public inbox for devel@edk2.groups.io
* [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core)
@ 2020-11-19 10:53 Laszlo Ersek
  2020-11-19 10:53 ` [PATCH v2 RESEND 1/2] MdeModulePkg/Core/Dxe: assert SectionInstance invariant in FindChildNode() Laszlo Ersek
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Laszlo Ersek @ 2020-11-19 10:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao,
	Philippe Mathieu-Daudé

Repo:   https://pagure.io/lersek/edk2.git
Branch: tianocore_1743_v2_resend
Ref:    https://bugzilla.tianocore.org/show_bug.cgi?id=1743

"RESEND" because I'm publicly posting the patches from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1743#c19>.

The Reviewed-by tags on the patches originate from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1743#c20> and
<https://bugzilla.tianocore.org/show_bug.cgi?id=1743#c22>.

Retested with Liming's reproducer; see
<https://bugzilla.tianocore.org/show_bug.cgi?id=1743#c16> and
<https://bugzilla.tianocore.org/show_bug.cgi?id=1743#c18>.

This series targets edk2-stable202011. I plan to merge it later this
week, based on Liming's R-b.

Liming, highlighting TianoCore#1743 in the "proposed features" list
could be useful.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>

Thanks!
Laszlo

Laszlo Ersek (2):
  MdeModulePkg/Core/Dxe: assert SectionInstance invariant in
    FindChildNode()
  MdeModulePkg/Core/Dxe: limit FwVol encapsulation section recursion

 MdeModulePkg/MdeModulePkg.dec                                   |  6 +++
 MdeModulePkg/MdeModulePkg.uni                                   |  6 +++
 MdeModulePkg/Core/Dxe/DxeMain.inf                               |  1 +
 MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c | 52 +++++++++++++++++---
 4 files changed, 59 insertions(+), 6 deletions(-)

-- 
2.19.1.3.g30247aa5d201



* [PATCH v2 RESEND 1/2] MdeModulePkg/Core/Dxe: assert SectionInstance invariant in FindChildNode()
  2020-11-19 10:53 [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core) Laszlo Ersek
@ 2020-11-19 10:53 ` Laszlo Ersek
  2020-11-19 10:53 ` [PATCH v2 RESEND 2/2] MdeModulePkg/Core/Dxe: limit FwVol encapsulation section recursion Laszlo Ersek
  2020-11-20  5:30 ` Re: [edk2-devel] [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core) gaoliming
  2 siblings, 0 replies; 6+ messages in thread
From: Laszlo Ersek @ 2020-11-19 10:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao,
	Philippe Mathieu-Daudé

FindChildNode() has two callers: GetSection(), and FindChildNode() itself.

- At the GetSection() call site, a positive (i.e., nonzero)
  SectionInstance is passed. This is because GetSection() takes a
  zero-based (UINTN) SectionInstance, and then passes
  Instance=(SectionInstance+1) to FindChildNode().

- For reaching the recursive FindChildNode() call site, a section type
  mismatch, or a section instance mismatch, is necessary. This means,
  respectively, that SectionInstance will either not have been decreased,
  or not to zero anyway, at the recursive FindChildNode() call site.

Add two ASSERT()s to FindChildNode(), for expressing the (SectionSize>0)
invariant.

In turn, the invariant provides the explanation why, after the recursive
call, a zero SectionInstance implies success. Capture it in a comment.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c | 23 +++++++++++++++-----
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c b/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
index d678166db475..d7f7ef427422 100644
--- a/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
+++ b/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
@@ -952,8 +952,8 @@ CreateChildNode (
                                  search.
   @param  SearchType             Indicates the type of section to search for.
   @param  SectionInstance        Indicates which instance of section to find.
-                                 This is an in/out parameter to deal with
-                                 recursions.
+                                 This is an in/out parameter and it is 1-based,
+                                 to deal with recursions.
   @param  SectionDefinitionGuid  Guid of section definition
   @param  FoundChild             Output indicating the child node that is found.
   @param  FoundStream            Output indicating which section stream the child
@@ -988,6 +988,8 @@ FindChildNode (
   EFI_STATUS                                    ErrorStatus;
   EFI_STATUS                                    Status;
 
+  ASSERT (*SectionInstance > 0);
+
   CurrentChildNode = NULL;
   ErrorStatus = EFI_NOT_FOUND;
 
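Review bot: The new entry ASSERT (*SectionInstance > 0) is only as strong as its callers, and the commit message says GetSection() derives the value as Instance=(SectionInstance+1) from a caller-supplied UINTN. If that caller value is the maximum UINTN, the sum wraps to zero and this assertion fires on external input rather than on an internal bug. Consider having GetSection() reject that value explicitly before calling FindChildNode(), so the ASSERT documents a real invariant; an ASSERT is also not a runtime check in builds where assertions are disabled.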
@@ -1037,6 +1039,11 @@ FindChildNode (
       }
     }
 
+    //
+    // Type mismatch, or we haven't found the desired instance yet.
+    //
+    ASSERT (*SectionInstance > 0);
+
     if (CurrentChildNode->EncapsulatedStreamHandle != NULL_STREAM_HANDLE) {
       //
       // If the current node is an encapsulating node, recurse into it...
@@ -1050,16 +1057,20 @@ FindChildNode (
                 &RecursedFoundStream,
                 AuthenticationStatus
                 );
-      //
-      // If the status is not EFI_SUCCESS, just save the error code and continue
-      // to find the request child node in the rest stream.
-      //
       if (*SectionInstance == 0) {
+        //
+        // The recursive FindChildNode() call decreased (*SectionInstance) to
+        // zero.
+        //
         ASSERT_EFI_ERROR (Status);
         *FoundChild = RecursedChildNode;
         *FoundStream = RecursedFoundStream;
         return EFI_SUCCESS;
       } else {
+        //
+        // If the status is not EFI_SUCCESS, just save the error code and
+        // continue to find the request child node in the rest stream.
+        //
         ErrorStatus = Status;
       }
     } else if ((CurrentChildNode->Type == EFI_SECTION_GUID_DEFINED) && (SearchType != EFI_SECTION_GUID_DEFINED)) {
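Review bot: In the (*SectionInstance == 0) branch the new comment states what happened but not why it implies success, which is the point the commit message wants captured. Suggest spelling it out, for example that *SectionInstance was nonzero on entry to the recursive call and is only decremented on a match, so reaching zero means the recursive call found the instance and Status is EFI_SUCCESS. Since ASSERT_EFI_ERROR (Status) is the only check on Status before *FoundChild and *FoundStream are assigned, that reasoning is what the branch relies on.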
-- 
2.19.1.3.g30247aa5d201




* [PATCH v2 RESEND 2/2] MdeModulePkg/Core/Dxe: limit FwVol encapsulation section recursion
  2020-11-19 10:53 [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core) Laszlo Ersek
  2020-11-19 10:53 ` [PATCH v2 RESEND 1/2] MdeModulePkg/Core/Dxe: assert SectionInstance invariant in FindChildNode() Laszlo Ersek
@ 2020-11-19 10:53 ` Laszlo Ersek
  2020-11-20  5:30 ` Re: [edk2-devel] [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core) gaoliming
  2 siblings, 0 replies; 6+ messages in thread
From: Laszlo Ersek @ 2020-11-19 10:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao,
	Philippe Mathieu-Daudé

The DXE Core sets up a protocol notify function in its entry point, for
instances of the Firmware Volume Block2 Protocol:

  DxeMain()           [DxeMain/DxeMain.c]
    FwVolDriverInit() [FwVol/FwVol.c]

Assume that a 3rd party UEFI driver or application installs an FVB
instance, with crafted contents. The notification function runs:

  NotifyFwVolBlock() [FwVol/FwVol.c]

installing an instance of the Firmware Volume 2 Protocol on the handle.

(Alternatively, assume that a 3rd party application calls
gDS->ProcessFirmwareVolume(), which may also produce a Firmware Volume 2
Protocol instance.)

The EFI_FIRMWARE_VOLUME2_PROTOCOL.ReadSection() member performs "a
depth-first, left-to-right search algorithm through all sections found in
the specified file" (quoting the PI spec), as follows:

  FvReadFileSection()   [FwVol/FwVolRead.c]
    GetSection()        [SectionExtraction/CoreSectionExtraction.c]
      FindChildNode()   [SectionExtraction/CoreSectionExtraction.c]
        FindChildNode() // recursive call

FindChildNode() is called recursively for encapsulation sections.

Currently this recursion is not limited. Introduce a new PCD
(fixed-at-build, or patchable-in-module), and make FindChildNode() track
the section nesting depth against that PCD.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1743
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 MdeModulePkg/MdeModulePkg.dec                                   |  6 ++++
 MdeModulePkg/MdeModulePkg.uni                                   |  6 ++++
 MdeModulePkg/Core/Dxe/DxeMain.inf                               |  1 +
 MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c | 33 ++++++++++++++++++--
 4 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 00075528198d..9b52b3449443 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -1529,6 +1529,12 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
   # @Prompt Enable Capsule On Disk support.
   gEfiMdeModulePkgTokenSpaceGuid.PcdCapsuleOnDiskSupport|FALSE|BOOLEAN|0x0000002d
 
+  ## Maximum permitted encapsulation levels of sections in a firmware volume,
+  #  in the DXE phase. Minimum value is 1. Sections nested more deeply are
+  #  rejected.
+  # @Prompt Maximum permitted FwVol section nesting depth (exclusive).
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFwVolDxeMaxEncapsulationDepth|0x10|UINT32|0x00000030
+
 [PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
   ## This PCD defines the Console output row. The default value is 25 according to UEFI spec.
   #  This PCD could be set to 0 then console output would be at max column and max row.
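Review bot: The help text says "Minimum value is 1", but nothing in this declaration enforces it. With the FindChildNode() check added later in this patch (Depth >= PcdGet32 (PcdFwVolDxeMaxEncapsulationDepth)), a platform that sets the PCD to 0 makes the top-level call with Depth 0 return EFI_ABORTED, so every section lookup fails. Consider adding a @ValidRange annotation for the PCD so that a zero value is caught at build time, or state in the help text what 0 does.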
diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
index 40884c57a460..1b347a75f684 100644
--- a/MdeModulePkg/MdeModulePkg.uni
+++ b/MdeModulePkg/MdeModulePkg.uni
@@ -1160,6 +1160,12 @@
                                                                                            "Note:<BR>"
                                                                                            "If Both Capsule In Ram and Capsule On Disk are provisioned at the same time, the Capsule On Disk will be bypassed."
 
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdFwVolDxeMaxEncapsulationDepth_PROMPT #language en-US "Maximum permitted FwVol section nesting depth (exclusive)."
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdFwVolDxeMaxEncapsulationDepth_HELP   #language en-US "Maximum permitted encapsulation levels of sections in a firmware volume,<BR>"
+                                                                                                   "in the DXE phase. Minimum value is 1. Sections nested more deeply are<BR>"
+                                                                                                   "rejected."
+
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdCapsuleInRamSupport_PROMPT  #language en-US "Enable Capsule In Ram support"
 
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdCapsuleInRamSupport_HELP  #language en-US   "Capsule In Ram is to use memory to deliver the capsules that will be processed after system reset.<BR><BR>"
diff --git a/MdeModulePkg/Core/Dxe/DxeMain.inf b/MdeModulePkg/Core/Dxe/DxeMain.inf
index 1d4b11dc7318..e4bca895773d 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain.inf
+++ b/MdeModulePkg/Core/Dxe/DxeMain.inf
@@ -185,6 +185,7 @@ [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPoolType                       ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask                   ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard                           ## CONSUMES
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFwVolDxeMaxEncapsulationDepth           ## CONSUMES
 
 # [Hob]
 # RESOURCE_DESCRIPTOR   ## CONSUMES
diff --git a/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c b/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
index d7f7ef427422..908617d1ca5c 100644
--- a/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
+++ b/MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c
@@ -955,6 +955,9 @@ CreateChildNode (
                                  This is an in/out parameter and it is 1-based,
                                  to deal with recursions.
   @param  SectionDefinitionGuid  Guid of section definition
+  @param  Depth                  Nesting depth of encapsulation sections.
+                                 Callers different from FindChildNode() are
+                                 responsible for passing in a zero Depth.
   @param  FoundChild             Output indicating the child node that is found.
   @param  FoundStream            Output indicating which section stream the child
                                  was found in.  If this stream was generated as a
@@ -968,6 +971,9 @@ CreateChildNode (
   @retval EFI_NOT_FOUND          Requested child node does not exist.
   @retval EFI_PROTOCOL_ERROR     a required GUIDED section extraction protocol
                                  does not exist
+  @retval EFI_ABORTED            Recursion aborted because Depth has been
+                                 greater than or equal to
+                                 PcdFwVolDxeMaxEncapsulationDepth.
 
 **/
 EFI_STATUS
@@ -976,6 +982,7 @@ FindChildNode (
   IN     EFI_SECTION_TYPE                           SearchType,
   IN OUT UINTN                                      *SectionInstance,
   IN     EFI_GUID                                   *SectionDefinitionGuid,
+  IN     UINT32                                     Depth,
   OUT    CORE_SECTION_CHILD_NODE                    **FoundChild,
   OUT    CORE_SECTION_STREAM_NODE                   **FoundStream,
   OUT    UINT32                                     *AuthenticationStatus
@@ -990,6 +997,10 @@ FindChildNode (
 
   ASSERT (*SectionInstance > 0);
 
+  if (Depth >= PcdGet32 (PcdFwVolDxeMaxEncapsulationDepth)) {
+    return EFI_ABORTED;
+  }
+
   CurrentChildNode = NULL;
   ErrorStatus = EFI_NOT_FOUND;
 
@@ -1053,6 +1064,7 @@ FindChildNode (
                 SearchType,
                 SectionInstance,
                 SectionDefinitionGuid,
+                Depth + 1,
                 &RecursedChildNode,
                 &RecursedFoundStream,
                 AuthenticationStatus
@@ -1067,9 +1079,17 @@ FindChildNode (
         *FoundStream = RecursedFoundStream;
         return EFI_SUCCESS;
       } else {
+        if (Status == EFI_ABORTED) {
+          //
+          // If the recursive call was aborted due to nesting depth, stop
+          // looking for the requested child node. The skipped subtree could
+          // throw off the instance counting.
+          //
+          return Status;
+        }
         //
-        // If the status is not EFI_SUCCESS, just save the error code and
-        // continue to find the request child node in the rest stream.
+        // Save the error code and continue to find the requested child node in
+        // the rest of the stream.
         //
         ErrorStatus = Status;
       }
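Review bot: Status == EFI_ABORTED is used here as an in-band marker for "depth limit hit", and it ends the whole search. If any other path that feeds Status in FindChildNode() can also produce EFI_ABORTED (not visible in this hunk), it would now stop the search and be logged by GetSection() as a nesting depth problem. Worth confirming that the depth check is the only source, and saying so next to the @retval EFI_ABORTED text.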
@@ -1272,11 +1292,20 @@ GetSection (
                *SectionType,
                &Instance,
                SectionDefinitionGuid,
+               0,                             // encapsulation depth
                &ChildNode,
                &ChildStreamNode,
                &ExtractedAuthenticationStatus
                );
     if (EFI_ERROR (Status)) {
+      if (Status == EFI_ABORTED) {
+        DEBUG ((DEBUG_ERROR, "%a: recursion aborted due to nesting depth\n",
+          __FUNCTION__));
+        //
+        // Map "aborted" to "not found".
+        //
+        Status = EFI_NOT_FOUND;
+      }
       goto GetSection_Done;
     }
 
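Review bot: Mapping EFI_ABORTED to EFI_NOT_FOUND leaves the DEBUG_ERROR line as the only trace that a section tree was rejected for nesting depth, and the message names neither the limit nor the stream. Suggest including PcdGet32 (PcdFwVolDxeMaxEncapsulationDepth) in the message, and noting in the GetSection() header comment that EFI_NOT_FOUND now also covers this case, so callers and log readers can tell a missing section from a rejected one.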
-- 
2.19.1.3.g30247aa5d201
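
The depth limit and abort propagation described in the commit message above, as a stand-alone C model added here (not edk2 code and not part of the posted patch). `Section`, `find_child()`, `get_section()`, `MAX_DEPTH`, `T_RAW` and the sample trees are assumptions made up for illustration; the `stop_on_abort` switch exists only to show what the search would return if it skipped the too-deep subtree and kept counting.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the search, not edk2 code. A section is a leaf of
 * some type, or (children != NULL) an encapsulation section. */
enum { FOUND, NOT_FOUND, ABORTED };
#define MAX_DEPTH 4u /* stands in for PcdFwVolDxeMaxEncapsulationDepth */
#define T_RAW 0x19   /* arbitrary leaf type used by the sample data */

typedef struct Section {
  int type;
  const struct Section *children;
  size_t nchildren;
} Section;

/* Depth-first, left-to-right search for the Nth (1-based) leaf of `type`.
 * stop_on_abort=1 models the patch; 0 models "skip the subtree, keep going". */
static int find_child(const Section *list, size_t n, int type, size_t *instance,
                      unsigned depth, int stop_on_abort, const Section **found)
{
  if (depth >= MAX_DEPTH)
    return ABORTED;
  for (size_t i = 0; i < n; i++) {
    const Section *s = &list[i];
    if (s->children == NULL) {
      if (s->type == type && --*instance == 0) {
        *found = s;
        return FOUND;
      }
      continue;
    }
    int st = find_child(s->children, s->nchildren, type, instance, depth + 1,
                        stop_on_abort, found);
    if (st == FOUND)
      return FOUND;
    if (st == ABORTED && stop_on_abort)
      return ABORTED; /* leaves in the skipped subtree were never counted */
  }
  return NOT_FOUND;
}

/* Entry point: zero-based instance in, depth 0, ABORTED reported as NOT_FOUND. */
static int get_section(const Section *top, size_t n, int type, size_t zero_based,
                       int stop_on_abort, const Section **found)
{
  size_t instance = zero_based + 1;
  if (instance == 0)
    return NOT_FOUND; /* guard added in this model: +1 wrapped around */
  int st = find_child(top, n, type, &instance, 0, stop_on_abort, found);
  return st == ABORTED ? NOT_FOUND : st;
}

/* Constructed sample data: the first T_RAW leaf sits at depth 4 (too deep),
 * the second one at depth 0. */
static const Section lvl4[] = { { T_RAW, NULL, 0 } };
static const Section lvl3[] = { { 0, lvl4, 1 } };
static const Section lvl2[] = { { 0, lvl3, 1 } };
static const Section lvl1[] = { { 0, lvl2, 1 } };
static const Section deep[] = { { 0, lvl1, 1 }, { T_RAW, NULL, 0 } };
/* Same leaf list reused one level down: well within the limit. */
static const Section shallow[] = { { 0, lvl4, 1 }, { T_RAW, NULL, 0 } };

int main(void)
{
  const Section *f = NULL;
  printf("shallow #0: %d\n", get_section(shallow, 2, T_RAW, 0, 1, &f));
  printf("deep #0, stop on abort: %d\n", get_section(deep, 2, T_RAW, 0, 1, &f));
  int st = get_section(deep, 2, T_RAW, 0, 0, &f);
  printf("deep #0, keep going: %d (returns the file's second leaf: %s)\n", st,
         f == &deep[1] ? "yes" : "no");
  return 0;
}
```

With `stop_on_abort` cleared, a request for instance 0 in the `deep` tree is answered with the leaf that is really the second one in the file, which is the miscount the patch avoids by returning early.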



* Re: [edk2-devel] [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core)
  2020-11-19 10:53 [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core) Laszlo Ersek
  2020-11-19 10:53 ` [PATCH v2 RESEND 1/2] MdeModulePkg/Core/Dxe: assert SectionInstance invariant in FindChildNode() Laszlo Ersek
  2020-11-19 10:53 ` [PATCH v2 RESEND 2/2] MdeModulePkg/Core/Dxe: limit FwVol encapsulation section recursion Laszlo Ersek
@ 2020-11-20  5:30 ` gaoliming
  2020-11-20 10:57   ` Laszlo Ersek
  2020-11-21  1:43   ` Laszlo Ersek
  2 siblings, 2 replies; 6+ messages in thread
From: gaoliming @ 2020-11-20  5:30 UTC (permalink / raw)
  To: devel, lersek
  Cc: 'Dandan Bi', 'Hao A Wu', 'Jian J Wang',
	'Philippe Mathieu-Daudé'

Laszlo:
  I am OK to merge this patch and the fix in LzmaUefiDecompressGetInfo for this stable tag. After you are done, I will update the proposed feature list to include them. 

  In BZ, there is no CVE number. So, I want to confirm whether a CVE number is required.

Thanks
Liming





* Re: Re: [edk2-devel] [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core)
  2020-11-20  5:30 ` Re: [edk2-devel] [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core) gaoliming
@ 2020-11-20 10:57   ` Laszlo Ersek
  2020-11-21  1:43   ` Laszlo Ersek
  1 sibling, 0 replies; 6+ messages in thread
From: Laszlo Ersek @ 2020-11-20 10:57 UTC (permalink / raw)
  To: gaoliming, devel
  Cc: 'Dandan Bi', 'Hao A Wu', 'Jian J Wang',
	'Philippe Mathieu-Daudé'

On 11/20/20 06:30, gaoliming wrote:
> Laszlo:
>   I am OK to merge this patch and the fix in LzmaUefiDecompressGetInfo for this stable tag. After you are done, I will update the proposed feature list to include them. 

Thanks!

>   In BZ, there is no CVE number. So, I want to confirm whether a CVE number is required.

We seem to have failed getting a CVE number. I'm unaware of any CVE
being assigned to this issue.

Thanks
Laszlo

> 
> Thanks
> Liming



* Re: Re: [edk2-devel] [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core)
  2020-11-20  5:30 ` Re: [edk2-devel] [PATCH v2 RESEND 0/2] security fix: unlimited FV recursion, round 2 (DXE Core) gaoliming
  2020-11-20 10:57   ` Laszlo Ersek
@ 2020-11-21  1:43   ` Laszlo Ersek
  1 sibling, 0 replies; 6+ messages in thread
From: Laszlo Ersek @ 2020-11-21  1:43 UTC (permalink / raw)
  To: devel, gaoliming
  Cc: 'Dandan Bi', 'Hao A Wu', 'Jian J Wang',
	'Philippe Mathieu-Daudé'

On 11/20/20 06:30, gaoliming wrote:
> Laszlo:
>   I am OK to merge this patch and the fix in LzmaUefiDecompressGetInfo for this stable tag. After you are done, I will update the proposed feature list to include them. 

Merged as commit range 6c8dd15c4ae4..47343af30435, via
<https://github.com/tianocore/edk2/pull/1137>.

Thanks,
Laszlo

> 
>   In BZ, there is no CVE number. So, I want to confirm whether a CVE number is required.
> 
> Thanks
> Liming

