Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
On 02/28/19 02:32, Gao, Liming wrote:
> I update
> https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format
> with CVE example. Please check it.

"CVE fix needs to append CVE number in Brief-single-line-summary. The
format is 'Pkg-Module: Brief-single-line-summary (CVE-Year-Number)'. Its
length should be less than 92 characters."

Let's use the following suffix as example:

" (CVE-2018-12180)"

(the Number part is supposed to fit into 5 digits)

The length of this suffix is 17 characters.

For normal cases, we have an inclusive limit of 74 characters. So for
CVE subjects the inclusive limit is 74+17=91 characters. The wiki page
states an exclusive limit of 92 chars, which is the same.

So, I think the update is perfect.

Thanks
Laszlo
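The subject-line rule worked out in the message above, as an added example that is not part of the thread and is not edk2's own tooling: a Python check that applies the 74-character limit, the 91-character limit for subjects ending in "(CVE-Year-Number)", and flags a subject that mentions a CVE without the exact number. The function names, the regular expressions and the rewritten subjects are assumptions of this example; the input is taken to be a bare subject without any "[PATCH ...]" tag.

```python
import re

NORMAL_LIMIT = 74                           # inclusive limit for ordinary subjects
CVE_SUFFIX_LEN = len(" (CVE-2018-12180)")   # 17, the suffix used in the message
CVE_LIMIT = NORMAL_LIMIT + CVE_SUFFIX_LEN   # 91 inclusive, i.e. "less than 92"

# Assumed patterns for this example, derived from the wiki wording
# 'Pkg-Module: Brief-single-line-summary (CVE-Year-Number)'.
PREFIX = re.compile(r"^[^\s:]+: \S")
CVE_SUFFIX = re.compile(r" \(CVE-\d{4}-\d{4,}\)$")
CVE_MENTION = re.compile(r"\bCVE\b", re.IGNORECASE)


def check_subject(subject):
    """Return a list of problems with a bare commit subject (empty list = OK)."""
    problems = []
    if not PREFIX.match(subject):
        problems.append("missing 'Pkg-Module: ' prefix")
    if CVE_SUFFIX.search(subject):
        limit = CVE_LIMIT
    else:
        limit = NORMAL_LIMIT
        if CVE_MENTION.search(subject):
            problems.append("mentions CVE without an exact '(CVE-Year-Number)' suffix")
    if len(subject) > limit:
        problems.append(f"{len(subject)} characters, limit is {limit}")
    return problems


# Subjects as they appear in the v2 cover letter of this thread.
V2_SUBJECTS = [
    "MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)",
    "MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE FIX)",
]


def with_cve(subject, cve_id):
    """Constructed rewrite: swap the '(CVE FIX)' marker for the exact CVE id."""
    return subject.replace("(CVE FIX)", f"({cve_id})")


if __name__ == "__main__":
    for s in V2_SUBJECTS:
        fixed = with_cve(s, "CVE-2018-12180")
        print(check_subject(s), "->", len(fixed), check_subject(fixed))
```

The second rewritten subject comes to 77 characters, so it passes only because of the longer limit for CVE subjects.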
Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
I update
https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format
with CVE example. Please check it.

>-Original Message-
>From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
>Laszlo Ersek
>Sent: Thursday, February 28, 2019 3:31 AM
>To: Gao, Liming ; Wu, Hao A ;
>edk2-devel@lists.01.org
>Cc: Zeng, Star
>Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
>boundary access in Ramdisk
>
>On 02/27/19 13:49, Gao, Liming wrote:
>> Laszlo:
>> I add my comments.
>>
>> Thanks
>> Liming
>>> -Original Message-
>>> From: Laszlo Ersek [mailto:ler...@redhat.com]
>>> Sent: Wednesday, February 27, 2019 4:58 PM
>>> To: Wu, Hao A ; Gao, Liming
>; edk2-devel@lists.01.org
>>> Cc: Zeng, Star
>>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
>boundary access in Ramdisk
>>>
>>> On 02/27/19 07:56, Wu, Hao A wrote:
>>>>> -Original Message-
>>>>> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf
>Of
>>>>> Laszlo Ersek
>>>>> Sent: Tuesday, February 26, 2019 7:45 PM
>>>>> To: Wu, Hao A; edk2-devel@lists.01.org
>>>>> Cc: Zeng, Star
>>>>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer
>cross
>>>>> boundary access in Ramdisk
>>>>>
>>>>> On 02/26/19 08:45, Hao Wu wrote:
>>>>>> V2 changes:
>>>>>>
>>>>>> Correct CC list information.
>>>>>>
>>>>>>
>>>>>> V1 history:
>>>>>>
>>>>>> The series will resolve a buffer cross boundary access issue during the
>>>>>> use of RAM disks. It is the mitigation for issue CVE-2018-12180.
>>>>>>
>>>>>> Cc: Jian J Wang
>>>>>> Cc: Ray Ni
>>>>>> Cc: Star Zeng
>>>>>>
>>>>>> Hao Wu (2):
>>>>>> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE
>FIX)
>>>>>> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize
>(CVE
>>>>> FIX)
>>>>>>
>>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6
>+++---
>>>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9
>-
>>>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9
>-
>>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
>>>>> ++--
>>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5
>+++--
>>>>>> 5 files changed, 36 insertions(+), 13 deletions(-)
>>>>>>
>>>>>
>>>>> Please put the exact CVE numbers in the subject lines.
>>>>
>>>> Hello Laszlo and Liming,
>>>>
>>>> I totally agree the commit subject line should include the CVE number.
>>>> But I have one feedback that, if the commit is for a CVE fix, is it
>>>> possible to exempt the commit subject from 71 characters limit?
>>>
>>> In my opinion, that is absolutely the case.
>>>
>>>> I found it can be hard to summary the commit with the Package/Module
>plus
>>>> the CVE number information.
>>>
>>> I agree, it is hard. But, IMO, in this case, the precise CVE reference
>>> takes priority.
>>>
>> For this case, I suggest to allow subject line length to be bigger, such as
>> 120
>character.
>> I will update wiki
>https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-
>Format for CVE commit message format.
>> For example: Pkg-Module: Brief-single-line-summary (CVE-Year-Number)
>
>Thanks for that!
>Laszlo
Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
On 02/27/19 13:49, Gao, Liming wrote:
> Laszlo:
> I add my comments.
>
> Thanks
> Liming
>> -Original Message-
>> From: Laszlo Ersek [mailto:ler...@redhat.com]
>> Sent: Wednesday, February 27, 2019 4:58 PM
>> To: Wu, Hao A ; Gao, Liming ;
>> edk2-devel@lists.01.org
>> Cc: Zeng, Star
>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
>> boundary access in Ramdisk
>>
>> On 02/27/19 07:56, Wu, Hao A wrote:
>>>> -Original Message-
>>>> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
>>>> Laszlo Ersek
>>>> Sent: Tuesday, February 26, 2019 7:45 PM
>>>> To: Wu, Hao A; edk2-devel@lists.01.org
>>>> Cc: Zeng, Star
>>>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
>>>> boundary access in Ramdisk
>>>>
>>>> On 02/26/19 08:45, Hao Wu wrote:
>>>>> V2 changes:
>>>>>
>>>>> Correct CC list information.
>>>>>
>>>>>
>>>>> V1 history:
>>>>>
>>>>> The series will resolve a buffer cross boundary access issue during the
>>>>> use of RAM disks. It is the mitigation for issue CVE-2018-12180.
>>>>>
>>>>> Cc: Jian J Wang
>>>>> Cc: Ray Ni
>>>>> Cc: Star Zeng
>>>>>
>>>>> Hao Wu (2):
>>>>> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
>>>>> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE
>>>> FIX)
>>>>>
>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
>>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
>>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
>>>> ++--
>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
>>>>> 5 files changed, 36 insertions(+), 13 deletions(-)
>>>>>
>>>>
>>>> Please put the exact CVE numbers in the subject lines.
>>>
>>> Hello Laszlo and Liming,
>>>
>>> I totally agree the commit subject line should include the CVE number.
>>> But I have one feedback that, if the commit is for a CVE fix, is it
>>> possible to exempt the commit subject from 71 characters limit?
>>
>> In my opinion, that is absolutely the case.
>>
>>> I found it can be hard to summary the commit with the Package/Module plus
>>> the CVE number information.
>>
>> I agree, it is hard. But, IMO, in this case, the precise CVE reference
>> takes priority.
>>
> For this case, I suggest to allow subject line length to be bigger, such as
> 120 character.
> I will update wiki
> https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format
> for CVE commit message format.
> For example: Pkg-Module: Brief-single-line-summary (CVE-Year-Number)

Thanks for that!
Laszlo
Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
Laszlo:
  I add my comments.

Thanks
Liming
> -Original Message-
> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Wednesday, February 27, 2019 4:58 PM
> To: Wu, Hao A ; Gao, Liming ;
> edk2-devel@lists.01.org
> Cc: Zeng, Star
> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
> boundary access in Ramdisk
>
> On 02/27/19 07:56, Wu, Hao A wrote:
> >> -Original Message-
> >> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> >> Laszlo Ersek
> >> Sent: Tuesday, February 26, 2019 7:45 PM
> >> To: Wu, Hao A; edk2-devel@lists.01.org
> >> Cc: Zeng, Star
> >> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
> >> boundary access in Ramdisk
> >>
> >> On 02/26/19 08:45, Hao Wu wrote:
> >>> V2 changes:
> >>>
> >>> Correct CC list information.
> >>>
> >>>
> >>> V1 history:
> >>>
> >>> The series will resolve a buffer cross boundary access issue during the
> >>> use of RAM disks. It is the mitigation for issue CVE-2018-12180.
> >>>
> >>> Cc: Jian J Wang
> >>> Cc: Ray Ni
> >>> Cc: Star Zeng
> >>>
> >>> Hao Wu (2):
> >>> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
> >>> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE
> >> FIX)
> >>>
> >>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
> >>> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
> >>> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
> >>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
> >> ++--
> >>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
> >>> 5 files changed, 36 insertions(+), 13 deletions(-)
> >>>
> >>
> >> Please put the exact CVE numbers in the subject lines.
> >
> > Hello Laszlo and Liming,
> >
> > I totally agree the commit subject line should include the CVE number.
> > But I have one feedback that, if the commit is for a CVE fix, is it
> > possible to exempt the commit subject from 71 characters limit?
>
> In my opinion, that is absolutely the case.
>
> > I found it can be hard to summary the commit with the Package/Module plus
> > the CVE number information.
>
> I agree, it is hard. But, IMO, in this case, the precise CVE reference
> takes priority.
>
For this case, I suggest to allow subject line length to be bigger, such as 120 character.
I will update wiki https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format for CVE commit message format.
For example: Pkg-Module: Brief-single-line-summary (CVE-Year-Number)

> Thanks
> Laszlo
Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
On 02/27/19 07:56, Wu, Hao A wrote:
>> -Original Message-
>> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
>> Laszlo Ersek
>> Sent: Tuesday, February 26, 2019 7:45 PM
>> To: Wu, Hao A; edk2-devel@lists.01.org
>> Cc: Zeng, Star
>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
>> boundary access in Ramdisk
>>
>> On 02/26/19 08:45, Hao Wu wrote:
>>> V2 changes:
>>>
>>> Correct CC list information.
>>>
>>>
>>> V1 history:
>>>
>>> The series will resolve a buffer cross boundary access issue during the
>>> use of RAM disks. It is the mitigation for issue CVE-2018-12180.
>>>
>>> Cc: Jian J Wang
>>> Cc: Ray Ni
>>> Cc: Star Zeng
>>>
>>> Hao Wu (2):
>>> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
>>> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE
>> FIX)
>>>
>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
>>> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
>>> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
>> ++--
>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
>>> 5 files changed, 36 insertions(+), 13 deletions(-)
>>>
>>
>> Please put the exact CVE numbers in the subject lines.
>
> Hello Laszlo and Liming,
>
> I totally agree the commit subject line should include the CVE number.
> But I have one feedback that, if the commit is for a CVE fix, is it
> possible to exempt the commit subject from 71 characters limit?

In my opinion, that is absolutely the case.

> I found it can be hard to summary the commit with the Package/Module plus
> the CVE number information.

I agree, it is hard. But, IMO, in this case, the precise CVE reference
takes priority.

Thanks
Laszlo
Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Laszlo Ersek
> Sent: Tuesday, February 26, 2019 7:45 PM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Zeng, Star
> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
> boundary access in Ramdisk
>
> On 02/26/19 08:45, Hao Wu wrote:
> > V2 changes:
> >
> > Correct CC list information.
> >
> >
> > V1 history:
> >
> > The series will resolve a buffer cross boundary access issue during the
> > use of RAM disks. It is the mitigation for issue CVE-2018-12180.
> >
> > Cc: Jian J Wang
> > Cc: Ray Ni
> > Cc: Star Zeng
> >
> > Hao Wu (2):
> > MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
> > MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE
> FIX)
> >
> > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
> > MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
> > MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
> > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
> ++--
> > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
> > 5 files changed, 36 insertions(+), 13 deletions(-)
> >
>
> Please put the exact CVE numbers in the subject lines.

Hello Laszlo and Liming,

I totally agree the commit subject line should include the CVE number.
But I have one feedback that, if the commit is for a CVE fix, is it
possible to exempt the commit subject from 71 characters limit?

I found it can be hard to summary the commit with the Package/Module plus
the CVE number information.

Best Regards,
Hao Wu

>
> Thanks
> Laszlo
Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Laszlo Ersek
> Sent: Tuesday, February 26, 2019 7:45 PM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Zeng, Star
> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross
> boundary access in Ramdisk
>
> On 02/26/19 08:45, Hao Wu wrote:
> > V2 changes:
> >
> > Correct CC list information.
> >
> >
> > V1 history:
> >
> > The series will resolve a buffer cross boundary access issue during the
> > use of RAM disks. It is the mitigation for issue CVE-2018-12180.
> >
> > Cc: Jian J Wang
> > Cc: Ray Ni
> > Cc: Star Zeng
> >
> > Hao Wu (2):
> > MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
> > MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE
> FIX)
> >
> > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
> > MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
> > MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
> > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
> ++--
> > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
> > 5 files changed, 36 insertions(+), 13 deletions(-)
> >
>
> Please put the exact CVE numbers in the subject lines.

Thanks. V3 series proposed.

Best Regards,
Hao Wu

>
> Thanks
> Laszlo
Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
On 02/26/19 08:45, Hao Wu wrote:
> V2 changes:
>
> Correct CC list information.
>
>
> V1 history:
>
> The series will resolve a buffer cross boundary access issue during the
> use of RAM disks. It is the mitigation for issue CVE-2018-12180.
>
> Cc: Jian J Wang
> Cc: Ray Ni
> Cc: Star Zeng
>
> Hao Wu (2):
> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE FIX)
>
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
> ++--
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
> 5 files changed, 36 insertions(+), 13 deletions(-)
>

Please put the exact CVE numbers in the subject lines.

Thanks
Laszlo
[edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk
V2 changes:

Correct CC list information.


V1 history:

The series will resolve a buffer cross boundary access issue during the
use of RAM disks. It is the mitigation for issue CVE-2018-12180.

Cc: Jian J Wang
Cc: Ray Ni
Cc: Star Zeng

Hao Wu (2):
  MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE FIX)
  MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE FIX)

 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
 MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 -
 MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 -
 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20 ++--
 MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
 5 files changed, 36 insertions(+), 13 deletions(-)

--
2.12.0.windows.1