From: "Gerd Hoffmann"
To: devel@edk2.groups.io
Cc: oliver@redhat.com, Jiewen Yao, Gerd Hoffmann, Laszlo Ersek, Ard Biesheuvel
Subject: [edk2-devel] [PATCH 1/1] OvmfPkg/VirtNorFlashDxe: fix shadowbuffer reads
Date: Thu, 11 Jan 2024 14:36:27 +0100
Message-ID: <20240111133627.156839-1-kraxel@redhat.com>

In some cases (specifically when the flash update region is small but crosses a multiple of P30_MAX_BUFFER_SIZE_IN_BYTES) NorFlashWriteSingleBlock reads only one instead of two P30_MAX_BUFFER_SIZE_IN_BYTES blocks into the shadow buffer. That leads to random crap being written to the second block, which in turn can corrupt both the variable store and the FTW work space.

This patch fixes the calculation.

Signed-off-by: Gerd Hoffmann
--- OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c index 1afd60ce66eb..cdc809d75e3d 100644 --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
@@ -566,7 +566,7 @@ NorFlashWriteSingleBlock ( Instance, Lba, Offset & ~BOUNDARY_OF_32_WORDS, - (*NumBytes | BOUNDARY_OF_32_WORDS) + 1, + (((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes) | BOUNDARY_OF_32_WORDS) + 1, Instance->ShadowBuffer ); if (EFI_ERROR (Status)) { -- 2.43.0
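
Review bot: In the length argument of the shadow-buffer read, `(((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes) | BOUNDARY_OF_32_WORDS) + 1` still rounds up to the next multiple when the write ends exactly on a P30_MAX_BUFFER_SIZE_IN_BYTES boundary (assuming BOUNDARY_OF_32_WORDS is the P30_MAX_BUFFER_SIZE_IN_BYTES - 1 mask), so that case reads one buffer more than the write touches. Nothing in the visible context bounds the rounded length by the size of Instance->ShadowBuffer or by the end of the block, so either round on the last byte written, `(Offset & BOUNDARY_OF_32_WORDS) + *NumBytes - 1` for a nonzero *NumBytes, or add an explicit check or ASSERT before the read. A one-line comment stating that the length must cover every P30 buffer from the aligned start through the last byte written would also help, since the previous expression ignored the in-buffer offset without any visible sign of it.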