From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.126; helo=mga18.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id D3C3A208AE2B8 for ; Tue, 26 Feb 2019 04:56:55 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Feb 2019 04:56:55 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.58,415,1544515200"; d="scan'208";a="323493861" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.8]) by fmsmga005.fm.intel.com with ESMTP; 26 Feb 2019 04:56:54 -0800 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Jian J Wang , Ray Ni , Star Zeng , Laszlo Ersek Date: Tue, 26 Feb 2019 20:56:50 +0800 Message-Id: <20190226125651.14260-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20190226125651.14260-1-hao.a.wu@intel.com> References: <20190226125651.14260-1-hao.a.wu@intel.com> Subject: [PATCH v3 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180) X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Feb 2019 12:56:56 -0000 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134 The commit adds checks for detecting GPT and MBR partitions. These checks will ensure that the device block size is big enough to hold an MBR (512 bytes). Cc: Jian J Wang Cc: Ray Ni Cc: Star Zeng Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 ++++++++- MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 ++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c index fe87761bde..d679cc208b 100644 --- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c +++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c @@ -14,7 +14,7 @@ partition content and validate the GPT table and GPT entry. Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc. -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -237,6 +237,13 @@ PartitionInstallGptChildHandles ( GptValidStatus = EFI_NOT_FOUND; // + // Ensure the block size can hold the MBR + // + if (BlockSize < sizeof (MASTER_BOOT_RECORD)) { + return EFI_NOT_FOUND; + } + + // // Allocate a buffer for the Protective MBR // ProtectiveMbr = AllocatePool (BlockSize); diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c index b1a99ee85b..419f8a17a7 100644 --- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c +++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c @@ -13,7 +13,7 @@ Copyright (c) 2018 Qualcomm Datacenter Technologies, Inc. Copyright (c) 2014, Hewlett-Packard Development Company, L.P.
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -150,6 +150,13 @@ PartitionInstallMbrChildHandles ( MediaId = BlockIo->Media->MediaId; LastBlock = BlockIo->Media->LastBlock; + // + // Ensure the block size can hold the MBR + // + if (BlockSize < sizeof (MASTER_BOOT_RECORD)) { + return EFI_NOT_FOUND; + } + Mbr = AllocatePool (BlockSize); if (Mbr == NULL) { return Found; -- 2.12.0.windows.1