From 582ce8009e286361be2468d48c0c7763edc62718 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 1 Mar 2019 12:38:19 +0100
Subject: [PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
(CVE-2018-12180)
Message-id: <20190301113820.13948-3-lersek@redhat.com>
Patchwork-id: 84753
O-Subject: [RHEL-7.6.z ovmf PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure
blocksize holds MBR (CVE-2018-12180)
Bugzilla: 1684006
Acked-by: Thomas Huth <thuth@redhat.com>
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
From: Hao Wu <hao.a.wu@intel.com>
--v-- RHEL-7.6 note --v--
Trivial conflicts resolved in "Gpt.c" and "Mbr.c": up-stream, the Intel
copyright notice got meanwhile extended to 2018, in commit d1102dba7210
("MdeModulePkg: Clean up source files", 2018-06-28).
--^-- RHEL-7.6 note --^--
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
The commit adds checks for detecting GPT and MBR partitions.
These checks will ensure that the device block size is big enough to hold
an MBR (512 bytes).
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
(cherry picked from commit fccdb88022c1f6d85c773fce506b10c879063f1d)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 ++++++++-
MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++-
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
index fe26a64..141dca0 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
@@ -14,7 +14,7 @@
partition content and validate the GPT table and GPT entry.
Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
-Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -237,6 +237,13 @@ PartitionInstallGptChildHandles (
GptValidStatus = EFI_NOT_FOUND;
//
+ // Ensure the block size can hold the MBR
+ //
+ if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
+ return EFI_NOT_FOUND;
+ }
+
+ //
// Allocate a buffer for the Protective MBR
//
ProtectiveMbr = AllocatePool (BlockSize);
diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
index 479745b..d7a15b4 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
@@ -13,7 +13,7 @@
Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
Copyright (c) 2014, Hewlett-Packard Development Company, L.P.<BR>
-Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -150,6 +150,13 @@ PartitionInstallMbrChildHandles (
MediaId = BlockIo->Media->MediaId;
LastBlock = BlockIo->Media->LastBlock;
+ //
+ // Ensure the block size can hold the MBR
+ //
+ if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
+ return EFI_NOT_FOUND;
+ }
+
Mbr = AllocatePool (BlockSize);
if (Mbr == NULL) {
return Found;
--
1.8.3.1