diff --git a/.gitignore b/.gitignore index 84b2a04..77a9651 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz +SOURCES/openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz SOURCES/ovmf-ee3198e672e2.tar.xz diff --git a/.ovmf.metadata b/.ovmf.metadata index 1c31019..0b066a8 100644 --- a/.ovmf.metadata +++ b/.ovmf.metadata @@ -1,2 +1,2 @@ -885bc596d198c8b1909f2199758e0eec6abe1904 SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz +e3df430bd2ac86a819720e5a548b56b0ef144a6f SOURCES/openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz ef7bc42e3e6decf2619709fd776481a30f4b4e53 SOURCES/ovmf-ee3198e672e2.tar.xz diff --git a/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch b/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch new file mode 100644 index 0000000..1c4145c --- /dev/null +++ b/SOURCES/ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch @@ -0,0 +1,270 @@ +From 87af8da054900fd05701c6d60a496b83fb8dbb63 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Wed, 13 Feb 2019 09:50:47 +0100 +Subject: [PATCH 04/13] BaseTools: Add more checker in Decompress algorithm to + access the valid buffer (CVE FIX) + +Message-id: <20190213085050.20766-5-philmd@redhat.com> +Patchwork-id: 84481 +O-Subject: [RHEL-7.7 ovmf PATCH v3 4/7] BaseTools: Add more checker in + Decompress algorithm to access the valid buffer (CVE FIX) +Bugzilla: 1666586 +Acked-by: Laszlo Ersek +Acked-by: Vitaly Kuznetsov + +From: Laszlo Ersek + +From: Liming Gao + +--v-- RHEL7 note start --v-- + +Unfortunately, the upstream patch series was not structured according to +the CVE reports. This patch contributes to fixing: + +- CVE-2017-5731 +- CVE-2017-5733 +- CVE-2017-5734 +- CVE-2017-5735 + +but not CVE-2017-5732 (contrarily to the upstream commit message). The +best I could achieve up-stream was to get the "CVE FIX" expression into +the subject, and a whole-sale dump of the CVEs into the body. I had not +been invited to the original (off-list, embargoed) analysis and review. + +The differences that "git-backport-diff" reports as "functional" for this +backport aren't actually functional differences. They are due to +downstream lacking two upstream commits: + +- f7496d717357 ("BaseTools: Clean up source files", 2018-07-09), with the + "usual" diffstat "289 files changed, 10645 insertions(+), 10645 + deletions(-)"; + +- more importantly, 472eb3b89682 ("BaseTools: Add --uefi option to enable + UefiCompress method", 2018-10-13). + +(Side note: in upstream, commit 472eb3b89682 was incorrectly reverted as +part of 1ccc4d895dd8 ("Revert BaseTools: PYTHON3 migration", 2018-10-15), +but then it was re-applied in f1400101a732.) + +In commit 472eb3b89682, the "UEFI" compression/decompression method was +added to BaseTools, beyond the original "Tiano" method. This caused the +Tiano method to be indented more deeply, in the main() function of +"TianoCompress.c". (Also the original Decompress() function was renamed to +TDecompress().) The CVE fix applies to the "Tiano" method, which RHEL8 +does have, but at a different nesting level. Therefore the changes have +been backported manually, and the difference in indentation is also why +"git-backport-diff" thinks the changes are functional. + +This backport, once applied, can be diffed against the upstream tree more +easily as follows: + + git diff -b HEAD..041d89bc0f01 -- \ + BaseTools/Source/C/Common/Decompress.c \ + BaseTools/Source/C/TianoCompress/TianoCompress.c + +--^-- RHEL7 note end --^-- + +Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735 +https://bugzilla.tianocore.org/show_bug.cgi?id=686 + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Holtsclaw Brent +Signed-off-by: Liming Gao +Reviewed-by: Star Zeng +Acked-by: Laszlo Ersek +(cherry picked from commit 041d89bc0f0119df37a5fce1d0f16495ff905089) +Signed-off-by: Laszlo Ersek +(cherry picked from commit 29c394f110b1f769e629e8775874261e33d4abd9) +Signed-off-by: Philippe Mathieu-Daude +--- + BaseTools/Source/C/Common/Decompress.c | 23 +++++++++++++++++++-- + BaseTools/Source/C/TianoCompress/TianoCompress.c | 26 +++++++++++++++++++++++- + 2 files changed, 46 insertions(+), 3 deletions(-) + +diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c +index 8f1afb4..bdc10f5 100644 +--- a/BaseTools/Source/C/Common/Decompress.c ++++ b/BaseTools/Source/C/Common/Decompress.c +@@ -194,12 +194,16 @@ Returns: + UINT16 Avail; + UINT16 NextCode; + UINT16 Mask; ++ UINT16 MaxTableLength; + + for (Index = 1; Index <= 16; Index++) { + Count[Index] = 0; + } + + for (Index = 0; Index < NumOfChar; Index++) { ++ if (BitLen[Index] > 16) { ++ return (UINT16) BAD_TABLE; ++ } + Count[BitLen[Index]]++; + } + +@@ -237,6 +241,7 @@ Returns: + + Avail = NumOfChar; + Mask = (UINT16) (1U << (15 - TableBits)); ++ MaxTableLength = (UINT16) (1U << TableBits); + + for (Char = 0; Char < NumOfChar; Char++) { + +@@ -250,6 +255,9 @@ Returns: + if (Len <= TableBits) { + + for (Index = Start[Len]; Index < NextCode; Index++) { ++ if (Index >= MaxTableLength) { ++ return (UINT16) BAD_TABLE; ++ } + Table[Index] = Char; + } + +@@ -643,10 +651,14 @@ Returns: (VOID) + + BytesRemain--; + while ((INT16) (BytesRemain) >= 0) { +- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + if (Sd->mOutBuf >= Sd->mOrigSize) { + return ; + } ++ if (DataIdx >= Sd->mOrigSize) { ++ Sd->mBadTableFlag = (UINT16) BAD_TABLE; ++ return ; ++ } ++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + + BytesRemain--; + } +@@ -684,6 +696,7 @@ Returns: + --*/ + { + UINT8 *Src; ++ UINT32 CompSize; + + *ScratchSize = sizeof (SCRATCH_DATA); + +@@ -692,7 +705,13 @@ Returns: + return EFI_INVALID_PARAMETER; + } + ++ CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24); + *DstSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24); ++ ++ if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) { ++ return EFI_INVALID_PARAMETER; ++ } ++ + return EFI_SUCCESS; + } + +@@ -752,7 +771,7 @@ Returns: + CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24); + OrigSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24); + +- if (SrcSize < CompSize + 8) { ++ if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) { + return EFI_INVALID_PARAMETER; + } + +diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c +index 046fb36..d07fd9e 100644 +--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c ++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c +@@ -1753,6 +1753,7 @@ Returns: + SCRATCH_DATA *Scratch; + UINT8 *Src; + UINT32 OrigSize; ++ UINT32 CompSize; + + SetUtilityName(UTILITY_NAME); + +@@ -1761,6 +1762,7 @@ Returns: + OutBuffer = NULL; + Scratch = NULL; + OrigSize = 0; ++ CompSize = 0; + InputLength = 0; + InputFileName = NULL; + OutputFileName = NULL; +@@ -1979,15 +1981,24 @@ Returns: + if (DebugMode) { + DebugMsg(UTILITY_NAME, 0, DebugLevel, "Decoding\n", NULL); + } ++ if (InputLength < 8){ ++ Error (NULL, 0, 3000, "Invalid", "The input file %s is too small.", InputFileName); ++ goto ERROR; ++ } + // + // Get Compressed file original size + // + Src = (UINT8 *)FileBuffer; + OrigSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24); ++ CompSize = Src[0] + (Src[1] << 8) + (Src[2] <<16) + (Src[3] <<24); + + // + // Allocate OutputBuffer + // ++ if (InputLength < CompSize + 8 || (CompSize + 8) < 8) { ++ Error (NULL, 0, 3000, "Invalid", "The input file %s data is invalid.", InputFileName); ++ goto ERROR; ++ } + OutBuffer = (UINT8 *)malloc(OrigSize); + if (OutBuffer == NULL) { + Error (NULL, 0, 4001, "Resource:", "Memory cannot be allocated!"); +@@ -2171,12 +2182,16 @@ Returns: + UINT16 Mask; + UINT16 WordOfStart; + UINT16 WordOfCount; ++ UINT16 MaxTableLength; + + for (Index = 0; Index <= 16; Index++) { + Count[Index] = 0; + } + + for (Index = 0; Index < NumOfChar; Index++) { ++ if (BitLen[Index] > 16) { ++ return (UINT16) BAD_TABLE; ++ } + Count[BitLen[Index]]++; + } + +@@ -2220,6 +2235,7 @@ Returns: + + Avail = NumOfChar; + Mask = (UINT16) (1U << (15 - TableBits)); ++ MaxTableLength = (UINT16) (1U << TableBits); + + for (Char = 0; Char < NumOfChar; Char++) { + +@@ -2233,6 +2249,9 @@ Returns: + if (Len <= TableBits) { + + for (Index = Start[Len]; Index < NextCode; Index++) { ++ if (Index >= MaxTableLength) { ++ return (UINT16) BAD_TABLE; ++ } + Table[Index] = Char; + } + +@@ -2617,11 +2636,16 @@ Returns: (VOID) + DataIdx = Sd->mOutBuf - DecodeP (Sd) - 1; + + BytesRemain--; ++ + while ((INT16) (BytesRemain) >= 0) { +- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + if (Sd->mOutBuf >= Sd->mOrigSize) { + goto Done ; + } ++ if (DataIdx >= Sd->mOrigSize) { ++ Sd->mBadTableFlag = (UINT16) BAD_TABLE; ++ goto Done ; ++ } ++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + + BytesRemain--; + } +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch b/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch new file mode 100644 index 0000000..470e911 --- /dev/null +++ b/SOURCES/ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch @@ -0,0 +1,94 @@ +From 461390a9ced1986f752b2e64f36f3deee982eb6d Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Wed, 13 Feb 2019 09:50:48 +0100 +Subject: [PATCH 05/13] BaseTools: Fix UEFI and Tiano Decompression logic issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190213085050.20766-6-philmd@redhat.com> +Patchwork-id: 84484 +O-Subject: [RHEL-7.7 ovmf PATCH v3 5/7] BaseTools: Fix UEFI and Tiano + Decompression logic issue +Bugzilla: 1666586 +Acked-by: Laszlo Ersek +Acked-by: Vitaly Kuznetsov + +From: Philippe Mathieu-Daudé + +From: Liming Gao + +--v-- RHEL7 note start --v-- + +While reviewing the RHEL8 original of this backport, Laszlo had to look +at the "BaseTools/Source/C/TianoCompress/TianoCompress.c" hunk for a +while longer, due to commit 472eb3b89682 missing down-stream, which he +remembered from downstream commit 29c394f110b1. + +However, this hunk affects the Decode() function, which is not affected +by the upstream-only "UefiCompress method", and also not affected by the +related upstream-only Decompress()->TDecompress() rename. Decode() -- +i.e. the function being patched -- is called from Decompress() / +TDecompress(). + +Therefore, the "git backport-diff" report in the blurb which marks this +backport patch "identical", is credible. + +--^-- RHEL7 note end --^-- + +https://bugzilla.tianocore.org/show_bug.cgi?id=1317 + +This is a regression issue caused by 041d89bc0f0119df37a5fce1d0f16495ff905089. +In Decode() function, once mOutBuf is fully filled, Decode() should return. +Current logic misses the checker of mOutBuf after while() loop. + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Liming Gao +Cc: Yonghong Zhu +Reviewed-by: Yonghong Zhu +(cherry picked from commit 5e45a1fdcfbf9b2b389122eb97475148594625f8) +Signed-off-by: Philippe Mathieu-Daudé +(cherry picked from commit 115cf260ac54a6793a184227d6ae6bfe3da74a56) +Signed-off-by: Philippe Mathieu-Daude +--- + BaseTools/Source/C/Common/Decompress.c | 6 ++++++ + BaseTools/Source/C/TianoCompress/TianoCompress.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c +index bdc10f5..af76f67 100644 +--- a/BaseTools/Source/C/Common/Decompress.c ++++ b/BaseTools/Source/C/Common/Decompress.c +@@ -662,6 +662,12 @@ Returns: (VOID) + + BytesRemain--; + } ++ // ++ // Once mOutBuf is fully filled, directly return ++ // ++ if (Sd->mOutBuf >= Sd->mOrigSize) { ++ return ; ++ } + } + } + +diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c +index d07fd9e..369f7b3 100644 +--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c ++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c +@@ -2649,6 +2649,12 @@ Returns: (VOID) + + BytesRemain--; + } ++ // ++ // Once mOutBuf is fully filled, directly return ++ // ++ if (Sd->mOutBuf >= Sd->mOrigSize) { ++ goto Done ; ++ } + } + } + +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch b/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch new file mode 100644 index 0000000..4e37d43 --- /dev/null +++ b/SOURCES/ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch @@ -0,0 +1,128 @@ +From c48d7ac53b4b387fc70a3803e38d30b50513f90b Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Wed, 13 Feb 2019 09:50:46 +0100 +Subject: [PATCH 03/13] IntelFrameworkModulePkg: Add more checker in + UefiTianoDecompressLib (CVE FIX) + +Message-id: <20190213085050.20766-4-philmd@redhat.com> +Patchwork-id: 84483 +O-Subject: [RHEL-7.7 ovmf PATCH v3 3/7] IntelFrameworkModulePkg: Add more + checker in UefiTianoDecompressLib (CVE FIX) +Bugzilla: 1666586 +Acked-by: Laszlo Ersek +Acked-by: Vitaly Kuznetsov + +From: Laszlo Ersek + +From: Liming Gao + +--v-- RHEL7 note start --v-- + +Unfortunately, the upstream patch series was not structured according to +the CVE reports. This patch contributes to fixing: + +- CVE-2017-5733 +- CVE-2017-5734 +- CVE-2017-5735 + +but not CVE-2017-5731 or CVE-2017-5732 (contrarily to the upstream commit +message). The best I could achieve up-stream was to get the "CVE FIX" +expression into the subject, and a whole-sale dump of the CVEs into the +body. I had not been invited to the original (off-list, embargoed) +analysis and review. + +The trivial context difference (whitespace) is due to RHEL8 lacking +upstream commit 0a6f48249a60 ("IntelFrameworkModulePkg: Clean up source +files", 2018-06-28). I've considered backporting that (since it only +cleans up whitespace). However, the diffstat on that commit convinced me +otherwise: "246 files changed, 4067 insertions(+), 4067 deletions(-)". +I've decided not to do a partial backport of that (i.e. just for +"BaseUefiTianoCustomDecompressLib.c"). + +--^-- RHEL7 note end --^-- + +Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735 +https://bugzilla.tianocore.org/show_bug.cgi?id=686 +To make sure the valid buffer be accessed only. + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Holtsclaw Brent +Signed-off-by: Liming Gao +Reviewed-by: Star Zeng +Acked-by: Laszlo Ersek +(cherry picked from commit 684db6da64bc7b5faee4e1174e801c245f563b5c) +Signed-off-by: Laszlo Ersek +(cherry picked from commit 8358e53013fc62c9556598ad842d233906de00ef) +Signed-off-by: Philippe Mathieu-Daude +--- + .../BaseUefiTianoCustomDecompressLib.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c +index cb009e7..9b00166 100644 +--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c ++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c +@@ -143,6 +143,7 @@ MakeTable ( + UINT16 Mask; + UINT16 WordOfStart; + UINT16 WordOfCount; ++ UINT16 MaxTableLength; + + // + // The maximum mapping table width supported by this internal +@@ -155,6 +156,9 @@ MakeTable ( + } + + for (Index = 0; Index < NumOfChar; Index++) { ++ if (BitLen[Index] > 16) { ++ return (UINT16) BAD_TABLE; ++ } + Count[BitLen[Index]]++; + } + +@@ -196,6 +200,7 @@ MakeTable ( + + Avail = NumOfChar; + Mask = (UINT16) (1U << (15 - TableBits)); ++ MaxTableLength = (UINT16) (1U << TableBits); + + for (Char = 0; Char < NumOfChar; Char++) { + +@@ -209,6 +214,9 @@ MakeTable ( + if (Len <= TableBits) { + + for (Index = Start[Len]; Index < NextCode; Index++) { ++ if (Index >= MaxTableLength) { ++ return (UINT16) BAD_TABLE; ++ } + Table[Index] = Char; + } + +@@ -615,10 +623,14 @@ Decode ( + // + BytesRemain--; + while ((INT16) (BytesRemain) >= 0) { +- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + if (Sd->mOutBuf >= Sd->mOrigSize) { + goto Done ; + } ++ if (DataIdx >= Sd->mOrigSize) { ++ Sd->mBadTableFlag = (UINT16) BAD_TABLE; ++ goto Done ; ++ } ++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + + BytesRemain--; + } +@@ -688,7 +700,7 @@ UefiDecompressGetInfo ( + } + + CompressedSize = ReadUnaligned32 ((UINT32 *)Source); +- if (SourceSize < (CompressedSize + 8)) { ++ if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) { + return RETURN_INVALID_PARAMETER; + } + +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch b/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch new file mode 100644 index 0000000..34e3254 --- /dev/null +++ b/SOURCES/ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch @@ -0,0 +1,58 @@ +From e63a98333b858e287b0e88ff0e06bef5d46c635f Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Wed, 13 Feb 2019 09:50:50 +0100 +Subject: [PATCH 07/13] IntelFrameworkModulePkg: Fix UEFI and Tiano + Decompression logic issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190213085050.20766-8-philmd@redhat.com> +Patchwork-id: 84482 +O-Subject: [RHEL-7.7 ovmf PATCH v3 7/7] IntelFrameworkModulePkg: Fix UEFI and + Tiano Decompression logic issue +Bugzilla: 1666586 +Acked-by: Laszlo Ersek +Acked-by: Vitaly Kuznetsov + +From: Philippe Mathieu-Daudé + +From: Liming Gao + +https://bugzilla.tianocore.org/show_bug.cgi?id=1317 + +This is a regression issue caused by 684db6da64bc7b5faee4e1174e801c245f563b5c. +In Decode() function, once mOutBuf is fully filled, Decode() should return. +Current logic misses the checker of mOutBuf after while() loop. + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Liming Gao +Reviewed-by: Yonghong Zhu +(cherry picked from commit ade71c52a49d659b20c0b433fb11ddb4f4f543c4) +Signed-off-by: Philippe Mathieu-Daudé +(cherry picked from commit 601458a0a87bf4169d1f0c81c0bb454d22abe8f0) +Signed-off-by: Philippe Mathieu-Daude +--- + .../BaseUefiTianoCustomDecompressLib.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c +index 9b00166..e34bf4b 100644 +--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c ++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c +@@ -634,6 +634,12 @@ Decode ( + + BytesRemain--; + } ++ // ++ // Once mOutBuf is fully filled, directly return ++ // ++ if (Sd->mOutBuf >= Sd->mOrigSize) { ++ goto Done ; ++ } + } + } + +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch b/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch new file mode 100644 index 0000000..2b48653 --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch @@ -0,0 +1,278 @@ +From 9e68568e34bef0037bb16b3cbe361e559b8da369 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 22 Mar 2019 17:39:35 +0100 +Subject: [PATCH 1/8] MdeModulePkg/HiiDatabase: Fix potential integer overflow + (CVE-2018-12181) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190322163936.10835-2-lersek@redhat.com> +Patchwork-id: 85124 +O-Subject: [RHEL-7.7 ovmf PATCH 1/2] MdeModulePkg/HiiDatabase: Fix potential + integer overflow (CVE-2018-12181) +Bugzilla: 1691479 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Ray Ni + +--v-- RHEL7 note --v-- + +A contextual conflict had to be resolved manually because we don't have +upstream commit 979b7d802c31 ("MdeModulePkg/HiiDB: Make sure database +update behaviors are atomic", 2018-10-26), which was written for upstream +BZ . More +specifically, the context to which upstream ffe5f7a6b4e9 (i.e. the patch +being backported) applies includes EfiAcquireLock() added in 979b7d802c31, +and our downstream context lacks that. + +While reviewing this, I noticed that some of the new error paths +introduced by the more rigorous checking in upstream ffe5f7a6b4e9 fail to +release the lock. For upstream I reported a new BZ about this +, but down-stream, we +don't have the EfiAcquireLock() in the first place, so there is no leak. + +--^-- RHEL7 note --^-- + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135 + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Ray Ni +Cc: Dandan Bi +Cc: Hao A Wu +Reviewed-by: Hao Wu +Reviewed-by: Jian J Wang +(cherry picked from commit ffe5f7a6b4e978dffbe1df228963adc914451106) +--- + MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 126 +++++++++++++++++++++----- + 1 file changed, 103 insertions(+), 23 deletions(-) + +diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c +index 431a5b8..dc9566b 100644 +--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c ++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c +@@ -16,6 +16,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + + #include "HiiDatabase.h" + ++#define MAX_UINT24 0xFFFFFF + + /** + Get the imageid of last image block: EFI_HII_IIBT_END_BLOCK when input +@@ -649,8 +650,16 @@ HiiNewImage ( + return EFI_NOT_FOUND; + } + +- NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) + +- BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height); ++ // ++ // Calcuate the size of new image. ++ // Make sure the size doesn't overflow UINT32. ++ // Note: 24Bit BMP occpuies 3 bytes per pixel. ++ // ++ NewBlockSize = (UINT32)Image->Width * Image->Height; ++ if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL)); + + // + // Get the image package in the package list, +@@ -669,6 +678,18 @@ HiiNewImage ( + // + // Update the package's image block by appending the new block to the end. + // ++ ++ // ++ // Make sure the final package length doesn't overflow. ++ // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24. ++ // ++ if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ // ++ // Because ImagePackage->ImageBlockSize < ImagePackage->ImagePkgHdr.Header.Length, ++ // So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24 ++ // + ImageBlocks = AllocatePool (ImagePackage->ImageBlockSize + NewBlockSize); + if (ImageBlocks == NULL) { + return EFI_OUT_OF_RESOURCES; +@@ -699,6 +720,13 @@ HiiNewImage ( + + } else { + // ++ // Make sure the final package length doesn't overflow. ++ // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24. ++ // ++ if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) + sizeof (EFI_HII_IIBT_END_BLOCK))) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ // + // The specified package list does not contain image package. + // Create one to add this image block. + // +@@ -895,8 +923,11 @@ IGetImage ( + // Use the common block code since the definition of these structures is the same. + // + CopyMem (&Iibt1bit, CurrentImageBlock, sizeof (EFI_HII_IIBT_IMAGE_1BIT_BLOCK)); +- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * +- ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height); ++ ImageLength = (UINTN) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height; ++ if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ImageLength *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); + Image->Bitmap = AllocateZeroPool (ImageLength); + if (Image->Bitmap == NULL) { + return EFI_OUT_OF_RESOURCES; +@@ -945,9 +976,13 @@ IGetImage ( + // fall through + // + case EFI_HII_IIBT_IMAGE_24BIT: +- Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width); ++ Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width); + Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height); +- ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) Width * Height); ++ ImageLength = (UINTN)Width * Height; ++ if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ImageLength *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); + Image->Bitmap = AllocateZeroPool (ImageLength); + if (Image->Bitmap == NULL) { + return EFI_OUT_OF_RESOURCES; +@@ -1114,8 +1149,23 @@ HiiSetImage ( + // + // Create the new image block according to input image. + // +- NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL) + +- BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height); ++ ++ // ++ // Make sure the final package length doesn't overflow. ++ // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24. ++ // 24Bit BMP occpuies 3 bytes per pixel. ++ // ++ NewBlockSize = (UINT32)Image->Width * Image->Height; ++ if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL)); ++ if ((NewBlockSize > OldBlockSize) && ++ (NewBlockSize - OldBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) ++ ) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ + // + // Adjust the image package to remove the original block firstly then add the new block. + // +@@ -1207,8 +1257,8 @@ HiiDrawImage ( + EFI_IMAGE_OUTPUT *ImageOut; + EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer; + UINTN BufferLen; +- UINTN Width; +- UINTN Height; ++ UINT16 Width; ++ UINT16 Height; + UINTN Xpos; + UINTN Ypos; + UINTN OffsetY1; +@@ -1269,21 +1319,36 @@ HiiDrawImage ( + // + if (*Blt != NULL) { + // ++ // Make sure the BltX and BltY is inside the Blt area. ++ // ++ if ((BltX >= (*Blt)->Width) || (BltY >= (*Blt)->Height)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ // + // Clip the image by (Width, Height) + // + + Width = Image->Width; + Height = Image->Height; + +- if (Width > (*Blt)->Width - BltX) { +- Width = (*Blt)->Width - BltX; ++ if (Width > (*Blt)->Width - (UINT16)BltX) { ++ Width = (*Blt)->Width - (UINT16)BltX; + } +- if (Height > (*Blt)->Height - BltY) { +- Height = (*Blt)->Height - BltY; ++ if (Height > (*Blt)->Height - (UINT16)BltY) { ++ Height = (*Blt)->Height - (UINT16)BltY; + } + +- BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); +- BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool (BufferLen); ++ // ++ // Prepare the buffer for the temporary image. ++ // Make sure the buffer size doesn't overflow UINTN. ++ // ++ BufferLen = Width * Height; ++ if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); ++ BltBuffer = AllocateZeroPool (BufferLen); + if (BltBuffer == NULL) { + return EFI_OUT_OF_RESOURCES; + } +@@ -1346,11 +1411,26 @@ HiiDrawImage ( + // + // Allocate a new bitmap to hold the incoming image. + // +- Width = Image->Width + BltX; +- Height = Image->Height + BltY; + +- BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); +- BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool (BufferLen); ++ // ++ // Make sure the final width and height doesn't overflow UINT16. ++ // ++ if ((BltX > (UINTN)MAX_UINT16 - Image->Width) || (BltY > (UINTN)MAX_UINT16 - Image->Height)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ Width = Image->Width + (UINT16)BltX; ++ Height = Image->Height + (UINT16)BltY; ++ ++ // ++ // Make sure the output image size doesn't overflow UINTN. ++ // ++ BufferLen = Width * Height; ++ if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); ++ BltBuffer = AllocateZeroPool (BufferLen); + if (BltBuffer == NULL) { + return EFI_OUT_OF_RESOURCES; + } +@@ -1360,8 +1440,8 @@ HiiDrawImage ( + FreePool (BltBuffer); + return EFI_OUT_OF_RESOURCES; + } +- ImageOut->Width = (UINT16) Width; +- ImageOut->Height = (UINT16) Height; ++ ImageOut->Width = Width; ++ ImageOut->Height = Height; + ImageOut->Image.Bitmap = BltBuffer; + + // +@@ -1375,7 +1455,7 @@ HiiDrawImage ( + return Status; + } + ASSERT (FontInfo != NULL); +- for (Index = 0; Index < Width * Height; Index++) { ++ for (Index = 0; Index < (UINTN)Width * Height; Index++) { + BltBuffer[Index] = FontInfo->BackgroundColor; + } + FreePool (FontInfo); +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch b/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch new file mode 100644 index 0000000..aff5831 --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch @@ -0,0 +1,66 @@ +From 44941e738b975e52a6494cfd9f71db5ad3f411b8 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 22 Mar 2019 17:39:36 +0100 +Subject: [PATCH 2/8] MdeModulePkg/HiiImage: Fix stack overflow when corrupted + BMP is parsed (CVE-2018-12181) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190322163936.10835-3-lersek@redhat.com> +Patchwork-id: 85123 +O-Subject: [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/HiiImage: Fix stack overflow + when corrupted BMP is parsed (CVE-2018-12181) +Bugzilla: 1691479 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Ray Ni + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135 + +For 4bit BMP, there are only 2^4 = 16 colors in the palette. +But when a corrupted BMP contains more than 16 colors in the palette, +today's implementation wrongly copies all colors to the local +PaletteValue[16] array which causes stack overflow. + +The similar issue also exists in the logic to handle 8bit BMP. + +The patch fixes the issue by only copies the first 16 or 256 colors +in the palette depending on the BMP type. + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Ray Ni +Cc: Liming Gao +Cc: Jiewen Yao +Reviewed-by: Jian J Wang +(cherry picked from commit 89910a39dcfd788057caa5d88b7e76e112d187b5) +--- + MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c +index dc9566b..9829bdd 100644 +--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c ++++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c +@@ -370,7 +370,7 @@ Output4bitPixel ( + PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL)); + + ZeroMem (PaletteValue, sizeof (PaletteValue)); +- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum); ++ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue))); + FreePool (Palette); + + // +@@ -447,7 +447,7 @@ Output8bitPixel ( + CopyMem (Palette, PaletteInfo, PaletteSize); + PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL)); + ZeroMem (PaletteValue, sizeof (PaletteValue)); +- CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum); ++ CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue))); + FreePool (Palette); + + // +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch new file mode 100644 index 0000000..3aeb39d --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch @@ -0,0 +1,97 @@ +From 5c43edaf8f41ad18bc66c29fea9b039488d858c8 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 22 Mar 2019 21:53:19 +0100 +Subject: [PATCH 3/8] MdeModulePkg/PartitionDxe: Add check for underlying + device block size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190322205323.17693-2-lersek@redhat.com> +Patchwork-id: 85131 +O-Subject: [RHEL-7.7 ovmf PATCH 1/5] MdeModulePkg/PartitionDxe: Add check for + underlying device block size +Bugzilla: 1691647 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Hao Wu + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828 + +Within FindAnchorVolumeDescriptorPointer(): + +Add a check for the underlying device block size to ensure it is greater +than the size of an Anchor Volume Descriptor Pointer. + +Cc: Ruiyu Ni +Cc: Jiewen Yao +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Hao Wu +Reviewed-by: Paulo Alcantara +Acked-by: Star Zeng +(cherry picked from commit 4df8f5bfa28b8b881e506437e8f08d92c1a00370) +Signed-off-by: Laszlo Ersek +--- + MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c | 29 ++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c +index 83bd174..49c56f6 100644 +--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c ++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c +@@ -1,8 +1,17 @@ + /** @file + Scan for an UDF file system on a formatted media. + ++ Caution: This file requires additional review when modified. ++ This driver will have external input - CD/DVD media. ++ This external input must be validated carefully to avoid security issue like ++ buffer overflow, integer overflow. ++ ++ FindUdfFileSystem() routine will consume the media properties and do basic ++ validation. ++ + Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc. + Copyright (C) 2014-2017 Paulo Alcantara ++ Copyright (c) 2018, Intel Corporation. All rights reserved.
+ + This program and the accompanying materials are licensed and made available + under the terms and conditions of the BSD License which accompanies this +@@ -102,6 +111,20 @@ FindAnchorVolumeDescriptorPointer ( + AvdpsCount = 0; + + // ++ // Check if the block size of the underlying media can hold the data of an ++ // Anchor Volume Descriptor Pointer ++ // ++ if (BlockSize < sizeof (UDF_ANCHOR_VOLUME_DESCRIPTOR_POINTER)) { ++ DEBUG (( ++ DEBUG_ERROR, ++ "%a: Media block size 0x%x unable to hold an AVDP.\n", ++ __FUNCTION__, ++ BlockSize ++ )); ++ return EFI_UNSUPPORTED; ++ } ++ ++ // + // Find AVDP at block 256 + // + Status = DiskIo->ReadDisk ( +@@ -598,6 +621,12 @@ Out_Free: + /** + Find a supported UDF file system in block device. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from Partition. ++ ++ The CD/DVD media is the external input, so this routine will do basic ++ validation for the media. ++ + @param[in] BlockIo BlockIo interface. + @param[in] DiskIo DiskIo interface. + @param[out] StartingLBA UDF file system starting LBA. +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch index 9f0dfe7..f925de0 100644 --- a/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch +++ b/SOURCES/ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch @@ -1,26 +1,26 @@ -From 582ce8009e286361be2468d48c0c7763edc62718 Mon Sep 17 00:00:00 2001 +From 29d5545ca1b9cefb7e813b65e36eb9efc192fbc0 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek -Date: Fri, 1 Mar 2019 12:38:19 +0100 -Subject: [PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR +Date: Fri, 1 Mar 2019 13:16:46 +0100 +Subject: [PATCH 08/13] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180) -Message-id: <20190301113820.13948-3-lersek@redhat.com> -Patchwork-id: 84753 -O-Subject: [RHEL-7.6.z ovmf PATCH 2/3] MdeModulePkg/PartitionDxe: Ensure - blocksize holds MBR (CVE-2018-12180) -Bugzilla: 1684006 +Message-id: <20190301121647.16026-2-lersek@redhat.com> +Patchwork-id: 84756 +O-Subject: [RHEL-7.7 ovmf PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize + holds MBR (CVE-2018-12180) +Bugzilla: 1684007 Acked-by: Thomas Huth Acked-by: Vitaly Kuznetsov From: Hao Wu ---v-- RHEL-7.6 note --v-- +--v-- RHEL-7.7 note --v-- Trivial conflicts resolved in "Gpt.c" and "Mbr.c": up-stream, the Intel copyright notice got meanwhile extended to 2018, in commit d1102dba7210 ("MdeModulePkg: Clean up source files", 2018-06-28). ---^-- RHEL-7.6 note --^-- +--^-- RHEL-7.7 note --^-- REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134 diff --git a/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch index d12d1d1..6e3cf06 100644 --- a/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch +++ b/SOURCES/ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch @@ -1,14 +1,14 @@ -From 9d78bac116d939d3a833150747e29e861b75eedc Mon Sep 17 00:00:00 2001 +From 8104f654744067eca1cc96d2156742dc1155b5b7 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek -Date: Fri, 1 Mar 2019 12:38:20 +0100 -Subject: [PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size +Date: Fri, 1 Mar 2019 13:16:47 +0100 +Subject: [PATCH 09/13] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180) -Message-id: <20190301113820.13948-4-lersek@redhat.com> -Patchwork-id: 84754 -O-Subject: [RHEL-7.6.z ovmf PATCH 3/3] MdeModulePkg/RamDiskDxe: Restrict on RAM +Message-id: <20190301121647.16026-3-lersek@redhat.com> +Patchwork-id: 84757 +O-Subject: [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180) -Bugzilla: 1684006 +Bugzilla: 1684007 Acked-by: Thomas Huth Acked-by: Vitaly Kuznetsov diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch new file mode 100644 index 0000000..704ef2d --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch @@ -0,0 +1,57 @@ +From adfd3101494f52d71cbd8d15be9146e7570e6397 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 22 Mar 2019 21:53:22 +0100 +Subject: [PATCH 6/8] MdeModulePkg/UdfDxe: Add boundary check for + ComponentIdentifier decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190322205323.17693-5-lersek@redhat.com> +Patchwork-id: 85133 +O-Subject: [RHEL-7.7 ovmf PATCH 4/5] MdeModulePkg/UdfDxe: Add boundary check for + ComponentIdentifier decode +Bugzilla: 1691647 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Hao Wu + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828 + +Within ResolveSymlink(): + +The boundary check will validate the 'LengthofComponentIdentifier' field +of a Path Component matches the data within the relating (Extended) File +Entry. + +Cc: Ruiyu Ni +Cc: Jiewen Yao +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Hao Wu +Reviewed-by: Paulo Alcantara +Acked-by: Star Zeng +(cherry picked from commit 89f75aa04a97293a8ed9db2a90851a5053730cf5) +Signed-off-by: Laszlo Ersek +--- + MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +index 0012075..1aefed8 100644 +--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c ++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +@@ -2137,6 +2137,10 @@ ResolveSymlink ( + return EFI_VOLUME_CORRUPTED; + } + ++ if ((UINTN)PathComp->ComponentIdentifier + PathCompLength > (UINTN)EndData) { ++ return EFI_VOLUME_CORRUPTED; ++ } ++ + Char = FileName; + for (Index = 1; Index < PathCompLength; Index++) { + if (CompressionId == 16) { +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch new file mode 100644 index 0000000..a7758b6 --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch @@ -0,0 +1,103 @@ +From 288997968e9c6352b09930c23fc05f53e3bc0dad Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 22 Mar 2019 21:53:23 +0100 +Subject: [PATCH 7/8] MdeModulePkg/UdfDxe: Add boundary check for getting + volume (free) size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190322205323.17693-6-lersek@redhat.com> +Patchwork-id: 85134 +O-Subject: [RHEL-7.7 ovmf PATCH 5/5] MdeModulePkg/UdfDxe: Add boundary check for + getting volume (free) size +Bugzilla: 1691647 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Hao Wu + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828 + +Within GetVolumeSize(): + +The boundary check will validate the 'NumberOfPartitions' field of a +Logical Volume Integrity Descriptor matches the data within the relating +Logical Volume Descriptor. + +Cc: Ruiyu Ni +Cc: Jiewen Yao +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Hao Wu +Reviewed-by: Paulo Alcantara +Acked-by: Star Zeng +(cherry picked from commit 3b30351b75d70ea65701ac999875fbb81a89a5ca) +Signed-off-by: Laszlo Ersek +--- + .../Universal/Disk/UdfDxe/FileSystemOperations.c | 17 ++++++++++++++++- + MdeModulePkg/Universal/Disk/UdfDxe/Udf.h | 7 +++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +index 1aefed8..ae19a42 100644 +--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c ++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +@@ -2451,6 +2451,13 @@ SetFileInfo ( + /** + Get volume and free space size information of an UDF volume. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are ++ external inputs, so this routine will do basic validation for both descriptors ++ and report status. ++ + @param[in] BlockIo BlockIo interface. + @param[in] DiskIo DiskIo interface. + @param[in] Volume UDF volume information structure. +@@ -2489,7 +2496,8 @@ GetVolumeSize ( + + ExtentAd = &LogicalVolDesc->IntegritySequenceExtent; + +- if (ExtentAd->ExtentLength == 0) { ++ if ((ExtentAd->ExtentLength == 0) || ++ (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) { + return EFI_VOLUME_CORRUPTED; + } + +@@ -2529,6 +2537,13 @@ GetVolumeSize ( + goto Out_Free; + } + ++ if ((LogicalVolInt->NumberOfPartitions > MAX_UINT32 / sizeof (UINT32) / 2) || ++ (LogicalVolInt->NumberOfPartitions * sizeof (UINT32) * 2 > ++ ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) { ++ Status = EFI_VOLUME_CORRUPTED; ++ goto Out_Free; ++ } ++ + *VolumeSize = 0; + *FreeSpaceSize = 0; + +diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h +index 9b82441..b054c62 100644 +--- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h ++++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h +@@ -903,6 +903,13 @@ SetFileInfo ( + /** + Get volume and free space size information of an UDF volume. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are ++ external inputs, so this routine will do basic validation for both descriptors ++ and report status. ++ + @param[in] BlockIo BlockIo interface. + @param[in] DiskIo DiskIo interface. + @param[in] Volume UDF volume information structure. +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch new file mode 100644 index 0000000..539ce62 --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch @@ -0,0 +1,156 @@ +From 8a7cd4ba31848171f596a1eb1df0bc06633d3276 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 22 Mar 2019 21:53:21 +0100 +Subject: [PATCH 5/8] MdeModulePkg/UdfDxe: Add boundary check the read of + FE/EFE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190322205323.17693-4-lersek@redhat.com> +Patchwork-id: 85130 +O-Subject: [RHEL-7.7 ovmf PATCH 3/5] MdeModulePkg/UdfDxe: Add boundary check the + read of FE/EFE +Bugzilla: 1691647 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Hao Wu + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828 + +Within ReadFile(): + +Add checks to ensure that when getting the raw data or the Allocation +Descriptors' data from a FE/EFE, it will not consume data beyond the +size of a FE/EFE. + +Cc: Ruiyu Ni +Cc: Jiewen Yao +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Hao Wu +Reviewed-by: Paulo Alcantara +Acked-by: Star Zeng +(cherry picked from commit 5c0748f43f4e1cc15fdd0be64a764eacd7df92f6) +Signed-off-by: Laszlo Ersek +--- + .../Universal/Disk/UdfDxe/FileSystemOperations.c | 54 ++++++++++++++++++++-- + 1 file changed, 50 insertions(+), 4 deletions(-) + +diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +index 424f41c..0012075 100644 +--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c ++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +@@ -504,15 +504,27 @@ DuplicateFe ( + + NOTE: The FE/EFE can be thought it was an inode. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The (Extended) File Entry is external input, so this routine will do basic ++ validation for (Extended) File Entry and report status. ++ + @param[in] FileEntryData (Extended) File Entry pointer. ++ @param[in] FileEntrySize Size of the (Extended) File Entry specified ++ by FileEntryData. + @param[out] Data Buffer contains the raw data of a given + (Extended) File Entry. + @param[out] Length Length of the data in Buffer. + ++ @retval EFI_SUCCESS Raw data and size of the FE/EFE was read. ++ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted. ++ + **/ +-VOID ++EFI_STATUS + GetFileEntryData ( + IN VOID *FileEntryData, ++ IN UINTN FileEntrySize, + OUT VOID **Data, + OUT UINT64 *Length + ) +@@ -536,20 +548,40 @@ GetFileEntryData ( + *Data = (VOID *)((UINT8 *)FileEntry->Data + + FileEntry->LengthOfExtendedAttributes); + } ++ ++ if ((*Length > FileEntrySize) || ++ ((UINTN)FileEntryData > (UINTN)(*Data)) || ++ ((UINTN)(*Data) - (UINTN)FileEntryData > FileEntrySize - *Length)) { ++ return EFI_VOLUME_CORRUPTED; ++ } ++ return EFI_SUCCESS; + } + + /** + Get Allocation Descriptors' data information from a given FE/EFE. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The (Extended) File Entry is external input, so this routine will do basic ++ validation for (Extended) File Entry and report status. ++ + @param[in] FileEntryData (Extended) File Entry pointer. ++ @param[in] FileEntrySize Size of the (Extended) File Entry specified ++ by FileEntryData. + @param[out] AdsData Buffer contains the Allocation Descriptors' + data from a given FE/EFE. + @param[out] Length Length of the data in AdsData. + ++ @retval EFI_SUCCESS The data and size of Allocation Descriptors ++ were read from the FE/EFE. ++ @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted. ++ + **/ +-VOID ++EFI_STATUS + GetAdsInformation ( + IN VOID *FileEntryData, ++ IN UINTN FileEntrySize, + OUT VOID **AdsData, + OUT UINT64 *Length + ) +@@ -573,6 +605,13 @@ GetAdsInformation ( + *AdsData = (VOID *)((UINT8 *)FileEntry->Data + + FileEntry->LengthOfExtendedAttributes); + } ++ ++ if ((*Length > FileEntrySize) || ++ ((UINTN)FileEntryData > (UINTN)(*AdsData)) || ++ ((UINTN)(*AdsData) - (UINTN)FileEntryData > FileEntrySize - *Length)) { ++ return EFI_VOLUME_CORRUPTED; ++ } ++ return EFI_SUCCESS; + } + + /** +@@ -1066,7 +1105,10 @@ ReadFile ( + // + // There are no extents for this FE/EFE. All data is inline. + // +- GetFileEntryData (FileEntryData, &Data, &Length); ++ Status = GetFileEntryData (FileEntryData, Volume->FileEntrySize, &Data, &Length); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } + + if (ReadFileInfo->Flags == ReadFileGetFileSize) { + ReadFileInfo->ReadLength = Length; +@@ -1110,7 +1152,11 @@ ReadFile ( + // This FE/EFE contains a run of Allocation Descriptors. Get data + size + // for start reading them out. + // +- GetAdsInformation (FileEntryData, &Data, &Length); ++ Status = GetAdsInformation (FileEntryData, Volume->FileEntrySize, &Data, &Length); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ + AdOffset = 0; + + for (;;) { +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch new file mode 100644 index 0000000..75f4fb9 --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch @@ -0,0 +1,358 @@ +From 070a96e19dc08a87906035a1b0a67e8a3973a900 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 22 Mar 2019 21:53:20 +0100 +Subject: [PATCH 4/8] MdeModulePkg/UdfDxe: Refine boundary checks for file/path + name string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190322205323.17693-3-lersek@redhat.com> +Patchwork-id: 85132 +O-Subject: [RHEL-7.7 ovmf PATCH 2/5] MdeModulePkg/UdfDxe: Refine boundary checks + for file/path name string +Bugzilla: 1691647 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Hao Wu + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=828 + +The commit refines the boundary checks for file/path name string to +prevent possible buffer overrun. + +Cc: Ruiyu Ni +Cc: Jiewen Yao +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Hao Wu +Reviewed-by: Paulo Alcantara +Acked-by: Star Zeng +(cherry picked from commit b9ae1705adfdd43668027a25a2b03c2e81960219) +Signed-off-by: Laszlo Ersek +--- + MdeModulePkg/Universal/Disk/UdfDxe/File.c | 30 ++++++++-- + .../Universal/Disk/UdfDxe/FileSystemOperations.c | 65 +++++++++++++++++++--- + MdeModulePkg/Universal/Disk/UdfDxe/Udf.h | 30 +++++++++- + 3 files changed, 110 insertions(+), 15 deletions(-) + +diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/File.c b/MdeModulePkg/Universal/Disk/UdfDxe/File.c +index 6f07bf2..bd723d0 100644 +--- a/MdeModulePkg/Universal/Disk/UdfDxe/File.c ++++ b/MdeModulePkg/Universal/Disk/UdfDxe/File.c +@@ -2,6 +2,7 @@ + Handle operations in files and directories from UDF/ECMA-167 file systems. + + Copyright (C) 2014-2017 Paulo Alcantara ++ Copyright (c) 2018, Intel Corporation. All rights reserved.
+ + This program and the accompanying materials are licensed and made available + under the terms and conditions of the BSD License which accompanies this +@@ -248,7 +249,7 @@ UdfOpen ( + FileName = TempFileName + 1; + } + +- StrCpyS (NewPrivFileData->FileName, UDF_PATH_LENGTH, FileName); ++ StrCpyS (NewPrivFileData->FileName, UDF_FILENAME_LENGTH, FileName); + + Status = GetFileSize ( + PrivFsData->BlockIo, +@@ -444,7 +445,7 @@ UdfRead ( + FreePool ((VOID *)NewFileEntryData); + NewFileEntryData = FoundFile.FileEntry; + +- Status = GetFileNameFromFid (NewFileIdentifierDesc, FileName); ++ Status = GetFileNameFromFid (NewFileIdentifierDesc, ARRAY_SIZE (FileName), FileName); + if (EFI_ERROR (Status)) { + FreePool ((VOID *)FoundFile.FileIdentifierDesc); + goto Error_Get_FileName; +@@ -456,7 +457,7 @@ UdfRead ( + FoundFile.FileIdentifierDesc = NewFileIdentifierDesc; + FoundFile.FileEntry = NewFileEntryData; + +- Status = GetFileNameFromFid (FoundFile.FileIdentifierDesc, FileName); ++ Status = GetFileNameFromFid (FoundFile.FileIdentifierDesc, ARRAY_SIZE (FileName), FileName); + if (EFI_ERROR (Status)) { + goto Error_Get_FileName; + } +@@ -718,6 +719,12 @@ UdfSetPosition ( + /** + Get information about a file. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The File Set Descriptor is external input, so this routine will do basic ++ validation for File Set Descriptor and report status. ++ + @param This Protocol instance pointer. + @param InformationType Type of information to return in Buffer. + @param BufferSize On input size of buffer, on output amount of data in +@@ -794,6 +801,10 @@ UdfGetInfo ( + *String = *(UINT8 *)(OstaCompressed + Index) << 8; + Index++; + } else { ++ if (Index > ARRAY_SIZE (VolumeLabel)) { ++ return EFI_VOLUME_CORRUPTED; ++ } ++ + *String = 0; + } + +@@ -813,7 +824,11 @@ UdfGetInfo ( + String++; + } + +- *String = L'\0'; ++ Index = ((UINTN)String - (UINTN)VolumeLabel) / sizeof (CHAR16); ++ if (Index > ARRAY_SIZE (VolumeLabel) - 1) { ++ Index = ARRAY_SIZE (VolumeLabel) - 1; ++ } ++ VolumeLabel[Index] = L'\0'; + + FileSystemInfoLength = StrSize (VolumeLabel) + + sizeof (EFI_FILE_SYSTEM_INFO); +@@ -823,8 +838,11 @@ UdfGetInfo ( + } + + FileSystemInfo = (EFI_FILE_SYSTEM_INFO *)Buffer; +- StrCpyS (FileSystemInfo->VolumeLabel, ARRAY_SIZE (VolumeLabel), +- VolumeLabel); ++ StrCpyS ( ++ FileSystemInfo->VolumeLabel, ++ (*BufferSize - OFFSET_OF (EFI_FILE_SYSTEM_INFO, VolumeLabel)) / sizeof (CHAR16), ++ VolumeLabel ++ ); + Status = GetVolumeSize ( + PrivFsData->BlockIo, + PrivFsData->DiskIo, +diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +index ecc1723..424f41c 100644 +--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c ++++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c +@@ -2,6 +2,7 @@ + Handle on-disk format and volume structures in UDF/ECMA-167 file systems. + + Copyright (C) 2014-2017 Paulo Alcantara ++ Copyright (c) 2018, Intel Corporation. All rights reserved.
+ + This program and the accompanying materials are licensed and made available + under the terms and conditions of the BSD License which accompanies this +@@ -1412,7 +1413,7 @@ InternalFindFile ( + break; + } + } else { +- Status = GetFileNameFromFid (FileIdentifierDesc, FoundFileName); ++ Status = GetFileNameFromFid (FileIdentifierDesc, ARRAY_SIZE (FoundFileName), FoundFileName); + if (EFI_ERROR (Status)) { + break; + } +@@ -1705,6 +1706,11 @@ FindFile ( + while (*FilePath != L'\0') { + FileNamePointer = FileName; + while (*FilePath != L'\0' && *FilePath != L'\\') { ++ if ((((UINTN)FileNamePointer - (UINTN)FileName) / sizeof (CHAR16)) >= ++ (ARRAY_SIZE (FileName) - 1)) { ++ return EFI_NOT_FOUND; ++ } ++ + *FileNamePointer++ = *FilePath++; + } + +@@ -1882,22 +1888,38 @@ ReadDirectoryEntry ( + Get a filename (encoded in OSTA-compressed format) from a File Identifier + Descriptor on an UDF volume. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The File Identifier Descriptor is external input, so this routine will do ++ basic validation for File Identifier Descriptor and report status. ++ + @param[in] FileIdentifierDesc File Identifier Descriptor pointer. ++ @param[in] CharMax The maximum number of FileName Unicode char, ++ including terminating null char. + @param[out] FileName Decoded filename. + + @retval EFI_SUCCESS Filename decoded and read. + @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted. ++ @retval EFI_BUFFER_TOO_SMALL The string buffer FileName cannot hold the ++ decoded filename. + **/ + EFI_STATUS + GetFileNameFromFid ( + IN UDF_FILE_IDENTIFIER_DESCRIPTOR *FileIdentifierDesc, ++ IN UINTN CharMax, + OUT CHAR16 *FileName + ) + { +- UINT8 *OstaCompressed; +- UINT8 CompressionId; +- UINT8 Length; +- UINTN Index; ++ UINT8 *OstaCompressed; ++ UINT8 CompressionId; ++ UINT8 Length; ++ UINTN Index; ++ CHAR16 *FileNameBak; ++ ++ if (CharMax == 0) { ++ return EFI_BUFFER_TOO_SMALL; ++ } + + OstaCompressed = + (UINT8 *)( +@@ -1910,10 +1932,22 @@ GetFileNameFromFid ( + return EFI_VOLUME_CORRUPTED; + } + ++ FileNameBak = FileName; ++ + // + // Decode filename. + // + Length = FileIdentifierDesc->LengthOfFileIdentifier; ++ if (CompressionId == 16) { ++ if (((UINTN)Length >> 1) > CharMax) { ++ return EFI_BUFFER_TOO_SMALL; ++ } ++ } else { ++ if ((Length != 0) && ((UINTN)Length - 1 > CharMax)) { ++ return EFI_BUFFER_TOO_SMALL; ++ } ++ } ++ + for (Index = 1; Index < Length; Index++) { + if (CompressionId == 16) { + *FileName = OstaCompressed[Index++] << 8; +@@ -1928,7 +1962,11 @@ GetFileNameFromFid ( + FileName++; + } + +- *FileName = L'\0'; ++ Index = ((UINTN)FileName - (UINTN)FileNameBak) / sizeof (CHAR16); ++ if (Index > CharMax - 1) { ++ Index = CharMax - 1; ++ } ++ FileNameBak[Index] = L'\0'; + + return EFI_SUCCESS; + } +@@ -1936,6 +1974,12 @@ GetFileNameFromFid ( + /** + Resolve a symlink file on an UDF volume. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The Path Component is external input, so this routine will do basic ++ validation for Path Component and report status. ++ + @param[in] BlockIo BlockIo interface. + @param[in] DiskIo DiskIo interface. + @param[in] Volume UDF volume information structure. +@@ -2054,6 +2098,9 @@ ResolveSymlink ( + Index) << 8; + Index++; + } else { ++ if (Index > ARRAY_SIZE (FileName)) { ++ return EFI_UNSUPPORTED; ++ } + *Char = 0; + } + +@@ -2064,7 +2111,11 @@ ResolveSymlink ( + Char++; + } + +- *Char = L'\0'; ++ Index = ((UINTN)Char - (UINTN)FileName) / sizeof (CHAR16); ++ if (Index > ARRAY_SIZE (FileName) - 1) { ++ Index = ARRAY_SIZE (FileName) - 1; ++ } ++ FileName[Index] = L'\0'; + break; + } + +diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h +index d441539..9b82441 100644 +--- a/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h ++++ b/MdeModulePkg/Universal/Disk/UdfDxe/Udf.h +@@ -2,6 +2,7 @@ + UDF/ECMA-167 file system driver. + + Copyright (C) 2014-2017 Paulo Alcantara ++ Copyright (c) 2018, Intel Corporation. All rights reserved.
+ + This program and the accompanying materials are licensed and made available + under the terms and conditions of the BSD License which accompanies this +@@ -559,9 +560,16 @@ UdfSetPosition ( + /** + Get information about a file. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The File Set Descriptor is external input, so this routine will do basic ++ validation for File Set Descriptor and report status. ++ + @param This Protocol instance pointer. + @param InformationType Type of information to return in Buffer. +- @param BufferSize On input size of buffer, on output amount of data in buffer. ++ @param BufferSize On input size of buffer, on output amount of data in ++ buffer. + @param Buffer The buffer to return data. + + @retval EFI_SUCCESS Data was returned. +@@ -571,7 +579,8 @@ UdfSetPosition ( + @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted. + @retval EFI_WRITE_PROTECTED The device is write protected. + @retval EFI_ACCESS_DENIED The file was open for read only. +- @retval EFI_BUFFER_TOO_SMALL Buffer was too small; required size returned in BufferSize. ++ @retval EFI_BUFFER_TOO_SMALL Buffer was too small; required size returned in ++ BufferSize. + + **/ + EFI_STATUS +@@ -769,21 +778,38 @@ ReadDirectoryEntry ( + Get a filename (encoded in OSTA-compressed format) from a File Identifier + Descriptor on an UDF volume. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The File Identifier Descriptor is external input, so this routine will do ++ basic validation for File Identifier Descriptor and report status. ++ + @param[in] FileIdentifierDesc File Identifier Descriptor pointer. ++ @param[in] CharMax The maximum number of FileName Unicode char, ++ including terminating null char. + @param[out] FileName Decoded filename. + + @retval EFI_SUCCESS Filename decoded and read. + @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted. ++ @retval EFI_BUFFER_TOO_SMALL The string buffer FileName cannot hold the ++ decoded filename. + **/ + EFI_STATUS + GetFileNameFromFid ( + IN UDF_FILE_IDENTIFIER_DESCRIPTOR *FileIdentifierDesc, ++ IN UINTN CharMax, + OUT CHAR16 *FileName + ); + + /** + Resolve a symlink file on an UDF volume. + ++ @attention This is boundary function that may receive untrusted input. ++ @attention The input is from FileSystem. ++ ++ The Path Component is external input, so this routine will do basic ++ validation for Path Component and report status. ++ + @param[in] BlockIo BlockIo interface. + @param[in] DiskIo DiskIo interface. + @param[in] Volume UDF volume information structure. +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch b/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch new file mode 100644 index 0000000..d093043 --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch @@ -0,0 +1,264 @@ +From 665567cda914855b29632120174ab28be8c6df58 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 9 Apr 2019 16:11:36 +0200 +Subject: [PATCH 8/8] MdeModulePkg UsbBusDxe: Fix wrong buffer length used to + read hub desc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190409141136.27390-2-lersek@redhat.com> +Patchwork-id: 85539 +O-Subject: [RHEL-7.7 ovmf PATCH 1/1] MdeModulePkg UsbBusDxe: Fix wrong buffer + length used to read hub desc +Bugzilla: 1697534 +Acked-by: Philippe Mathieu-Daudé +Acked-by: Vitaly Kuznetsov + +From: Star Zeng + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=973 + +HUB descriptor has variable length. +But the code uses stack (HubDesc in UsbHubInit) with fixed length +sizeof(EFI_USB_HUB_DESCRIPTOR) to hold HUB descriptor data. +It uses hard code length value (32 that is greater than +sizeof(EFI_USB_HUB_DESCRIPTOR)) for SuperSpeed path, then there will +be stack overflow when IOMMU is enabled because the Unmap operation +will copy the data from device buffer to host buffer. +And it uses HubDesc->Length for none SuperSpeed path, then there will +be stack overflow when HubDesc->Length is greater than +sizeof(EFI_USB_HUB_DESCRIPTOR). + +The patch updates the code to use a big enough buffer to hold the +descriptor data. +The definition EFI_USB_SUPER_SPEED_HUB_DESCRIPTOR is wrong (HubDelay +field should be UINT16 type) and no code is using it, the patch +removes it. + +Cc: Jiewen Yao +Cc: Ruiyu Ni +Cc: Bret Barkelew +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Star Zeng +Reviewed-by: Bret Barkelew +(cherry picked from commit acebdf14c985c5c9f50b37ece0b15ada87767359) +Signed-off-by: Laszlo Ersek +--- + MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c | 96 +++++++++++---------------------- + MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h | 14 +---- + 2 files changed, 32 insertions(+), 78 deletions(-) + +diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c +index fabb441..a962f76 100644 +--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c ++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.c +@@ -2,7 +2,7 @@ + + Unified interface for RootHub and Hub. + +-Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.
++Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.
+ This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at +@@ -201,42 +201,7 @@ UsbHubCtrlClearTTBuffer ( + } + + /** +- Usb hub control transfer to get the super speed hub descriptor. +- +- @param HubDev The hub device. +- @param Buf The buffer to hold the descriptor. +- +- @retval EFI_SUCCESS The hub descriptor is retrieved. +- @retval Others Failed to retrieve the hub descriptor. +- +-**/ +-EFI_STATUS +-UsbHubCtrlGetSuperSpeedHubDesc ( +- IN USB_DEVICE *HubDev, +- OUT VOID *Buf +- ) +-{ +- EFI_STATUS Status; +- +- Status = EFI_INVALID_PARAMETER; +- +- Status = UsbCtrlRequest ( +- HubDev, +- EfiUsbDataIn, +- USB_REQ_TYPE_CLASS, +- USB_HUB_TARGET_HUB, +- USB_HUB_REQ_GET_DESC, +- (UINT16) (USB_DESC_TYPE_HUB_SUPER_SPEED << 8), +- 0, +- Buf, +- 32 +- ); +- +- return Status; +-} +- +-/** +- Usb hub control transfer to get the hub descriptor. ++ Usb hub control transfer to get the (super speed) hub descriptor. + + @param HubDev The hub device. + @param Buf The buffer to hold the descriptor. +@@ -254,6 +219,11 @@ UsbHubCtrlGetHubDesc ( + ) + { + EFI_STATUS Status; ++ UINT8 DescType; ++ ++ DescType = (HubDev->Speed == EFI_USB_SPEED_SUPER) ? ++ USB_DESC_TYPE_HUB_SUPER_SPEED : ++ USB_DESC_TYPE_HUB; + + Status = UsbCtrlRequest ( + HubDev, +@@ -261,7 +231,7 @@ UsbHubCtrlGetHubDesc ( + USB_REQ_TYPE_CLASS, + USB_HUB_TARGET_HUB, + USB_HUB_REQ_GET_DESC, +- (UINT16) (USB_DESC_TYPE_HUB << 8), ++ (UINT16) (DescType << 8), + 0, + Buf, + Len +@@ -475,29 +445,19 @@ UsbHubReadDesc ( + { + EFI_STATUS Status; + +- if (HubDev->Speed == EFI_USB_SPEED_SUPER) { +- // +- // Get the super speed hub descriptor +- // +- Status = UsbHubCtrlGetSuperSpeedHubDesc (HubDev, HubDesc); +- } else { +- +- // +- // First get the hub descriptor length +- // +- Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, 2); +- +- if (EFI_ERROR (Status)) { +- return Status; +- } ++ // ++ // First get the hub descriptor length ++ // ++ Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, 2); + +- // +- // Get the whole hub descriptor +- // +- Status = UsbHubCtrlGetHubDesc (HubDev, HubDesc, HubDesc->Length); ++ if (EFI_ERROR (Status)) { ++ return Status; + } + +- return Status; ++ // ++ // Get the whole hub descriptor ++ // ++ return UsbHubCtrlGetHubDesc (HubDev, HubDesc, HubDesc->Length); + } + + +@@ -690,7 +650,8 @@ UsbHubInit ( + IN USB_INTERFACE *HubIf + ) + { +- EFI_USB_HUB_DESCRIPTOR HubDesc; ++ UINT8 HubDescBuffer[256]; ++ EFI_USB_HUB_DESCRIPTOR *HubDesc; + USB_ENDPOINT_DESC *EpDesc; + USB_INTERFACE_SETTING *Setting; + EFI_USB_IO_PROTOCOL *UsbIo; +@@ -725,14 +686,19 @@ UsbHubInit ( + return EFI_DEVICE_ERROR; + } + +- Status = UsbHubReadDesc (HubDev, &HubDesc); ++ // ++ // The length field of descriptor is UINT8 type, so the buffer ++ // with 256 bytes is enough to hold the descriptor data. ++ // ++ HubDesc = (EFI_USB_HUB_DESCRIPTOR *) HubDescBuffer; ++ Status = UsbHubReadDesc (HubDev, HubDesc); + + if (EFI_ERROR (Status)) { + DEBUG (( EFI_D_ERROR, "UsbHubInit: failed to read HUB descriptor %r\n", Status)); + return Status; + } + +- HubIf->NumOfPort = HubDesc.NumPorts; ++ HubIf->NumOfPort = HubDesc->NumPorts; + + DEBUG (( EFI_D_INFO, "UsbHubInit: hub %d has %d ports\n", HubDev->Address,HubIf->NumOfPort)); + +@@ -751,7 +717,7 @@ UsbHubInit ( + DEBUG ((EFI_D_INFO, "UsbHubInit: Set Hub Depth as 0x%x\n", Depth)); + UsbHubCtrlSetHubDepth (HubIf->Device, Depth); + +- for (Index = 0; Index < HubDesc.NumPorts; Index++) { ++ for (Index = 0; Index < HubDesc->NumPorts; Index++) { + UsbHubCtrlSetPortFeature (HubIf->Device, Index, USB_HUB_PORT_REMOTE_WAKE_MASK); + } + } else { +@@ -759,15 +725,15 @@ UsbHubInit ( + // Feed power to all the hub ports. It should be ok + // for both gang/individual powered hubs. + // +- for (Index = 0; Index < HubDesc.NumPorts; Index++) { ++ for (Index = 0; Index < HubDesc->NumPorts; Index++) { + UsbHubCtrlSetPortFeature (HubIf->Device, Index, (EFI_USB_PORT_FEATURE) USB_HUB_PORT_POWER); + } + + // + // Update for the usb hub has no power on delay requirement + // +- if (HubDesc.PwrOn2PwrGood > 0) { +- gBS->Stall (HubDesc.PwrOn2PwrGood * USB_SET_PORT_POWER_STALL); ++ if (HubDesc->PwrOn2PwrGood > 0) { ++ gBS->Stall (HubDesc->PwrOn2PwrGood * USB_SET_PORT_POWER_STALL); + } + UsbHubAckHubStatus (HubIf->Device); + } +diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h +index 4e5fcd8..fe9f1f7 100644 +--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h ++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbHub.h +@@ -2,7 +2,7 @@ + + The definition for USB hub. + +-Copyright (c) 2007 - 2010, Intel Corporation. All rights reserved.
++Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.
+ This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at +@@ -115,18 +115,6 @@ typedef struct { + UINT8 Filler[16]; + } EFI_USB_HUB_DESCRIPTOR; + +-typedef struct { +- UINT8 Length; +- UINT8 DescType; +- UINT8 NumPorts; +- UINT16 HubCharacter; +- UINT8 PwrOn2PwrGood; +- UINT8 HubContrCurrent; +- UINT8 HubHdrDecLat; +- UINT8 HubDelay; +- UINT8 DeviceRemovable; +-} EFI_USB_SUPER_SPEED_HUB_DESCRIPTOR; +- + #pragma pack() + + +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch b/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch new file mode 100644 index 0000000..e77f913 --- /dev/null +++ b/SOURCES/ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch @@ -0,0 +1,80 @@ +From 0afba771bf42a9793e86bc565f23a8ca99d53dbb Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Wed, 13 Feb 2019 09:50:44 +0100 +Subject: [PATCH 01/13] MdeModulePkg Variable: Fix Timestamp zeroing issue on + APPEND_WRITE + +Message-id: <20190213085050.20766-2-philmd@redhat.com> +Patchwork-id: 84478 +O-Subject: [RHEL-7.7 ovmf PATCH v3 1/7] MdeModulePkg Variable: Fix Timestamp + zeroing issue on APPEND_WRITE +Bugzilla: 1666586 +Acked-by: Laszlo Ersek +Acked-by: Vitaly Kuznetsov + +From: Laszlo Ersek + +From: Star Zeng + +--v-- RHEL7 note start --v-- + +This patch fixes CVE-2018-3613. Unfortunately, the upstream subject line +does not include the CVE number. I've decided to stick with the upstream +subject verbatim in the backport, so we can more easily drop this patch at +the next rebase. On the upstream list, I did complain loudly, so there's +hope the next CVE fix will advertise the CVE number in the subject. + +In practice, the vulnerability is difficult to exploit. Please refer to +the following messages in the upstream discussion: + + https://lists.01.org/pipermail/edk2-devel/2018-October/031103.html + https://lists.01.org/pipermail/edk2-devel/2018-October/031140.html + +--^-- RHEL7 note end --^-- + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415 + +When SetVariable() to a time based auth variable with APPEND_WRITE +attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in +the input Data is earlier than current value, it will cause timestamp +zeroing. + +This issue may bring time based auth variable downgrade problem. +For example: +A vendor released three certs at 2014, 2015, and 2016, and system +integrated the 2016 cert. User can SetVariable() with 2015 cert and +APPEND_WRITE attribute to cause timestamp zeroing first, then +SetVariable() with 2014 cert to downgrade the cert. + +This patch fixes this issue. + +Cc: Jiewen Yao +Cc: Chao Zhang +Cc: Jian J Wang +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Star Zeng +Reviewed-by: Jiewen Yao +(cherry picked from commit b7dc8888f31402f410c53242839271ba3b94b619) +Signed-off-by: Laszlo Ersek +(cherry picked from commit 3b8ff18ad4ac1af740a979ad27fb83dbbdca70ef) +Signed-off-by: Philippe Mathieu-Daude +--- + MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +index 6caf603..60439b5 100644 +--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c ++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +@@ -2460,6 +2460,8 @@ UpdateVariable ( + if (Variable->CurrPtr != NULL) { + if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) { + CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME)); ++ } else { ++ CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME)); + } + } + } +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch b/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch new file mode 100644 index 0000000..5a90543 --- /dev/null +++ b/SOURCES/ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch @@ -0,0 +1,128 @@ +From 6e3079460fa075f4b44c1031b1e20709979d9424 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Wed, 13 Feb 2019 09:50:45 +0100 +Subject: [PATCH 02/13] MdePkg: Add more checker in UefiDecompressLib to access + the valid buffer only (CVE FIX) + +Message-id: <20190213085050.20766-3-philmd@redhat.com> +Patchwork-id: 84480 +O-Subject: [RHEL-7.7 ovmf PATCH v3 2/7] MdePkg: Add more checker in + UefiDecompressLib to access the valid buffer only (CVE FIX) +Bugzilla: 1666586 +Acked-by: Laszlo Ersek +Acked-by: Vitaly Kuznetsov + +From: Laszlo Ersek + +From: Liming Gao + +--v-- RHEL7 note start --v-- +Unfortunately, the upstream patch series was not structured according to +the CVE reports. This patch contributes to fixing: + +- CVE-2017-5732 +- CVE-2017-5733 +- CVE-2017-5734 +- CVE-2017-5735 + +but not CVE-2017-5731 (contrarily to the upstream commit message). The +best I could achieve up-stream was to get the "CVE FIX" expression into +the subject, and a whole-sale dump of the CVEs into the body. I had not +been invited to the original (off-list, embargoed) analysis and review. + +The trivial context difference (whitespace) is due to RHEL8 lacking +upstream commit 9095d37b8fe5 ("MdePkg: Clean up source files", +2018-06-28). I've considered backporting that (since it only cleans up +whitespace). However, the diffstat on that commit convinced me otherwise: +"729 files changed, 15667 insertions(+), 15667 deletions(-)". I've decided +not to do a partial backport of that (i.e. just for +"BaseUefiDecompressLib.c"). + +--^-- RHEL7 note end --^-- + +Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735 +https://bugzilla.tianocore.org/show_bug.cgi?id=686 + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Holtsclaw Brent +Signed-off-by: Liming Gao +Reviewed-by: Star Zeng +Acked-by: Laszlo Ersek +(cherry picked from commit 2ec7953d49677142c5f7552e9e3d96fb406ba0c4) +Signed-off-by: Laszlo Ersek +(cherry picked from commit 41129e136b621728eb5cb1c81aafcc5fedc53a12) +Signed-off-by: Philippe Mathieu-Daude +--- + .../BaseUefiDecompressLib/BaseUefiDecompressLib.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c +index e818543..0c6b1fe 100644 +--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c ++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c +@@ -152,6 +152,7 @@ MakeTable ( + UINT16 Mask; + UINT16 WordOfStart; + UINT16 WordOfCount; ++ UINT16 MaxTableLength; + + // + // The maximum mapping table width supported by this internal +@@ -164,6 +165,9 @@ MakeTable ( + } + + for (Index = 0; Index < NumOfChar; Index++) { ++ if (BitLen[Index] > 16) { ++ return (UINT16) BAD_TABLE; ++ } + Count[BitLen[Index]]++; + } + +@@ -205,6 +209,7 @@ MakeTable ( + + Avail = NumOfChar; + Mask = (UINT16) (1U << (15 - TableBits)); ++ MaxTableLength = (UINT16) (1U << TableBits); + + for (Char = 0; Char < NumOfChar; Char++) { + +@@ -218,6 +223,9 @@ MakeTable ( + if (Len <= TableBits) { + + for (Index = Start[Len]; Index < NextCode; Index++) { ++ if (Index >= MaxTableLength) { ++ return (UINT16) BAD_TABLE; ++ } + Table[Index] = Char; + } + +@@ -620,11 +628,16 @@ Decode ( + // Write BytesRemain of bytes into mDstBase + // + BytesRemain--; ++ + while ((INT16) (BytesRemain) >= 0) { +- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + if (Sd->mOutBuf >= Sd->mOrigSize) { + goto Done; + } ++ if (DataIdx >= Sd->mOrigSize) { ++ Sd->mBadTableFlag = (UINT16) BAD_TABLE; ++ goto Done; ++ } ++ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++]; + + BytesRemain--; + } +@@ -694,7 +707,7 @@ UefiDecompressGetInfo ( + } + + CompressedSize = ReadUnaligned32 ((UINT32 *)Source); +- if (SourceSize < (CompressedSize + 8)) { ++ if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) { + return RETURN_INVALID_PARAMETER; + } + +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch b/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch new file mode 100644 index 0000000..13ce299 --- /dev/null +++ b/SOURCES/ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch @@ -0,0 +1,59 @@ +From c3915e0546924db36fd1cd85bf77318302168ee6 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Wed, 13 Feb 2019 09:50:49 +0100 +Subject: [PATCH 06/13] MdePkg BaseUefiDecompressLib: Fix UEFI Decompression + logic issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20190213085050.20766-7-philmd@redhat.com> +Patchwork-id: 84485 +O-Subject: [RHEL-7.7 ovmf PATCH v3 6/7] MdePkg BaseUefiDecompressLib: Fix UEFI + Decompression logic issue +Bugzilla: 1666586 +Acked-by: Laszlo Ersek +Acked-by: Vitaly Kuznetsov + +From: Philippe Mathieu-Daudé + +From: Liming Gao + +https://bugzilla.tianocore.org/show_bug.cgi?id=1317 + +This is a regression issue caused by 2ec7953d49677142c5f7552e9e3d96fb406ba0c4. +In Decode() function, once mOutBuf is fully filled, Decode() should return. +Current logic misses the checker of mOutBuf after while() loop. + +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Liming Gao +Cc: Michael Kinney +Reviewed-by: Yonghong Zhu +(cherry picked from commit 1c4cecc9fd314de0dce8125b0d4b45967637a401) +Signed-off-by: Philippe Mathieu-Daudé +(cherry picked from commit c46469847b68f6a1a5b42feaf0de7a83fd0bed85) +Signed-off-by: Philippe Mathieu-Daude +--- + MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c +index 0c6b1fe..8c30e97 100644 +--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c ++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c +@@ -641,6 +641,12 @@ Decode ( + + BytesRemain--; + } ++ // ++ // Once mOutBuf is fully filled, directly return ++ // ++ if (Sd->mOutBuf >= Sd->mOrigSize) { ++ goto Done; ++ } + } + } + +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch b/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch new file mode 100644 index 0000000..aa47c88 --- /dev/null +++ b/SOURCES/ovmf-Upgrade-OpenSSL-to-1.1.0j.patch @@ -0,0 +1,192 @@ +From 05565be8fdd79d641aa22b7b7a686dd68f158ce8 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 13 Feb 2019 22:06:28 +0100 +Subject: [PATCH 13/13] Upgrade OpenSSL to 1.1.0j + +RH-Author: Laszlo Ersek +Message-id: <20190213225928.17791-5-lersek@redhat.com> +Patchwork-id: 84502 +O-Subject: [RHEL-7.7 ovmf PATCH 4/4] Upgrade OpenSSL to 1.1.0j +Bugzilla: 1650390 +RH-Acked-by: Thomas Huth +RH-Acked-by: Miroslav Rezanina + +--v-- RHEL7 note start --v-- + +(1) NOTE: this is a partial cherry-pick. We're only advancing to 1.1.0i. + + The upstream commit advanced the OpenSSL git submodule from upstream + OpenSSL commit d4e4bd2a8163 ("Prepare for 1.1.0h release", 2018-03-27) + to upstream OpenSSL commit 74f2d9c1ec5f ("Prepare for 1.1.0j release", + 2018-11-20). Meaning, upstream edk2 skipped 1.1.0i. + + However, Fedora 28 only offers 1.1.0i at this point (and it will not + be rebased again until 1.1.0k is released). Therefore hunks in the + upstream CryptoPkg commit that relate specifically to 1.1.0j have to + be dropped from the backport. + + The only such hunks are the "crypto/getenv.c" additions to the INF + files. The related upstream OpenSSL change was commit 1abdf08284af + ("Use secure_getenv(3) when available.", 2018-09-24), part of tag + "OpenSSL_1_1_0j". + + The other hunks all relate to OpenSSL commits present in tag + "OpenSSL_1_1_0i" -- hence we keep those hunks: + + * 23dec58b9c2e ("Move the loading of the ssl_conf module to + libcrypto", 2018-04-05) + + This justifies the addition of "crypto/conf/conf_ssl.c" to the INF + files. + + * 6912debb881e ("Add APIs for custom X509_LOOKUP_METHOD creation", + 2018-05-30) + + This justifies the addition of "crypto/x509/x509_meth.c" to the INF + files. + + * dcb8333087d5 ("Avoid __GNUC__ warnings when defining + DECLARE_DEPRECATED", 2018-07-11) + + This justifies the ifdeffery update in "opensslconf.h". + +(2) After this downstream patch, the affected files almost match their + upstream counterparts at commit a18f784cfdbe (i.e., at the commit + being cherry-picked). What's missing (beyond the above 1.1.0j-specific + hunks) belong to the following upstream commits, which we don't need: + + * 630f67ddfea2 ("CryptoPkg: Clean up source files", 2018-06-28), + + * 94d67262d891 ("CryptoPkg: Removing ipf which is no longer supported + from edk2.", 2018-09-25) + + (IPF stands for Itanium.) + +--^-- RHEL7 note end --^-- + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1393 + +BZ#1089 (https://bugzilla.tianocore.org/show_bug.cgi?id=1089) requests +to upgrade the OpenSSL to the latest 1.1.1 release. Since OpenSSL-1.1.1 +has many changes, more porting efforts and feature evaluation are needed. +This might lead to a situation that it cannot catch the Q1'19 stable tag. + +One of the solution is upgrade current version (1.1.0h) to 1.1.0j. +According to following web page in openssl.org, all security issues +solved in 1.1.1 have been also back-ported to 1.1.0.j. This can make +sure that no security vulnerabilities left in edk2 master before 1.1.1. + +https://www.openssl.org/news/vulnerabilities-1.1.1.html + +Cc: Ting Ye +Cc: Gang Wei +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Jian J Wang +Reviewed-by: Gang Wei +Reviewed-by: Ting Ye +(cherry picked from commit a18f784cfdbe17855ec4376e80db927e1a81aaca) +--- + CryptoPkg/CryptoPkg.dsc | 1 + + CryptoPkg/Library/Include/openssl/opensslconf.h | 20 +++++++++++++------- + CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 ++ + CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 2 ++ + CryptoPkg/Library/OpensslLib/process_files.pl | 0 + 5 files changed, 18 insertions(+), 7 deletions(-) + mode change 100644 => 100755 CryptoPkg/Library/OpensslLib/process_files.pl + +diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc +index b49e587..f305f95 100644 +--- a/CryptoPkg/CryptoPkg.dsc ++++ b/CryptoPkg/CryptoPkg.dsc +@@ -124,6 +124,7 @@ + CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + CryptoPkg/Library/TlsLib/TlsLib.inf ++ CryptoPkg/Library/OpensslLib/OpensslLib.inf + + CryptoPkg/CryptRuntimeDxe/CryptRuntimeDxe.inf + +diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h +index 1917d7a..28dd9ab 100644 +--- a/CryptoPkg/Library/Include/openssl/opensslconf.h ++++ b/CryptoPkg/Library/Include/openssl/opensslconf.h +@@ -2,7 +2,7 @@ + * WARNING: do not edit! + * Generated from include/openssl/opensslconf.h.in + * +- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -235,12 +235,18 @@ extern "C" { + * still won't see them if the library has been built to disable deprecated + * functions. + */ +-#if defined(OPENSSL_NO_DEPRECATED) +-# define DECLARE_DEPRECATED(f) +-#elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) +-# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +-#else +-# define DECLARE_DEPRECATED(f) f; ++#ifndef DECLARE_DEPRECATED ++# if defined(OPENSSL_NO_DEPRECATED) ++# define DECLARE_DEPRECATED(f) ++# else ++# define DECLARE_DEPRECATED(f) f; ++# ifdef __GNUC__ ++# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) ++# undef DECLARE_DEPRECATED ++# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); ++# endif ++# endif ++# endif + #endif + + #ifndef OPENSSL_FILE +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +index 55a6fa3..b44510d 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +@@ -175,6 +175,7 @@ + $(OPENSSL_PATH)/crypto/conf/conf_mall.c + $(OPENSSL_PATH)/crypto/conf/conf_mod.c + $(OPENSSL_PATH)/crypto/conf/conf_sap.c ++ $(OPENSSL_PATH)/crypto/conf/conf_ssl.c + $(OPENSSL_PATH)/crypto/cpt_err.c + $(OPENSSL_PATH)/crypto/cryptlib.c + $(OPENSSL_PATH)/crypto/cversion.c +@@ -418,6 +419,7 @@ + $(OPENSSL_PATH)/crypto/x509/x509_err.c + $(OPENSSL_PATH)/crypto/x509/x509_ext.c + $(OPENSSL_PATH)/crypto/x509/x509_lu.c ++ $(OPENSSL_PATH)/crypto/x509/x509_meth.c + $(OPENSSL_PATH)/crypto/x509/x509_obj.c + $(OPENSSL_PATH)/crypto/x509/x509_r2x.c + $(OPENSSL_PATH)/crypto/x509/x509_req.c +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +index f542998..46217cc 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +@@ -175,6 +175,7 @@ + $(OPENSSL_PATH)/crypto/conf/conf_mall.c + $(OPENSSL_PATH)/crypto/conf/conf_mod.c + $(OPENSSL_PATH)/crypto/conf/conf_sap.c ++ $(OPENSSL_PATH)/crypto/conf/conf_ssl.c + $(OPENSSL_PATH)/crypto/cpt_err.c + $(OPENSSL_PATH)/crypto/cryptlib.c + $(OPENSSL_PATH)/crypto/cversion.c +@@ -418,6 +419,7 @@ + $(OPENSSL_PATH)/crypto/x509/x509_err.c + $(OPENSSL_PATH)/crypto/x509/x509_ext.c + $(OPENSSL_PATH)/crypto/x509/x509_lu.c ++ $(OPENSSL_PATH)/crypto/x509/x509_meth.c + $(OPENSSL_PATH)/crypto/x509/x509_obj.c + $(OPENSSL_PATH)/crypto/x509/x509_r2x.c + $(OPENSSL_PATH)/crypto/x509/x509_req.c +diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl +old mode 100644 +new mode 100755 +-- +1.8.3.1 + diff --git a/SOURCES/ovmf-sb.json b/SOURCES/ovmf-sb.json new file mode 100644 index 0000000..c804ac1 --- /dev/null +++ b/SOURCES/ovmf-sb.json @@ -0,0 +1,36 @@ +{ + "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "amd-sev", + "enrolled-keys", + "requires-smm", + "secure-boot", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SOURCES/ovmf.json b/SOURCES/ovmf.json new file mode 100644 index 0000000..5e8a94a --- /dev/null +++ b/SOURCES/ovmf.json @@ -0,0 +1,35 @@ +{ + "description": "OVMF with SB+SMM, empty varstore", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/OVMF/OVMF_VARS.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "amd-sev", + "requires-smm", + "secure-boot", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SPECS/ovmf.spec b/SPECS/ovmf.spec index c77cd87..88f0aa7 100644 --- a/SPECS/ovmf.spec +++ b/SPECS/ovmf.spec @@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64 Name: ovmf Version: %{GITDATE} -Release: 3.git%{GITCOMMIT}%{?dist}.1 +Release: 6.git%{GITCOMMIT}%{?dist} Summary: UEFI firmware for 64-bit virtual machines Group: Applications/Emulators License: BSD and OpenSSL and MIT @@ -19,10 +19,13 @@ URL: http://www.tianocore.org # | xz -9ev >/tmp/ovmf-$COMMIT.tar.xz Source0: http://batcave.lab.eng.brq.redhat.com/www/ovmf-%{GITCOMMIT}.tar.xz Source1: ovmf-whitepaper-c770f8c.txt -Source2: openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz +Source2: openssl-fedora-d2ede125556ac99aa0faa7744c703af3f559094e.tar.xz Source3: ovmf-vars-generator Source4: LICENSE.qosb +Source10: ovmf-sb.json +Source11: ovmf.json + Patch0003: 0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch Patch0004: 0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch Patch0005: 0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch @@ -42,10 +45,42 @@ Patch0019: 0019-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch Patch20: ovmf-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch Patch21: ovmf-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch Patch22: ovmf-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch -# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z] -Patch23: ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch -# For bz#1684006 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z] -Patch24: ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch +# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7] +Patch23: ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch +# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7] +Patch24: ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch +# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7] +Patch25: ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch +# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7] +Patch26: ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch +# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7] +Patch27: ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch +# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7] +Patch28: ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch +# For bz#1666586 - CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7] +Patch29: ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch +# For bz#1684007 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7] +Patch30: ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch +# For bz#1684007 - CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7] +Patch31: ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch +# For bz#1650390 - CVE-2018-5407 OVMF: openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) [rhel-7] +Patch33: ovmf-Upgrade-OpenSSL-to-1.1.0j.patch +# For bz#1691479 - CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7] +Patch34: ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch +# For bz#1691479 - CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7] +Patch35: ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch +# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7] +Patch36: ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch +# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7] +Patch37: ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch +# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7] +Patch38: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch +# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7] +Patch39: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch +# For bz#1691647 - CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7] +Patch40: ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch +# For bz#1697534 - CVE-2019-0161 ovmf: edk2: stack overflow in XHCI causing denial of service [rhel-7] +Patch41: ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch # python2-devel and libuuid-devel are required for building tools @@ -81,7 +116,7 @@ Summary: UEFI firmware for x86_64 virtual machines BuildArch: noarch # OVMF includes the Secure Boot feature; it has a builtin OpenSSL library. -Provides: bundled(openssl) = 1.1.0h +Provides: bundled(openssl) = 1.1.0i License: BSD and OpenSSL # URL taken from the Maintainers.txt file. @@ -161,6 +196,7 @@ echo "Applied $COUNT patches" rm -f $PATCHLIST cp -a -- %{SOURCE1} %{SOURCE3} . +cp -a -- %{SOURCE10} %{SOURCE11} . tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x # Done by %setup, but we do not use it for the auxiliary tarballs @@ -278,6 +314,10 @@ install -m 0644 UefiShell.iso $RPM_BUILD_ROOT%{_data install -m 0644 OvmfPkg/README $RPM_BUILD_ROOT%{_docdir}/%{subpkgname}/README install -m 0644 ovmf-whitepaper-c770f8c.txt $RPM_BUILD_ROOT%{_docdir}/%{subpkgname}/ovmf-whitepaper-c770f8c.txt +mkdir -p $RPM_BUILD_ROOT%{_datadir}/qemu/firmware +install -m 0644 ovmf-sb.json $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-ovmf-sb.json +install -m 0644 ovmf.json $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/60-ovmf.json + copy_license CryptoPkg/Library/OpensslLib/openssl/LICENSE OpensslLib %else @@ -328,6 +368,11 @@ chmod 0644 -- $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_*.fd %{_datadir}/OVMF/OVMF_VARS.secboot.fd %{_datadir}/OVMF/UefiShell.iso +%dir %{_datadir}/qemu +%dir %{_datadir}/qemu/firmware +%{_datadir}/qemu/firmware/50-ovmf-sb.json +%{_datadir}/qemu/firmware/60-ovmf.json + %else %dir %{_datadir}/AAVMF/ %{_datadir}/AAVMF/AAVMF_CODE.verbose.fd @@ -360,11 +405,47 @@ true %endif %changelog -* Tue Mar 05 2019 Miroslav Rezanina - 20180508-3.gitee3198e672e2.el7_6.1 -- ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1684006] -- ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1684006] -- Resolves: bz#1684006 - (CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.6.z]) +* Mon Apr 15 2019 Miroslav Rezanina - 20180508-6.gitee3198e672e2.el7 +- ovmf-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch [bz#1691479] +- ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch [bz#1691479] +- ovmf-MdeModulePkg-PartitionDxe-Add-check-for-underlying-d.patch [bz#1691647] +- ovmf-MdeModulePkg-UdfDxe-Refine-boundary-checks-for-file-.patch [bz#1691647] +- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-the-read-of-F.patch [bz#1691647] +- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-Component.patch [bz#1691647] +- ovmf-MdeModulePkg-UdfDxe-Add-boundary-check-for-getting-v.patch [bz#1691647] +- ovmf-MdeModulePkg-UsbBusDxe-Fix-wrong-buffer-length-used-.patch [bz#1697534] +- Resolves: bz#1691479 + (CVE-2018-12181 OVMF: edk2: Stack buffer overflow with corrupted BMP [rhel-7]) +- Resolves: bz#1691647 + (CVE-2019-0160 OVMF: edk2: buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media [rhel-7]) +- Resolves: bz#1697534 + (CVE-2019-0161 ovmf: edk2: stack overflow in XHCI causing denial of service [rhel-7]) + +* Thu Mar 07 2019 Miroslav Rezanina - 20180508-5.gitee3198e672e2.el7 +- ovmf-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1666586] +- ovmf-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1666586] +- ovmf-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1666586] +- ovmf-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1666586] +- ovmf-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1666586] +- ovmf-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1666586] +- ovmf-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1666586] +- ovmf-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1684007] +- ovmf-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1684007] +- ovmf-redhat-openssl-update-introduce-MOCK-shorthand-for-m.patch [bz#1650390] +- ovmf-redhat-openssl-update-enable-the-bootstrap-container.patch [bz#1650390] +- ovmf-redhat-consume-OpenSSL-1.1.0i-from-Fedora-28.patch [bz#1650390] +- ovmf-Upgrade-OpenSSL-to-1.1.0j.patch [bz#1650390] +- Resolves: bz#1650390 + (CVE-2018-5407 OVMF: openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) [rhel-7]) +- Resolves: bz#1666586 + (CVE-2017-5731 CVE-2017-5732 CVE-2017-5733 CVE-2017-5734 CVE-2017-5735 CVE-2018-3613 OVMF: various flaws [rhel-7]) +- Resolves: bz#1684007 + (CVE-2018-12180 OVMF: edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-7.7]) + +* Thu Nov 29 2018 Miroslav Rezanina - 20180508-4.gitee3198e672e2.el7 +- ovmf-redhat-provide-firmware-descriptor-meta-files.patch [bz#1608599] +- Resolves: bz#1608599 + ([RHEL 7.7] RFE: provide firmware descriptor meta-files for OVMF) * Fri Jul 27 2018 Miroslav Rezanina - 20180508-3.gitee3198e672e2.el7 - ovmf-redhat-provide-virtual-bundled-OpenSSL-in-OVMF.patch [bz#1607792]