From b045711f96003a53493cd334fe867981fb3cae2b Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Fri, 1 Mar 2019 13:45:07 +0100

Subject: [PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR

 (CVE-2018-12180)

Message-id: <20190301124508.18497-2-lersek@redhat.com>

Patchwork-id: 84759

O-Subject:  [RHEL-8.0 edk2 PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize

	holds MBR (CVE-2018-12180)

Bugzilla: 1690501

Acked-by: Thomas Huth <thuth@redhat.com>

Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

From: Hao Wu <hao.a.wu@intel.com>

--v-- RHEL-8.0 note --v--

Trivial conflicts resolved in "Gpt.c" and "Mbr.c": up-stream, the Intel

copyright notice got meanwhile extended to 2018, in commit d1102dba7210

("MdeModulePkg: Clean up source files", 2018-06-28).

--^-- RHEL-8.0 note --^--

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134

The commit adds checks for detecting GPT and MBR partitions.

These checks will ensure that the device block size is big enough to hold

an MBR (512 bytes).

Cc: Jian J Wang <jian.j.wang@intel.com>

Cc: Star Zeng <star.zeng@intel.com>

Cc: Laszlo Ersek <lersek@redhat.com>

Contributed-under: TianoCore Contribution Agreement 1.1

Signed-off-by: Hao Wu <hao.a.wu@intel.com>

Reviewed-by: Ray Ni <ray.ni@intel.com>

(cherry picked from commit fccdb88022c1f6d85c773fce506b10c879063f1d)

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>

---

 MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 ++++++++-

 MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++-

 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c

index fe26a64..141dca0 100644

--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c

+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c

@@ -14,7 +14,7 @@

   partition content and validate the GPT table and GPT entry.

 Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.

-Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.

+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -237,6 +237,13 @@ PartitionInstallGptChildHandles (

   GptValidStatus = EFI_NOT_FOUND;

   //

+  // Ensure the block size can hold the MBR

+  //

+  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {

+    return EFI_NOT_FOUND;

+  }

+

+  //

   // Allocate a buffer for the Protective MBR

   //

   ProtectiveMbr = AllocatePool (BlockSize);

diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c

index 479745b..d7a15b4 100644

--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c

+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c

@@ -13,7 +13,7 @@

 Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.

 Copyright (c) 2014, Hewlett-Packard Development Company, L.P.

-Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.

+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -150,6 +150,13 @@ PartitionInstallMbrChildHandles (

   MediaId   = BlockIo->Media->MediaId;

   LastBlock = BlockIo->Media->LastBlock;

+  //

+  // Ensure the block size can hold the MBR

+  //

+  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {

+    return EFI_NOT_FOUND;

+  }

+

   Mbr = AllocatePool (BlockSize);

   if (Mbr == NULL) {

     return Found;

-- 

1.8.3.1