From: "Wu, Hao A" <hao.a.wu@intel.com>
To: devel@edk2.groups.io
Cc: Hao A Wu <hao.a.wu@intel.com>,
Jian J Wang <jian.j.wang@intel.com>, Ray Ni <ray.ni@intel.com>
Subject: [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587)
Date: Mon, 17 Feb 2020 11:52:29 +0800 [thread overview]
Message-ID: <20200217035229.16636-1-hao.a.wu@intel.com> (raw)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989
The commit will avoid unmapping the same resource in error handling logic
for function BuildAdmaDescTable() and SdMmcCreateTrb().
For the error handling in BuildAdmaDescTable():
The error is directly related with the corresponding Map() operation
(mapped address beyond 4G, which is not supported in ADMA), so the Unmap()
operation is done in the error handling logic, and then setting
'Trb->AdmaMap' to NULL to avoid double Unmap.
For the error handling in SdMmcCreateTrb():
The error is not directly related with the corresponding Map() operation,
so the commit will update the code to left SdMmcFreeTrb() for the Unmap
operation to avoid double Unmap.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
---
MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
index da5559ae76..43626fff48 100644
--- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
+++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
@@ -1544,6 +1544,8 @@ BuildAdmaDescTable (
PciIo,
Trb->AdmaMap
);
+ Trb->AdmaMap = NULL;
+
PciIo->FreeBuffer (
PciIo,
EFI_SIZE_TO_PAGES (TableSize),
@@ -1753,7 +1755,6 @@ SdMmcCreateTrb (
}
Status = BuildAdmaDescTable (Trb, Private->ControllerVersion[Slot]);
if (EFI_ERROR (Status)) {
- PciIo->Unmap (PciIo, Trb->DataMap);
goto Error;
}
} else if (Private->Capability[Slot].Sdma != 0) {
--
2.12.0.windows.1
next reply other threads:[~2020-02-17 3:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-17 3:52 Wu, Hao A [this message]
2020-02-17 4:02 ` [edk2-devel] [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587) Wang, Jian J
2020-02-18 5:16 ` Wu, Hao A
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200217035229.16636-1-hao.a.wu@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox