|
 |
bdb79c |
From 8104f654744067eca1cc96d2156742dc1155b5b7 Mon Sep 17 00:00:00 2001
|
|
|
bdb79c |
From: Laszlo Ersek <lersek@redhat.com>
|
|
|
bdb79c |
Date: Fri, 1 Mar 2019 13:16:47 +0100
|
|
|
bdb79c |
Subject: [PATCH 09/13] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
|
|
|
bdb79c |
(CVE-2018-12180)
|
|
|
bdb79c |
|
|
|
bdb79c |
Message-id: <20190301121647.16026-3-lersek@redhat.com>
|
|
|
bdb79c |
Patchwork-id: 84757
|
|
|
bdb79c |
O-Subject: [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM
|
|
|
bdb79c |
disk size (CVE-2018-12180)
|
|
|
bdb79c |
Bugzilla: 1684007
|
|
|
bdb79c |
Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
bdb79c |
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
|
bdb79c |
|
|
|
bdb79c |
From: Hao Wu <hao.a.wu@intel.com>
|
|
|
bdb79c |
|
|
|
bdb79c |
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
|
|
|
bdb79c |
|
|
|
bdb79c |
Originally, the block size of created Ram disks is hard-coded to 512
|
|
|
bdb79c |
bytes. However, if the total size of the Ram disk is not a multiple of 512
|
|
|
bdb79c |
bytes, there will be potential memory access issues when dealing with the
|
|
|
bdb79c |
last block of the Ram disk.
|
|
|
bdb79c |
|
|
|
bdb79c |
This commit will adjust the block size of the Ram disks to ensure that the
|
|
|
bdb79c |
total size is a multiple of the block size.
|
|
|
bdb79c |
|
|
|
bdb79c |
Cc: Jian J Wang <jian.j.wang@intel.com>
|
|
|
bdb79c |
Cc: Star Zeng <star.zeng@intel.com>
|
|
|
bdb79c |
Cc: Laszlo Ersek <lersek@redhat.com>
|
|
|
bdb79c |
Contributed-under: TianoCore Contribution Agreement 1.1
|
|
|
bdb79c |
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
|
|
|
bdb79c |
Reviewed-by: Ray Ni <ray.ni@intel.com>
|
|
|
bdb79c |
(cherry picked from commit 38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f)
|
|
|
bdb79c |
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
bdb79c |
---
|
|
|
bdb79c |
.../Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20 ++++++++++++++------
|
|
|
bdb79c |
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
|
|
|
bdb79c |
.../Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
|
|
|
bdb79c |
3 files changed, 20 insertions(+), 11 deletions(-)
|
|
|
bdb79c |
|
|
|
bdb79c |
diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
|
|
|
bdb79c |
index 4f74b5e..8926ad7 100644
|
|
|
bdb79c |
--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
|
|
|
bdb79c |
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
|
|
|
bdb79c |
@@ -1,7 +1,7 @@
|
|
|
bdb79c |
/** @file
|
|
|
bdb79c |
Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device.
|
|
|
bdb79c |
|
|
|
bdb79c |
- Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
|
|
|
bdb79c |
+ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
|
|
|
bdb79c |
This program and the accompanying materials
|
|
|
bdb79c |
are licensed and made available under the terms and conditions of the BSD License
|
|
|
bdb79c |
which accompanies this distribution. The full text of the license may be found at
|
|
|
bdb79c |
@@ -54,6 +54,7 @@ RamDiskInitBlockIo (
|
|
|
bdb79c |
EFI_BLOCK_IO_PROTOCOL *BlockIo;
|
|
|
bdb79c |
EFI_BLOCK_IO2_PROTOCOL *BlockIo2;
|
|
|
bdb79c |
EFI_BLOCK_IO_MEDIA *Media;
|
|
|
bdb79c |
+ UINT32 Remainder;
|
|
|
bdb79c |
|
|
|
bdb79c |
BlockIo = &PrivateData->BlockIo;
|
|
|
bdb79c |
BlockIo2 = &PrivateData->BlockIo2;
|
|
|
bdb79c |
@@ -69,11 +70,18 @@ RamDiskInitBlockIo (
|
|
|
bdb79c |
Media->LogicalPartition = FALSE;
|
|
|
bdb79c |
Media->ReadOnly = FALSE;
|
|
|
bdb79c |
Media->WriteCaching = FALSE;
|
|
|
bdb79c |
- Media->BlockSize = RAM_DISK_BLOCK_SIZE;
|
|
|
bdb79c |
- Media->LastBlock = DivU64x32 (
|
|
|
bdb79c |
- PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
|
|
|
bdb79c |
- RAM_DISK_BLOCK_SIZE
|
|
|
bdb79c |
- ) - 1;
|
|
|
bdb79c |
+
|
|
|
bdb79c |
+ for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
|
|
|
bdb79c |
+ Media->BlockSize >= 1;
|
|
|
bdb79c |
+ Media->BlockSize = Media->BlockSize >> 1) {
|
|
|
bdb79c |
+ Media->LastBlock = DivU64x32Remainder (PrivateData->Size, Media->BlockSize, &Remainder) - 1;
|
|
|
bdb79c |
+ if (Remainder == 0) {
|
|
|
bdb79c |
+ break;
|
|
|
bdb79c |
+ }
|
|
|
bdb79c |
+ }
|
|
|
bdb79c |
+ ASSERT (Media->BlockSize != 0);
|
|
|
bdb79c |
+
|
|
|
bdb79c |
+ return;
|
|
|
bdb79c |
}
|
|
|
bdb79c |
|
|
|
bdb79c |
|
|
|
bdb79c |
diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
|
|
|
bdb79c |
index 077bb77..18c7bb2 100644
|
|
|
bdb79c |
--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
|
|
|
bdb79c |
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
|
|
|
bdb79c |
@@ -1,7 +1,7 @@
|
|
|
bdb79c |
/** @file
|
|
|
bdb79c |
The header file of RamDiskDxe driver.
|
|
|
bdb79c |
|
|
|
bdb79c |
- Copyright (c) 2016, Intel Corporation. All rights reserved.
|
|
|
bdb79c |
+ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
|
|
|
bdb79c |
This program and the accompanying materials
|
|
|
bdb79c |
are licensed and made available under the terms and conditions of the BSD License
|
|
|
bdb79c |
which accompanies this distribution. The full text of the license may be found at
|
|
|
bdb79c |
@@ -49,9 +49,9 @@
|
|
|
bdb79c |
///
|
|
|
bdb79c |
|
|
|
bdb79c |
//
|
|
|
bdb79c |
-// Block size for RAM disk
|
|
|
bdb79c |
+// Default block size for RAM disk
|
|
|
bdb79c |
//
|
|
|
bdb79c |
-#define RAM_DISK_BLOCK_SIZE 512
|
|
|
bdb79c |
+#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
|
|
|
bdb79c |
|
|
|
bdb79c |
//
|
|
|
bdb79c |
// Iterate through the double linked list. NOT delete safe
|
|
|
bdb79c |
diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
|
|
|
bdb79c |
index 6784e2b..e8250d5 100644
|
|
|
bdb79c |
--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
|
|
|
bdb79c |
+++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
|
|
|
bdb79c |
@@ -1,7 +1,7 @@
|
|
|
bdb79c |
/** @file
|
|
|
bdb79c |
The realization of EFI_RAM_DISK_PROTOCOL.
|
|
|
bdb79c |
|
|
|
bdb79c |
- Copyright (c) 2016, Intel Corporation. All rights reserved.
|
|
|
bdb79c |
+ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
|
|
|
bdb79c |
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
|
|
|
bdb79c |
This program and the accompanying materials
|
|
|
bdb79c |
are licensed and made available under the terms and conditions of the BSD License
|
|
|
bdb79c |
@@ -613,7 +613,8 @@ RamDiskRegister (
|
|
|
bdb79c |
//
|
|
|
bdb79c |
// Add check to prevent data read across the memory boundary
|
|
|
bdb79c |
//
|
|
|
bdb79c |
- if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) {
|
|
|
bdb79c |
+ if ((RamDiskSize > MAX_UINTN) ||
|
|
|
bdb79c |
+ (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
|
|
|
bdb79c |
return EFI_INVALID_PARAMETER;
|
|
|
bdb79c |
}
|
|
|
bdb79c |
|
|
|
bdb79c |
--
|
|
|
bdb79c |
1.8.3.1
|
|
|
bdb79c |
|