RAM_DISK_BLOCK_SIZE
> -  ) - 1;
> +
> +  for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
> +   Media->BlockSize >= 1;
> +   Media->BlockSize = Media->BlockSize >> 1) {
> +Media->LastBlock = DivU64x32Remainder (PrivateData->Size, Media-
> >BlockSize, ) - 1;
> +if (Remainder == 0) {
> +  break;
> +}
> +  }
> +  ASSERT (Media->BlockSize != 0);
> +
> +  return;
>  }
> 
> 
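Review bot: In RamDiskInitBlockIo, the `DivU64x32Remainder (PrivateData->Size, ...) - 1` assignment wraps LastBlock to the maximum UINT64 value when PrivateData->Size is 0, because the remainder is 0 on the first pass and the loop breaks at 512. Unless RamDiskRegister already rejects a zero size, that needs a guard. Two smaller points: the loop always stops at BlockSize 1 at the latest, so `ASSERT (Media->BlockSize != 0)` can never fire and a comment would serve better, and the trailing `return;` can go. The commit message should also mention that block sizes below 512 are now possible, since patch 1/2 of this series makes PartitionDxe skip such devices.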
> diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> index 6784e2b2f1..e8250d5c1b 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> @@ -1,7 +1,7 @@
>  /** @file
>The realization of EFI_RAM_DISK_PROTOCOL.
> 
> -  Copyright (c) 2016, Intel Corporation. All rights reserved.
> +  Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.
>(C) Copyright 2016 Hewlett Packard Enterprise Development LP
>This program and the accompanying materials
>are licensed and made available under the terms and conditions of the BSD
> License @@ -613,7 +613,8 @@ RamDiskRegister (
>//
>// Add check to prevent data read across the memory boundary
>//
> -  if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1)
> {
> +  if ((RamDiskSize > MAX_UINTN) 

Re: [edk2] [PATCH v3 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180)

2019-02-26 Thread Ni, Ray
Reviewed-by: Ray Ni 

> -Original Message-
> From: Wu, Hao A 
> Sent: Tuesday, February 26, 2019 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A ; Wang, Jian J ;
> Ni, Ray ; Zeng, Star ; Laszlo Ersek
> 
> Subject: [PATCH v3 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize
> holds MBR (CVE-2018-12180)
> 
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
> 
> The commit adds checks for detecting GPT and MBR partitions.
> 
> These checks will ensure that the device block size is big enough to hold
> an MBR (512 bytes).
> 
> Cc: Jian J Wang 
> Cc: Ray Ni 
> Cc: Star Zeng 
> Cc: Laszlo Ersek 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu 
> ---
>  MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
>  MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
>  2 files changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
> b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
> index fe87761bde..d679cc208b 100644
> --- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
> +++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
> @@ -14,7 +14,7 @@
>partition content and validate the GPT table and GPT entry.
> 
>  Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
> -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be
> found at
> @@ -237,6 +237,13 @@ PartitionInstallGptChildHandles (
>GptValidStatus = EFI_NOT_FOUND;
> 
>//
> +  // Ensure the block size can hold the MBR
> +  //
> +  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
> +return EFI_NOT_FOUND;
> +  }
> +
> +  //
>// Allocate a buffer for the Protective MBR
>//
>ProtectiveMbr = AllocatePool (BlockSize);
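Review bot: The early `return EFI_NOT_FOUND;` in PartitionInstallGptChildHandles is silent, so a device skipped for having a block size under sizeof (MASTER_BOOT_RECORD) looks the same as one with no GPT. Suggest a DEBUG message at this exit. The identical check is added to Mbr.c in the same patch; if both routines are reached from one caller, checking the block size once there would avoid the duplication.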
> diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
> b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
> index b1a99ee85b..419f8a17a7 100644
> --- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
> +++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
> @@ -13,7 +13,7 @@
> 
>  Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
>  Copyright (c) 2014, Hewlett-Packard Development Company, L.P.
> -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be
> found at
> @@ -150,6 +150,13 @@ PartitionInstallMbrChildHandles (
>MediaId   = BlockIo->Media->MediaId;
>LastBlock = BlockIo->Media->LastBlock;
> 
> +  //
> +  // Ensure the block size can hold the MBR
> +  //
> +  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
> +return EFI_NOT_FOUND;
> +  }
> +
>Mbr = AllocatePool (BlockSize);
>if (Mbr == NULL) {
>  return Found;
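Review bot: The new check in PartitionInstallMbrChildHandles returns the literal EFI_NOT_FOUND, while the allocation-failure exit a few lines below uses `return Found;`. Returning Found here as well (provided it is already initialised at this point) keeps one convention for the early exits in this routine.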
> --
> 2.12.0.windows.1
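
The block-size selection described in the RamDiskDxe commit message and the 512-byte check described in the PartitionDxe commit message, worked through as an added example (not code from the edk2 tree or from the patch authors). `old_geometry`, `new_geometry`, `bytes_past_end` and `partition_scan_allowed` are hypothetical names, plain C integer types stand in for the UEFI ones, and the disk size is assumed to be non-zero.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define DEFAULT_BLOCK_SIZE 512u /* value of RAM_DISK_DEFAULT_BLOCK_SIZE in the patch */
#define MBR_SIZE           512u /* MBR size given in the PartitionDxe commit message */

/* Geometry a block driver advertises for a RAM disk (hypothetical type). */
typedef struct {
    uint32_t block_size;
    uint64_t last_block; /* index of the last addressable block */
} geometry_t;

/* Pre-patch rule: fixed 512-byte blocks, block count rounded up.
 * Assumes size > 0. */
geometry_t old_geometry(uint64_t size)
{
    geometry_t g;
    g.block_size = DEFAULT_BLOCK_SIZE;
    g.last_block = (size + DEFAULT_BLOCK_SIZE - 1) / DEFAULT_BLOCK_SIZE - 1;
    return g;
}

/* Patched rule: halve the block size from 512 until it divides the size.
 * Block size 1 divides everything, so the loop always terminates.
 * Assumes size > 0. */
geometry_t new_geometry(uint64_t size)
{
    geometry_t g = { 0, 0 };
    for (g.block_size = DEFAULT_BLOCK_SIZE; g.block_size >= 1; g.block_size >>= 1) {
        if (size % g.block_size == 0) {
            g.last_block = size / g.block_size - 1;
            break;
        }
    }
    return g;
}

/* Bytes of the advertised media that lie beyond the backing buffer.
 * A whole-block read or write of the last block touches these bytes. */
uint64_t bytes_past_end(geometry_t g, uint64_t size)
{
    uint64_t advertised = (g.last_block + 1) * (uint64_t)g.block_size;
    return advertised > size ? advertised - size : 0;
}

/* Mirror of the check added to Gpt.c and Mbr.c: a device whose block
 * cannot hold an MBR is not scanned for partitions. */
int partition_scan_allowed(geometry_t g)
{
    return g.block_size >= MBR_SIZE;
}

int main(void)
{
    /* Constructed sample sizes in bytes, not taken from the thread. */
    const uint64_t sizes[] = { 4096, 1536, 1000, 513 };

    printf("%8s %14s %14s %10s\n", "size", "old past-end", "new blocksize", "scan MBR");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        geometry_t o = old_geometry(sizes[i]);
        geometry_t n = new_geometry(sizes[i]);
        printf("%8" PRIu64 " %14" PRIu64 " %14" PRIu32 " %10s\n",
               sizes[i], bytes_past_end(o, sizes[i]), n.block_size,
               partition_scan_allowed(n) ? "yes" : "no");
    }
    return 0;
}
```

For a 1000-byte disk the old rule advertises 24 bytes past the buffer, while the new rule settles on 8-byte blocks, which the patched partition driver then declines to scan.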



Re: [edk2] [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before parsing the message.

2019-02-26 Thread Wu, Jiaxin
Thanks Laszlo, I will update the subject to include the CVE number when
committing the patch.


> -Original Message-
> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Tuesday, February 26, 2019 7:17 PM
> To: Wu, Jiaxin ; edk2-devel@lists.01.org
> Cc: Ye, Ting ; Wang, Fan ; Fu, Siyuan
> 
> Subject: Re: [edk2] [PATCH v1] NetworkPkg/DnsDxe: Check the received packet
> size before parsing the message.
> 
> On 02/26/19 09:14, Jiaxin Wu wrote:
> > Fix CVE-2018-12178
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809
> >
> > The DNS driver only checks the received packet size against the
> > minimum DNS header size in DnsOnPacketReceived(); later it accesses
> > the QueryName and QuerySection beyond the header scope, which might
> > cause the pointer within the DNS driver to point to an invalid entry or
> > modify the memory content beyond the header scope.
> >
> > This patch is to fix above problem.
> >
> > Cc: Ye Ting 
> > Cc: Fu Siyuan 
> > Cc: Wang Fan 
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Wu Jiaxin 
> > ---
> >  NetworkPkg/DnsDxe/DnsImpl.c | 77 --
> ---
> >  NetworkPkg/DnsDxe/DnsImpl.h |  2 +
> >  2 files changed, 69 insertions(+), 10 deletions(-)
> 
> Please put the precise CVE number in the subject line.
> 
> Laszlo


[edk2] [PATCH] BaseTools:Some StructurePcd DecValue is redundant.

2019-02-26 Thread Fan, ZhijuX
Defined 2 PCDs (Test4 & Test401) and 2 SKUs (DEFAULT & _),
then set "SKUID_Defines" to ALL, for FixedAtBuild
gEfiStructuredPcdPkgTokenSpaceGuid. Test401 in this case,
its value should get from "Default" SKU, not from "_" SKU,
but we do not set a value in SKU "_" in dsc, so Test401
should only display the value obtained from dec.

The PCD value is obtained from the Dec file, so no *P and no DEC default
value should be displayed in the report.

Cc: Bob Feng 
Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhiju.Fan 
---
 BaseTools/Source/Python/build/BuildReport.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Source/Python/build/BuildReport.py 
b/BaseTools/Source/Python/build/BuildReport.py
index 65b2979c42..2879545f60 100644
--- a/BaseTools/Source/Python/build/BuildReport.py
+++ b/BaseTools/Source/Python/build/BuildReport.py
@@ -1107,7 +1107,10 @@ class PcdReport(object):
 DscOverride = False
 else:
 if not Pcd.SkuInfoList:
-OverrideValues = Pcd.SkuOverrideValues
+if (Pcd.TokenCName, 
Pcd.TokenSpaceGuidCName) in GlobalData.gPcdSkuOverrides:
+OverrideValues = 
GlobalData.gPcdSkuOverrides[(Pcd.TokenCName, Pcd.TokenSpaceGuidCName)]
+else:
+OverrideValues = Pcd.SkuOverrideValues
 if OverrideValues:
 for Data in OverrideValues.values():
 Struct = list(Data.values())
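Review bot: In the PcdReport hunk the key tuple `(Pcd.TokenCName, Pcd.TokenSpaceGuidCName)` is built twice, and the membership test followed by an index is a lookup with a default. `OverrideValues = GlobalData.gPcdSkuOverrides.get((Pcd.TokenCName, Pcd.TokenSpaceGuidCName), Pcd.SkuOverrideValues)` says the same thing in one statement. A comment on why gPcdSkuOverrides takes precedence over Pcd.SkuOverrideValues would also help, since the commit message describes the report output rather than this lookup.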
-- 
2.14.1.windows.1



Re: [edk2] [PATCH V2] BaseTools:PackageDocumentTools import lib error occurs.

2019-02-26 Thread Feng, Bob C
Reviewed-by: Bob Feng 

-Original Message-
From: Fan, ZhijuX 
Sent: Monday, February 25, 2019 1:13 PM
To: edk2-devel@lists.01.org
Cc: Gao, Liming ; Feng, Bob C 
Subject: [edk2][PATCH V2] BaseTools:PackageDocumentTools import lib error 
occurs.

Steps:
 1. Download edk2 tree
 2. Build BaseTools
 3. Go to edk2\BaseTools\Scripts\PackageDocumentTools
to run packagedoc_cli.py

An error occurs if relative imports are used when running a file alone

Cc: Bob Feng 
Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhiju.Fan 
---
 BaseTools/Scripts/PackageDocumentTools/packagedoc_cli.py   |  4 ++--
 .../plugins/EdkPlugins/basemodel/doxygen.py|  2 +-
 .../plugins/EdkPlugins/basemodel/ini.py|  4 ++--
 .../plugins/EdkPlugins/edk2/model/baseobject.py| 14 +++---
 .../plugins/EdkPlugins/edk2/model/dec.py   |  4 ++--
 .../plugins/EdkPlugins/edk2/model/doxygengen.py|  8 
 .../plugins/EdkPlugins/edk2/model/doxygengen_spec.py   |  8 
 .../plugins/EdkPlugins/edk2/model/dsc.py   |  4 ++--
 .../plugins/EdkPlugins/edk2/model/inf.py   |  4 ++--
 9 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/BaseTools/Scripts/PackageDocumentTools/packagedoc_cli.py 
b/BaseTools/Scripts/PackageDocumentTools/packagedoc_cli.py
index e404a07cd7..5c65842a72 100644
--- a/BaseTools/Scripts/PackageDocumentTools/packagedoc_cli.py
+++ b/BaseTools/Scripts/PackageDocumentTools/packagedoc_cli.py
@@ -16,8 +16,8 @@ from __future__ import print_function  import os, sys, 
logging, traceback, subprocess  from optparse import OptionParser
 
-from .plugins.EdkPlugins.edk2.model import baseobject -from 
.plugins.EdkPlugins.edk2.model import doxygengen
+from plugins.EdkPlugins.edk2.model import baseobject from 
+plugins.EdkPlugins.edk2.model import doxygengen
 
 gArchMarcoDict = {'ALL'  : 'MDE_CPU_IA32 MDE_CPU_X64 MDE_CPU_EBC 
MDE_CPU_IPF _MSC_EXTENSIONS __GNUC__ __INTEL_COMPILER',
   'IA32_MSFT': 'MDE_CPU_IA32 _MSC_EXTENSIONS', diff --git 
a/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemodel/doxygen.py
 
b/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemodel/doxygen.py
index ae47ff1344..a510808842 100644
--- 
a/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemodel/doxygen.py
+++ b/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemode
+++ l/doxygen.py
@@ -92,7 +92,7 @@ class Page(BaseDoxygeItem):
 self.mText.insert(endIndex, '')
 endIndex += 1
 if self.mIsSort:
-self.mSubPages.sort(cmp=lambda x, y: cmp(x.mName.lower(), 
y.mName.lower()))
+self.mSubPages.sort(key=lambda x: x.mName.lower())
 for page in self.mSubPages:
 self.mText.insert(endIndex, '\subpage %s \"%s\" ' % 
(page.mTag, page.mName))
 endIndex += 1
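Review bot: The `key=` form of the sort is the right replacement for `cmp=`, but the context line just below it still builds its string with `'\subpage %s \"%s\" '`, where `\s` is not a valid escape in a normal string literal and draws a DeprecationWarning on recent Python 3. Since this hunk is already a Python 3 fix, suggest changing `\subpage` to `\\subpage` in the same patch.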
diff --git 
a/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemodel/ini.py 
b/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemodel/ini.py
index 6e6f3f4b97..bac2f5e2e6 100644
--- a/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemodel/ini.py
+++ b/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/basemode
+++ l/ini.py
@@ -25,7 +25,7 @@ class BaseINIFile(object):
 @return: instance of this class
 
 """
-if len(args) == 0: return object.__new__(cls, *args, **kwargs)
+if len(args) == 0: return object.__new__(cls)
 filename = args[0]
 parent   = None
 if len(args) > 1:
@@ -33,7 +33,7 @@ class BaseINIFile(object):
 
 key = os.path.normpath(filename)
 if key not in cls._objs.keys():
-cls._objs[key] = object.__new__(cls, *args, **kwargs)
+cls._objs[key] = object.__new__(cls)
 
 if parent is not None:
 cls._objs[key].AddParent(parent) diff --git 
a/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/edk2/model/baseobject.py
 
b/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/edk2/model/baseobject.py
index 0159bd5269..7b47fd76b9 100644
--- 
a/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/edk2/model/baseobject.py
+++ b/BaseTools/Scripts/PackageDocumentTools/plugins/EdkPlugins/edk2/mod
+++ el/baseobject.py
@@ -10,12 +10,12 @@
 # THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,  # 
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
-from ...basemodel import ini
-from ...edk2.model import dsc
-from ...edk2.model import inf
-from ...edk2.model import dec
+from plugins.EdkPlugins.basemodel import ini from 
+plugins.EdkPlugins.edk2.model import dsc from 
+plugins.EdkPlugins.edk2.model import inf from 
+plugins.EdkPlugins.edk2.model import dec
 import os
-from ...basemodel.message import *
+from plugins.EdkPlugins.basemodel.message import *
 
 class 
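Review bot: The absolute form `from plugins.EdkPlugins.basemodel import ini` in the baseobject.py hunk (and the matching lines in packagedoc_cli.py) resolves only when the PackageDocumentTools directory is on sys.path, which holds when packagedoc_cli.py is the script being run, as the commit message describes, but not when these modules are imported as part of a package. `plugins` is also a very generic top-level name to claim. If both uses matter, keep the relative imports and run the tool with `python -m`; otherwise say in the commit message that package-style import is no longer supported.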

Re: [edk2] [PATCH] BaseTools:The BOM character is processed when python reads a file

2019-02-26 Thread Feng, Bob C
Reviewed-by: Bob Feng 

-Original Message-
From: Fan, ZhijuX 
Sent: Tuesday, February 26, 2019 2:58 PM
To: edk2-devel@lists.01.org
Cc: Gao, Liming ; Feng, Bob C 
Subject: [edk2][PATCH] BaseTools:The BOM character is processed when python 
reads a file

When python3 reads an XML file it will parse the file in error if the file has 
a BOM

Cc: Bob Feng 
Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhiju.Fan 
---
 BaseTools/Source/Python/Ecc/Xml/XmlRoutines.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Source/Python/Ecc/Xml/XmlRoutines.py 
b/BaseTools/Source/Python/Ecc/Xml/XmlRoutines.py
index 4294016ae3..00cbc4e55e 100644
--- a/BaseTools/Source/Python/Ecc/Xml/XmlRoutines.py
+++ b/BaseTools/Source/Python/Ecc/Xml/XmlRoutines.py
@@ -17,6 +17,7 @@
 #
 from __future__ import print_function
 import xml.dom.minidom
+import codecs
 from Common.LongFilePathSupport import OpenLongFilePath as open
 
 ## Create a element of XML
@@ -211,7 +212,7 @@ def XmlNodeName(Dom):
 #
 def XmlParseFile(FileName):
 try:
-XmlFile = open(FileName)
+XmlFile = codecs.open(FileName,encoding='utf_8_sig')
 Dom = xml.dom.minidom.parse(XmlFile)
 XmlFile.close()
 return Dom
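Review bot: `codecs.open(FileName,encoding='utf_8_sig')` in XmlParseFile bypasses the `open` that this module imports from Common.LongFilePathSupport (OpenLongFilePath, visible in the first hunk's context), so long-path handling is lost for XML files. It also decodes every file as UTF-8 before minidom sees it, whatever encoding the XML declaration names. Suggest keeping the existing `open` and stripping the BOM from the data before parsing; a `with` block would also close the file when the parse raises.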
--
2.14.1.windows.1



Re: [edk2] Hang when calling ExitBootServices on IA32 firmware v1.0 on MinnowBoard Turbot

2019-02-26 Thread Rebecca Cran via edk2-devel

On 2/25/19 5:08 PM, Rebecca Cran via edk2-devel wrote:
I've been trying to test a boot loader on my MinnowBoard Turbot board. 
It's running the latest 1.0 firmware from firmware.intel.com, and I'm 
seeing a hang at the point when gBS->ExitBootServices is called.



I did more debugging using OVMF and found that the i386 boot loader code 
was trying to call printf (which allocates memory) after 
ExitBootServices. And that booting an i386 kernel isn't actually 
supported. So there's not a problem with the MinnowBoard firmware.



--
Rebecca Cran



Re: [edk2] [PATCH v2 edk2-platforms 6/8] SgiClark.Ares: AcpiTables: Add entry for virtio network device

2019-02-26 Thread Ard Biesheuvel
On Tue, 26 Feb 2019 at 14:17, Vijayenthiran Subramaniam
 wrote:
>
> Hi Ard,
>
> This patch is part of the patch series "Platform/ARM/Sgi: Add support for 
> virtio network device". While other seven patches are merged upstream, this 
> patch is not yet merged. Please let me know if you have any comments on this 
> patch.
>

Apologies for that, this wasn't intentional.

Reviewed-by: Ard Biesheuvel 

Pushed as 54f98cb1789a..c63c3f071271


> On Fri, Dec 14, 2018 at 11:28 PM Vijayenthiran Subramaniam 
>  wrote:
>>
>> SgiClark Ares includes an instance of the virtio network device. Add
>> a representation for it in the ACPI tables.
>>
>> Contributed-under: TianoCore Contribution Agreement 1.1
>> Signed-off-by: Vijayenthiran Subramaniam 
>> ---
>>  Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf |  3 +++
>>  Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl  | 17 
>> +
>>  2 files changed, 20 insertions(+)
>>
>> diff --git a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf 
>> b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf
>> index 10a805e07fd1..d4bacdbc8c85 100644
>> --- a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf
>> +++ b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf
>> @@ -58,5 +58,8 @@ [FixedPcd]
>>gArmSgiTokenSpaceGuid.PcdVirtioBlkBaseAddress
>>gArmSgiTokenSpaceGuid.PcdVirtioBlkSize
>>gArmSgiTokenSpaceGuid.PcdVirtioBlkInterrupt
>> +  gArmSgiTokenSpaceGuid.PcdVirtioNetBaseAddress
>> +  gArmSgiTokenSpaceGuid.PcdVirtioNetSize
>> +  gArmSgiTokenSpaceGuid.PcdVirtioNetInterrupt
>>
>>gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
>> diff --git a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl 
>> b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl
>> index af4dc424a77c..69dc33c06b4d 100644
>> --- a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl
>> +++ b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl
>> @@ -118,5 +118,22 @@ DefinitionBlock ("DsdtTable.aml", "DSDT", 1, "ARMLTD", 
>> "ARMSGI",
>>  }
>>})
>>  }
>> +
>> +// VIRTIO NET
>> +Device (VR01) {
>> +  Name (_HID, "LNRO0005")
>> +  Name (_UID, 1)
>> +  Name (_CCA, 1)// mark the device coherent
>> +
>> +  Name (_CRS, ResourceTemplate() {
>> +Memory32Fixed (ReadWrite,
>> +  FixedPcdGet32 (PcdVirtioNetBaseAddress),
>> +  FixedPcdGet32 (PcdVirtioNetSize)
>> +)
>> +Interrupt (ResourceConsumer, Level, ActiveHigh, Exclusive) {
>> +  FixedPcdGet32 (PcdVirtioNetInterrupt)
>> +}
>> +  })
>> +}
>>} // Scope(_SB)
>>  }
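Review bot: Name (_UID, 1) on the new VR01 device has to be unique among all devices in this DSDT that share _HID "LNRO0005", and the existing virtio block node lies outside the context lines of this hunk, so its _UID cannot be confirmed from here. Please check that the two values differ. The "// VIRTIO NET" comment could also name the PCDs that supply the MMIO window and interrupt, since the values themselves are not visible in the ASL.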
>> --
>> 2.7.4
>>


[edk2] [PATCH 2/3] MdeModulePkg/DxeCore: Ensure FfsFileHeader 8 bytes aligned [CVE-2018-3630]

2019-02-26 Thread Jian J Wang
From: Star Zeng 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=864

To follow PI spec, ensure FfsFileHeader 8 bytes aligned.

For the integrity of FV(especially non-MemoryMapped FV) layout,
let CachedFv point to FV beginning, but not (FV + FV header).

And current code only handles (FwVolHeader->ExtHeaderOffset != 0) path,
update code to also handle (FwVolHeader->ExtHeaderOffset == 0) path.

Cc: Jiewen Yao 
Cc: Liming Gao 
Cc: Jian J Wang 
Cc: Hao Wu 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng 
---
 MdeModulePkg/Core/Dxe/FwVol/FwVol.c | 65 +++--
 1 file changed, 14 insertions(+), 51 deletions(-)

diff --git a/MdeModulePkg/Core/Dxe/FwVol/FwVol.c 
b/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
index 93ddcc3591..28fce46a95 100644
--- a/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
+++ b/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
@@ -3,7 +3,7 @@
   Layers on top of Firmware Block protocol to produce a file abstraction
   of FV based files.
 
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
@@ -329,8 +329,6 @@ FvCheck (
   FFS_FILE_LIST_ENTRY   *FfsFileEntry;
   EFI_FFS_FILE_HEADER   *FfsHeader;
   UINT8 *CacheLocation;
-  UINTN LbaOffset;
-  UINTN HeaderSize;
   UINTN Index;
   EFI_LBA   LbaIndex;
   UINTN Size;
@@ -353,11 +351,7 @@ FvCheck (
 return Status;
   }
 
-  //
-  // Size is the size of the FV minus the head. We have already allocated
-  // the header to check to make sure the volume is valid
-  //
-  Size = (UINTN)(FwVolHeader->FvLength - FwVolHeader->HeaderLength);
+  Size = (UINTN) FwVolHeader->FvLength;
   if ((FvbAttributes & EFI_FVB2_MEMORY_MAPPED) != 0) {
 FvDevice->IsMemoryMapped = TRUE;
 
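Review bot: Size = (UINTN) FwVolHeader->FvLength narrows a 64-bit header field to UINTN with no range check, so on a 32-bit build an FvLength above MAX_UINTN is silently truncated and the later AllocatePool (Size) is undersized for the volume being copied. Suggest rejecting the volume when FvLength exceeds MAX_UINTN or is smaller than HeaderLength. A one-line comment saying that Size now covers the whole FV, header included, would also help, since the removed comment documented the old meaning.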
@@ -369,7 +363,7 @@ FvCheck (
 //
 // Don't cache memory mapped FV really.
 //
-FvDevice->CachedFv = (UINT8 *) (UINTN) (PhysicalAddress + 
FwVolHeader->HeaderLength);
+FvDevice->CachedFv = (UINT8 *) (UINTN) PhysicalAddress;
   } else {
 FvDevice->IsMemoryMapped = FALSE;
 FvDevice->CachedFv = AllocatePool (Size);
@@ -380,52 +374,27 @@ FvCheck (
   }
 
   //
-  // Remember a pointer to the end fo the CachedFv
+  // Remember a pointer to the end of the CachedFv
   //
   FvDevice->EndOfCachedFv = FvDevice->CachedFv + Size;
 
   if (!FvDevice->IsMemoryMapped) {
 //
-// Copy FV minus header into memory using the block map we have all ready
-// read into memory.
+// Copy FV into memory using the block map.
 //
 BlockMap = FwVolHeader->BlockMap;
 CacheLocation = FvDevice->CachedFv;
 LbaIndex = 0;
-LbaOffset = 0;
-HeaderSize = FwVolHeader->HeaderLength;
 while ((BlockMap->NumBlocks != 0) || (BlockMap->Length != 0)) {
-  Index = 0;
-  Size  = BlockMap->Length;
-  if (HeaderSize > 0) {
-//
-// Skip header size
-//
-for (; Index < BlockMap->NumBlocks && HeaderSize >= BlockMap->Length; 
Index ++) {
-  HeaderSize -= BlockMap->Length;
-  LbaIndex ++;
-}
-
-//
-// Check whether FvHeader is crossing the multi block range.
-//
-if (Index >= BlockMap->NumBlocks) {
-  BlockMap++;
-  continue;
-} else if (HeaderSize > 0) {
-  LbaOffset = HeaderSize;
-  Size = BlockMap->Length - HeaderSize;
-  HeaderSize = 0;
-}
-  }
-
   //
   // read the FV data
   //
-  for (; Index < BlockMap->NumBlocks; Index ++) {
-Status = Fvb->Read (Fvb,
+  Size = BlockMap->Length;
+  for (Index = 0; Index < BlockMap->NumBlocks; Index++) {
+Status = Fvb->Read (
+Fvb,
 LbaIndex,
-LbaOffset,
+0,
 ,
 CacheLocation
 );
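Review bot: the copy loop reads one BlockMap->Length block per iteration into CacheLocation, but the buffer was sized from FwVolHeader->FvLength and nothing in the loop checks that the next block still fits below FvDevice->EndOfCachedFv. A volume whose block map totals more than FvLength would have Fvb->Read write past the pool allocation. Suggest comparing the space left (EndOfCachedFv minus CacheLocation) with BlockMap->Length before each read and failing the volume when it does not fit.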
@@ -438,13 +407,7 @@ FvCheck (
 }
 
 LbaIndex++;
-CacheLocation += Size;
-
-//
-// After we skip Fv Header always read from start of block
-//
-LbaOffset = 0;
-Size  = BlockMap->Length;
+CacheLocation += BlockMap->Length;
   }
 
   BlockMap++;
@@ -475,12 +438,12 @@ FvCheck (
 //
 // Searching for files starts on an 8 byte aligned boundary after the end 
of the Extended Header if it exists.
 //
-FwVolExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *) (FvDevice->CachedFv + 
(FwVolHeader->ExtHeaderOffset - FwVolHeader->HeaderLength));
+FwVolExtHeader = 

[edk2] [PATCH 3/3] IntelFrameworkModulePkg/FwVolDxe: Ensure FfsFileHeader 8 bytes aligned [CVE-2018-3630]

2019-02-26 Thread Jian J Wang
From: Star Zeng 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=864

To follow PI spec, ensure FfsFileHeader 8 bytes aligned.

Current code only handles (FwVolHeader->ExtHeaderOffset != 0) path,
update code to also handle (FwVolHeader->ExtHeaderOffset == 0) path.

Cc: Jiewen Yao 
Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng 
---
 .../Universal/FirmwareVolume/FwVolDxe/FwVol.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c 
b/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c
index 9a031bab14..9a892240b4 100644
--- a/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c
+++ b/IntelFrameworkModulePkg/Universal/FirmwareVolume/FwVolDxe/FwVol.c
@@ -4,7 +4,7 @@
   Layers on top of Firmware Block protocol to produce a file abstraction
   of FV based files.
 
-  Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions
@@ -510,10 +510,10 @@ FvCheck (
 //
 FwVolExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *) (UINTN) 
(FvDevice->CachedFv + FvDevice->FwVolHeader->ExtHeaderOffset);
 Ptr = (UINT8 *) FwVolExtHeader + FwVolExtHeader->ExtHeaderSize;
-Ptr = (UINT8 *) ALIGN_POINTER (Ptr, 8);
   } else {
 Ptr = (UINT8 *) (UINTN) (FvDevice->CachedFv + 
FvDevice->FwVolHeader->HeaderLength);
   }
+  Ptr = (UINT8 *) ALIGN_POINTER (Ptr, 8);
   TopFvAddress = (UINT8 *) (UINTN) (FvDevice->CachedFv + 
FvDevice->FwVolHeader->FvLength);
 
   //
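Review bot: in the branch that uses the extended header, ExtHeaderOffset and ExtHeaderSize both come from the volume and are added to CachedFv with no visible check that they stay inside FvLength, so FwVolExtHeader->ExtHeaderSize can be read from, and Ptr placed at, an address beyond TopFvAddress. Moving ALIGN_POINTER below the if/else covers the HeaderLength path as the commit message intends. It would be worth adding the range checks in the same series, or confirming that the code after this hunk rejects Ptr >= TopFvAddress before the first file header is read.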
-- 
2.17.1.windows.2



[edk2] [PATCH 1/3] MdeModulePkg/PeiCore: Ensure FfsFileHeader 8 bytes aligned [CVE-2018-3630]

2019-02-26 Thread Jian J Wang
From: Star Zeng 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=864

To follow PI spec, ensure FfsFileHeader 8 bytes aligned.

Current code only handles (FwVolHeader->ExtHeaderOffset != 0) path,
update code to also handle (FwVolHeader->ExtHeaderOffset == 0) path.

Cc: Jiewen Yao 
Cc: Liming Gao 
Cc: Jian J Wang 
Cc: Hao Wu 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng 
---
 MdeModulePkg/Core/Pei/FwVol/FwVol.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Core/Pei/FwVol/FwVol.c 
b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
index 0a67b96bf1..56440eacf0 100644
--- a/MdeModulePkg/Core/Pei/FwVol/FwVol.c
+++ b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
@@ -2,7 +2,7 @@
   Pei Core Firmware File System service routines.
 
 Copyright (c) 2015 HP Development Company, L.P.
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
@@ -316,10 +316,10 @@ FindFileEx (
   //
   FwVolExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *) ((UINT8 *) 
FwVolHeader + FwVolHeader->ExtHeaderOffset);
   FfsFileHeader = (EFI_FFS_FILE_HEADER *) ((UINT8 *) FwVolExtHeader + 
FwVolExtHeader->ExtHeaderSize);
-  FfsFileHeader = (EFI_FFS_FILE_HEADER *) ALIGN_POINTER (FfsFileHeader, 8);
 } else {
   FfsFileHeader = (EFI_FFS_FILE_HEADER *)((UINT8 *) FwVolHeader + 
FwVolHeader->HeaderLength);
 }
+FfsFileHeader = (EFI_FFS_FILE_HEADER *) ALIGN_POINTER (FfsFileHeader, 8);
   } else {
 if (IS_FFS_FILE2 (*FileHeader)) {
   if (!IsFfs3Fv) {
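Review bot: ALIGN_POINTER (FfsFileHeader, 8) rounds the absolute address, while the file alignment that the commit message takes from the PI spec is a property of the file's position inside the firmware volume; the two agree only when FwVolHeader itself sits on an 8-byte boundary. If that is guaranteed for every FV the PEI core walks, a comment saying so next to the new line would help. Otherwise align the offset from FwVolHeader rather than the pointer.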
-- 
2.17.1.windows.2



[edk2] [PATCH 0/3] Ensure FfsFileHeader 8 bytes aligned [CVE-2018-3630]

2019-02-26 Thread Jian J Wang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=864

To follow PI spec, ensure FfsFileHeader 8 bytes aligned.

Current code only handles (FwVolHeader->ExtHeaderOffset != 0) path,
update code to also handle (FwVolHeader->ExtHeaderOffset == 0) path.

Star Zeng (3):
  MdeModulePkg/PeiCore: Ensure FfsFileHeader 8 bytes aligned
  MdeModulePkg/DxeCore: Ensure FfsFileHeader 8 bytes aligned
  IntelFrameworkModulePkg/FwVolDxe: Ensure FfsFileHeader 8 bytes aligned

 .../Universal/FirmwareVolume/FwVolDxe/FwVol.c |  4 +-
 MdeModulePkg/Core/Dxe/FwVol/FwVol.c   | 65 ---
 MdeModulePkg/Core/Pei/FwVol/FwVol.c   |  4 +-
 3 files changed, 18 insertions(+), 55 deletions(-)

-- 
2.17.1.windows.2



Re: [edk2] [PATCH v2 edk2-platforms 6/8] SgiClark.Ares: AcpiTables: Add entry for virtio network device

2019-02-26 Thread Vijayenthiran Subramaniam
Hi Ard,

This patch is part of the patch series "Platform/ARM/Sgi: Add support for
virtio network device". While other seven patches are merged upstream, this
patch is not yet merged. Please let me know if you have any comments on
this patch.

On Fri, Dec 14, 2018 at 11:28 PM Vijayenthiran Subramaniam <
vijayenthiran.subraman...@arm.com> wrote:

> SgiClark Ares include an instance of the virtio network device. Add
> a representation for it in the ACPI tables.
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Vijayenthiran Subramaniam <
> vijayenthiran.subraman...@arm.com>
> ---
>  Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf |  3 +++
>  Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl  | 17
> +
>  2 files changed, 20 insertions(+)
>
> diff --git a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf
> b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf
> index 10a805e07fd1..d4bacdbc8c85 100644
> --- a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf
> +++ b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAresAcpiTables.inf
> @@ -58,5 +58,8 @@ [FixedPcd]
>gArmSgiTokenSpaceGuid.PcdVirtioBlkBaseAddress
>gArmSgiTokenSpaceGuid.PcdVirtioBlkSize
>gArmSgiTokenSpaceGuid.PcdVirtioBlkInterrupt
> +  gArmSgiTokenSpaceGuid.PcdVirtioNetBaseAddress
> +  gArmSgiTokenSpaceGuid.PcdVirtioNetSize
> +  gArmSgiTokenSpaceGuid.PcdVirtioNetInterrupt
>
>gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
> diff --git a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl
> b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl
> index af4dc424a77c..69dc33c06b4d 100644
> --- a/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl
> +++ b/Platform/ARM/SgiPkg/AcpiTables/SgiClarkAres/Dsdt.asl
> @@ -118,5 +118,22 @@ DefinitionBlock ("DsdtTable.aml", "DSDT", 1,
> "ARMLTD", "ARMSGI",
>  }
>})
>  }
> +
> +// VIRTIO NET
> +Device (VR01) {
> +  Name (_HID, "LNRO0005")
> +  Name (_UID, 1)
> +  Name (_CCA, 1)// mark the device coherent
> +
> +  Name (_CRS, ResourceTemplate() {
> +Memory32Fixed (ReadWrite,
> +  FixedPcdGet32 (PcdVirtioNetBaseAddress),
> +  FixedPcdGet32 (PcdVirtioNetSize)
> +)
> +Interrupt (ResourceConsumer, Level, ActiveHigh, Exclusive) {
> +  FixedPcdGet32 (PcdVirtioNetInterrupt)
> +}
> +  })
> +}
>} // Scope(_SB)
>  }
> --
> 2.7.4
>


Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk

2019-02-26 Thread Wu, Hao A
> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Laszlo Ersek
> Sent: Tuesday, February 26, 2019 7:45 PM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Zeng, Star
> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
> boundary access in Ramdisk
> 
> On 02/26/19 08:45, Hao Wu wrote:
> > V2 changes:
> >
> > Correct CC list information.
> >
> >
> > V1 history:
> >
> > The series will resolve a buffer cross boundary access issue during the
> > use of RAM disks. It is the mitigation for issue CVE-2018-12180.
> >
> > Cc: Jian J Wang 
> > Cc: Ray Ni 
> > Cc: Star Zeng 
> >
> > Hao Wu (2):
> >   MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
> >   MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE
> FIX)
> >
> >  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h |  6 +++---
> >  MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c   |  9 -
> >  MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c   |  9 -
> >  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c  | 20
> ++--
> >  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c |  5 +++--
> >  5 files changed, 36 insertions(+), 13 deletions(-)
> >
> 
> Please put the exact CVE numbers in the subject lines.

Thanks.
V3 series proposed.

Best Regards,
Hao Wu

> 
> Thanks
> Laszlo


[edk2] [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)

2019-02-26 Thread Hao Wu
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134

Originally, the block size of created Ram disks is hard-coded to 512
bytes. However, if the total size of the Ram disk is not a multiple of 512
bytes, there will be potential memory access issues when dealing with the
last block of the Ram disk.

This commit will adjust the block size of the Ram disks to ensure that the
total size is a multiple of the block size.

Cc: Jian J Wang 
Cc: Ray Ni 
Cc: Star Zeng 
Cc: Laszlo Ersek 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu 
---
 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h |  6 +++---
 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c  | 20 
++--
 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c |  5 +++--
 3 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h 
b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
index 08a8ca94c9..72f2bfe179 100644
--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
@@ -1,7 +1,7 @@
 /** @file
   The header file of RamDiskDxe driver.
 
-  Copyright (c) 2016, Intel Corporation. All rights reserved.
+  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
   which accompanies this distribution.  The full text of the license may be 
found at
@@ -49,9 +49,9 @@
 ///
 
 //
-// Block size for RAM disk
+// Default block size for RAM disk
 //
-#define RAM_DISK_BLOCK_SIZE 512
+#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
 
 //
 // Iterate through the double linked list. NOT delete safe
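Review bot: the comment on RAM_DISK_DEFAULT_BLOCK_SIZE should say what "default" means here, namely that the effective block size is chosen per disk and can be any power of two from 512 down to 1. Readers of the header otherwise have no hint that Media->BlockSize may be smaller than 512, which matters to every consumer that sizes a buffer from it.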
diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c 
b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
index 4f74b5ef15..8926ad7d2f 100644
--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
@@ -1,7 +1,7 @@
 /** @file
   Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device.
 
-  Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
   which accompanies this distribution.  The full text of the license may be 
found at
@@ -54,6 +54,7 @@ RamDiskInitBlockIo (
   EFI_BLOCK_IO_PROTOCOL   *BlockIo;
   EFI_BLOCK_IO2_PROTOCOL  *BlockIo2;
   EFI_BLOCK_IO_MEDIA  *Media;
+  UINT32  Remainder;
 
   BlockIo  = >BlockIo;
   BlockIo2 = >BlockIo2;
@@ -69,11 +70,18 @@ RamDiskInitBlockIo (
   Media->LogicalPartition = FALSE;
   Media->ReadOnly = FALSE;
   Media->WriteCaching = FALSE;
-  Media->BlockSize= RAM_DISK_BLOCK_SIZE;
-  Media->LastBlock= DivU64x32 (
-  PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
-  RAM_DISK_BLOCK_SIZE
-  ) - 1;
+
+  for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
+   Media->BlockSize >= 1;
+   Media->BlockSize = Media->BlockSize >> 1) {
+Media->LastBlock = DivU64x32Remainder (PrivateData->Size, 
Media->BlockSize, ) - 1;
+if (Remainder == 0) {
+  break;
+}
+  }
+  ASSERT (Media->BlockSize != 0);
+
+  return;
 }
 
 
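Review bot: the loop accepts the first block size that leaves a zero remainder, and for PrivateData->Size == 0 that is 512 on the first pass, which leaves Media->LastBlock at 0 - 1, the largest 64-bit value. If a zero-sized disk cannot reach RamDiskInitBlockIo, state that in a comment or ASSERT on it here. The existing ASSERT (Media->BlockSize != 0) cannot fire, because a block size of 1 always divides the size and breaks out of the loop. The trailing "return;" in a function that returns nothing can be dropped.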
diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c 
b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
index 6784e2b2f1..e8250d5c1b 100644
--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
@@ -1,7 +1,7 @@
 /** @file
   The realization of EFI_RAM_DISK_PROTOCOL.
 
-  Copyright (c) 2016, Intel Corporation. All rights reserved.
+  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
@@ -613,7 +613,8 @@ RamDiskRegister (
   //
   // Add check to prevent data read across the memory boundary
   //
-  if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) {
+  if ((RamDiskSize > MAX_UINTN) ||
+  (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
 return EFI_INVALID_PARAMETER;
   }
 
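Review bot: MAX_UINTN - RamDiskSize + 1 wraps to 0 when RamDiskSize is 0 and UINTN is 64 bits wide, so the second comparison then rejects every base except 0 and lets a zero-sized disk at base 0 through. The check therefore relies on a zero size having been rejected earlier, which this hunk does not show. Suggest a short comment stating that precondition next to the condition, and updating the comment above it to say that the last byte of the disk may now sit exactly at MAX_UINTN.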
-- 
2.12.0.windows.1
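
The last-block problem described in the commit message above and the two checks the patch introduces, as an added C example that is not part of the patch or of edk2. The type and function names (geometry, geometry_fixed, geometry_adjusted, overhang, range_ok) are hypothetical, and the zero-size guard is an assumption that the hunks do not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same value as RAM_DISK_DEFAULT_BLOCK_SIZE in the patch. */
#define DEFAULT_BLOCK_SIZE 512u

/* Hypothetical stand-in for the two EFI_BLOCK_IO_MEDIA fields the patch sets. */
typedef struct {
  uint32_t block_size;
  uint64_t last_block;
} geometry;

/* Pre-patch shape: fixed 512-byte blocks, block count rounded up. */
geometry geometry_fixed(uint64_t size)
{
  geometry g;
  g.block_size = DEFAULT_BLOCK_SIZE;
  g.last_block = (size + DEFAULT_BLOCK_SIZE - 1) / DEFAULT_BLOCK_SIZE - 1;
  return g;
}

/* Patched shape: halve the block size until it divides the disk size.
 * Returns 0 on success, -1 for a zero size (guard added in this example). */
int geometry_adjusted(uint64_t size, geometry *g)
{
  uint32_t bs;

  if (size == 0 || g == NULL) {
    return -1;
  }
  for (bs = DEFAULT_BLOCK_SIZE; bs >= 1; bs >>= 1) {
    if (size % bs == 0) {
      g->block_size = bs;
      g->last_block = size / bs - 1;
      return 0;
    }
  }
  return -1; /* not reached: a block size of 1 divides every size */
}

/* Bytes by which the advertised blocks reach past the end of the buffer. */
uint64_t overhang(uint64_t size, geometry g)
{
  uint64_t covered = (g.last_block + 1) * (uint64_t)g.block_size;
  return covered > size ? covered - size : 0;
}

/* Range test in the shape of the patched RamDiskRegister check.
 * max_addr plays the role of MAX_UINTN so both widths can be tried. */
int range_ok(uint64_t base, uint64_t size, uint64_t max_addr)
{
  if (size == 0 || size > max_addr) {
    return 0;
  }
  return base <= max_addr - size + 1;
}

int main(void)
{
  /* Constructed sample sizes: one aligned, two not. */
  const uint64_t sizes[] = { 4096, 1000, 1001 };
  size_t i;

  for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
    geometry before = geometry_fixed(sizes[i]);
    geometry after;

    if (geometry_adjusted(sizes[i], &after) != 0) {
      continue;
    }
    printf("size %llu: fixed 512 overhangs %llu bytes; adjusted block size %u, "
           "last block %llu, overhang %llu\n",
           (unsigned long long)sizes[i],
           (unsigned long long)overhang(sizes[i], before),
           (unsigned)after.block_size,
           (unsigned long long)after.last_block,
           (unsigned long long)overhang(sizes[i], after));
  }
  return 0;
}
```

For a 1000-byte disk the fixed geometry advertises two 512-byte blocks, so an access to the last block touches 24 bytes that do not belong to the disk; the adjusted geometry settles on 8-byte blocks with no overhang.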



[edk2] [PATCH v3 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk

2019-02-26 Thread Hao Wu
V3 changes:

Include exact CVE number in commit subject.


V2 history:

Correct CC list information.

V1 history:

The series will resolve a buffer cross boundary access issue during the
use of RAM disks. It is the mitigation for issue CVE-2018-12180.

Cc: Jian J Wang 
Cc: Ray Ni 
Cc: Star Zeng 
Cc: Laszlo Ersek 

Hao Wu (2):
  MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180)
  MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)

 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h |  6 +++---
 MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c   |  9 -
 MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c   |  9 -
 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c  | 20 
++--
 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c |  5 +++--
 5 files changed, 36 insertions(+), 13 deletions(-)

-- 
2.12.0.windows.1



[edk2] [PATCH v3 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180)

2019-02-26 Thread Hao Wu
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134

The commit adds checks for detecting GPT and MBR partitions.

These checks will ensure that the device block size is big enough to hold
an MBR (512 bytes).

Cc: Jian J Wang 
Cc: Ray Ni 
Cc: Star Zeng 
Cc: Laszlo Ersek 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu 
---
 MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
 MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c 
b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
index fe87761bde..d679cc208b 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
@@ -14,7 +14,7 @@
   partition content and validate the GPT table and GPT entry.
 
 Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
@@ -237,6 +237,13 @@ PartitionInstallGptChildHandles (
   GptValidStatus = EFI_NOT_FOUND;
 
   //
+  // Ensure the block size can hold the MBR
+  //
+  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
+return EFI_NOT_FOUND;
+  }
+
+  //
   // Allocate a buffer for the Protective MBR
   //
   ProtectiveMbr = AllocatePool (BlockSize);
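Review bot: the new early return EFI_NOT_FOUND gives no trace of why the device was skipped, and after the companion RAM disk patch a disk with an odd size will reach this path with a block size below 512. A DEBUG message naming the block size would make that visible when someone wonders why no GPT child handles appear. The comment could also say that the check protects the later reads into the BlockSize-sized ProtectiveMbr buffer.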
diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c 
b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
index b1a99ee85b..419f8a17a7 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
@@ -13,7 +13,7 @@
 
 Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
 Copyright (c) 2014, Hewlett-Packard Development Company, L.P.
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
@@ -150,6 +150,13 @@ PartitionInstallMbrChildHandles (
   MediaId   = BlockIo->Media->MediaId;
   LastBlock = BlockIo->Media->LastBlock;
 
+  //
+  // Ensure the block size can hold the MBR
+  //
+  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
+return EFI_NOT_FOUND;
+  }
+
   Mbr = AllocatePool (BlockSize);
   if (Mbr == NULL) {
 return Found;
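Review bot: the new early exit returns EFI_NOT_FOUND directly, while the allocation failure a few lines below returns Found; one function now has two conventions for "nothing installed". If Found is initialised to EFI_NOT_FOUND above this hunk, returning Found here keeps the exits consistent. If it is not, a comment explaining why the literal is used would help.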
-- 
2.12.0.windows.1



Re: [edk2] [PATCH] StdLib: Update resolv.conf to use Google's public DNS servers

2019-02-26 Thread Laszlo Ersek
On 02/25/19 19:36, Rebecca Cran via edk2-devel wrote:
> The current servers listed appear to be unusable. I suspect most
> people will get correct DNS servers via DHCP, but the defaults
> should work for anyone.
> 
> Change the entries to be Google's public DNS servers.
> Also, change the domain name to be example.com, to be more applicable
> to consumers outside Intel.
> ---
>  StdLib/Efi/StdLib/etc/resolv.conf | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/StdLib/Efi/StdLib/etc/resolv.conf 
> b/StdLib/Efi/StdLib/etc/resolv.conf
> index 3ac16ac230..724e6297b2 100644
> --- a/StdLib/Efi/StdLib/etc/resolv.conf
> +++ b/StdLib/Efi/StdLib/etc/resolv.conf
> @@ -1,13 +1,13 @@
>  #
>  #   Domain name
>  #
> -domain  intel.com
> +domain  example.com
>  
>  ;
>  ;   Name Servers
>  ;
> -nameserver  206.63.63.61
> -nameserver  216.251.100.1
> +nameserver  8.8.8.8
> +nameserver  8.8.4.4
>  
>  ; nameserver  10.248.2.1
>  ; nameserver  10.22.224.204
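Review bot: with nameserver 8.8.8.8 and 8.8.4.4 as the shipped defaults, any StdLib application that runs without DHCP-supplied servers sends its lookups to a third-party public resolver, and the file carries no comment telling an integrator that these are placeholders to replace. Suggest a comment above the nameserver lines saying so. The commented-out 10.248.2.1 and 10.22.224.204 entries kept as context are site-specific leftovers of the same kind as the intel.com domain being removed and could go in the same patch.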
> 

Sorry for missing this earlier, but the patch misses the
Contributed-under and Signed-off-by lines, from the end of the commit
message.

Please repost like that, and then please also include the Reviewed-by
tags from Jaben and myself.

Thanks,
Laszlo


Re: [edk2] [PATCH] Fix links in Maintainers.txt and remove slow, outdated sourceforge git mirror

2019-02-26 Thread Laszlo Ersek
Rebecca,

On 02/26/19 00:56, Gao, Liming wrote:
> Yes. This is a bug fix. I agree to push it for Q1 release. 
> 
>> -Original Message-
>> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
>> Laszlo Ersek
>> Sent: Tuesday, February 26, 2019 3:36 AM
>> To: Gao, Liming ; Rebecca Cran
>> ; edk2-devel@lists.01.org
>> Cc: Kinney, Michael D 
>> Subject: Re: [edk2] [PATCH] Fix links in Maintainers.txt and remove slow,
>> outdated sourceforge git mirror
>>
>> On 02/25/19 14:36, Gao, Liming wrote:
>>> I can't clone edk2 code from http://git.code.sf.net/p/tianocore/edk2.
>> Seemingly, it doesn't work. So, I agree to remove it.
>>>
>>> Reviewed-by: Liming Gao 
>>
>> Do we consider this a bugfix, suitable to be pushed during the soft
>> feature freeze?
>>
>> I suggest that we do.

I've tried applying this patch, and found two issues.

First, you didn't add:

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Rebecca Cran 

Second, this patch is based on a very outdated state of the edk2 tree. I
have to apply it on top of commit 2d4fd226da42 ("BaseTools GenFw: Fix
XCODE5 build issue", 2019-01-15); otherwise it doesn't apply. It runs
into a conflict with commit 1f7b74831544 ("Maintainers.txt: Update mail
address", 2019-01-15).

I could fix issue #2 with a rebase myself; however, issue #1 has to be
fixed by you. Please post a v3, addressing both issues, and also picking
up the feedback tags that you received in this thread (from Liming and
myself).

Thanks,
Laszlo


 -Original Message-
 From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
>> Laszlo Ersek
 Sent: Monday, February 25, 2019 6:07 PM
 To: Rebecca Cran ; edk2-devel@lists.01.org
 Cc: Kinney, Michael D 
 Subject: Re: [edk2] [PATCH] Fix links in Maintainers.txt and remove slow,
>> outdated sourceforge git mirror

 On 02/23/19 06:18, Rebecca Cran via edk2-devel wrote:
> ---
>  Maintainers.txt | 7 +++
>  1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/Maintainers.txt b/Maintainers.txt
> index 7f1061d6c1..d9d3d840c5 100644
> --- a/Maintainers.txt
> +++ b/Maintainers.txt
> @@ -31,11 +31,10 @@ Descriptions of section entries:
>
>  EDK II
>  --
> -W: http://www.tianocore.org/edk2/
> -L: https://lists.sourceforge.net/lists/listinfo/edk2-devel
> +W: https://github.com/tianocore/tianocore.github.io/wiki/EDK-II
> +L: https://lists.01.org/mailman/listinfo/edk2-devel
>  T: git - https://github.com/tianocore/edk2.git
>  T: git (mirror) - https://bitbucket.org/tianocore/edk2.git
> -T: git (mirror) - http://git.code.sf.net/p/tianocore/edk2
>  T: svn (read-only, deprecated) -
>> https://svn.code.sf.net/p/edk2/code/trunk/edk2
>
>  Tianocore Stewards
> @@ -203,7 +202,7 @@ W:
>> https://github.com/tianocore/tianocore.github.io/wiki/OptionRomPkg
>  M: Ruiyu Ni 
>
>  OvmfPkg
> -W: http://www.tianocore.org/ovmf/
> +W: https://github.com/tianocore/tianocore.github.io/wiki/OVMF
>  M: Jordan Justen 
>  M: Laszlo Ersek 
>  M: Ard Biesheuvel 
>

 Reviewed-by: Laszlo Ersek 

 I can help push this change, but first let's wait for more feedback. I
 think the only point that might see a bit of discussion is dropping
  (as you highlight in your followup).

 Thanks!
 Laszlo
>>
>>


Re: [edk2] [PATCH] StdLib: Update resolv.conf to use Google's public DNS servers

2019-02-26 Thread Laszlo Ersek
On 02/25/19 22:16, Carsey, Jaben wrote:
>> -Original Message-
>> From: Laszlo Ersek [mailto:ler...@redhat.com]
>> Sent: Monday, February 25, 2019 11:41 AM
>> To: Rebecca Cran ; edk2-devel@lists.01.org
>> Cc: Carsey, Jaben ; Daryl McDaniel > li...@mc2research.org>
>> Subject: Re: [edk2] [PATCH] StdLib: Update resolv.conf to use Google's public
>> DNS servers
>> Importance: High
>>
>> On 02/25/19 19:36, Rebecca Cran via edk2-devel wrote:
>>> The current servers listed appear to be unusable. I suspect most
>>> people will get correct DNS servers via DHCP, but the defaults
>>> should work for anyone.
>>>
>>> Change the entries to be Google's public DNS servers.
>>> Also, change the domain name to be example.com, to be more applicable
>>> to consumers outside Intel.
>>> ---
>>>  StdLib/Efi/StdLib/etc/resolv.conf | 6 +++---
>>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/StdLib/Efi/StdLib/etc/resolv.conf
>> b/StdLib/Efi/StdLib/etc/resolv.conf
>>> index 3ac16ac230..724e6297b2 100644
>>> --- a/StdLib/Efi/StdLib/etc/resolv.conf
>>> +++ b/StdLib/Efi/StdLib/etc/resolv.conf
>>> @@ -1,13 +1,13 @@
>>>  #
>>>  #   Domain name
>>>  #
>>> -domain  intel.com
>>> +domain  example.com
>>>
>>>  ;
>>>  ;   Name Servers
>>>  ;
>>> -nameserver  206.63.63.61
>>> -nameserver  216.251.100.1
>>> +nameserver  8.8.8.8
>>> +nameserver  8.8.4.4
>>>
>>>  ; nameserver  10.248.2.1
>>>  ; nameserver  10.22.224.204
>>>
>>
>> Reviewed-by: Laszlo Ersek 
>>
>> I'm quite undecided, but I vaguely feel that this should be pushed only
>> after we tag "edk2-stable201903". The domain name change doesn't look
>> like a pure bugfix, especially for Intel associates. Opinions?
> 
> Reviewed-by: Jaben Carsey 
> 
> I have no strong opinion on timing.

OK, let's delay this one. I'll keep it tagged.

Thanks,
Laszlo


Re: [edk2] [edk2-announce] Soft Feature Freeze starts today for edk2-stable201903

2019-02-26 Thread Laszlo Ersek
On 02/26/19 04:30, Gao, Liming wrote:
> Hi, all
>   Two features (Add SMM CET support and Add WiFi Connection Manager) get 
> Acked-By or Reviewed-by near the soft feature freeze date. CET is X86 
> specific feature. WiFi connection manager is the standalone feature. Their 
> impact should be small. So, I suggest to include them in this stable tag 
> edk2-stable201903. If you have different opinion, please raise. If no 
> objection, I will push them late this week. 
> 
> Add SMM CET support 
> https://lists.01.org/pipermail/edk2-devel/2019-February/037128.html
> NetworkPkg: Add WiFi Connection Manager to NetworkPkg 
> https://lists.01.org/pipermail/edk2-devel/2019-February/037137.html

I think the required feedback tags arrived on time, but just barely. (At
least in my time zone, CET = UTC+01:00.)

- For Jiewen's "[edk2] [PATCH V3 0/4] Add SMM CET support":
  - Ray's R-b appeared at 02/22/19 15:29
  - My Regression-tested-by appeared at 02/22/19 22:41

- For Wang Fan's "[edk2] [Patch V2] NetworkPkg: Add WiFi Connection
  Manager to NetworkPkg":
  - Jiaxin's R-b appeared at 02/22/19 08:56.

I'm OK if both features are pushed.


However, I do have a suggestion for the announcement email, for the
future. Given that we've already encountered three cases in this cycle
where the feedback tags are on the boundary, I suggest to include an
exact timestamp (in the UTC zone) in each announcement. I never expected
that this accuracy would be necessary, but apparently it is.

Thanks!
Laszlo


Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk

2019-02-26 Thread Laszlo Ersek
On 02/26/19 08:45, Hao Wu wrote:
> V2 changes:
> 
> Correct CC list information.
> 
> 
> V1 history:
> 
> The series will resolve a buffer cross boundary access issue during the
> use of RAM disks. It is the mitigation for issue CVE-2018-12180.
> 
> Cc: Jian J Wang 
> Cc: Ray Ni 
> Cc: Star Zeng 
> 
> Hao Wu (2):
>   MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
>   MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE FIX)
> 
>  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h |  6 +++---
>  MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c   |  9 -
>  MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c   |  9 -
>  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c  | 20 
> ++--
>  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c |  5 +++--
>  5 files changed, 36 insertions(+), 13 deletions(-)
> 

Please put the exact CVE numbers in the subject lines.

Thanks
Laszlo


Re: [edk2] [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before parsing the message.

2019-02-26 Thread Laszlo Ersek
On 02/26/19 09:14, Jiaxin Wu wrote:
> Fix CVE-2018-12178
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809
> 
> The DNS driver only checks the received packet size against the
> minimum DNS header size in DnsOnPacketReceived(); later it accesses
> the QueryName and QuerySection beyond the header scope, which might
> cause the pointer within the DNS driver to point to an invalid entry or
> modify the memory content beyond the header scope.
> 
> This patch is to fix the above problem.
> 
> Cc: Ye Ting 
> Cc: Fu Siyuan 
> Cc: Wang Fan 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin 
> ---
>  NetworkPkg/DnsDxe/DnsImpl.c | 77 -
>  NetworkPkg/DnsDxe/DnsImpl.h |  2 +
>  2 files changed, 69 insertions(+), 10 deletions(-)

Please put the precise CVE number in the subject line.

Laszlo

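The remaining-length bookkeeping that the quoted commit message calls for, as an added stand-alone C example (not the DnsDxe code and not part of this thread). The names parse_dns_question and qname_len, the plain C types and the constructed sample packet are assumptions of this sketch, as is its choice to accept exactly one question.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HDR_LEN    12u  /* fixed DNS header size */
#define DNS_QFIXED_LEN 4u   /* QTYPE + QCLASS that follow the query name */
#define DNS_MAX_LABEL  63u  /* larger length bytes are not plain labels */

enum parse_status { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_UNSUPPORTED = -2 };

/* Constructed sample: response header with QDCOUNT = 1, then the question
 * "www.example.com", type A, class IN. 33 bytes in total. */
static const uint8_t sample_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Length of the query name at p, terminator included, or 0 when the name
 * does not end inside the `remaining` bytes that were actually received. */
static size_t qname_len(const uint8_t *p, size_t remaining)
{
    size_t off = 0;

    while (off < remaining) {
        uint8_t label = p[off];
        if (label == 0) {
            return off + 1;          /* off < remaining, so this fits */
        }
        if (label > DNS_MAX_LABEL) {
            return 0;                /* not a plain label: reject */
        }
        off += 1u + label;           /* may step past the end; loop test catches it */
    }
    return 0;
}

/* Validate the header and the single question against the received length
 * before touching them. On success, *answer_off is where the answer section
 * would start and *qtype is the question type. */
int parse_dns_question(const uint8_t *pkt, size_t len,
                       size_t *answer_off, uint16_t *qtype)
{
    size_t remaining = len;
    size_t name_len;
    const uint8_t *fixed;

    /* A header alone is not enough: something must follow it. */
    if (remaining <= DNS_HDR_LEN) {
        return PARSE_MALFORMED;
    }
    remaining -= DNS_HDR_LEN;

    /* QDCOUNT is big-endian at offset 4 (sketch assumption: exactly one). */
    if ((((unsigned)pkt[4] << 8) | pkt[5]) != 1u) {
        return PARSE_UNSUPPORTED;
    }

    name_len = qname_len(pkt + DNS_HDR_LEN, remaining);
    if (name_len == 0) {
        return PARSE_MALFORMED;
    }
    remaining -= name_len;

    /* The fixed part of the question must also have been received. */
    if (remaining < DNS_QFIXED_LEN) {
        return PARSE_MALFORMED;
    }
    fixed = pkt + DNS_HDR_LEN + name_len;
    *qtype = (uint16_t)(((unsigned)fixed[0] << 8) | fixed[1]);
    *answer_off = DNS_HDR_LEN + name_len + DNS_QFIXED_LEN;
    return PARSE_OK;
}

/* Parse only the first `len` bytes of the sample, as if the datagram had
 * been cut short at that point. */
int parse_sample_prefix(size_t len)
{
    size_t off = 0;
    uint16_t qt = 0;

    return parse_dns_question(sample_response, len, &off, &qt);
}

int main(void)
{
    static const size_t cuts[] = { 12, 20, 28, 31, 33 };
    size_t i;

    for (i = 0; i < sizeof cuts / sizeof cuts[0]; i++) {
        printf("len=%zu -> %d\n", cuts[i], parse_sample_prefix(cuts[i]));
    }
    return 0;
}
```

Every truncated length in main() is at least the header size, so a header-only size check would let each of them through to the name parsing.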

Re: [edk2] [PATCH v1 0/6] Revert DynamicTablesPkg: Framework updates and fixes

2019-02-26 Thread Laszlo Ersek
On 02/26/19 12:01, Laszlo Ersek wrote:
> On 02/26/19 09:44, Sami Mujawar wrote:
>> Reverting this patch series as Soft Feature Freeze for
>> edk2-stable201903 started on 22 Feb 2019.
>>
>> Cc: Laszlo Ersek 
>> Cc: Alexei Fedorov 
>> Contributed-under: TianoCore Contribution Agreement 1.1
>> Signed-off-by: Sami Mujawar 
>>
>> The changes can be seen at 
>> https://github.com/samimujawar/edk2/tree/Revert_473_dynamic_tables_framework_v1
>>
>> Sami Mujawar (6):
>>   Revert "DynamicTablesPkg: Minor updates and fix typos"
>>   Revert "DynamicTablesPkg: Remove GIC Distributor Id field"
>>   Revert "DynamicTablesPkg: DGB2: Update DBG2_DEBUG_PORT_DDI"
>>   Revert "DynamicTablesPkg: Add OEM Info"
>>   Revert "DynamicTablesPkg: Rename enum used for ID Mapping"
>>   Revert "DynamicTablesPkg: Fix protocol section"
>>
>>  DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf 
>> |  7 +-
>>  DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf 
>> |  7 +-
>>  DynamicTablesPkg/Include/ArmNameSpaceObjects.h 
>> | 73 +---
>>  DynamicTablesPkg/Include/Library/TableHelperLib.h  
>> |  4 +-
>>  DynamicTablesPkg/Include/StandardNameSpaceObjects.h
>> | 18 -
>>  DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c   
>> |  7 +-
>>  DynamicTablesPkg/Library/Acpi/Arm/AcpiFadtLibArm/FadtGenerator.c   
>> |  2 +-
>>  DynamicTablesPkg/Library/Acpi/Arm/AcpiGtdtLibArm/GtdtGenerator.c   
>> |  2 +-
>>  DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c   
>> |  8 +--
>>  DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c   
>> |  6 +-
>>  DynamicTablesPkg/Library/Acpi/Arm/AcpiMcfgLibArm/McfgGenerator.c   
>> |  2 +-
>>  DynamicTablesPkg/Library/Acpi/Arm/AcpiSpcrLibArm/SpcrGenerator.c   
>> |  2 +-
>>  DynamicTablesPkg/Library/Common/TableHelperLib/TableHelper.c   
>> | 26 ++-
>>  13 files changed, 48 insertions(+), 116 deletions(-)
>>
> 
> Thank you. Sorry about the inconvenience.
> 
> Acked-by: Laszlo Ersek 
> 
> Laszlo
> 

Note: if you have small individual patches that cleanly qualify as
bugfixes, especially for features introduced during this development
cycle (since the last stable tag), those should be acceptable even during
the hard feature freeze.

https://github.com/tianocore/tianocore.github.io/wiki/HardFeatureFreeze

So if you have fixes like that (possibly a subset of the present patch
set), I certainly encourage you to repost those. I'm not familiar with
DynamicTablesPkg, and so I can't evaluate this question myself, on a
patch-by-patch basis. It's also possible that you'll have to split out
parts of larger patches (refactor them) so that only the strict-sense
fixes can be posted and applied.

Thanks!
Laszlo


Re: [edk2] [PATCH v1 0/6] Revert DynamicTablesPkg: Framework updates and fixes

2019-02-26 Thread Laszlo Ersek
On 02/26/19 09:44, Sami Mujawar wrote:
> Reverting this patch series as Soft Feature Freeze for
> edk2-stable201903 started on 22 Feb 2019.
> 
> Cc: Laszlo Ersek 
> Cc: Alexei Fedorov 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Sami Mujawar 
> 
> The changes can be seen at 
> https://github.com/samimujawar/edk2/tree/Revert_473_dynamic_tables_framework_v1
> 
> Sami Mujawar (6):
>   Revert "DynamicTablesPkg: Minor updates and fix typos"
>   Revert "DynamicTablesPkg: Remove GIC Distributor Id field"
>   Revert "DynamicTablesPkg: DGB2: Update DBG2_DEBUG_PORT_DDI"
>   Revert "DynamicTablesPkg: Add OEM Info"
>   Revert "DynamicTablesPkg: Rename enum used for ID Mapping"
>   Revert "DynamicTablesPkg: Fix protocol section"
> 
>  DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf | 
>  7 +-
>  DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf | 
>  7 +-
>  DynamicTablesPkg/Include/ArmNameSpaceObjects.h | 
> 73 +---
>  DynamicTablesPkg/Include/Library/TableHelperLib.h  | 
>  4 +-
>  DynamicTablesPkg/Include/StandardNameSpaceObjects.h| 
> 18 -
>  DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c   | 
>  7 +-
>  DynamicTablesPkg/Library/Acpi/Arm/AcpiFadtLibArm/FadtGenerator.c   | 
>  2 +-
>  DynamicTablesPkg/Library/Acpi/Arm/AcpiGtdtLibArm/GtdtGenerator.c   | 
>  2 +-
>  DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c   | 
>  8 +--
>  DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c   | 
>  6 +-
>  DynamicTablesPkg/Library/Acpi/Arm/AcpiMcfgLibArm/McfgGenerator.c   | 
>  2 +-
>  DynamicTablesPkg/Library/Acpi/Arm/AcpiSpcrLibArm/SpcrGenerator.c   | 
>  2 +-
>  DynamicTablesPkg/Library/Common/TableHelperLib/TableHelper.c   | 
> 26 ++-
>  13 files changed, 48 insertions(+), 116 deletions(-)
> 

Thank you. Sorry about the inconvenience.

Acked-by: Laszlo Ersek 

Laszlo


Re: [edk2] [PATCH v1 0/6] Revert DynamicTablesPkg: Framework updates and fixes

2019-02-26 Thread Alexei Fedorov
Reviewed-by: Alexei Fedorov 


Alexei



From: Sami Mujawar 
Sent: 26 February 2019 08:44
To: edk2-devel@lists.01.org
Cc: ler...@redhat.com; Alexei Fedorov; leif.lindh...@linaro.org; Matteo 
Carlini; Stephanie Hughes-Fitt; nd
Subject: [PATCH v1 0/6] Revert DynamicTablesPkg: Framework updates and fixes

Reverting this patch series as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 

The changes can be seen at 
https://github.com/samimujawar/edk2/tree/Revert_473_dynamic_tables_framework_v1

Sami Mujawar (6):
  Revert "DynamicTablesPkg: Minor updates and fix typos"
  Revert "DynamicTablesPkg: Remove GIC Distributor Id field"
  Revert "DynamicTablesPkg: DGB2: Update DBG2_DEBUG_PORT_DDI"
  Revert "DynamicTablesPkg: Add OEM Info"
  Revert "DynamicTablesPkg: Rename enum used for ID Mapping"
  Revert "DynamicTablesPkg: Fix protocol section"

 DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf |  
7 +-
 DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf |  
7 +-
 DynamicTablesPkg/Include/ArmNameSpaceObjects.h | 
73 +---
 DynamicTablesPkg/Include/Library/TableHelperLib.h  |  
4 +-
 DynamicTablesPkg/Include/StandardNameSpaceObjects.h| 
18 -
 DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c   |  
7 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiFadtLibArm/FadtGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiGtdtLibArm/GtdtGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c   |  
8 +--
 DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c   |  
6 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiMcfgLibArm/McfgGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiSpcrLibArm/SpcrGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Common/TableHelperLib/TableHelper.c   | 
26 ++-
 13 files changed, 48 insertions(+), 116 deletions(-)

--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'




[edk2] [PATCH v1 1/6] Revert "DynamicTablesPkg: Minor updates and fix typos"

2019-02-26 Thread Sami Mujawar
This reverts commit 07f4e26eb6fe5203028ecfe9bad90d3b67dc72c8.

Reverting this patch as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 
---
 DynamicTablesPkg/Include/ArmNameSpaceObjects.h | 66 
 1 file changed, 11 insertions(+), 55 deletions(-)

diff --git a/DynamicTablesPkg/Include/ArmNameSpaceObjects.h 
b/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
index 
ec31c40449d0658f98a89ce0bb6f604b491f1f34..73139eb3273e89205ef9e6bee67b1b842f7f516b
 100644
--- a/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
+++ b/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
@@ -59,8 +59,6 @@ typedef enum ArmObjectID {
 
 /** A structure that describes the
 ARM Boot Architecture flags.
-
-ID: EArmObjBootArchInfo
 */
 typedef struct CmArmBootArchInfo {
   /** This is the ARM_BOOT_ARCH flags field of the FADT Table
@@ -73,10 +71,13 @@ typedef struct CmArmCpuInfo {
   // Reserved for use when SMBIOS tables are implemented
 } CM_ARM_CPU_INFO;
 
+typedef struct CmArmCpuInfoList {
+  UINT32 CpuCount;
+  CM_ARM_CPU_INFO  * CpuInfo;
+} CM_ARM_CPU_INFO_LIST;
+
 /** A structure that describes the
 Power Management Profile Information for the Platform.
-
-ID: EArmObjPowerManagementProfileInfo
 */
 typedef struct CmArmPowerManagementProfileInfo {
   /** This is the Preferred_PM_Profile field of the FADT Table
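
Review bot: the re-added CM_ARM_CPU_INFO_LIST typedef carries no doc comment, unlike every other structure visible in this header, and nothing states that CpuCount is the element count of the CpuInfo array or who owns that allocation. That is expected for a straight revert, but if the type stays in the tree it wants a comment block in the same style as its neighbours, and any consumer should bound its index by CpuCount before dereferencing CpuInfo.
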
@@ -87,8 +88,6 @@ typedef struct CmArmPowerManagementProfileInfo {
 
 /** A structure that describes the
 GIC CPU Interface for the Platform.
-
-ID: EArmObjGicCInfo
 */
 typedef struct CmArmGicCInfo {
   /// The GIC CPU Interface number.
@@ -165,8 +164,6 @@ typedef struct CmArmGicCInfo {
 
 /** A structure that describes the
 GIC Distributor information for the Platform.
-
-ID: EArmObjGicDInfo
 */
 typedef struct CmArmGicDInfo {
   /// The Physical Base address for the GIC Distributor.
@@ -187,8 +184,6 @@ typedef struct CmArmGicDInfo {
 
 /** A structure that describes the
 GIC MSI Frame information for the Platform.
-
-ID: EArmObjGicMsiFrameInfo
 */
 typedef struct CmArmGicMsiFrameInfo {
   /// The GIC MSI Frame ID
@@ -212,8 +207,6 @@ typedef struct CmArmGicMsiFrameInfo {
 
 /** A structure that describes the
 GIC Redistributor information for the Platform.
-
-ID: EArmObjGicRedistributorInfo
 */
 typedef struct CmArmGicRedistInfo {
   /** The physical address of a page range
@@ -227,8 +220,6 @@ typedef struct CmArmGicRedistInfo {
 
 /** A structure that describes the
 GIC Interrupt Translation Service information for the Platform.
-
-ID: EArmObjGicItsInfo
 */
 typedef struct CmArmGicItsInfo {
   /// The GIC ITS ID
@@ -240,9 +231,6 @@ typedef struct CmArmGicItsInfo {
 
 /** A structure that describes the
 Serial Port information for the Platform.
-
-ID: EArmObjSerialConsolePortInfo or
-EArmObjSerialDebugPortInfo
 */
 typedef struct CmArmSerialPortInfo {
   /// The physical base address for the serial port
@@ -263,8 +251,6 @@ typedef struct CmArmSerialPortInfo {
 
 /** A structure that describes the
 Generic Timer information for the Platform.
-
-ID: EArmObjGenericTimerInfo
 */
 typedef struct CmArmGenericTimerInfo {
   /// The physical base address for the counter control frame
@@ -300,8 +286,6 @@ typedef struct CmArmGenericTimerInfo {
 
 /** A structure that describes the
 Platform Generic Block Timer Frame information for the Platform.
-
-ID: EArmObjGTBlockTimerFrameInfo
 */
 typedef struct CmArmGTBlockTimerFrameInfo {
   /// The Generic Timer frame number
@@ -337,8 +321,6 @@ typedef struct CmArmGTBlockTimerFrameInfo {
 
 /** A structure that describes the
 Platform Generic Block Timer information for the Platform.
-
-ID: EArmObjPlatformGTBlockInfo
 */
 typedef struct CmArmGTBlockInfo {
   /// The physical base address for the GT Block Timer structure
@@ -353,8 +335,6 @@ typedef struct CmArmGTBlockInfo {
 
 /** A structure that describes the
 SBSA Generic Watchdog information for the Platform.
-
-ID: EArmObjPlatformGenericWatchdogInfo
 */
 typedef struct CmArmGenericWatchdogInfo {
   /// The physical base address of the SBSA Watchdog control frame
@@ -374,8 +354,6 @@ typedef struct CmArmGenericWatchdogInfo {
 
 /** A structure that describes the
 PCI Configuration Space information for the Platform.
-
-ID: EArmObjPciConfigSpaceInfo
 */
 typedef struct CmArmPciConfigSpaceInfo {
   /// The physical base address for the PCI segment
@@ -393,8 +371,6 @@ typedef struct CmArmPciConfigSpaceInfo {
 
 /** A structure that describes the
 Hypervisor Vendor ID information for the Platform.
-
-ID: EArmObjHypervisorVendorIdentity
 */
 typedef struct CmArmHypervisorVendorId {
   /// The hypervisor Vendor ID
@@ -403,8 +379,6 @@ typedef struct CmArmHypervisorVendorId {
 
 /** A structure that describes the
 Fixed feature flags for the Platform.
-
-ID: 

[edk2] [PATCH v1 4/6] Revert "DynamicTablesPkg: Add OEM Info"

2019-02-26 Thread Sami Mujawar
This reverts commit c788bdaba47536447ae37518a96d92e0da54aad7.

Reverting this patch as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 
---
 DynamicTablesPkg/Include/Library/TableHelperLib.h|  4 +--
 DynamicTablesPkg/Include/StandardNameSpaceObjects.h  | 18 
--
 DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c |  2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiFadtLibArm/FadtGenerator.c |  2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiGtdtLibArm/GtdtGenerator.c |  2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c |  2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c |  2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiMcfgLibArm/McfgGenerator.c |  2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiSpcrLibArm/SpcrGenerator.c |  2 +-
 DynamicTablesPkg/Library/Common/TableHelperLib/TableHelper.c | 26 
++--
 10 files changed, 16 insertions(+), 46 deletions(-)

diff --git a/DynamicTablesPkg/Include/Library/TableHelperLib.h 
b/DynamicTablesPkg/Include/Library/TableHelperLib.h
index 
0f872bc3d08bf78e33bd8dab866e7bf57e00cb8c..3c4e1d23d2e6955388ab0b51fb57779f2225beb2
 100644
--- a/DynamicTablesPkg/Include/Library/TableHelperLib.h
+++ b/DynamicTablesPkg/Include/Library/TableHelperLib.h
@@ -45,7 +45,7 @@ GetCgfMgrInfo (
   @param [in] Generator  Pointer to the ACPI table Generator.
   @param [in,out] AcpiHeader Pointer to the ACPI table header to be
  updated.
-  @param [in] AcpiTableInfo  Pointer to the ACPI table info structure.
+  @param [in] Revision   Revision of the ACPI table.
   @param [in] Length Length of the ACPI table.
 
   @retval EFI_SUCCESS   The ACPI table is updated successfully.
@@ -61,7 +61,7 @@ AddAcpiHeader (
   IN  CONST EDKII_CONFIGURATION_MANAGER_PROTOCOL  * CONST CfgMgrProtocol,
   IN  CONST ACPI_TABLE_GENERATOR  * CONST Generator,
   IN OUT  EFI_ACPI_DESCRIPTION_HEADER * CONST AcpiHeader,
-  IN  CONST CM_STD_OBJ_ACPI_TABLE_INFO* CONST AcpiTableInfo,
+  IN  CONST UINT32Revision,
   IN  CONST UINT32Length
   );
 
diff --git a/DynamicTablesPkg/Include/StandardNameSpaceObjects.h 
b/DynamicTablesPkg/Include/StandardNameSpaceObjects.h
index 
58503858b27141cf7647a410c4b0b3fa574033de..4377ee8f785399b02fec824f3a34d2f4ed3b1c01
 100644
--- a/DynamicTablesPkg/Include/StandardNameSpaceObjects.h
+++ b/DynamicTablesPkg/Include/StandardNameSpaceObjects.h
@@ -93,24 +93,6 @@ typedef struct CmAStdObjAcpiTableInfo {
   /// Optional pointer to the ACPI table data
   EFI_ACPI_DESCRIPTION_HEADER  * AcpiTableData;
 
-  /// An OEM-supplied string that the OEM uses to identify the particular
-  /// data table. This field is particularly useful when defining a definition
-  /// block to distinguish definition block functions. The OEM assigns each
-  /// dissimilar table a new OEM Table ID.
-  /// This field could be constructed using the SIGNATURE_64() macro.
-  ///   e.g. SIGNATURE_64 ('A','R','M','H','G','T','D','T')
-  /// Note: If this field is not populated (has value of Zero), then the
-  /// Generators shall populate this information using part of the
-  /// CM_STD_OBJ_CONFIGURATION_MANAGER_INFO.OemId field and the
-  /// ACPI table signature.
-  UINT64 OemTableId;
-
-  /// An OEM-supplied revision number. Larger numbers are assumed to be
-  /// newer revisions.
-  /// Note: If this field is not populated (has value of Zero), then the
-  /// Generators shall populate this information using the revision of the
-  /// Configuration Manager (CM_STD_OBJ_CONFIGURATION_MANAGER_INFO.Revision).
-  UINT32 OemRevision;
 } CM_STD_OBJ_ACPI_TABLE_INFO;
 
 /** A structure used to describe the SMBIOS table generators to be invoked.
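
Review bot: dropping OemTableId and OemRevision from CM_STD_OBJ_ACPI_TABLE_INFO will break the build of any platform Configuration Manager that already initializes those members, so the commit message should say that platform code written against the reverted commit has to be reverted in step. The removal also leaves the blank context line directly before the closing brace of the struct, which is worth tidying if the revert is not required to be byte-exact.
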
diff --git a/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c 
b/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c
index 
697cfc46abaedf34d30abf26e7ebb2b4d271822a..e21e2b660634b1aedce8167b74573694d6df2a3b
 100644
--- a/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c
+++ b/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c
@@ -342,7 +342,7 @@ BuildDbg2Table (
  CfgMgrProtocol,
  This,
  (EFI_ACPI_DESCRIPTION_HEADER*),
- AcpiTableInfo,
+ AcpiTableInfo->AcpiTableRevision,
  sizeof (DBG2_TABLE)
  );
   if (EFI_ERROR (Status)) {
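
Review bot: the AddAcpiHeader call in BuildDbg2Table now dereferences AcpiTableInfo at the call site (AcpiTableInfo->AcpiTableRevision) where it previously only passed the pointer through, so please confirm the function checks or ASSERTs AcpiTableInfo != NULL before this line. Because the prototype change in TableHelperLib.h lands in the same patch, all seven generators listed in the diffstat have to switch together for the tree to stay buildable at this commit.
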
diff --git a/DynamicTablesPkg/Library/Acpi/Arm/AcpiFadtLibArm/FadtGenerator.c 
b/DynamicTablesPkg/Library/Acpi/Arm/AcpiFadtLibArm/FadtGenerator.c
index 
6699901b42a63a152027de59887ed097748ece91..62927b51d6d7c1585da1cb0d59785e2382639002
 

[edk2] [PATCH v1 0/6] Revert DynamicTablesPkg: Framework updates and fixes

2019-02-26 Thread Sami Mujawar
Reverting this patch series as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 

The changes can be seen at 
https://github.com/samimujawar/edk2/tree/Revert_473_dynamic_tables_framework_v1

Sami Mujawar (6):
  Revert "DynamicTablesPkg: Minor updates and fix typos"
  Revert "DynamicTablesPkg: Remove GIC Distributor Id field"
  Revert "DynamicTablesPkg: DGB2: Update DBG2_DEBUG_PORT_DDI"
  Revert "DynamicTablesPkg: Add OEM Info"
  Revert "DynamicTablesPkg: Rename enum used for ID Mapping"
  Revert "DynamicTablesPkg: Fix protocol section"

 DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf |  
7 +-
 DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf |  
7 +-
 DynamicTablesPkg/Include/ArmNameSpaceObjects.h | 
73 +---
 DynamicTablesPkg/Include/Library/TableHelperLib.h  |  
4 +-
 DynamicTablesPkg/Include/StandardNameSpaceObjects.h| 
18 -
 DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c   |  
7 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiFadtLibArm/FadtGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiGtdtLibArm/GtdtGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c   |  
8 +--
 DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c   |  
6 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiMcfgLibArm/McfgGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiSpcrLibArm/SpcrGenerator.c   |  
2 +-
 DynamicTablesPkg/Library/Common/TableHelperLib/TableHelper.c   | 
26 ++-
 13 files changed, 48 insertions(+), 116 deletions(-)

-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'




[edk2] [PATCH v1 5/6] Revert "DynamicTablesPkg: Rename enum used for ID Mapping"

2019-02-26 Thread Sami Mujawar
This reverts commit 1d49a75367ef6827b8b8f77f61e9ce245d1bdee3.

Reverting this patch as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 
---
 DynamicTablesPkg/Include/ArmNameSpaceObjects.h   | 2 +-
 DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/DynamicTablesPkg/Include/ArmNameSpaceObjects.h 
b/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
index 
2adaa788083e4e15d049f5f6b6312f77f3c02488..93cb6949f0eb2ac2ad3524494e4a14c7a6fab4b8
 100644
--- a/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
+++ b/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
@@ -52,7 +52,7 @@ typedef enum ArmObjectID {
   EArmObjSmmuV3,  ///< 22 - SMMUv3
   EArmObjPmcg,///< 23 - PMCG
   EArmObjGicItsIdentifierArray,   ///< 24 - GIC ITS Identifier Array
-  EArmObjIdMappingArray,  ///< 25 - ID Mapping Array
+  EArmObjIdMapping,   ///< 25 - ID Mapping
   EArmObjSmmuInterruptArray,  ///< 26 - SMMU Interrupt Array
   EArmObjMax
 } EARM_OBJECT_ID;
diff --git a/DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c 
b/DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c
index 
b53c4bb47798d4ad441db1fe1b1e5b180e313403..a3ee60664ecbeb1b12b01683f838e11804884daf
 100644
--- a/DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c
+++ b/DynamicTablesPkg/Library/Acpi/Arm/AcpiIortLibArm/IortGenerator.c
@@ -44,7 +44,7 @@ Requirements:
   - EArmObjSmmuV3
   - EArmObjPmcg
   - EArmObjGicItsIdentifierArray
-  - EArmObjIdMappingArray
+  - EArmObjIdMapping
   - EArmObjGicItsIdentifierArray
 */
 
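
Review bot: the Requirements list in the IortGenerator.c file header names EArmObjGicItsIdentifierArray twice, once above the renamed entry and once as the last item. The second occurrence looks like a copy error that predates this series; a follow-up should replace it with the object that was meant or drop it, since this list is the only place a platform author sees what the generator consumes.
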
@@ -116,7 +116,7 @@ GET_OBJECT_LIST (
 */
 GET_OBJECT_LIST (
   EObjNameSpaceArm,
-  EArmObjIdMappingArray,
+  EArmObjIdMapping,
   CM_ARM_ID_MAPPING
   );
 
@@ -653,7 +653,7 @@ AddIdMappingArray (
   Generator = (ACPI_IORT_GENERATOR*)This;
 
   // Get the Id Mapping Array
-  Status = GetEArmObjIdMappingArray (
+  Status = GetEArmObjIdMapping (
  CfgMgrProtocol,
  IdMappingToken,
  ,
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'




[edk2] [PATCH v1 6/6] Revert "DynamicTablesPkg: Fix protocol section"

2019-02-26 Thread Sami Mujawar
This reverts commit bde673b2dcd1b087af7f49dd5f0c3b82b02172a5.

Reverting this patch as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 
---
 DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf | 7 
+--
 DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf | 7 
+++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git 
a/DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf 
b/DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf
index 
02c907c38023e8b44829a38ed93436904d8cf3d3..740811d0fc0590543a62360e6753eb04fb675d70
 100644
--- a/DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf
+++ b/DynamicTablesPkg/Drivers/DynamicTableFactoryDxe/DynamicTableFactoryDxe.inf
@@ -1,7 +1,7 @@
 ## @file
 #  Module to manage the list of available table factories.
 #
-#  Copyright (c) 2017 - 2019, ARM Limited. All rights reserved.
+#  Copyright (c) 2017 - 2018, ARM Limited. All rights reserved.
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD 
License
@@ -51,7 +51,10 @@ [FixedPcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdMaxCustomDTGenerators
 
 [Protocols]
-  gEdkiiDynamicTableFactoryProtocolGuid # PRODUCES
+  gEfiAcpiTableProtocolGuid # PROTOCOL ALWAYS_CONSUMED
+  gEfiSmbiosProtocolGuid# PROTOCOL ALWAYS_CONSUMED
+  gEdkiiConfigurationManagerProtocolGuid
+  gEdkiiDynamicTableFactoryProtocolGuid
 
 [Depex]
   TRUE
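
Review bot: in the restored [Protocols] section of DynamicTableFactoryDxe.inf, gEdkiiConfigurationManagerProtocolGuid and gEdkiiDynamicTableFactoryProtocolGuid have no usage comment while the two entries above them do, and the "# PRODUCES" annotation on the factory protocol is lost. That is acceptable for a freeze revert, but the repost after the stable tag should carry the usage annotations again so the INF documents which protocols this module installs and which it only consumes.
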
diff --git 
a/DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf 
b/DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf
index 
e78218a914ce993f3e605841e2bffae700076dd0..fef8b20672fb943b78302a152fcf0f66db264b0a
 100644
--- a/DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf
+++ b/DynamicTablesPkg/Drivers/DynamicTableManagerDxe/DynamicTableManagerDxe.inf
@@ -1,7 +1,7 @@
 ## @file
 # Module that drives the table generation and installation process.
 #
-#  Copyright (c) 2017 - 2019, ARM Limited. All rights reserved.
+#  Copyright (c) 2017 - 2018, ARM Limited. All rights reserved.
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD 
License
@@ -42,9 +42,8 @@ [LibraryClasses]
 
 [Protocols]
   gEfiAcpiTableProtocolGuid # PROTOCOL ALWAYS_CONSUMED
-
-  gEdkiiConfigurationManagerProtocolGuid# PROTOCOL ALWAYS_CONSUMED
-  gEdkiiDynamicTableFactoryProtocolGuid # PROTOCOL ALWAYS_CONSUMED
+  gEdkiiConfigurationManagerProtocolGuid
+  gEdkiiDynamicTableFactoryProtocolGuid
 
 [Depex]
   gEfiAcpiTableProtocolGuid AND
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'




[edk2] [PATCH v1 2/6] Revert "DynamicTablesPkg: Remove GIC Distributor Id field"

2019-02-26 Thread Sami Mujawar
This reverts commit d3a15f435f9716aa2f2ea5e9b35fcda04f267ab4.

Reverting this patch as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 
---
 DynamicTablesPkg/Include/ArmNameSpaceObjects.h   | 5 -
 DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c | 4 +---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/DynamicTablesPkg/Include/ArmNameSpaceObjects.h 
b/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
index 
73139eb3273e89205ef9e6bee67b1b842f7f516b..2adaa788083e4e15d049f5f6b6312f77f3c02488
 100644
--- a/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
+++ b/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
@@ -1,6 +1,6 @@
 /** @file
 
-  Copyright (c) 2017 - 2019, ARM Limited. All rights reserved.
+  Copyright (c) 2017 - 2018, ARM Limited. All rights reserved.
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
@@ -166,6 +166,9 @@ typedef struct CmArmGicCInfo {
 GIC Distributor information for the Platform.
 */
 typedef struct CmArmGicDInfo {
+  /// The GIC Distributor ID.
+  UINT32  GicId;
+
   /// The Physical Base address for the GIC Distributor.
   UINT64  PhysicalBaseAddress;
 
diff --git a/DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c 
b/DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c
index 
6b89c3f65d36ff35fcfc81cdffdeae8e4306c976..1ee0b9e006bfa00ea5bbf6aa64209dac244c90a0
 100644
--- a/DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c
+++ b/DynamicTablesPkg/Library/Acpi/Arm/AcpiMadtLibArm/MadtGenerator.c
@@ -192,9 +192,7 @@ AddGICD (
   // UINT16 Reserved
   Gicd->Reserved1 = EFI_ACPI_RESERVED_WORD;
   // UINT32 Identifier
-  // One, and only one, GIC distributor structure must be present
-  // in the MADT for an ARM based system
-  Gicd->GicId = 0;
+  Gicd->GicId = GicDInfo->GicId;
   // UINT64 PhysicalBaseAddress
   Gicd->PhysicalBaseAddress = GicDInfo->PhysicalBaseAddress;
   // UINT32 VectorBase
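
Review bot: in AddGICD, the restored assignment Gicd->GicId = GicDInfo->GicId takes the identifier from platform-supplied data again and drops the comment explaining that exactly one GIC distributor structure may be present in the MADT. If the field has to come back for the freeze, keep that comment next to the assignment so the constraint stays documented, and note in the commit message that platforms must populate the re-added GicId member of CM_ARM_GICD_INFO.
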
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'




[edk2] [PATCH v1 3/6] Revert "DynamicTablesPkg: DGB2: Update DBG2_DEBUG_PORT_DDI"

2019-02-26 Thread Sami Mujawar
This reverts commit 6814256083a90ef218e7ae240e51922045175df1.

Reverting this patch as Soft Feature Freeze for
edk2-stable201903 started on 22 Feb 2019.

Cc: Laszlo Ersek 
Cc: Alexei Fedorov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Sami Mujawar 
---
 DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c 
b/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c
index 
90380f48da017b257476ee63bcc1beae5efe1d65..697cfc46abaedf34d30abf26e7ebb2b4d271822a
 100644
--- a/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c
+++ b/DynamicTablesPkg/Library/Acpi/Arm/AcpiDbg2LibArm/Dbg2Generator.c
@@ -97,12 +97,14 @@ typedef struct {
 /** A helper macro used for initializing the debug port device
 information structure.
 
+  @param [in]  NumReg   The number of generic address registers.
   @param [in]  SubType  The DBG Port SubType.
   @param [in]  UartBase The UART port base address.
   @param [in]  UartAddrLen  The UART port address range length.
   @param [in]  UartNameStr  The UART port name string.
 **/
 #define DBG2_DEBUG_PORT_DDI(  \
+  NumReg, \
   SubType,\
   UartBase,   \
   UartAddrLen,\
@@ -114,7 +116,7 @@ typedef struct {
   /* UINT16Length */  \
   sizeof (DBG2_DEBUG_DEVICE_INFORMATION), \
   /* UINT8 NumberofGenericAddressRegisters */ \
-  DBG2_NUMBER_OF_GENERIC_ADDRESS_REGISTERS,   \
+  NumReg, \
   /* UINT16NameSpaceStringLength */   \
   DBG2_NAMESPACESTRING_FIELD_SIZE,\
   /* UINT16NameSpaceStringOffset */   \
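
Review bot: DBG2_DEBUG_PORT_DDI now writes the caller-supplied NumReg into NumberofGenericAddressRegisters while Length two lines above is still sizeof (DBG2_DEBUG_DEVICE_INFORMATION), a fixed-size structure. A caller passing anything other than DBG2_NUMBER_OF_GENERIC_ADDRESS_REGISTERS would publish a register count that disagrees with the bytes actually present, and a table consumer that trusts the count would read past the structure. Either document in the macro comment that NumReg must equal DBG2_NUMBER_OF_GENERIC_ADDRESS_REGISTERS or keep the constant hard-wired as the reverted commit had it.
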
@@ -162,6 +164,7 @@ DBG2_TABLE AcpiDbg2 = {
  * Debug port 1
  */
 DBG2_DEBUG_PORT_DDI (
+  DBG2_NUMBER_OF_GENERIC_ADDRESS_REGISTERS,
   0,// {Template}: Serial Port Subtype
   0,// {Template}: Serial Port Base Address
   PL011_UART_LENGTH,
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'




Re: [edk2] [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before parsing the message.

2019-02-26 Thread Fu, Siyuan
Reviewed-by: Siyuan Fu 

> -Original Message-
> From: Wu, Jiaxin
> Sent: Tuesday, February 26, 2019 4:14 PM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting ; Fu, Siyuan ; Wang, Fan
> ; Wu, Jiaxin 
> Subject: [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before
> parsing the message.
> 
> Fix CVE-2018-12178
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809
> 
> The DNS driver only checks the received packet size against the
> minimum DNS header size in DnsOnPacketReceived(); later it accesses
> the QueryName and QuerySection beyond the header scope, which might
> cause the pointer within the DNS driver to point to an invalid entry or
> modify the memory content beyond the header scope.
> 
> This patch is to fix the above problem.
> 
> Cc: Ye Ting 
> Cc: Fu Siyuan 
> Cc: Wang Fan 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin 
> ---
>  NetworkPkg/DnsDxe/DnsImpl.c | 77 -
>  NetworkPkg/DnsDxe/DnsImpl.h |  2 +
>  2 files changed, 69 insertions(+), 10 deletions(-)
> 
> diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
> index 89ea755cb2..26a718987c 100644
> --- a/NetworkPkg/DnsDxe/DnsImpl.c
> +++ b/NetworkPkg/DnsDxe/DnsImpl.c
> @@ -1112,26 +1112,29 @@ IsValidDnsResponse (
>  /**
>Parse Dns Response.
> 
>@param  Instance  The DNS instance
>@param  RxString  Received buffer.
> +  @param  LengthReceived buffer length.
>@param  Completed Flag to indicate that Dns response is valid.
> 
>@retval EFI_SUCCESS   Parse Dns Response successfully.
>@retval OthersFailed to parse Dns Response.
> 
>  **/
>  EFI_STATUS
>  ParseDnsResponse (
>IN OUT DNS_INSTANCE  *Instance,
>IN UINT8 *RxString,
> +  IN UINT32Length,
>   OUT BOOLEAN   *Completed
>)
>  {
>DNS_HEADER*DnsHeader;
> 
>CHAR8 *QueryName;
> +  UINT32QueryNameLen;
>DNS_QUERY_SECTION *QuerySection;
> 
>CHAR8 *AnswerName;
>DNS_ANSWER_SECTION*AnswerSection;
>UINT8 *AnswerData;
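Review bot: the new `@param Length` line in the ParseDnsResponse() header comment does not say what the length measures. State that it is the number of valid bytes in RxString, since every later bounds check in this function depends on the caller passing the received size rather than the allocated buffer size. The `@retval` list could also name EFI_ABORTED for a truncated packet so callers know what a short response produces.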
> @@ -1153,10 +1156,11 @@ ParseDnsResponse (
> 
>DNS_RESOURCE_RECORD   *Dns4RR;
>DNS6_RESOURCE_RECORD  *Dns6RR;
> 
>EFI_STATUSStatus;
> +  UINT32RemainingLength;
> 
>EFI_TPL   OldTpl;
> 
>Item = NULL;
>Dns4TokenEntry   = NULL;
> @@ -1176,10 +1180,21 @@ ParseDnsResponse (
>Dns4RR   = NULL;
>Dns6RR   = NULL;
> 
>*Completed   = TRUE;
>Status   = EFI_SUCCESS;
> +  RemainingLength  = Length;
> +
> +  //
> +  // Check whether the remaining packet length is avaiable or not.
> +  //
> +  if (RemainingLength <= sizeof (DNS_HEADER)) {
> +*Completed = FALSE;
> +return EFI_ABORTED;
> +  } else {
> +RemainingLength -= sizeof (DNS_HEADER);
> +  }
> 
>//
>// Get header
>//
>DnsHeader = (DNS_HEADER *) RxString;
> @@ -1189,26 +1204,42 @@ ParseDnsResponse (
>DnsHeader->QuestionsNum = NTOHS (DnsHeader->QuestionsNum);
>DnsHeader->AnswersNum = NTOHS (DnsHeader->AnswersNum);
>DnsHeader->AuthorityNum = NTOHS (DnsHeader->AuthorityNum);
>DnsHeader->AditionalNum = NTOHS (DnsHeader->AditionalNum);
> 
> +  //
> +  // There is always one QuestionsNum in DNS message. The capability to
> handle more
> +  // than one requires to redesign the message format. Currently, it's not
> supported.
> +  //
> +  if (DnsHeader->QuestionsNum > 1) {
> +*Completed = FALSE;
> +return EFI_UNSUPPORTED;
> +  }
> +
>//
>// Get Query name
>//
>QueryName = (CHAR8 *) (RxString + sizeof (*DnsHeader));
> 
> +  QueryNameLen = (UINT32) AsciiStrLen (QueryName) + 1;
> +
>//
> -  // Get query section
> +  // Check whether the remaining packet length is avaiable or not.
>//
> -  QuerySection = (DNS_QUERY_SECTION *) (QueryName + AsciiStrLen (QueryName) +
> 1);
> -  QuerySection->Type = NTOHS (QuerySection->Type);
> -  QuerySection->Class = NTOHS (QuerySection->Class);
> +  if (RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)) {
> +*Completed = FALSE;
> +return EFI_ABORTED;
> +  } else {
> +RemainingLength -= (QueryNameLen + sizeof (DNS_QUERY_SECTION));
> +  }
> 
>//
> -  // Get Answer name
> +  // Get query section
>//
> -  AnswerName = (CHAR8 *) QuerySection + sizeof (*QuerySection);
> +  QuerySection = (DNS_QUERY_SECTION *) (QueryName + QueryNameLen);
> +  QuerySection->Type = NTOHS (QuerySection->Type);
> +  QuerySection->Class = NTOHS (QuerySection->Class);
> 
>OldTpl = gBS->RaiseTPL (TPL_CALLBACK);
> 
>//
>// Check DnsResponse Validity, if so, also get a valid NET_MAP_ITEM.
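Review bot: `QueryNameLen = (UINT32) AsciiStrLen (QueryName) + 1;` still reads past the received data, because the length is measured before it is compared with RemainingLength. If the name has no NUL terminator inside the packet, AsciiStrLen() keeps scanning beyond the buffer, and only afterwards does the new `RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)` test run. Bound the scan by the bytes that are actually left, for example `QueryNameLen = (UINT32) AsciiStrnLenS (QueryName, RemainingLength) + 1;`, so an unterminated name yields a length the following check rejects.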
> @@ -1339,14 +1370,30 @@ ParseDnsResponse (
>  }
>}
> 
>Status = EFI_NOT_FOUND;
> 
> +  //
> +  // Get Answer name
> +  //
> +  

[edk2] [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before parsing the message.

2019-02-26 Thread Jiaxin Wu
Fix CVE-2018-12178
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809

The DNS driver only checks the received packet size against the
minimum DNS header size in DnsOnPacketReceived(); later it accesses
the QueryName and QuerySection beyond the header scope, which might
cause the pointer within the DNS driver to point to an invalid entry
or modify the memory content beyond the header scope.

This patch is to fix the above problem.

Cc: Ye Ting 
Cc: Fu Siyuan 
Cc: Wang Fan 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin 
---
 NetworkPkg/DnsDxe/DnsImpl.c | 77 -
 NetworkPkg/DnsDxe/DnsImpl.h |  2 +
 2 files changed, 69 insertions(+), 10 deletions(-)

diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
index 89ea755cb2..26a718987c 100644
--- a/NetworkPkg/DnsDxe/DnsImpl.c
+++ b/NetworkPkg/DnsDxe/DnsImpl.c
@@ -1112,26 +1112,29 @@ IsValidDnsResponse (
 /**
   Parse Dns Response.
 
   @param  Instance  The DNS instance
   @param  RxString  Received buffer.
+  @param  LengthReceived buffer length.
   @param  Completed Flag to indicate that Dns response is valid.
 
   @retval EFI_SUCCESS   Parse Dns Response successfully.
   @retval OthersFailed to parse Dns Response.
 
 **/
 EFI_STATUS
 ParseDnsResponse (
   IN OUT DNS_INSTANCE  *Instance,
   IN UINT8 *RxString,
+  IN UINT32Length,
  OUT BOOLEAN   *Completed
   )
 {
   DNS_HEADER*DnsHeader;
 
   CHAR8 *QueryName;
+  UINT32QueryNameLen;
   DNS_QUERY_SECTION *QuerySection;
 
   CHAR8 *AnswerName;
   DNS_ANSWER_SECTION*AnswerSection;
   UINT8 *AnswerData;
@@ -1153,10 +1156,11 @@ ParseDnsResponse (
 
   DNS_RESOURCE_RECORD   *Dns4RR;
   DNS6_RESOURCE_RECORD  *Dns6RR;
 
   EFI_STATUSStatus;
+  UINT32RemainingLength;
 
   EFI_TPL   OldTpl;
 
   Item = NULL;
   Dns4TokenEntry   = NULL;
@@ -1176,10 +1180,21 @@ ParseDnsResponse (
   Dns4RR   = NULL;
   Dns6RR   = NULL;
 
   *Completed   = TRUE;
   Status   = EFI_SUCCESS;
+  RemainingLength  = Length;
+
+  //
+  // Check whether the remaining packet length is avaiable or not.
+  //
+  if (RemainingLength <= sizeof (DNS_HEADER)) {
+*Completed = FALSE;
+return EFI_ABORTED;
+  } else {
+RemainingLength -= sizeof (DNS_HEADER);
+  }
 
   //
   // Get header
   //
   DnsHeader = (DNS_HEADER *) RxString;
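Review bot: style points on the new header length check: the comment reads "avaiable" (the same spelling recurs in the two later checks) and should be "available", and the `else` branch after `return EFI_ABORTED;` is unnecessary, so `RemainingLength -= sizeof (DNS_HEADER);` can follow the `if` block directly. The comment would also be more useful if it said what is being compared, for example that the packet must be longer than the DNS header.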
@@ -1189,26 +1204,42 @@ ParseDnsResponse (
   DnsHeader->QuestionsNum = NTOHS (DnsHeader->QuestionsNum);
   DnsHeader->AnswersNum = NTOHS (DnsHeader->AnswersNum);
   DnsHeader->AuthorityNum = NTOHS (DnsHeader->AuthorityNum);
   DnsHeader->AditionalNum = NTOHS (DnsHeader->AditionalNum);
 
+  //
+  // There is always one QuestionsNum in DNS message. The capability to handle 
more
+  // than one requires to redesign the message format. Currently, it's not 
supported.
+  //
+  if (DnsHeader->QuestionsNum > 1) {
+*Completed = FALSE;
+return EFI_UNSUPPORTED;
+  }
+
   //
   // Get Query name
   //
   QueryName = (CHAR8 *) (RxString + sizeof (*DnsHeader));
 
+  QueryNameLen = (UINT32) AsciiStrLen (QueryName) + 1;
+
   //
-  // Get query section
+  // Check whether the remaining packet length is avaiable or not.
   //
-  QuerySection = (DNS_QUERY_SECTION *) (QueryName + AsciiStrLen (QueryName) + 
1);
-  QuerySection->Type = NTOHS (QuerySection->Type);
-  QuerySection->Class = NTOHS (QuerySection->Class);
+  if (RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)) {
+*Completed = FALSE;
+return EFI_ABORTED;
+  } else {
+RemainingLength -= (QueryNameLen + sizeof (DNS_QUERY_SECTION));
+  }
 
   //
-  // Get Answer name
+  // Get query section
   //
-  AnswerName = (CHAR8 *) QuerySection + sizeof (*QuerySection);
+  QuerySection = (DNS_QUERY_SECTION *) (QueryName + QueryNameLen);
+  QuerySection->Type = NTOHS (QuerySection->Type);
+  QuerySection->Class = NTOHS (QuerySection->Class);
 
   OldTpl = gBS->RaiseTPL (TPL_CALLBACK);
 
   //
   // Check DnsResponse Validity, if so, also get a valid NET_MAP_ITEM.
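Review bot: `if (DnsHeader->QuestionsNum > 1)` lets QuestionsNum == 0 through, yet the lines that follow parse a query name and a DNS_QUERY_SECTION unconditionally. Since the comment says there is always exactly one question, test `DnsHeader->QuestionsNum != 1`. Separately, `RemainingLength <= QueryNameLen + sizeof (DNS_QUERY_SECTION)` uses `<=`, so a reply that ends exactly after the question section is aborted here before IsValidDnsResponse and the rest of the function can look at it; `<` is enough to make the QuerySection accesses safe, so please confirm the stricter comparison is intended.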
@@ -1339,14 +1370,30 @@ ParseDnsResponse (
 }
   }
 
   Status = EFI_NOT_FOUND;
 
+  //
+  // Get Answer name
+  //
+  AnswerName = (CHAR8 *) QuerySection + sizeof (*QuerySection);
+
   //
   // Processing AnswerSection.
   //
   while (AnswerSectionNum < DnsHeader->AnswersNum) {
+//
+// Check whether the remaining packet length is avaiable or not.
+//
+if (RemainingLength <= sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION)) {
+  *Completed = FALSE;
+  Status = EFI_ABORTED;
+  goto ON_EXIT;
+} else {
+  RemainingLength -= (sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION));
+}
+
 //
 // Answer name should be PTR, else EFI_UNSUPPORTED returned.
 //
 if
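Review bot: the per-record check in the `while` loop subtracts only `sizeof (UINT16) + sizeof (DNS_ANSWER_SECTION)`, that is, a two-byte name plus the fixed fields. In the lines shown, RemainingLength is never reduced by the record's variable-length data, so unless that happens further down, the next iteration compares against a count that is too large. After reading the record's data length, check it against RemainingLength and subtract it before touching AnswerData. The size test also assumes a two-byte compressed name before the "Answer name should be PTR" test has run, which is safe only because the non-PTR case bails out; a short comment saying so would help.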