From 29a6ebeec50611ef49bbda107071cbfce64c9ddb Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 23 2019 12:38:04 +0000
Subject: import ovmf-20180508-3.gitee3198e672e2.el7_6.1


---

diff --git a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
new file mode 100644
index 0000000..9f0dfe7
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
@@ -0,0 +1,101 @@
+From 582ce8009e286361be2468d48c0c7763edc62718 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 1 Mar 2019 12:38:19 +0100
+Subject: [PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
+ (CVE-2018-12180)
+
+Message-id: <20190301113820.13948-3-lersek@redhat.com>
+Patchwork-id: 84753
+O-Subject:  [RHEL-7.6.z ovmf PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure
+	blocksize holds MBR (CVE-2018-12180)
+Bugzilla: 1684006
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+--v-- RHEL-7.6 note --v--
+
+Trivial conflicts resolved in "Gpt.c" and "Mbr.c": up-stream, the Intel
+copyright notice got meanwhile extended to 2018, in commit d1102dba7210
+("MdeModulePkg: Clean up source files", 2018-06-28).
+
+--^-- RHEL-7.6 note --^--
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
+
+The commit adds checks for detecting GPT and MBR partitions.
+
+These checks will ensure that the device block size is big enough to hold
+an MBR (512 bytes).
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Star Zeng <star.zeng@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+(cherry picked from commit fccdb88022c1f6d85c773fce506b10c879063f1d)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 ++++++++-
+ MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+index fe26a64..141dca0 100644
+--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+@@ -14,7 +14,7 @@
+   partition content and validate the GPT table and GPT entry.
+ 
+ Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
+-Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution.  The full text of the license may be found at
+@@ -237,6 +237,13 @@ PartitionInstallGptChildHandles (
+   GptValidStatus = EFI_NOT_FOUND;
+ 
+   //
++  // Ensure the block size can hold the MBR
++  //
++  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
++    return EFI_NOT_FOUND;
++  }
++
++  //
+   // Allocate a buffer for the Protective MBR
+   //
+   ProtectiveMbr = AllocatePool (BlockSize);
+diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+index 479745b..d7a15b4 100644
+--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+@@ -13,7 +13,7 @@
+ 
+ Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
+ Copyright (c) 2014, Hewlett-Packard Development Company, L.P.<BR>
+-Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution.  The full text of the license may be found at
+@@ -150,6 +150,13 @@ PartitionInstallMbrChildHandles (
+   MediaId   = BlockIo->Media->MediaId;
+   LastBlock = BlockIo->Media->LastBlock;
+ 
++  //
++  // Ensure the block size can hold the MBR
++  //
++  if (BlockSize < sizeof (MASTER_BOOT_RECORD)) {
++    return EFI_NOT_FOUND;
++  }
++
+   Mbr = AllocatePool (BlockSize);
+   if (Mbr == NULL) {
+     return Found;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
new file mode 100644
index 0000000..d12d1d1
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
@@ -0,0 +1,136 @@
+From 9d78bac116d939d3a833150747e29e861b75eedc Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 1 Mar 2019 12:38:20 +0100
+Subject: [PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
+ (CVE-2018-12180)
+
+Message-id: <20190301113820.13948-4-lersek@redhat.com>
+Patchwork-id: 84754
+O-Subject:  [RHEL-7.6.z ovmf PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM
+	disk size (CVE-2018-12180)
+Bugzilla: 1684006
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
+
+Originally, the block size of created Ram disks is hard-coded to 512
+bytes. However, if the total size of the Ram disk is not a multiple of 512
+bytes, there will be potential memory access issues when dealing with the
+last block of the Ram disk.
+
+This commit will adjust the block size of the Ram disks to ensure that the
+total size is a multiple of the block size.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Star Zeng <star.zeng@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+(cherry picked from commit 38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ .../Universal/Disk/RamDiskDxe/RamDiskBlockIo.c       | 20 ++++++++++++++------
+ MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h |  6 +++---
+ .../Universal/Disk/RamDiskDxe/RamDiskProtocol.c      |  5 +++--
+ 3 files changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
+index 4f74b5e..8926ad7 100644
+--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
++++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
+@@ -1,7 +1,7 @@
+ /** @file
+   Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device.
+ 
+-  Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
++  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+   This program and the accompanying materials
+   are licensed and made available under the terms and conditions of the BSD License
+   which accompanies this distribution.  The full text of the license may be found at
+@@ -54,6 +54,7 @@ RamDiskInitBlockIo (
+   EFI_BLOCK_IO_PROTOCOL           *BlockIo;
+   EFI_BLOCK_IO2_PROTOCOL          *BlockIo2;
+   EFI_BLOCK_IO_MEDIA              *Media;
++  UINT32                          Remainder;
+ 
+   BlockIo  = &PrivateData->BlockIo;
+   BlockIo2 = &PrivateData->BlockIo2;
+@@ -69,11 +70,18 @@ RamDiskInitBlockIo (
+   Media->LogicalPartition = FALSE;
+   Media->ReadOnly         = FALSE;
+   Media->WriteCaching     = FALSE;
+-  Media->BlockSize        = RAM_DISK_BLOCK_SIZE;
+-  Media->LastBlock        = DivU64x32 (
+-                              PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
+-                              RAM_DISK_BLOCK_SIZE
+-                              ) - 1;
++
++  for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
++       Media->BlockSize >= 1;
++       Media->BlockSize = Media->BlockSize >> 1) {
++    Media->LastBlock = DivU64x32Remainder (PrivateData->Size, Media->BlockSize, &Remainder) - 1;
++    if (Remainder == 0) {
++      break;
++    }
++  }
++  ASSERT (Media->BlockSize != 0);
++
++  return;
+ }
+ 
+ 
+diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
+index 077bb77..18c7bb2 100644
+--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
++++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
+@@ -1,7 +1,7 @@
+ /** @file
+   The header file of RamDiskDxe driver.
+ 
+-  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
++  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+   This program and the accompanying materials
+   are licensed and made available under the terms and conditions of the BSD License
+   which accompanies this distribution.  The full text of the license may be found at
+@@ -49,9 +49,9 @@
+ ///
+ 
+ //
+-// Block size for RAM disk
++// Default block size for RAM disk
+ //
+-#define RAM_DISK_BLOCK_SIZE 512
++#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
+ 
+ //
+ // Iterate through the double linked list. NOT delete safe
+diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+index 6784e2b..e8250d5 100644
+--- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
++++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
+@@ -1,7 +1,7 @@
+ /** @file
+   The realization of EFI_RAM_DISK_PROTOCOL.
+ 
+-  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
++  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+   (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+   This program and the accompanying materials
+   are licensed and made available under the terms and conditions of the BSD License
+@@ -613,7 +613,8 @@ RamDiskRegister (
+   //
+   // Add check to prevent data read across the memory boundary
+   //
+-  if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) {
++  if ((RamDiskSize > MAX_UINTN) ||
++      (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
+-- 
+1.8.3.1
+
diff --git a/SPECS/ovmf.spec b/SPECS/ovmf.spec
index 98eadc1..c77cd87 100644
--- a/SPECS/ovmf.spec
+++ b/SPECS/ovmf.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       ovmf
 Version:    %{GITDATE}
-Release:    3.git%{GITCOMMIT}%{?dist}
+Release:    3.git%{GITCOMMIT}%{?dist}.1
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD and OpenSSL and MIT
@@ -42,6 +42,10 @@ Patch0019: 0019-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
 Patch20: ovmf-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch
 Patch21: ovmf-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch
 Patch22: ovmf-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch
+# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z]
+Patch23: ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
+# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z]
+Patch24: ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
 
 
 # python2-devel and libuuid-devel are required for building tools
@@ -356,6 +360,12 @@ true
 %endif
 
 %changelog
+* Tue Mar 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-3.gitee3198e672e2.el7_6.1
+- ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1684006]
+- ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1684006]
+- Resolves: bz#1684006
+  (CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z])
+
 * Fri Jul 27 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-3.gitee3198e672e2.el7
 - ovmf-redhat-provide-virtual-bundled-OpenSSL-in-OVMF.patch [bz#1607792]
 - Resolves: bz#1607792