diff --git a/.gitignore b/.gitignore
index 84b2a04..77a9651 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
+SOURCES/openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz
SOURCES/ovmf-ee3198e672e2.tar.xz
diff --git a/.ovmf.metadata b/.ovmf.metadata
index 1c31019..0b066a8 100644
--- a/.ovmf.metadata
+++ b/.ovmf.metadata
@@ -1,2 +1,2 @@
-885bc596d198c8b1909f2199758e0eec6abe1904 SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
+e3df430bd2ac86a819720e5a548b56b0ef144a6f SOURCES/openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz
ef7bc42e3e6decf2619709fd776481a30f4b4e53 SOURCES/ovmf-ee3198e672e2.tar.xz
diff --git a/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch b/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
new file mode 100644
index 0000000..1c4145c
--- /dev/null
+++ b/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
@@ -0,0 +1,270 @@
+From 87af8da054900fd05701c6d60a496b83fb8dbb63 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:47 +0100
+Subject: [PATCH 04/13] BaseTools: Add more checker in Decompress algorithm to
+ access the valid buffer (CVE FIX)
+
+Message-id: <20190213085050.20766-5-philmd@redhat.com>
+Patchwork-id: 84481
+O-Subject: [RHEL-7.7 ovmf PATCH v3 4/7] BaseTools: Add more checker in
+ Decompress algorithm to access the valid buffer (CVE FIX)
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5731
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5732 (contrarily to the upstream commit message). The
+best I could achieve up-stream was to get the "CVE FIX" expression into
+the subject, and a whole-sale dump of the CVEs into the body. I had not
+been invited to the original (off-list, embargoed) analysis and review.
+
+The differences that "git-backport-diff" reports as "functional" for this
+backport aren't actually functional differences. They are due to
+downstream lacking two upstream commits:
+
+- f7496d717357 ("BaseTools: Clean up source files", 2018-07-09), with the
+ "usual" diffstat "289 files changed, 10645 insertions(+), 10645
+ deletions(-)";
+
+- more importantly, 472eb3b89682 ("BaseTools: Add --uefi option to enable
+ UefiCompress method", 2018-10-13).
+
+(Side note: in upstream, commit 472eb3b89682 was incorrectly reverted as
+part of 1ccc4d895dd8 ("Revert BaseTools: PYTHON3 migration", 2018-10-15),
+but then it was re-applied in f1400101a732.)
+
+In commit 472eb3b89682, the "UEFI" compression/decompression method was
+added to BaseTools, beyond the original "Tiano" method. This caused the
+Tiano method to be indented more deeply, in the main() function of
+"TianoCompress.c". (Also the original Decompress() function was renamed to
+TDecompress().) The CVE fix applies to the "Tiano" method, which RHEL8
+does have, but at a different nesting level. Therefore the changes have
+been backported manually, and the difference in indentation is also why
+"git-backport-diff" thinks the changes are functional.
+
+This backport, once applied, can be diffed against the upstream tree more
+easily as follows:
+
+ git diff -b HEAD..041d89bc0f01 -- \
+ BaseTools/Source/C/Common/Decompress.c \
+ BaseTools/Source/C/TianoCompress/TianoCompress.c
+
+--^-- RHEL7 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 041d89bc0f0119df37a5fce1d0f16495ff905089)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 29c394f110b1f769e629e8775874261e33d4abd9)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ BaseTools/Source/C/Common/Decompress.c | 23 +++++++++++++++++++--
+ BaseTools/Source/C/TianoCompress/TianoCompress.c | 26 +++++++++++++++++++++++-
+ 2 files changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c
+index 8f1afb4..bdc10f5 100644
+--- a/BaseTools/Source/C/Common/Decompress.c
++++ b/BaseTools/Source/C/Common/Decompress.c
+@@ -194,12 +194,16 @@ Returns:
+ UINT16 Avail;
+ UINT16 NextCode;
+ UINT16 Mask;
++ UINT16 MaxTableLength;
+
+ for (Index = 1; Index <= 16; Index++) {
+ Count[Index] = 0;
+ }
+
+ for (Index = 0; Index < NumOfChar; Index++) {
++ if (BitLen[Index] > 16) {
++ return (UINT16) BAD_TABLE;
++ }
+ Count[BitLen[Index]]++;
+ }
+
+@@ -237,6 +241,7 @@ Returns:
+
+ Avail = NumOfChar;
+ Mask = (UINT16) (1U << (15 - TableBits));
++ MaxTableLength = (UINT16) (1U << TableBits);
+
+ for (Char = 0; Char < NumOfChar; Char++) {
+
+@@ -250,6 +255,9 @@ Returns:
+ if (Len <= TableBits) {
+
+ for (Index = Start[Len]; Index < NextCode; Index++) {
++ if (Index >= MaxTableLength) {
++ return (UINT16) BAD_TABLE;
++ }
+ Table[Index] = Char;
+ }
+
+@@ -643,10 +651,14 @@ Returns: (VOID)
+
+ BytesRemain--;
+ while ((INT16) (BytesRemain) >= 0) {
+- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ if (Sd->mOutBuf >= Sd->mOrigSize) {
+ return ;
+ }
++ if (DataIdx >= Sd->mOrigSize) {
++ Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++ return ;
++ }
++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+
+ BytesRemain--;
+ }
+@@ -684,6 +696,7 @@ Returns:
+ --*/
+ {
+ UINT8 *Src;
++ UINT32 CompSize;
+
+ *ScratchSize = sizeof (SCRATCH_DATA);
+
+@@ -692,7 +705,13 @@ Returns:
+ return EFI_INVALID_PARAMETER;
+ }
+
++ CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
+ *DstSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
++
++ if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
++ return EFI_INVALID_PARAMETER;
++ }
++
+ return EFI_SUCCESS;
+ }
+
+@@ -752,7 +771,7 @@ Returns:
+ CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
+ OrigSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
+
+- if (SrcSize < CompSize + 8) {
++ if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+index 046fb36..d07fd9e 100644
+--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c
++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+@@ -1753,6 +1753,7 @@ Returns:
+ SCRATCH_DATA *Scratch;
+ UINT8 *Src;
+ UINT32 OrigSize;
++ UINT32 CompSize;
+
+ SetUtilityName(UTILITY_NAME);
+
+@@ -1761,6 +1762,7 @@ Returns:
+ OutBuffer = NULL;
+ Scratch = NULL;
+ OrigSize = 0;
++ CompSize = 0;
+ InputLength = 0;
+ InputFileName = NULL;
+ OutputFileName = NULL;
+@@ -1979,15 +1981,24 @@ Returns:
+ if (DebugMode) {
+ DebugMsg(UTILITY_NAME, 0, DebugLevel, "Decoding\n", NULL);
+ }
++ if (InputLength < 8){
++ Error (NULL, 0, 3000, "Invalid", "The input file %s is too small.", InputFileName);
++ goto ERROR;
++ }
+ //
+ // Get Compressed file original size
+ //
+ Src = (UINT8 *)FileBuffer;
+ OrigSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
++ CompSize = Src[0] + (Src[1] << 8) + (Src[2] <<16) + (Src[3] <<24);
+
+ //
+ // Allocate OutputBuffer
+ //
++ if (InputLength < CompSize + 8 || (CompSize + 8) < 8) {
++ Error (NULL, 0, 3000, "Invalid", "The input file %s data is invalid.", InputFileName);
++ goto ERROR;
++ }
+ OutBuffer = (UINT8 *)malloc(OrigSize);
+ if (OutBuffer == NULL) {
+ Error (NULL, 0, 4001, "Resource:", "Memory cannot be allocated!");
+@@ -2171,12 +2182,16 @@ Returns:
+ UINT16 Mask;
+ UINT16 WordOfStart;
+ UINT16 WordOfCount;
++ UINT16 MaxTableLength;
+
+ for (Index = 0; Index <= 16; Index++) {
+ Count[Index] = 0;
+ }
+
+ for (Index = 0; Index < NumOfChar; Index++) {
++ if (BitLen[Index] > 16) {
++ return (UINT16) BAD_TABLE;
++ }
+ Count[BitLen[Index]]++;
+ }
+
+@@ -2220,6 +2235,7 @@ Returns:
+
+ Avail = NumOfChar;
+ Mask = (UINT16) (1U << (15 - TableBits));
++ MaxTableLength = (UINT16) (1U << TableBits);
+
+ for (Char = 0; Char < NumOfChar; Char++) {
+
+@@ -2233,6 +2249,9 @@ Returns:
+ if (Len <= TableBits) {
+
+ for (Index = Start[Len]; Index < NextCode; Index++) {
++ if (Index >= MaxTableLength) {
++ return (UINT16) BAD_TABLE;
++ }
+ Table[Index] = Char;
+ }
+
+@@ -2617,11 +2636,16 @@ Returns: (VOID)
+ DataIdx = Sd->mOutBuf - DecodeP (Sd) - 1;
+
+ BytesRemain--;
++
+ while ((INT16) (BytesRemain) >= 0) {
+- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ if (Sd->mOutBuf >= Sd->mOrigSize) {
+ goto Done ;
+ }
++ if (DataIdx >= Sd->mOrigSize) {
++ Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++ goto Done ;
++ }
++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+
+ BytesRemain--;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch b/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
new file mode 100644
index 0000000..470e911
--- /dev/null
+++ b/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
@@ -0,0 +1,94 @@
+From 461390a9ced1986f752b2e64f36f3deee982eb6d Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:48 +0100
+Subject: [PATCH 05/13] BaseTools: Fix UEFI and Tiano Decompression logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190213085050.20766-6-philmd@redhat.com>
+Patchwork-id: 84484
+O-Subject: [RHEL-7.7 ovmf PATCH v3 5/7] BaseTools: Fix UEFI and Tiano
+ Decompression logic issue
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+
+While reviewing the RHEL8 original of this backport, Laszlo had to look
+at the "BaseTools/Source/C/TianoCompress/TianoCompress.c" hunk for a
+while longer, due to commit 472eb3b89682 missing down-stream, which he
+remembered from downstream commit 29c394f110b1.
+
+However, this hunk affects the Decode() function, which is not affected
+by the upstream-only "UefiCompress method", and also not affected by the
+related upstream-only Decompress()->TDecompress() rename. Decode() --
+i.e. the function being patched -- is called from Decompress() /
+TDecompress().
+
+Therefore, the "git backport-diff" report in the blurb which marks this
+backport patch "identical", is credible.
+
+--^-- RHEL7 note end --^--
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 041d89bc0f0119df37a5fce1d0f16495ff905089.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit 5e45a1fdcfbf9b2b389122eb97475148594625f8)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit 115cf260ac54a6793a184227d6ae6bfe3da74a56)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ BaseTools/Source/C/Common/Decompress.c | 6 ++++++
+ BaseTools/Source/C/TianoCompress/TianoCompress.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c
+index bdc10f5..af76f67 100644
+--- a/BaseTools/Source/C/Common/Decompress.c
++++ b/BaseTools/Source/C/Common/Decompress.c
+@@ -662,6 +662,12 @@ Returns: (VOID)
+
+ BytesRemain--;
+ }
++ //
++ // Once mOutBuf is fully filled, directly return
++ //
++ if (Sd->mOutBuf >= Sd->mOrigSize) {
++ return ;
++ }
+ }
+ }
+
+diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+index d07fd9e..369f7b3 100644
+--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c
++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+@@ -2649,6 +2649,12 @@ Returns: (VOID)
+
+ BytesRemain--;
+ }
++ //
++ // Once mOutBuf is fully filled, directly return
++ //
++ if (Sd->mOutBuf >= Sd->mOrigSize) {
++ goto Done ;
++ }
+ }
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch b/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
new file mode 100644
index 0000000..4e37d43
--- /dev/null
+++ b/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
@@ -0,0 +1,128 @@
+From c48d7ac53b4b387fc70a3803e38d30b50513f90b Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:46 +0100
+Subject: [PATCH 03/13] IntelFrameworkModulePkg: Add more checker in
+ UefiTianoDecompressLib (CVE FIX)
+
+Message-id: <20190213085050.20766-4-philmd@redhat.com>
+Patchwork-id: 84483
+O-Subject: [RHEL-7.7 ovmf PATCH v3 3/7] IntelFrameworkModulePkg: Add more
+ checker in UefiTianoDecompressLib (CVE FIX)
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5731 or CVE-2017-5732 (contrarily to the upstream commit
+message). The best I could achieve up-stream was to get the "CVE FIX"
+expression into the subject, and a whole-sale dump of the CVEs into the
+body. I had not been invited to the original (off-list, embargoed)
+analysis and review.
+
+The trivial context difference (whitespace) is due to RHEL8 lacking
+upstream commit 0a6f48249a60 ("IntelFrameworkModulePkg: Clean up source
+files", 2018-06-28). I've considered backporting that (since it only
+cleans up whitespace). However, the diffstat on that commit convinced me
+otherwise: "246 files changed, 4067 insertions(+), 4067 deletions(-)".
+I've decided not to do a partial backport of that (i.e. just for
+"BaseUefiTianoCustomDecompressLib.c").
+
+--^-- RHEL7 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+To make sure the valid buffer be accessed only.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 684db6da64bc7b5faee4e1174e801c245f563b5c)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 8358e53013fc62c9556598ad842d233906de00ef)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ .../BaseUefiTianoCustomDecompressLib.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+index cb009e7..9b00166 100644
+--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+@@ -143,6 +143,7 @@ MakeTable (
+ UINT16 Mask;
+ UINT16 WordOfStart;
+ UINT16 WordOfCount;
++ UINT16 MaxTableLength;
+
+ //
+ // The maximum mapping table width supported by this internal
+@@ -155,6 +156,9 @@ MakeTable (
+ }
+
+ for (Index = 0; Index < NumOfChar; Index++) {
++ if (BitLen[Index] > 16) {
++ return (UINT16) BAD_TABLE;
++ }
+ Count[BitLen[Index]]++;
+ }
+
+@@ -196,6 +200,7 @@ MakeTable (
+
+ Avail = NumOfChar;
+ Mask = (UINT16) (1U << (15 - TableBits));
++ MaxTableLength = (UINT16) (1U << TableBits);
+
+ for (Char = 0; Char < NumOfChar; Char++) {
+
+@@ -209,6 +214,9 @@ MakeTable (
+ if (Len <= TableBits) {
+
+ for (Index = Start[Len]; Index < NextCode; Index++) {
++ if (Index >= MaxTableLength) {
++ return (UINT16) BAD_TABLE;
++ }
+ Table[Index] = Char;
+ }
+
+@@ -615,10 +623,14 @@ Decode (
+ //
+ BytesRemain--;
+ while ((INT16) (BytesRemain) >= 0) {
+- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ if (Sd->mOutBuf >= Sd->mOrigSize) {
+ goto Done ;
+ }
++ if (DataIdx >= Sd->mOrigSize) {
++ Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++ goto Done ;
++ }
++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+
+ BytesRemain--;
+ }
+@@ -688,7 +700,7 @@ UefiDecompressGetInfo (
+ }
+
+ CompressedSize = ReadUnaligned32 ((UINT32 *)Source);
+- if (SourceSize < (CompressedSize + 8)) {
++ if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch b/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
new file mode 100644
index 0000000..34e3254
--- /dev/null
+++ b/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
@@ -0,0 +1,58 @@
+From e63a98333b858e287b0e88ff0e06bef5d46c635f Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:50 +0100
+Subject: [PATCH 07/13] IntelFrameworkModulePkg: Fix UEFI and Tiano
+ Decompression logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190213085050.20766-8-philmd@redhat.com>
+Patchwork-id: 84482
+O-Subject: [RHEL-7.7 ovmf PATCH v3 7/7] IntelFrameworkModulePkg: Fix UEFI and
+ Tiano Decompression logic issue
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 684db6da64bc7b5faee4e1174e801c245f563b5c.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit ade71c52a49d659b20c0b433fb11ddb4f4f543c4)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit 601458a0a87bf4169d1f0c81c0bb454d22abe8f0)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ .../BaseUefiTianoCustomDecompressLib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+index 9b00166..e34bf4b 100644
+--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+@@ -634,6 +634,12 @@ Decode (
+
+ BytesRemain--;
+ }
++ //
++ // Once mOutBuf is fully filled, directly return
++ //
++ if (Sd->mOutBuf >= Sd->mOrigSize) {
++ goto Done ;
++ }
+ }
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch b/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
new file mode 100644
index 0000000..2b48653
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
@@ -0,0 +1,278 @@
+From 9e68568e34bef0037bb16b3cbe361e559b8da369 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 17:39:35 +0100
+Subject: [PATCH 1/8] MdeModulePkg/HiiDatabase: Fix potential integer overflow
+ (CVE-2018-12181)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322163936.10835-2-lersek@redhat.com>
+Patchwork-id: 85124
+O-Subject: [RHEL-7.7 ovmf PATCH 1/2] MdeModulePkg/HiiDatabase: Fix potential
+ integer overflow (CVE-2018-12181)
+Bugzilla: 1691479
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Ray Ni <ray.ni@intel.com>
+
+--v-- RHEL7 note --v--
+
+A contextual conflict had to be resolved manually because we don't have
+upstream commit 979b7d802c31 ("MdeModulePkg/HiiDB: Make sure database
+update behaviors are atomic", 2018-10-26), which was written for upstream
+BZ <https://bugzilla.tianocore.org/show_bug.cgi?id=1235>. More
+specifically, the context to which upstream ffe5f7a6b4e9 (i.e. the patch
+being backported) applies includes EfiAcquireLock() added in 979b7d802c31,
+and our downstream context lacks that.
+
+While reviewing this, I noticed that some of the new error paths
+introduced by the more rigorous checking in upstream ffe5f7a6b4e9 fail to
+release the lock. For upstream I reported a new BZ about this
+<https://bugzilla.tianocore.org/show_bug.cgi?id=1652>, but down-stream, we
+don't have the EfiAcquireLock() in the first place, so there is no leak.
+
+--^-- RHEL7 note --^--
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <ray.ni@intel.com>
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Hao A Wu <hao.a.wu@intel.com>
+Reviewed-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+(cherry picked from commit ffe5f7a6b4e978dffbe1df228963adc914451106)
+---
+ MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 126 +++++++++++++++++++++-----
+ 1 file changed, 103 insertions(+), 23 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index 431a5b8..dc9566b 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -16,6 +16,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+ #include "HiiDatabase.h"
+
++#define MAX_UINT24 0xFFFFFF
+
+ /**
+ Get the imageid of last image block: EFI_HII_IIBT_END_BLOCK when input
+@@ -649,8 +650,16 @@ HiiNewImage (
+ return EFI_NOT_FOUND;
+ }
+
+- NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
+- BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++ //
++ // Calcuate the size of new image.
++ // Make sure the size doesn't overflow UINT32.
++ // Note: 24Bit BMP occpuies 3 bytes per pixel.
++ //
++ NewBlockSize = (UINT32)Image->Width * Image->Height;
++ if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL));
+
+ //
+ // Get the image package in the package list,
+@@ -669,6 +678,18 @@ HiiNewImage (
+ //
+ // Update the package's image block by appending the new block to the end.
+ //
++
++ //
++ // Make sure the final package length doesn't overflow.
++ // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
++ //
++ if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ //
++ // Because ImagePackage->ImageBlockSize < ImagePackage->ImagePkgHdr.Header.Length,
++ // So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24
++ //
+ ImageBlocks = AllocatePool (ImagePackage->ImageBlockSize + NewBlockSize);
+ if (ImageBlocks == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+@@ -699,6 +720,13 @@ HiiNewImage (
+
+ } else {
+ //
++ // Make sure the final package length doesn't overflow.
++ // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
++ //
++ if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) + sizeof (EFI_HII_IIBT_END_BLOCK))) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ //
+ // The specified package list does not contain image package.
+ // Create one to add this image block.
+ //
+@@ -895,8 +923,11 @@ IGetImage (
+ // Use the common block code since the definition of these structures is the same.
+ //
+ CopyMem (&Iibt1bit, CurrentImageBlock, sizeof (EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
+- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
+- ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
++ ImageLength = (UINTN) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height;
++ if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ ImageLength *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+ Image->Bitmap = AllocateZeroPool (ImageLength);
+ if (Image->Bitmap == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+@@ -945,9 +976,13 @@ IGetImage (
+ // fall through
+ //
+ case EFI_HII_IIBT_IMAGE_24BIT:
+- Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width);
++ Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width);
+ Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height);
+- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width * Height);
++ ImageLength = (UINTN)Width * Height;
++ if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ ImageLength *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+ Image->Bitmap = AllocateZeroPool (ImageLength);
+ if (Image->Bitmap == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+@@ -1114,8 +1149,23 @@ HiiSetImage (
+ //
+ // Create the new image block according to input image.
+ //
+- NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) +
+- BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++
++ //
++ // Make sure the final package length doesn't overflow.
++ // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
++ // 24Bit BMP occpuies 3 bytes per pixel.
++ //
++ NewBlockSize = (UINT32)Image->Width * Image->Height;
++ if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL));
++ if ((NewBlockSize > OldBlockSize) &&
++ (NewBlockSize - OldBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length)
++ ) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++
+ //
+ // Adjust the image package to remove the original block firstly then add the new block.
+ //
+@@ -1207,8 +1257,8 @@ HiiDrawImage (
+ EFI_IMAGE_OUTPUT *ImageOut;
+ EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
+ UINTN BufferLen;
+- UINTN Width;
+- UINTN Height;
++ UINT16 Width;
++ UINT16 Height;
+ UINTN Xpos;
+ UINTN Ypos;
+ UINTN OffsetY1;
+@@ -1269,21 +1319,36 @@ HiiDrawImage (
+ //
+ if (*Blt != NULL) {
+ //
++ // Make sure the BltX and BltY is inside the Blt area.
++ //
++ if ((BltX >= (*Blt)->Width) || (BltY >= (*Blt)->Height)) {
++ return EFI_INVALID_PARAMETER;
++ }
++
++ //
+ // Clip the image by (Width, Height)
+ //
+
+ Width = Image->Width;
+ Height = Image->Height;
+
+- if (Width > (*Blt)->Width - BltX) {
+- Width = (*Blt)->Width - BltX;
++ if (Width > (*Blt)->Width - (UINT16)BltX) {
++ Width = (*Blt)->Width - (UINT16)BltX;
+ }
+- if (Height > (*Blt)->Height - BltY) {
+- Height = (*Blt)->Height - BltY;
++ if (Height > (*Blt)->Height - (UINT16)BltY) {
++ Height = (*Blt)->Height - (UINT16)BltY;
+ }
+
+- BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+- BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool (BufferLen);
++ //
++ // Prepare the buffer for the temporary image.
++ // Make sure the buffer size doesn't overflow UINTN.
++ //
++ BufferLen = Width * Height;
++ if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++ BltBuffer = AllocateZeroPool (BufferLen);
+ if (BltBuffer == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+@@ -1346,11 +1411,26 @@ HiiDrawImage (
+ //
+ // Allocate a new bitmap to hold the incoming image.
+ //
+- Width = Image->Width + BltX;
+- Height = Image->Height + BltY;
+
+- BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
+- BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool (BufferLen);
++ //
++ // Make sure the final width and height doesn't overflow UINT16.
++ //
++ if ((BltX > (UINTN)MAX_UINT16 - Image->Width) || (BltY > (UINTN)MAX_UINT16 - Image->Height)) {
++ return EFI_INVALID_PARAMETER;
++ }
++
++ Width = Image->Width + (UINT16)BltX;
++ Height = Image->Height + (UINT16)BltY;
++
++ //
++ // Make sure the output image size doesn't overflow UINTN.
++ //
++ BufferLen = Width * Height;
++ if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++ BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
++ BltBuffer = AllocateZeroPool (BufferLen);
+ if (BltBuffer == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+@@ -1360,8 +1440,8 @@ HiiDrawImage (
+ FreePool (BltBuffer);
+ return EFI_OUT_OF_RESOURCES;
+ }
+- ImageOut->Width = (UINT16) Width;
+- ImageOut->Height = (UINT16) Height;
++ ImageOut->Width = Width;
++ ImageOut->Height = Height;
+ ImageOut->Image.Bitmap = BltBuffer;
+
+ //
+@@ -1375,7 +1455,7 @@ HiiDrawImage (
+ return Status;
+ }
+ ASSERT (FontInfo != NULL);
+- for (Index = 0; Index < Width * Height; Index++) {
++ for (Index = 0; Index < (UINTN)Width * Height; Index++) {
+ BltBuffer[Index] = FontInfo->BackgroundColor;
+ }
+ FreePool (FontInfo);
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch b/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
new file mode 100644
index 0000000..aff5831
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
@@ -0,0 +1,66 @@
+From 44941e738b975e52a6494cfd9f71db5ad3f411b8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 17:39:36 +0100
+Subject: [PATCH 2/8] MdeModulePkg/HiiImage: Fix stack overflow when corrupted
+ BMP is parsed (CVE-2018-12181)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322163936.10835-3-lersek@redhat.com>
+Patchwork-id: 85123
+O-Subject: [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/HiiImage: Fix stack overflow
+ when corrupted BMP is parsed (CVE-2018-12181)
+Bugzilla: 1691479
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Ray Ni <ray.ni@intel.com>
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+For 4bit BMP, there are only 2^4 = 16 colors in the palette.
+But when a corrupted BMP contains more than 16 colors in the palette,
+today's implementation wrongly copies all colors to the local
+PaletteValue[16] array which causes stack overflow.
+
+The similar issue also exists in the logic to handle 8bit BMP.
+
+The patch fixes the issue by only copies the first 16 or 256 colors
+in the palette depending on the BMP type.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni <ray.ni@intel.com>
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+(cherry picked from commit 89910a39dcfd788057caa5d88b7e76e112d187b5)
+---
+ MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index dc9566b..9829bdd 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -370,7 +370,7 @@ Output4bitPixel (
+ PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+
+ ZeroMem (PaletteValue, sizeof (PaletteValue));
+- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
+ FreePool (Palette);
+
+ //
+@@ -447,7 +447,7 @@ Output8bitPixel (
+ CopyMem (Palette, PaletteInfo, PaletteSize);
+ PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
+ ZeroMem (PaletteValue, sizeof (PaletteValue));
+- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
++ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
+ FreePool (Palette);
+
+ //
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch
new file mode 100644
index 0000000..3aeb39d
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch
@@ -0,0 +1,97 @@
+From 5c43edaf8f41ad18bc66c29fea9b039488d858c8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:19 +0100
+Subject: [PATCH 3/8] MdeModulePkg/PartitionDxe: Add check for underlying
+ device block size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-2-lersek@redhat.com>
+Patchwork-id: 85131
+O-Subject: [RHEL-7.7 ovmf PATCH 1/5] MdeModulePkg/PartitionDxe: Add check for
+ underlying device block size
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within FindAnchorVolumeDescriptorPointer():
+
+Add a check for the underlying device block size to ensure it is greater
+than the size of an Anchor Volume Descriptor Pointer.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 4df8f5bfa28b8b881e506437e8f08d92c1a00370)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c | 29 ++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c
+index 83bd174..49c56f6 100644
+--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c
++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c
+@@ -1,8 +1,17 @@
+ /** @file
+ Scan for an UDF file system on a formatted media.
+
++ Caution: This file requires additional review when modified.
++ This driver will have external input - CD/DVD media.
++ This external input must be validated carefully to avoid security issue like
++ buffer overflow, integer overflow.
++
++ FindUdfFileSystem() routine will consume the media properties and do basic
++ validation.
++
+ Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc.
+ Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++ Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+
+ This program and the accompanying materials are licensed and made available
+ under the terms and conditions of the BSD License which accompanies this
+@@ -102,6 +111,20 @@ FindAnchorVolumeDescriptorPointer (
+ AvdpsCount = 0;
+
+ //
++ // Check if the block size of the underlying media can hold the data of an
++ // Anchor Volume Descriptor Pointer
++ //
++ if (BlockSize < sizeof (UDF_ANCHOR_VOLUME_DESCRIPTOR_POINTER)) {
++ DEBUG ((
++ DEBUG_ERROR,
++ "%a: Media block size 0x%x unable to hold an AVDP.\n",
++ __FUNCTION__,
++ BlockSize
++ ));
++ return EFI_UNSUPPORTED;
++ }
++
++ //
+ // Find AVDP at block 256
+ //
+ Status = DiskIo->ReadDisk (
+@@ -598,6 +621,12 @@ Out_Free:
+ /**
+ Find a supported UDF file system in block device.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from Partition.
++
++ The CD/DVD media is the external input, so this routine will do basic
++ validation for the media.
++
+ @param[in] BlockIo BlockIo interface.
+ @param[in] DiskIo DiskIo interface.
+ @param[out] StartingLBA UDF file system starting LBA.
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
index 9f0dfe7..f925de0 100644
--- a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
+++ b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
@@ -1,26 +1,26 @@
-From 582ce8009e286361be2468d48c0c7763edc62718 Mon Sep 17 00:00:00 2001
+From 29d5545ca1b9cefb7e813b65e36eb9efc192fbc0 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 1 Mar 2019 12:38:19 +0100
-Subject: [PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
+Date: Fri, 1 Mar 2019 13:16:46 +0100
+Subject: [PATCH 08/13] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
(CVE-2018-12180)
-Message-id: <20190301113820.13948-3-lersek@redhat.com>
-Patchwork-id: 84753
-O-Subject: [RHEL-7.6.z ovmf PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure
- blocksize holds MBR (CVE-2018-12180)
-Bugzilla: 1684006
+Message-id: <20190301121647.16026-2-lersek@redhat.com>
+Patchwork-id: 84756
+O-Subject: [RHEL-7.7 ovmf PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize
+ holds MBR (CVE-2018-12180)
+Bugzilla: 1684007
Acked-by: Thomas Huth <thuth@redhat.com>
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
From: Hao Wu <hao.a.wu@intel.com>
---v-- RHEL-7.6 note --v--
+--v-- RHEL-7.7 note --v--
Trivial conflicts resolved in "Gpt.c" and "Mbr.c": up-stream, the Intel
copyright notice got meanwhile extended to 2018, in commit d1102dba7210
("MdeModulePkg: Clean up source files", 2018-06-28).
---^-- RHEL-7.6 note --^--
+--^-- RHEL-7.7 note --^--
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
diff --git a/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
index d12d1d1..6e3cf06 100644
--- a/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+++ b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
@@ -1,14 +1,14 @@
-From 9d78bac116d939d3a833150747e29e861b75eedc Mon Sep 17 00:00:00 2001
+From 8104f654744067eca1cc96d2156742dc1155b5b7 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 1 Mar 2019 12:38:20 +0100
-Subject: [PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
+Date: Fri, 1 Mar 2019 13:16:47 +0100
+Subject: [PATCH 09/13] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
(CVE-2018-12180)
-Message-id: <20190301113820.13948-4-lersek@redhat.com>
-Patchwork-id: 84754
-O-Subject: [RHEL-7.6.z ovmf PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM
+Message-id: <20190301121647.16026-3-lersek@redhat.com>
+Patchwork-id: 84757
+O-Subject: [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM
disk size (CVE-2018-12180)
-Bugzilla: 1684006
+Bugzilla: 1684007
Acked-by: Thomas Huth <thuth@redhat.com>
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch
new file mode 100644
index 0000000..704ef2d
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch
@@ -0,0 +1,57 @@
+From adfd3101494f52d71cbd8d15be9146e7570e6397 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:22 +0100
+Subject: [PATCH 6/8] MdeModulePkg/UdfDxe: Add boundary check for
+ ComponentIdentifier decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-5-lersek@redhat.com>
+Patchwork-id: 85133
+O-Subject: [RHEL-7.7 ovmf PATCH 4/5] MdeModulePkg/UdfDxe: Add boundary check for
+ ComponentIdentifier decode
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within ResolveSymlink():
+
+The boundary check will validate the 'LengthofComponentIdentifier' field
+of a Path Component matches the data within the relating (Extended) File
+Entry.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 89f75aa04a97293a8ed9db2a90851a5053730cf5)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index 0012075..1aefed8 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -2137,6 +2137,10 @@ ResolveSymlink (
+ return EFI_VOLUME_CORRUPTED;
+ }
+
++ if ((UINTN)PathComp->ComponentIdentifier + PathCompLength > (UINTN)EndData) {
++ return EFI_VOLUME_CORRUPTED;
++ }
++
+ Char = FileName;
+ for (Index = 1; Index < PathCompLength; Index++) {
+ if (CompressionId == 16) {
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch
new file mode 100644
index 0000000..a7758b6
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch
@@ -0,0 +1,103 @@
+From 288997968e9c6352b09930c23fc05f53e3bc0dad Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:23 +0100
+Subject: [PATCH 7/8] MdeModulePkg/UdfDxe: Add boundary check for getting
+ volume (free) size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-6-lersek@redhat.com>
+Patchwork-id: 85134
+O-Subject: [RHEL-7.7 ovmf PATCH 5/5] MdeModulePkg/UdfDxe: Add boundary check for
+ getting volume (free) size
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within GetVolumeSize():
+
+The boundary check will validate the 'NumberOfPartitions' field of a
+Logical Volume Integrity Descriptor matches the data within the relating
+Logical Volume Descriptor.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 3b30351b75d70ea65701ac999875fbb81a89a5ca)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ .../Universal/Disk/UdfDxe/FileSystemOperations.c | 17 ++++++++++++++++-
+ MdeModulePkg/Universal/Disk/UdfDxe/Udf.h | 7 +++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index 1aefed8..ae19a42 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -2451,6 +2451,13 @@ SetFileInfo (
+ /**
+ Get volume and free space size information of an UDF volume.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are
++ external inputs, so this routine will do basic validation for both descriptors
++ and report status.
++
+ @param[in] BlockIo BlockIo interface.
+ @param[in] DiskIo DiskIo interface.
+ @param[in] Volume UDF volume information structure.
+@@ -2489,7 +2496,8 @@ GetVolumeSize (
+
+ ExtentAd = &LogicalVolDesc->IntegritySequenceExtent;
+
+- if (ExtentAd->ExtentLength == 0) {
++ if ((ExtentAd->ExtentLength == 0) ||
++ (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {
+ return EFI_VOLUME_CORRUPTED;
+ }
+
+@@ -2529,6 +2537,13 @@ GetVolumeSize (
+ goto Out_Free;
+ }
+
++ if ((LogicalVolInt->NumberOfPartitions > MAX_UINT32 / sizeof (UINT32) / 2) ||
++ (LogicalVolInt->NumberOfPartitions * sizeof (UINT32) * 2 >
++ ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {
++ Status = EFI_VOLUME_CORRUPTED;
++ goto Out_Free;
++ }
++
+ *VolumeSize = 0;
+ *FreeSpaceSize = 0;
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+index 9b82441..b054c62 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+@@ -903,6 +903,13 @@ SetFileInfo (
+ /**
+ Get volume and free space size information of an UDF volume.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are
++ external inputs, so this routine will do basic validation for both descriptors
++ and report status.
++
+ @param[in] BlockIo BlockIo interface.
+ @param[in] DiskIo DiskIo interface.
+ @param[in] Volume UDF volume information structure.
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch
new file mode 100644
index 0000000..539ce62
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch
@@ -0,0 +1,156 @@
+From 8a7cd4ba31848171f596a1eb1df0bc06633d3276 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:21 +0100
+Subject: [PATCH 5/8] MdeModulePkg/UdfDxe: Add boundary check the read of
+ FE/EFE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-4-lersek@redhat.com>
+Patchwork-id: 85130
+O-Subject: [RHEL-7.7 ovmf PATCH 3/5] MdeModulePkg/UdfDxe: Add boundary check the
+ read of FE/EFE
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+Within ReadFile():
+
+Add checks to ensure that when getting the raw data or the Allocation
+Descriptors' data from a FE/EFE, it will not consume data beyond the
+size of a FE/EFE.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit 5c0748f43f4e1cc15fdd0be64a764eacd7df92f6)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ .../Universal/Disk/UdfDxe/FileSystemOperations.c | 54 ++++++++++++++++++++--
+ 1 file changed, 50 insertions(+), 4 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index 424f41c..0012075 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -504,15 +504,27 @@ DuplicateFe (
+
+ NOTE: The FE/EFE can be thought it was an inode.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The (Extended) File Entry is external input, so this routine will do basic
++ validation for (Extended) File Entry and report status.
++
+ @param[in] FileEntryData (Extended) File Entry pointer.
++ @param[in] FileEntrySize Size of the (Extended) File Entry specified
++ by FileEntryData.
+ @param[out] Data Buffer contains the raw data of a given
+ (Extended) File Entry.
+ @param[out] Length Length of the data in Buffer.
+
++ @retval EFI_SUCCESS Raw data and size of the FE/EFE was read.
++ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
++
+ **/
+-VOID
++EFI_STATUS
+ GetFileEntryData (
+ IN VOID *FileEntryData,
++ IN UINTN FileEntrySize,
+ OUT VOID **Data,
+ OUT UINT64 *Length
+ )
+@@ -536,20 +548,40 @@ GetFileEntryData (
+ *Data = (VOID *)((UINT8 *)FileEntry->Data +
+ FileEntry->LengthOfExtendedAttributes);
+ }
++
++ if ((*Length > FileEntrySize) ||
++ ((UINTN)FileEntryData > (UINTN)(*Data)) ||
++ ((UINTN)(*Data) - (UINTN)FileEntryData > FileEntrySize - *Length)) {
++ return EFI_VOLUME_CORRUPTED;
++ }
++ return EFI_SUCCESS;
+ }
+
+ /**
+ Get Allocation Descriptors' data information from a given FE/EFE.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The (Extended) File Entry is external input, so this routine will do basic
++ validation for (Extended) File Entry and report status.
++
+ @param[in] FileEntryData (Extended) File Entry pointer.
++ @param[in] FileEntrySize Size of the (Extended) File Entry specified
++ by FileEntryData.
+ @param[out] AdsData Buffer contains the Allocation Descriptors'
+ data from a given FE/EFE.
+ @param[out] Length Length of the data in AdsData.
+
++ @retval EFI_SUCCESS The data and size of Allocation Descriptors
++ were read from the FE/EFE.
++ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
++
+ **/
+-VOID
++EFI_STATUS
+ GetAdsInformation (
+ IN VOID *FileEntryData,
++ IN UINTN FileEntrySize,
+ OUT VOID **AdsData,
+ OUT UINT64 *Length
+ )
+@@ -573,6 +605,13 @@ GetAdsInformation (
+ *AdsData = (VOID *)((UINT8 *)FileEntry->Data +
+ FileEntry->LengthOfExtendedAttributes);
+ }
++
++ if ((*Length > FileEntrySize) ||
++ ((UINTN)FileEntryData > (UINTN)(*AdsData)) ||
++ ((UINTN)(*AdsData) - (UINTN)FileEntryData > FileEntrySize - *Length)) {
++ return EFI_VOLUME_CORRUPTED;
++ }
++ return EFI_SUCCESS;
+ }
+
+ /**
+@@ -1066,7 +1105,10 @@ ReadFile (
+ //
+ // There are no extents for this FE/EFE. All data is inline.
+ //
+- GetFileEntryData (FileEntryData, &Data, &Length);
++ Status = GetFileEntryData (FileEntryData, Volume->FileEntrySize, &Data, &Length);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
+
+ if (ReadFileInfo->Flags == ReadFileGetFileSize) {
+ ReadFileInfo->ReadLength = Length;
+@@ -1110,7 +1152,11 @@ ReadFile (
+ // This FE/EFE contains a run of Allocation Descriptors. Get data + size
+ // for start reading them out.
+ //
+- GetAdsInformation (FileEntryData, &Data, &Length);
++ Status = GetAdsInformation (FileEntryData, Volume->FileEntrySize, &Data, &Length);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++
+ AdOffset = 0;
+
+ for (;;) {
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch
new file mode 100644
index 0000000..75f4fb9
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch
@@ -0,0 +1,358 @@
+From 070a96e19dc08a87906035a1b0a67e8a3973a900 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 22 Mar 2019 21:53:20 +0100
+Subject: [PATCH 4/8] MdeModulePkg/UdfDxe: Refine boundary checks for file/path
+ name string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190322205323.17693-3-lersek@redhat.com>
+Patchwork-id: 85132
+O-Subject: [RHEL-7.7 ovmf PATCH 2/5] MdeModulePkg/UdfDxe: Refine boundary checks
+ for file/path name string
+Bugzilla: 1691647
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Hao Wu <hao.a.wu@intel.com>
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828
+
+The commit refines the boundary checks for file/path name string to
+prevent possible buffer overrun.
+
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Hao Wu <hao.a.wu@intel.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Acked-by: Star Zeng <star.zeng@intel.com>
+(cherry picked from commit b9ae1705adfdd43668027a25a2b03c2e81960219)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/UdfDxe/File.c | 30 ++++++++--
+ .../Universal/Disk/UdfDxe/FileSystemOperations.c | 65 +++++++++++++++++++---
+ MdeModulePkg/Universal/Disk/UdfDxe/Udf.h | 30 +++++++++-
+ 3 files changed, 110 insertions(+), 15 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/File.c b/MdeModulePkg/Universal/Disk/UdfDxe/File.c
+index 6f07bf2..bd723d0 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/File.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/File.c
+@@ -2,6 +2,7 @@
+ Handle operations in files and directories from UDF/ECMA-167 file systems.
+
+ Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++ Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+
+ This program and the accompanying materials are licensed and made available
+ under the terms and conditions of the BSD License which accompanies this
+@@ -248,7 +249,7 @@ UdfOpen (
+ FileName = TempFileName + 1;
+ }
+
+- StrCpyS (NewPrivFileData->FileName, UDF_PATH_LENGTH, FileName);
++ StrCpyS (NewPrivFileData->FileName, UDF_FILENAME_LENGTH, FileName);
+
+ Status = GetFileSize (
+ PrivFsData->BlockIo,
+@@ -444,7 +445,7 @@ UdfRead (
+ FreePool ((VOID *)NewFileEntryData);
+ NewFileEntryData = FoundFile.FileEntry;
+
+- Status = GetFileNameFromFid (NewFileIdentifierDesc, FileName);
++ Status = GetFileNameFromFid (NewFileIdentifierDesc, ARRAY_SIZE (FileName), FileName);
+ if (EFI_ERROR (Status)) {
+ FreePool ((VOID *)FoundFile.FileIdentifierDesc);
+ goto Error_Get_FileName;
+@@ -456,7 +457,7 @@ UdfRead (
+ FoundFile.FileIdentifierDesc = NewFileIdentifierDesc;
+ FoundFile.FileEntry = NewFileEntryData;
+
+- Status = GetFileNameFromFid (FoundFile.FileIdentifierDesc, FileName);
++ Status = GetFileNameFromFid (FoundFile.FileIdentifierDesc, ARRAY_SIZE (FileName), FileName);
+ if (EFI_ERROR (Status)) {
+ goto Error_Get_FileName;
+ }
+@@ -718,6 +719,12 @@ UdfSetPosition (
+ /**
+ Get information about a file.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The File Set Descriptor is external input, so this routine will do basic
++ validation for File Set Descriptor and report status.
++
+ @param This Protocol instance pointer.
+ @param InformationType Type of information to return in Buffer.
+ @param BufferSize On input size of buffer, on output amount of data in
+@@ -794,6 +801,10 @@ UdfGetInfo (
+ *String = *(UINT8 *)(OstaCompressed + Index) << 8;
+ Index++;
+ } else {
++ if (Index > ARRAY_SIZE (VolumeLabel)) {
++ return EFI_VOLUME_CORRUPTED;
++ }
++
+ *String = 0;
+ }
+
+@@ -813,7 +824,11 @@ UdfGetInfo (
+ String++;
+ }
+
+- *String = L'\0';
++ Index = ((UINTN)String - (UINTN)VolumeLabel) / sizeof (CHAR16);
++ if (Index > ARRAY_SIZE (VolumeLabel) - 1) {
++ Index = ARRAY_SIZE (VolumeLabel) - 1;
++ }
++ VolumeLabel[Index] = L'\0';
+
+ FileSystemInfoLength = StrSize (VolumeLabel) +
+ sizeof (EFI_FILE_SYSTEM_INFO);
+@@ -823,8 +838,11 @@ UdfGetInfo (
+ }
+
+ FileSystemInfo = (EFI_FILE_SYSTEM_INFO *)Buffer;
+- StrCpyS (FileSystemInfo->VolumeLabel, ARRAY_SIZE (VolumeLabel),
+- VolumeLabel);
++ StrCpyS (
++ FileSystemInfo->VolumeLabel,
++ (*BufferSize - OFFSET_OF (EFI_FILE_SYSTEM_INFO, VolumeLabel)) / sizeof (CHAR16),
++ VolumeLabel
++ );
+ Status = GetVolumeSize (
+ PrivFsData->BlockIo,
+ PrivFsData->DiskIo,
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+index ecc1723..424f41c 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+@@ -2,6 +2,7 @@
+ Handle on-disk format and volume structures in UDF/ECMA-167 file systems.
+
+ Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++ Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+
+ This program and the accompanying materials are licensed and made available
+ under the terms and conditions of the BSD License which accompanies this
+@@ -1412,7 +1413,7 @@ InternalFindFile (
+ break;
+ }
+ } else {
+- Status = GetFileNameFromFid (FileIdentifierDesc, FoundFileName);
++ Status = GetFileNameFromFid (FileIdentifierDesc, ARRAY_SIZE (FoundFileName), FoundFileName);
+ if (EFI_ERROR (Status)) {
+ break;
+ }
+@@ -1705,6 +1706,11 @@ FindFile (
+ while (*FilePath != L'\0') {
+ FileNamePointer = FileName;
+ while (*FilePath != L'\0' && *FilePath != L'\\') {
++ if ((((UINTN)FileNamePointer - (UINTN)FileName) / sizeof (CHAR16)) >=
++ (ARRAY_SIZE (FileName) - 1)) {
++ return EFI_NOT_FOUND;
++ }
++
+ *FileNamePointer++ = *FilePath++;
+ }
+
+@@ -1882,22 +1888,38 @@ ReadDirectoryEntry (
+ Get a filename (encoded in OSTA-compressed format) from a File Identifier
+ Descriptor on an UDF volume.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The File Identifier Descriptor is external input, so this routine will do
++ basic validation for File Identifier Descriptor and report status.
++
+ @param[in] FileIdentifierDesc File Identifier Descriptor pointer.
++ @param[in] CharMax The maximum number of FileName Unicode char,
++ including terminating null char.
+ @param[out] FileName Decoded filename.
+
+ @retval EFI_SUCCESS Filename decoded and read.
+ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
++ @retval EFI_BUFFER_TOO_SMALL The string buffer FileName cannot hold the
++ decoded filename.
+ **/
+ EFI_STATUS
+ GetFileNameFromFid (
+ IN UDF_FILE_IDENTIFIER_DESCRIPTOR *FileIdentifierDesc,
++ IN UINTN CharMax,
+ OUT CHAR16 *FileName
+ )
+ {
+- UINT8 *OstaCompressed;
+- UINT8 CompressionId;
+- UINT8 Length;
+- UINTN Index;
++ UINT8 *OstaCompressed;
++ UINT8 CompressionId;
++ UINT8 Length;
++ UINTN Index;
++ CHAR16 *FileNameBak;
++
++ if (CharMax == 0) {
++ return EFI_BUFFER_TOO_SMALL;
++ }
+
+ OstaCompressed =
+ (UINT8 *)(
+@@ -1910,10 +1932,22 @@ GetFileNameFromFid (
+ return EFI_VOLUME_CORRUPTED;
+ }
+
++ FileNameBak = FileName;
++
+ //
+ // Decode filename.
+ //
+ Length = FileIdentifierDesc->LengthOfFileIdentifier;
++ if (CompressionId == 16) {
++ if (((UINTN)Length >> 1) > CharMax) {
++ return EFI_BUFFER_TOO_SMALL;
++ }
++ } else {
++ if ((Length != 0) && ((UINTN)Length - 1 > CharMax)) {
++ return EFI_BUFFER_TOO_SMALL;
++ }
++ }
++
+ for (Index = 1; Index < Length; Index++) {
+ if (CompressionId == 16) {
+ *FileName = OstaCompressed[Index++] << 8;
+@@ -1928,7 +1962,11 @@ GetFileNameFromFid (
+ FileName++;
+ }
+
+- *FileName = L'\0';
++ Index = ((UINTN)FileName - (UINTN)FileNameBak) / sizeof (CHAR16);
++ if (Index > CharMax - 1) {
++ Index = CharMax - 1;
++ }
++ FileNameBak[Index] = L'\0';
+
+ return EFI_SUCCESS;
+ }
+@@ -1936,6 +1974,12 @@ GetFileNameFromFid (
+ /**
+ Resolve a symlink file on an UDF volume.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The Path Component is external input, so this routine will do basic
++ validation for Path Component and report status.
++
+ @param[in] BlockIo BlockIo interface.
+ @param[in] DiskIo DiskIo interface.
+ @param[in] Volume UDF volume information structure.
+@@ -2054,6 +2098,9 @@ ResolveSymlink (
+ Index) << 8;
+ Index++;
+ } else {
++ if (Index > ARRAY_SIZE (FileName)) {
++ return EFI_UNSUPPORTED;
++ }
+ *Char = 0;
+ }
+
+@@ -2064,7 +2111,11 @@ ResolveSymlink (
+ Char++;
+ }
+
+- *Char = L'\0';
++ Index = ((UINTN)Char - (UINTN)FileName) / sizeof (CHAR16);
++ if (Index > ARRAY_SIZE (FileName) - 1) {
++ Index = ARRAY_SIZE (FileName) - 1;
++ }
++ FileName[Index] = L'\0';
+ break;
+ }
+
+diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+index d441539..9b82441 100644
+--- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
++++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h
+@@ -2,6 +2,7 @@
+ UDF/ECMA-167 file system driver.
+
+ Copyright (C) 2014-2017 Paulo Alcantara <pcacjr@zytor.com>
++ Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
+
+ This program and the accompanying materials are licensed and made available
+ under the terms and conditions of the BSD License which accompanies this
+@@ -559,9 +560,16 @@ UdfSetPosition (
+ /**
+ Get information about a file.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The File Set Descriptor is external input, so this routine will do basic
++ validation for File Set Descriptor and report status.
++
+ @param This Protocol instance pointer.
+ @param InformationType Type of information to return in Buffer.
+- @param BufferSize On input size of buffer, on output amount of data in buffer.
++ @param BufferSize On input size of buffer, on output amount of data in
++ buffer.
+ @param Buffer The buffer to return data.
+
+ @retval EFI_SUCCESS Data was returned.
+@@ -571,7 +579,8 @@ UdfSetPosition (
+ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
+ @retval EFI_WRITE_PROTECTED The device is write protected.
+ @retval EFI_ACCESS_DENIED The file was open for read only.
+- @retval EFI_BUFFER_TOO_SMALL Buffer was too small; required size returned in BufferSize.
++ @retval EFI_BUFFER_TOO_SMALL Buffer was too small; required size returned in
++ BufferSize.
+
+ **/
+ EFI_STATUS
+@@ -769,21 +778,38 @@ ReadDirectoryEntry (
+ Get a filename (encoded in OSTA-compressed format) from a File Identifier
+ Descriptor on an UDF volume.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The File Identifier Descriptor is external input, so this routine will do
++ basic validation for File Identifier Descriptor and report status.
++
+ @param[in] FileIdentifierDesc File Identifier Descriptor pointer.
++ @param[in] CharMax The maximum number of FileName Unicode char,
++ including terminating null char.
+ @param[out] FileName Decoded filename.
+
+ @retval EFI_SUCCESS Filename decoded and read.
+ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
++ @retval EFI_BUFFER_TOO_SMALL The string buffer FileName cannot hold the
++ decoded filename.
+ **/
+ EFI_STATUS
+ GetFileNameFromFid (
+ IN UDF_FILE_IDENTIFIER_DESCRIPTOR *FileIdentifierDesc,
++ IN UINTN CharMax,
+ OUT CHAR16 *FileName
+ );
+
+ /**
+ Resolve a symlink file on an UDF volume.
+
++ @attention This is boundary function that may receive untrusted input.
++ @attention The input is from FileSystem.
++
++ The Path Component is external input, so this routine will do basic
++ validation for Path Component and report status.
++
+ @param[in] BlockIo BlockIo interface.
+ @param[in] DiskIo DiskIo interface.
+ @param[in] Volume UDF volume information structure.
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch b/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch
new file mode 100644
index 0000000..d093043
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch
@@ -0,0 +1,264 @@
+From 665567cda914855b29632120174ab28be8c6df58 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 9 Apr 2019 16:11:36 +0200
+Subject: [PATCH 8/8] MdeModulePkg UsbBusDxe: Fix wrong buffer length used to
+ read hub desc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190409141136.27390-2-lersek@redhat.com>
+Patchwork-id: 85539
+O-Subject: [RHEL-7.7 ovmf PATCH 1/1] MdeModulePkg UsbBusDxe: Fix wrong buffer
+ length used to read hub desc
+Bugzilla: 1697534
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Star Zeng <star.zeng@intel.com>
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=973
+
+HUB descriptor has variable length.
+But the code uses stack (HubDesc in UsbHubInit) with fixed length
+sizeof(EFI_USB_HUB_DESCRIPTOR) to hold HUB descriptor data.
+It uses hard code length value (32 that is greater than
+sizeof(EFI_USB_HUB_DESCRIPTOR)) for SuperSpeed path, then there will
+be stack overflow when IOMMU is enabled because the Unmap operation
+will copy the data from device buffer to host buffer.
+And it uses HubDesc->Length for none SuperSpeed path, then there will
+be stack overflow when HubDesc->Length is greater than
+sizeof(EFI_USB_HUB_DESCRIPTOR).
+
+The patch updates the code to use a big enough buffer to hold the
+descriptor data.
+The definition EFI_USB_SUPER_SPEED_HUB_DESCRIPTOR is wrong (HubDelay
+field should be UINT16 type) and no code is using it, the patch
+removes it.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Bret Barkelew <bret.barkelew@microsoft.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Star Zeng <star.zeng@intel.com>
+Reviewed-by: Bret Barkelew <bret.barkelew@microsoft.com>
+(cherry picked from commit acebdf14c985c5c9f50b37ece0b15ada87767359)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c | 96 +++++++++++----------------------
+ MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h | 14 +----
+ 2 files changed, 32 insertions(+), 78 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c
+index fabb441..a962f76 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c
++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c
+@@ -2,7 +2,7 @@
+
+ Unified interface for RootHub and Hub.
+
+-Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+@@ -201,42 +201,7 @@ UsbHubCtrlClearTTBuffer (
+ }
+
+ /**
+- Usb hub control transfer to get the super speed hub descriptor.
+-
+- @param HubDev The hub device.
+- @param Buf The buffer to hold the descriptor.
+-
+- @retval EFI_SUCCESS The hub descriptor is retrieved.
+- @retval Others Failed to retrieve the hub descriptor.
+-
+-**/
+-EFI_STATUS
+-UsbHubCtrlGetSuperSpeedHubDesc (
+- IN USB_DEVICE *HubDev,
+- OUT VOID *Buf
+- )
+-{
+- EFI_STATUS Status;
+-
+- Status = EFI_INVALID_PARAMETER;
+-
+- Status = UsbCtrlRequest (
+- HubDev,
+- EfiUsbDataIn,
+- USB_REQ_TYPE_CLASS,
+- USB_HUB_TARGET_HUB,
+- USB_HUB_REQ_GET_DESC,
+- (UINT16) (USB_DESC_TYPE_HUB_SUPER_SPEED << 8),
+- 0,
+- Buf,
+- 32
+- );
+-
+- return Status;
+-}
+-
+-/**
+- Usb hub control transfer to get the hub descriptor.
++ Usb hub control transfer to get the (super speed) hub descriptor.
+
+ @param HubDev The hub device.
+ @param Buf The buffer to hold the descriptor.
+@@ -254,6 +219,11 @@ UsbHubCtrlGetHubDesc (
+ )
+ {
+ EFI_STATUS Status;
++ UINT8 DescType;
++
++ DescType = (HubDev->Speed == EFI_USB_SPEED_SUPER) ?
++ USB_DESC_TYPE_HUB_SUPER_SPEED :
++ USB_DESC_TYPE_HUB;
+
+ Status = UsbCtrlRequest (
+ HubDev,
+@@ -261,7 +231,7 @@ UsbHubCtrlGetHubDesc (
+ USB_REQ_TYPE_CLASS,
+ USB_HUB_TARGET_HUB,
+ USB_HUB_REQ_GET_DESC,
+- (UINT16) (USB_DESC_TYPE_HUB << 8),
++ (UINT16) (DescType << 8),
+ 0,
+ Buf,
+ Len
+@@ -475,29 +445,19 @@ UsbHubReadDesc (
+ {
+ EFI_STATUS Status;
+
+- if (HubDev->Speed == EFI_USB_SPEED_SUPER) {
+- //
+- // Get the super speed hub descriptor
+- //
+- Status = UsbHubCtrlGetSuperSpeedHubDesc (HubDev, HubDesc);
+- } else {
+-
+- //
+- // First get the hub descriptor length
+- //
+- Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, 2);
+-
+- if (EFI_ERROR (Status)) {
+- return Status;
+- }
++ //
++ // First get the hub descriptor length
++ //
++ Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, 2);
+
+- //
+- // Get the whole hub descriptor
+- //
+- Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, HubDesc->Length);
++ if (EFI_ERROR (Status)) {
++ return Status;
+ }
+
+- return Status;
++ //
++ // Get the whole hub descriptor
++ //
++ return UsbHubCtrlGetHubDesc (HubDev, HubDesc, HubDesc->Length);
+ }
+
+
+@@ -690,7 +650,8 @@ UsbHubInit (
+ IN USB_INTERFACE *HubIf
+ )
+ {
+- EFI_USB_HUB_DESCRIPTOR HubDesc;
++ UINT8 HubDescBuffer[256];
++ EFI_USB_HUB_DESCRIPTOR *HubDesc;
+ USB_ENDPOINT_DESC *EpDesc;
+ USB_INTERFACE_SETTING *Setting;
+ EFI_USB_IO_PROTOCOL *UsbIo;
+@@ -725,14 +686,19 @@ UsbHubInit (
+ return EFI_DEVICE_ERROR;
+ }
+
+- Status = UsbHubReadDesc (HubDev, &HubDesc);
++ //
++ // The length field of descriptor is UINT8 type, so the buffer
++ // with 256 bytes is enough to hold the descriptor data.
++ //
++ HubDesc = (EFI_USB_HUB_DESCRIPTOR *) HubDescBuffer;
++ Status = UsbHubReadDesc (HubDev, HubDesc);
+
+ if (EFI_ERROR (Status)) {
+ DEBUG (( EFI_D_ERROR, "UsbHubInit: failed to read HUB descriptor %r\n", Status));
+ return Status;
+ }
+
+- HubIf->NumOfPort = HubDesc.NumPorts;
++ HubIf->NumOfPort = HubDesc->NumPorts;
+
+ DEBUG (( EFI_D_INFO, "UsbHubInit: hub %d has %d ports\n", HubDev->Address,HubIf->NumOfPort));
+
+@@ -751,7 +717,7 @@ UsbHubInit (
+ DEBUG ((EFI_D_INFO, "UsbHubInit: Set Hub Depth as 0x%x\n", Depth));
+ UsbHubCtrlSetHubDepth (HubIf->Device, Depth);
+
+- for (Index = 0; Index < HubDesc.NumPorts; Index++) {
++ for (Index = 0; Index < HubDesc->NumPorts; Index++) {
+ UsbHubCtrlSetPortFeature (HubIf->Device, Index, USB_HUB_PORT_REMOTE_WAKE_MASK);
+ }
+ } else {
+@@ -759,15 +725,15 @@ UsbHubInit (
+ // Feed power to all the hub ports. It should be ok
+ // for both gang/individual powered hubs.
+ //
+- for (Index = 0; Index < HubDesc.NumPorts; Index++) {
++ for (Index = 0; Index < HubDesc->NumPorts; Index++) {
+ UsbHubCtrlSetPortFeature (HubIf->Device, Index, (EFI_USB_PORT_FEATURE) USB_HUB_PORT_POWER);
+ }
+
+ //
+ // Update for the usb hub has no power on delay requirement
+ //
+- if (HubDesc.PwrOn2PwrGood > 0) {
+- gBS->Stall (HubDesc.PwrOn2PwrGood * USB_SET_PORT_POWER_STALL);
++ if (HubDesc->PwrOn2PwrGood > 0) {
++ gBS->Stall (HubDesc->PwrOn2PwrGood * USB_SET_PORT_POWER_STALL);
+ }
+ UsbHubAckHubStatus (HubIf->Device);
+ }
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h
+index 4e5fcd8..fe9f1f7 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h
++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h
+@@ -2,7 +2,7 @@
+
+ The definition for USB hub.
+
+-Copyright (c) 2007 - 2010, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+@@ -115,18 +115,6 @@ typedef struct {
+ UINT8 Filler[16];
+ } EFI_USB_HUB_DESCRIPTOR;
+
+-typedef struct {
+- UINT8 Length;
+- UINT8 DescType;
+- UINT8 NumPorts;
+- UINT16 HubCharacter;
+- UINT8 PwrOn2PwrGood;
+- UINT8 HubContrCurrent;
+- UINT8 HubHdrDecLat;
+- UINT8 HubDelay;
+- UINT8 DeviceRemovable;
+-} EFI_USB_SUPER_SPEED_HUB_DESCRIPTOR;
+-
+ #pragma pack()
+
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch b/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
new file mode 100644
index 0000000..e77f913
--- /dev/null
+++ b/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
@@ -0,0 +1,80 @@
+From 0afba771bf42a9793e86bc565f23a8ca99d53dbb Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:44 +0100
+Subject: [PATCH 01/13] MdeModulePkg Variable: Fix Timestamp zeroing issue on
+ APPEND_WRITE
+
+Message-id: <20190213085050.20766-2-philmd@redhat.com>
+Patchwork-id: 84478
+O-Subject: [RHEL-7.7 ovmf PATCH v3 1/7] MdeModulePkg Variable: Fix Timestamp
+ zeroing issue on APPEND_WRITE
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Star Zeng <star.zeng@intel.com>
+
+--v-- RHEL7 note start --v--
+
+This patch fixes CVE-2018-3613. Unfortunately, the upstream subject line
+does not include the CVE number. I've decided to stick with the upstream
+subject verbatim in the backport, so we can more easily drop this patch at
+the next rebase. On the upstream list, I did complain loudly, so there's
+hope the next CVE fix will advertise the CVE number in the subject.
+
+In practice, the vulnerability is difficult to exploit. Please refer to
+the following messages in the upstream discussion:
+
+ https://lists.01.org/pipermail/edk2-devel/2018-October/031103.html
+ https://lists.01.org/pipermail/edk2-devel/2018-October/031140.html
+
+--^-- RHEL7 note end --^--
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415
+
+When SetVariable() to a time based auth variable with APPEND_WRITE
+attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
+the input Data is earlier than current value, it will cause timestamp
+zeroing.
+
+This issue may bring time based auth variable downgrade problem.
+For example:
+A vendor released three certs at 2014, 2015, and 2016, and system
+integrated the 2016 cert. User can SetVariable() with 2015 cert and
+APPEND_WRITE attribute to cause timestamp zeroing first, then
+SetVariable() with 2014 cert to downgrade the cert.
+
+This patch fixes this issue.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Star Zeng <star.zeng@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+(cherry picked from commit b7dc8888f31402f410c53242839271ba3b94b619)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 3b8ff18ad4ac1af740a979ad27fb83dbbdca70ef)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+index 6caf603..60439b5 100644
+--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+@@ -2460,6 +2460,8 @@ UpdateVariable (
+ if (Variable->CurrPtr != NULL) {
+ if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {
+ CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));
++ } else {
++ CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));
+ }
+ }
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch b/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
new file mode 100644
index 0000000..5a90543
--- /dev/null
+++ b/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
@@ -0,0 +1,128 @@
+From 6e3079460fa075f4b44c1031b1e20709979d9424 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:45 +0100
+Subject: [PATCH 02/13] MdePkg: Add more checker in UefiDecompressLib to access
+ the valid buffer only (CVE FIX)
+
+Message-id: <20190213085050.20766-3-philmd@redhat.com>
+Patchwork-id: 84480
+O-Subject: [RHEL-7.7 ovmf PATCH v3 2/7] MdePkg: Add more checker in
+ UefiDecompressLib to access the valid buffer only (CVE FIX)
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL7 note start --v--
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5732
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5731 (contrarily to the upstream commit message). The
+best I could achieve up-stream was to get the "CVE FIX" expression into
+the subject, and a whole-sale dump of the CVEs into the body. I had not
+been invited to the original (off-list, embargoed) analysis and review.
+
+The trivial context difference (whitespace) is due to RHEL8 lacking
+upstream commit 9095d37b8fe5 ("MdePkg: Clean up source files",
+2018-06-28). I've considered backporting that (since it only cleans up
+whitespace). However, the diffstat on that commit convinced me otherwise:
+"729 files changed, 15667 insertions(+), 15667 deletions(-)". I've decided
+not to do a partial backport of that (i.e. just for
+"BaseUefiDecompressLib.c").
+
+--^-- RHEL7 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 2ec7953d49677142c5f7552e9e3d96fb406ba0c4)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 41129e136b621728eb5cb1c81aafcc5fedc53a12)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ .../BaseUefiDecompressLib/BaseUefiDecompressLib.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+index e818543..0c6b1fe 100644
+--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+@@ -152,6 +152,7 @@ MakeTable (
+ UINT16 Mask;
+ UINT16 WordOfStart;
+ UINT16 WordOfCount;
++ UINT16 MaxTableLength;
+
+ //
+ // The maximum mapping table width supported by this internal
+@@ -164,6 +165,9 @@ MakeTable (
+ }
+
+ for (Index = 0; Index < NumOfChar; Index++) {
++ if (BitLen[Index] > 16) {
++ return (UINT16) BAD_TABLE;
++ }
+ Count[BitLen[Index]]++;
+ }
+
+@@ -205,6 +209,7 @@ MakeTable (
+
+ Avail = NumOfChar;
+ Mask = (UINT16) (1U << (15 - TableBits));
++ MaxTableLength = (UINT16) (1U << TableBits);
+
+ for (Char = 0; Char < NumOfChar; Char++) {
+
+@@ -218,6 +223,9 @@ MakeTable (
+ if (Len <= TableBits) {
+
+ for (Index = Start[Len]; Index < NextCode; Index++) {
++ if (Index >= MaxTableLength) {
++ return (UINT16) BAD_TABLE;
++ }
+ Table[Index] = Char;
+ }
+
+@@ -620,11 +628,16 @@ Decode (
+ // Write BytesRemain of bytes into mDstBase
+ //
+ BytesRemain--;
++
+ while ((INT16) (BytesRemain) >= 0) {
+- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ if (Sd->mOutBuf >= Sd->mOrigSize) {
+ goto Done;
+ }
++ if (DataIdx >= Sd->mOrigSize) {
++ Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++ goto Done;
++ }
++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+
+ BytesRemain--;
+ }
+@@ -694,7 +707,7 @@ UefiDecompressGetInfo (
+ }
+
+ CompressedSize = ReadUnaligned32 ((UINT32 *)Source);
+- if (SourceSize < (CompressedSize + 8)) {
++ if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
+ return RETURN_INVALID_PARAMETER;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch b/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
new file mode 100644
index 0000000..13ce299
--- /dev/null
+++ b/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
@@ -0,0 +1,59 @@
+From c3915e0546924db36fd1cd85bf77318302168ee6 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Wed, 13 Feb 2019 09:50:49 +0100
+Subject: [PATCH 06/13] MdePkg BaseUefiDecompressLib: Fix UEFI Decompression
+ logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190213085050.20766-7-philmd@redhat.com>
+Patchwork-id: 84485
+O-Subject: [RHEL-7.7 ovmf PATCH v3 6/7] MdePkg BaseUefiDecompressLib: Fix UEFI
+ Decompression logic issue
+Bugzilla: 1666586
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 2ec7953d49677142c5f7552e9e3d96fb406ba0c4.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Cc: Michael Kinney <michael.d.kinney@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit 1c4cecc9fd314de0dce8125b0d4b45967637a401)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit c46469847b68f6a1a5b42feaf0de7a83fd0bed85)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+---
+ MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+index 0c6b1fe..8c30e97 100644
+--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+@@ -641,6 +641,12 @@ Decode (
+
+ BytesRemain--;
+ }
++ //
++ // Once mOutBuf is fully filled, directly return
++ //
++ if (Sd->mOutBuf >= Sd->mOrigSize) {
++ goto Done;
++ }
+ }
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch b/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch
new file mode 100644
index 0000000..aa47c88
--- /dev/null
+++ b/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch
@@ -0,0 +1,192 @@
+From 05565be8fdd79d641aa22b7b7a686dd68f158ce8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 13 Feb 2019 22:06:28 +0100
+Subject: [PATCH 13/13] Upgrade OpenSSL to 1.1.0j
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+Message-id: <20190213225928.17791-5-lersek@redhat.com>
+Patchwork-id: 84502
+O-Subject: [RHEL-7.7 ovmf PATCH 4/4] Upgrade OpenSSL to 1.1.0j
+Bugzilla: 1650390
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+--v-- RHEL7 note start --v--
+
+(1) NOTE: this is a partial cherry-pick. We're only advancing to 1.1.0i.
+
+ The upstream commit advanced the OpenSSL git submodule from upstream
+ OpenSSL commit d4e4bd2a8163 ("Prepare for 1.1.0h release", 2018-03-27)
+ to upstream OpenSSL commit 74f2d9c1ec5f ("Prepare for 1.1.0j release",
+ 2018-11-20). Meaning, upstream edk2 skipped 1.1.0i.
+
+ However, Fedora 28 only offers 1.1.0i at this point (and it will not
+ be rebased again until 1.1.0k is released). Therefore hunks in the
+ upstream CryptoPkg commit that relate specifically to 1.1.0j have to
+ be dropped from the backport.
+
+ The only such hunks are the "crypto/getenv.c" additions to the INF
+ files. The related upstream OpenSSL change was commit 1abdf08284af
+ ("Use secure_getenv(3) when available.", 2018-09-24), part of tag
+ "OpenSSL_1_1_0j".
+
+ The other hunks all relate to OpenSSL commits present in tag
+ "OpenSSL_1_1_0i" -- hence we keep those hunks:
+
+ * 23dec58b9c2e ("Move the loading of the ssl_conf module to
+ libcrypto", 2018-04-05)
+
+ This justifies the addition of "crypto/conf/conf_ssl.c" to the INF
+ files.
+
+ * 6912debb881e ("Add APIs for custom X509_LOOKUP_METHOD creation",
+ 2018-05-30)
+
+ This justifies the addition of "crypto/x509/x509_meth.c" to the INF
+ files.
+
+ * dcb8333087d5 ("Avoid __GNUC__ warnings when defining
+ DECLARE_DEPRECATED", 2018-07-11)
+
+ This justifies the ifdeffery update in "opensslconf.h".
+
+(2) After this downstream patch, the affected files almost match their
+ upstream counterparts at commit a18f784cfdbe (i.e., at the commit
+ being cherry-picked). What's missing (beyond the above 1.1.0j-specific
+ hunks) belong to the following upstream commits, which we don't need:
+
+ * 630f67ddfea2 ("CryptoPkg: Clean up source files", 2018-06-28),
+
+ * 94d67262d891 ("CryptoPkg: Removing ipf which is no longer supported
+ from edk2.", 2018-09-25)
+
+ (IPF stands for Itanium.)
+
+--^-- RHEL7 note end --^--
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1393
+
+BZ#1089 (https://bugzilla.tianocore.org/show_bug.cgi?id=1089) requests
+to upgrade the OpenSSL to the latest 1.1.1 release. Since OpenSSL-1.1.1
+has many changes, more porting efforts and feature evaluation are needed.
+This might lead to a situation that it cannot catch the Q1'19 stable tag.
+
+One of the solution is upgrade current version (1.1.0h) to 1.1.0j.
+According to following web page in openssl.org, all security issues
+solved in 1.1.1 have been also back-ported to 1.1.0.j. This can make
+sure that no security vulnerabilities left in edk2 master before 1.1.1.
+
+https://www.openssl.org/news/vulnerabilities-1.1.1.html
+
+Cc: Ting Ye <ting.ye@intel.com>
+Cc: Gang Wei <gang.wei@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Gang Wei <gang.wei@intel.com>
+Reviewed-by: Ting Ye <ting.ye@intel.com>
+(cherry picked from commit a18f784cfdbe17855ec4376e80db927e1a81aaca)
+---
+ CryptoPkg/CryptoPkg.dsc | 1 +
+ CryptoPkg/Library/Include/openssl/opensslconf.h | 20 +++++++++++++-------
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 ++
+ CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 2 ++
+ CryptoPkg/Library/OpensslLib/process_files.pl | 0
+ 5 files changed, 18 insertions(+), 7 deletions(-)
+ mode change 100644 => 100755 CryptoPkg/Library/OpensslLib/process_files.pl
+
+diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
+index b49e587..f305f95 100644
+--- a/CryptoPkg/CryptoPkg.dsc
++++ b/CryptoPkg/CryptoPkg.dsc
+@@ -124,6 +124,7 @@
+ CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+ CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+ CryptoPkg/Library/TlsLib/TlsLib.inf
++ CryptoPkg/Library/OpensslLib/OpensslLib.inf
+
+ CryptoPkg/CryptRuntimeDxe/CryptRuntimeDxe.inf
+
+diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
+index 1917d7a..28dd9ab 100644
+--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
++++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
+@@ -2,7 +2,7 @@
+ * WARNING: do not edit!
+ * Generated from include/openssl/opensslconf.h.in
+ *
+- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -235,12 +235,18 @@ extern "C" {
+ * still won't see them if the library has been built to disable deprecated
+ * functions.
+ */
+-#if defined(OPENSSL_NO_DEPRECATED)
+-# define DECLARE_DEPRECATED(f)
+-#elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
+-# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
+-#else
+-# define DECLARE_DEPRECATED(f) f;
++#ifndef DECLARE_DEPRECATED
++# if defined(OPENSSL_NO_DEPRECATED)
++# define DECLARE_DEPRECATED(f)
++# else
++# define DECLARE_DEPRECATED(f) f;
++# ifdef __GNUC__
++# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
++# undef DECLARE_DEPRECATED
++# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
++# endif
++# endif
++# endif
+ #endif
+
+ #ifndef OPENSSL_FILE
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index 55a6fa3..b44510d 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -175,6 +175,7 @@
+ $(OPENSSL_PATH)/crypto/conf/conf_mall.c
+ $(OPENSSL_PATH)/crypto/conf/conf_mod.c
+ $(OPENSSL_PATH)/crypto/conf/conf_sap.c
++ $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
+ $(OPENSSL_PATH)/crypto/cpt_err.c
+ $(OPENSSL_PATH)/crypto/cryptlib.c
+ $(OPENSSL_PATH)/crypto/cversion.c
+@@ -418,6 +419,7 @@
+ $(OPENSSL_PATH)/crypto/x509/x509_err.c
+ $(OPENSSL_PATH)/crypto/x509/x509_ext.c
+ $(OPENSSL_PATH)/crypto/x509/x509_lu.c
++ $(OPENSSL_PATH)/crypto/x509/x509_meth.c
+ $(OPENSSL_PATH)/crypto/x509/x509_obj.c
+ $(OPENSSL_PATH)/crypto/x509/x509_r2x.c
+ $(OPENSSL_PATH)/crypto/x509/x509_req.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index f542998..46217cc 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -175,6 +175,7 @@
+ $(OPENSSL_PATH)/crypto/conf/conf_mall.c
+ $(OPENSSL_PATH)/crypto/conf/conf_mod.c
+ $(OPENSSL_PATH)/crypto/conf/conf_sap.c
++ $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
+ $(OPENSSL_PATH)/crypto/cpt_err.c
+ $(OPENSSL_PATH)/crypto/cryptlib.c
+ $(OPENSSL_PATH)/crypto/cversion.c
+@@ -418,6 +419,7 @@
+ $(OPENSSL_PATH)/crypto/x509/x509_err.c
+ $(OPENSSL_PATH)/crypto/x509/x509_ext.c
+ $(OPENSSL_PATH)/crypto/x509/x509_lu.c
++ $(OPENSSL_PATH)/crypto/x509/x509_meth.c
+ $(OPENSSL_PATH)/crypto/x509/x509_obj.c
+ $(OPENSSL_PATH)/crypto/x509/x509_r2x.c
+ $(OPENSSL_PATH)/crypto/x509/x509_req.c
+diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
+old mode 100644
+new mode 100755
+--
+1.8.3.1
+
diff --git a/SOURCES/ovmf-sb.json b/SOURCES/ovmf-sb.json
new file mode 100644
index 0000000..c804ac1
--- /dev/null
+++ b/SOURCES/ovmf-sb.json
@@ -0,0 +1,36 @@
+{
+ "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "amd-sev",
+ "enrolled-keys",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/SOURCES/ovmf.json b/SOURCES/ovmf.json
new file mode 100644
index 0000000..5e8a94a
--- /dev/null
+++ b/SOURCES/ovmf.json
@@ -0,0 +1,35 @@
+{
+ "description": "OVMF with SB+SMM, empty varstore",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/OVMF/OVMF_VARS.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "amd-sev",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/SPECS/ovmf.spec b/SPECS/ovmf.spec
index c77cd87..88f0aa7 100644
--- a/SPECS/ovmf.spec
+++ b/SPECS/ovmf.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
Name: ovmf
Version: %{GITDATE}
-Release: 3.git%{GITCOMMIT}%{?dist}.1
+Release: 6.git%{GITCOMMIT}%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators
License: BSD and OpenSSL and MIT
@@ -19,10 +19,13 @@ URL: http://www.tianocore.org
# | xz -9ev >/tmp/ovmf-$COMMIT.tar.xz
Source0: http://batcave.lab.eng.brq.redhat.com/www/ovmf-%{GITCOMMIT}.tar.xz
Source1: ovmf-whitepaper-c770f8c.txt
-Source2: openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
+Source2: openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz
Source3: ovmf-vars-generator
Source4: LICENSE.qosb
+Source10: ovmf-sb.json
+Source11: ovmf.json
+
Patch0003: 0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
Patch0004: 0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
Patch0005: 0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
@@ -42,10 +45,42 @@ Patch0019: 0019-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
Patch20: ovmf-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch
Patch21: ovmf-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch
Patch22: ovmf-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch
-# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z]
-Patch23: ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
-# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z]
-Patch24: ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch23: ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch24: ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch25: ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch26: ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch27: ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch28: ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
+# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]
+Patch29: ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
+# For bz#1684007 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7]
+Patch30: ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch
+# For bz#1684007 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7]
+Patch31: ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch
+# For bz#1650390 - CVE-2018-5407 OVMF: openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) [rhel-7]
+Patch33: ovmf-Upgrade-OpenSSL-to-1.1.0j.patch
+# For bz#1691479 - CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7]
+Patch34: ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
+# For bz#1691479 - CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7]
+Patch35: ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch36: ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch37: ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch38: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch39: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch
+# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]
+Patch40: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch
+# For bz#1697534 - CVE-2019-0161 ovmf: edk2: stack overflow in XHCI causing denial of service [rhel-7]
+Patch41: ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch
# python2-devel and libuuid-devel are required for building tools
@@ -81,7 +116,7 @@ Summary: UEFI firmware for x86_64 virtual machines
BuildArch: noarch
# OVMF includes the Secure Boot feature; it has a builtin OpenSSL library.
-Provides: bundled(openssl) = 1.1.0h
+Provides: bundled(openssl) = 1.1.0i
License: BSD and OpenSSL
# URL taken from the Maintainers.txt file.
@@ -161,6 +196,7 @@ echo "Applied $COUNT patches"
rm -f $PATCHLIST
cp -a -- %{SOURCE1} %{SOURCE3} .
+cp -a -- %{SOURCE10} %{SOURCE11} .
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
# Done by %setup, but we do not use it for the auxiliary tarballs
@@ -278,6 +314,10 @@ install -m 0644 UefiShell.iso $RPM_BUILD_ROOT%{_data
install -m 0644 OvmfPkg/README $RPM_BUILD_ROOT%{_docdir}/%{subpkgname}/README
install -m 0644 ovmf-whitepaper-c770f8c.txt $RPM_BUILD_ROOT%{_docdir}/%{subpkgname}/ovmf-whitepaper-c770f8c.txt
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/qemu/firmware
+install -m 0644 ovmf-sb.json $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-ovmf-sb.json
+install -m 0644 ovmf.json $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/60-ovmf.json
+
copy_license CryptoPkg/Library/OpensslLib/openssl/LICENSE OpensslLib
%else
@@ -328,6 +368,11 @@ chmod 0644 -- $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_*.fd
%{_datadir}/OVMF/OVMF_VARS.secboot.fd
%{_datadir}/OVMF/UefiShell.iso
+%dir %{_datadir}/qemu
+%dir %{_datadir}/qemu/firmware
+%{_datadir}/qemu/firmware/50-ovmf-sb.json
+%{_datadir}/qemu/firmware/60-ovmf.json
+
%else
%dir %{_datadir}/AAVMF/
%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd
@@ -360,11 +405,47 @@ true
%endif
%changelog
-* Tue Mar 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-3.gitee3198e672e2.el7_6.1
-- ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1684006]
-- ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1684006]
-- Resolves: bz#1684006
- (CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z])
+* Mon Apr 15 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-6.gitee3198e672e2.el7
+- ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch [bz#1691479]
+- ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch [bz#1691479]
+- ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch [bz#1691647]
+- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch [bz#1691647]
+- ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch [bz#1697534]
+- Resolves: bz#1691479
+ (CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7])
+- Resolves: bz#1691647
+ (CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7])
+- Resolves: bz#1697534
+ (CVE-2019-0161 ovmf: edk2: stack overflow in XHCI causing denial of service [rhel-7])
+
+* Thu Mar 07 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-5.gitee3198e672e2.el7
+- ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1666586]
+- ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1666586]
+- ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1666586]
+- ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1666586]
+- ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1666586]
+- ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1666586]
+- ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1666586]
+- ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1684007]
+- ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1684007]
+- ovmf-redhat-openssl-update-introduce-MOCK-shorthand-for-m.patch [bz#1650390]
+- ovmf-redhat-openssl-update-enable-the-bootstrap-container.patch [bz#1650390]
+- ovmf-redhat-consume-OpenSSL-1.1.0i-from-Fedora-28.patch [bz#1650390]
+- ovmf-Upgrade-OpenSSL-to-1.1.0j.patch [bz#1650390]
+- Resolves: bz#1650390
+ (CVE-2018-5407 OVMF: openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) [rhel-7])
+- Resolves: bz#1666586
+ (CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7])
+- Resolves: bz#1684007
+ (CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7])
+
+* Thu Nov 29 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-4.gitee3198e672e2.el7
+- ovmf-redhat-provide-firmware-descriptor-meta-files.patch [bz#1608599]
+- Resolves: bz#1608599
+ ([RHEL 7.7] RFE: provide firmware descriptor meta-files for OVMF)
* Fri Jul 27 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-3.gitee3198e672e2.el7
- ovmf-redhat-provide-virtual-bundled-OpenSSL-in-OVMF.patch [bz#1607792]