From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.120; helo=mga04.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id AAD22211CFBF9 for ; Mon, 25 Feb 2019 23:39:11 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Feb 2019 23:39:11 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.58,414,1544515200"; d="scan'208";a="322146386" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.8]) by fmsmga006.fm.intel.com with ESMTP; 25 Feb 2019 23:39:10 -0800 
From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Jian J Wang , Ruiyu Ni , Star Zeng Date: Tue, 26 Feb 2019 15:39:04 +0800 Message-Id: <20190226073904.14112-3-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20190226073904.14112-1-hao.a.wu@intel.com> References: <20190226073904.14112-1-hao.a.wu@intel.com> Subject: [PATCH v1 2/2] MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize (CVE FIX) X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Feb 2019 07:39:11 -0000 Fix CVE-2018-12180 https://bugzilla.tianocore.org/show_bug.cgi?id=1134 Originally, the block size of created Ram disks is hard-coded to 512 bytes. However, if the total size of the Ram disk is not a multiple of 512 bytes, there will be potential memory access issues when dealing with the last block of the Ram disk. This commit will adjust the block size of the Ram disks to ensure that the total size is a multiple of the block size. Cc: Jian J Wang Cc: Ruiyu Ni Cc: Star Zeng Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++--- MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20 ++++++++++++++------ MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++-- 3 files changed, 20 insertions(+), 11 deletions(-) diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h index 08a8ca94c9..72f2bfe179 100644 --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h @@ -1,7 +1,7 @@ /** @file The header file of RamDiskDxe driver. - Copyright (c) 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -49,9 +49,9 @@ /// // -// Block size for RAM disk +// Default block size for RAM disk // -#define RAM_DISK_BLOCK_SIZE 512 +#define RAM_DISK_DEFAULT_BLOCK_SIZE 512 // // Iterate through the double linked list. NOT delete safe diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c index 4f74b5ef15..8926ad7d2f 100644 --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c @@ -1,7 +1,7 @@ /** @file Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device. - Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -54,6 +54,7 @@ RamDiskInitBlockIo ( EFI_BLOCK_IO_PROTOCOL *BlockIo; EFI_BLOCK_IO2_PROTOCOL *BlockIo2; EFI_BLOCK_IO_MEDIA *Media; + UINT32 Remainder; BlockIo = &PrivateData->BlockIo; BlockIo2 = &PrivateData->BlockIo2; @@ -69,11 +70,18 @@ RamDiskInitBlockIo ( Media->LogicalPartition = FALSE; Media->ReadOnly = FALSE; Media->WriteCaching = FALSE; - Media->BlockSize = RAM_DISK_BLOCK_SIZE; - Media->LastBlock = DivU64x32 ( - PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1, - RAM_DISK_BLOCK_SIZE - ) - 1; + + for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE; + Media->BlockSize >= 1; + Media->BlockSize = Media->BlockSize >> 1) { + Media->LastBlock = DivU64x32Remainder (PrivateData->Size, Media->BlockSize, &Remainder) - 1; + if (Remainder == 0) { + break; + } + } + ASSERT (Media->BlockSize != 0); + + return; } diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c index 6784e2b2f1..e8250d5c1b 100644 --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c @@ -1,7 +1,7 @@ /** @file The realization of EFI_RAM_DISK_PROTOCOL. - Copyright (c) 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -613,7 +613,8 @@ RamDiskRegister ( // // Add check to prevent data read across the memory boundary // - if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1) { + if ((RamDiskSize > MAX_UINTN) || + (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) { return EFI_INVALID_PARAMETER; } -- 2.12.0.windows.1
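Review bot: In RamDiskInitBlockIo (RamDiskBlockIo.c), the new for loop halves Media->BlockSize from RAM_DISK_DEFAULT_BLOCK_SIZE until Remainder is 0, so an odd PrivateData->Size ends with a block size of 1, and nothing in the hunk documents that. Please add a comment above the loop saying that the block size can shrink below 512 and why, since readers of Media->BlockSize previously saw a fixed value. Because any size is a multiple of 1, the loop always leaves through the break, so ASSERT (Media->BlockSize != 0) cannot fire, and the added return; at the end of the function body is redundant. Also, if PrivateData->Size can be 0 here, the first iteration computes LastBlock as 0 - 1 and wraps; the hunk shows no guard, so please confirm the caller rejects a zero size.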
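Review bot: In RamDiskRegister (RamDiskProtocol.c), the second clause, RamDiskBase > MAX_UINTN - RamDiskSize + 1, only avoids underflow because the first clause has already rejected RamDiskSize > MAX_UINTN, and that dependency is not stated; the comment above the test still only says "prevent data read across the memory boundary". Please extend the comment to explain that the first test protects the subtraction and that the second is the overflow-free form of checking that the last byte, RamDiskBase + RamDiskSize - 1, does not exceed MAX_UINTN. The RamDiskSize == 0 case deserves a line as well: if the operands are no wider than UINTN, MAX_UINTN - 0 + 1 wraps to 0 and every non-zero base is rejected, while with wider operands it does not wrap, so the result depends on the build unless zero size is refused before this point.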