From: "Ni, Ray" <ray.ni@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
"Zeng, Star" <star.zeng@intel.com>,
Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)
Date: Wed, 27 Feb 2019 05:48:44 +0000
Message-ID: <734D49CCEBEEF84792F5B80ED585239D5C03978F@SHSMSX104.ccr.corp.intel.com>
In-Reply-To: <20190226125651.14260-3-hao.a.wu@intel.com>

Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Wu, Hao A <hao.a.wu@intel.com>
> Sent: Tuesday, February 26, 2019 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Ni, Ray <ray.ni@intel.com>; Zeng, Star <star.zeng@intel.com>; Laszlo Ersek
> <lersek@redhat.com>
> Subject: [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk
> size (CVE-2018-12180)
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
>
> Originally, the block size of created Ram disks is hard-coded to 512 bytes.
> However, if the total size of the Ram disk is not a multiple of 512 bytes, there
> will be potential memory access issues when dealing with the last block of
> the Ram disk.
>
> This commit will adjust the block size of the Ram disks to ensure that the total
> size is a multiple of the block size.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 +++---
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20
> ++++++++++++++------
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 +++--
> 3 files changed, 20 insertions(+), 11 deletions(-)
>
> diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> index 08a8ca94c9..72f2bfe179 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> @@ -1,7 +1,7 @@
> /** @file
> The header file of RamDiskDxe driver.
>
> - Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> + Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> which accompanies this distribution. The full text of the license may be
> found at @@ -49,9 +49,9 @@ ///
>
> //
> -// Block size for RAM disk
> +// Default block size for RAM disk
> //
> -#define RAM_DISK_BLOCK_SIZE 512
> +#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
>
> //
> // Iterate through the double linked list. NOT delete safe diff --git
> a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> index 4f74b5ef15..8926ad7d2f 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> @@ -1,7 +1,7 @@
> /** @file
> Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device.
>
> - Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
> + Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> which accompanies this distribution. The full text of the license may be
> found at @@ -54,6 +54,7 @@ RamDiskInitBlockIo (
> EFI_BLOCK_IO_PROTOCOL *BlockIo;
> EFI_BLOCK_IO2_PROTOCOL *BlockIo2;
> EFI_BLOCK_IO_MEDIA *Media;
> + UINT32 Remainder;
>
> BlockIo = &PrivateData->BlockIo;
> BlockIo2 = &PrivateData->BlockIo2;
> @@ -69,11 +70,18 @@ RamDiskInitBlockIo (
> Media->LogicalPartition = FALSE;
> Media->ReadOnly = FALSE;
> Media->WriteCaching = FALSE;
> - Media->BlockSize = RAM_DISK_BLOCK_SIZE;
> - Media->LastBlock = DivU64x32 (
> - PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
> - RAM_DISK_BLOCK_SIZE
> - ) - 1;
> +
> + for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
> + Media->BlockSize >= 1;
> + Media->BlockSize = Media->BlockSize >> 1) {
> + Media->LastBlock = DivU64x32Remainder (PrivateData->Size, Media-
> >BlockSize, &Remainder) - 1;
> + if (Remainder == 0) {
> + break;
> + }
> + }
> + ASSERT (Media->BlockSize != 0);
> +
> + return;
> }
>
>
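Review bot: In the new for loop in RamDiskInitBlockIo, a PrivateData->Size of 0 yields Remainder == 0 on the first pass, so Media->LastBlock is computed as 0 - 1 and wraps to the largest value; nothing in this hunk excludes that input. Either assert it before the loop, e.g. `ASSERT (PrivateData->Size != 0);`, or state in a comment that the caller has already rejected a zero size. Because the loop halves BlockSize from 512 down to 1 and every size is divisible by 1, it always exits through the break, so the trailing `ASSERT (Media->BlockSize != 0);` cannot fire. A short comment above the loop saying that the block size is reduced until it divides the disk size, and that an odd size ends up with 1-byte blocks, would help later readers. The bare `return;` at the end of the function is redundant.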
> diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> index 6784e2b2f1..e8250d5c1b 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> @@ -1,7 +1,7 @@
> /** @file
> The realization of EFI_RAM_DISK_PROTOCOL.
>
> - Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> + Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.<BR>
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License @@ -613,7 +613,8 @@ RamDiskRegister (
> //
> // Add check to prevent data read across the memory boundary
> //
> - if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1)
> {
> + if ((RamDiskSize > MAX_UINTN) ||
> + (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
> return EFI_INVALID_PARAMETER;
> }
>
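Review bot: The `+ 1` in `(RamDiskBase > MAX_UINTN - RamDiskSize + 1)` is only safe when RamDiskSize is non-zero: with RamDiskSize == 0 the right-hand side is MAX_UINTN + 1, which wraps to 0 if the expression is evaluated at UINTN width, and then every non-zero RamDiskBase is rejected. If a zero size is already rejected before this point, say so in the comment; otherwise handle it explicitly. The unchanged comment above the check still reads "prevent data read across the memory boundary"; it would be clearer to state that the test rejects ranges where RamDiskBase + RamDiskSize would exceed MAX_UINTN + 1, and that the first clause exists so the subtraction in the second cannot underflow.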
> --
> 2.12.0.windows.1