From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.151; helo=mga17.intel.com; envelope-from=liming.gao@intel.com; receiver=edk2-devel@lists.01.org Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 81ACE211CD63E for ; Wed, 27 Feb 2019 17:32:54 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Feb 2019 17:32:54 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.58,421,1544515200"; d="scan'208";a="125761036" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by fmsmga007.fm.intel.com with ESMTP; 27 Feb 2019 17:32:53 -0800 Received: from fmsmsx111.amr.corp.intel.com (10.18.116.5) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 27 Feb 2019 17:32:53 -0800 Received: from shsmsx108.ccr.corp.intel.com (10.239.4.97) by fmsmsx111.amr.corp.intel.com (10.18.116.5) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 27 Feb 2019 17:32:53 -0800 Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.74]) by SHSMSX108.ccr.corp.intel.com ([169.254.8.57]) with mapi id 14.03.0415.000; Thu, 28 Feb 2019 09:32:51 +0800 From: "Gao, Liming" To: Laszlo Ersek , "Wu, Hao A" , "edk2-devel@lists.01.org" CC: "Zeng, Star" Thread-Topic: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk Thread-Index: AQHUzad1J7KFvlRn9kuZet49i3cu5KXxcBkAgAFBsACAACH7gIAAxQBA///rtACAAOsMwA== Date: Thu, 28 Feb 2019 01:32:51 +0000 Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14E3F44B7@SHSMSX104.ccr.corp.intel.com> References: <20190226074557.11048-1-hao.a.wu@intel.com> <879920cf-8edd-575a-cb60-efe1cbd62cda@redhat.com> <4A89E2EF3DFEDB4C8BFDE51014F606A14E3E9CE9@SHSMSX104.ccr.corp.intel.com> In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Feb 2019 01:32:54 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I update https://github.com/tianocore/tianocore.github.io/wiki/Commit-Messa= ge-Format with CVE example. Please check it.=20 >-----Original Message----- >From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of >Laszlo Ersek >Sent: Thursday, February 28, 2019 3:31 AM >To: Gao, Liming ; Wu, Hao A ; >edk2-devel@lists.01.org >Cc: Zeng, Star >Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross >boundary access in Ramdisk > >On 02/27/19 13:49, Gao, Liming wrote: >> Laszlo: >> I add my comments. >> >> Thanks >> Liming >>> -----Original Message----- >>> From: Laszlo Ersek [mailto:lersek@redhat.com] >>> Sent: Wednesday, February 27, 2019 4:58 PM >>> To: Wu, Hao A ; Gao, Liming >; edk2-devel@lists.01.org >>> Cc: Zeng, Star >>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer cross >boundary access in Ramdisk >>> >>> On 02/27/19 07:56, Wu, Hao A wrote: >>>>> -----Original Message----- >>>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf >Of >>>>> Laszlo Ersek >>>>> Sent: Tuesday, February 26, 2019 7:45 PM >>>>> To: Wu, Hao A; edk2-devel@lists.01.org >>>>> Cc: Zeng, Star >>>>> Subject: Re: [edk2] [PATCH v2 0/2] MdeModulePkg: Resolve buffer >cross >>>>> boundary access in Ramdisk >>>>> >>>>> On 02/26/19 08:45, Hao Wu wrote: >>>>>> V2 changes: >>>>>> >>>>>> Correct CC list information. >>>>>> >>>>>> >>>>>> V1 history: >>>>>> >>>>>> The series will resolve a buffer cross boundary access issue during = the >>>>>> use of RAM disks. It is the mitigation for issue CVE-2018-12180. >>>>>> >>>>>> Cc: Jian J Wang >>>>>> Cc: Ray Ni >>>>>> Cc: Star Zeng >>>>>> >>>>>> Hao Wu (2): >>>>>> MdeModulePkg/PartitionDxe: Ensure blocksize can hold MBR (CVE >FIX) >>>>>> MdeModulePkg/RamDiskDxe: Ramdisk size be multiple of BlkSize >(CVE >>>>> FIX) >>>>>> >>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 >+++--- >>>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 >++++++++- >>>>>> MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 >++++++++- >>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20 >>>>> ++++++++++++++------ >>>>>> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 >+++-- >>>>>> 5 files changed, 36 insertions(+), 13 deletions(-) >>>>>> >>>>> >>>>> Please put the exact CVE numbers in the subject lines. >>>> >>>> Hello Laszlo and Liming, >>>> >>>> I totally agree the commit subject line should include the CVE number. >>>> But I have one feedback that, if the commit is for a CVE fix, is it >>>> possible to exempt the commit subject from 71 characters limit? >>> >>> In my opinion, that is absolutely the case. >>> >>>> I found it can be hard to summary the commit with the Package/Module >plus >>>> the CVE number information. >>> >>> I agree, it is hard. But, IMO, in this case, the precise CVE reference >>> takes priority. >>> >> For this case, I suggest to allow subject line length to be bigger, such= as 120 >character. >> I will update wiki >https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message- >Format for CVE commit message format. >> For example: Pkg-Module: Brief-single-line-summary (CVE-Year-Number) > >Thanks for that! >Laszlo >_______________________________________________ >edk2-devel mailing list >edk2-devel@lists.01.org >https://lists.01.org/mailman/listinfo/edk2-devel