Re: [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Ni, Ray" <ray.ni@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
	"Zeng, Star" <star.zeng@intel.com>,
	Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180)
Date: Wed, 27 Feb 2019 05:48:44 +0000	[thread overview]
Message-ID: <734D49CCEBEEF84792F5B80ED585239D5C03978F@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <20190226125651.14260-3-hao.a.wu@intel.com>

Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Wu, Hao A <hao.a.wu@intel.com>
> Sent: Tuesday, February 26, 2019 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Ni, Ray <ray.ni@intel.com>; Zeng, Star <star.zeng@intel.com>; Laszlo Ersek
> <lersek@redhat.com>
> Subject: [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk
> size (CVE-2018-12180)
> 
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1134
> 
> Originally, the block size of created Ram disks is hard-coded to 512 bytes.
> However, if the total size of the Ram disk is not a multiple of 512 bytes, there
> will be potential memory access issues when dealing with the last block of
> the Ram disk.
> 
> This commit will adjust the block size of the Ram disks to ensure that the total
> size is a multiple of the block size.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h     |  6 +++---
>  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c  | 20
> ++++++++++++++------
> MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c |  5 +++--
>  3 files changed, 20 insertions(+), 11 deletions(-)
> 
> diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> index 08a8ca94c9..72f2bfe179 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h
> @@ -1,7 +1,7 @@
>  /** @file
>    The header file of RamDiskDxe driver.
> 
> -  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +  Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.<BR>
>    This program and the accompanying materials
>    are licensed and made available under the terms and conditions of the BSD
> License
>    which accompanies this distribution.  The full text of the license may be
> found at @@ -49,9 +49,9 @@  ///
> 
>  //
> -// Block size for RAM disk
> +// Default block size for RAM disk
>  //
> -#define RAM_DISK_BLOCK_SIZE 512
> +#define RAM_DISK_DEFAULT_BLOCK_SIZE 512
> 
>  //
>  // Iterate through the double linked list. NOT delete safe diff --git
> a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> index 4f74b5ef15..8926ad7d2f 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c
> @@ -1,7 +1,7 @@
>  /** @file
>    Produce EFI_BLOCK_IO_PROTOCOL on a RAM disk device.
> 
> -  Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
> +  Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.<BR>
>    This program and the accompanying materials
>    are licensed and made available under the terms and conditions of the BSD
> License
>    which accompanies this distribution.  The full text of the license may be
> found at @@ -54,6 +54,7 @@ RamDiskInitBlockIo (
>    EFI_BLOCK_IO_PROTOCOL           *BlockIo;
>    EFI_BLOCK_IO2_PROTOCOL          *BlockIo2;
>    EFI_BLOCK_IO_MEDIA              *Media;
> +  UINT32                          Remainder;
> 
>    BlockIo  = &PrivateData->BlockIo;
>    BlockIo2 = &PrivateData->BlockIo2;
> @@ -69,11 +70,18 @@ RamDiskInitBlockIo (
>    Media->LogicalPartition = FALSE;
>    Media->ReadOnly         = FALSE;
>    Media->WriteCaching     = FALSE;
> -  Media->BlockSize        = RAM_DISK_BLOCK_SIZE;
> -  Media->LastBlock        = DivU64x32 (
> -                              PrivateData->Size + RAM_DISK_BLOCK_SIZE - 1,
> -                              RAM_DISK_BLOCK_SIZE
> -                              ) - 1;
> +
> +  for (Media->BlockSize = RAM_DISK_DEFAULT_BLOCK_SIZE;
> +       Media->BlockSize >= 1;
> +       Media->BlockSize = Media->BlockSize >> 1) {
> +    Media->LastBlock = DivU64x32Remainder (PrivateData->Size, Media-
> >BlockSize, &Remainder) - 1;
> +    if (Remainder == 0) {
> +      break;
> +    }
> +  }
> +  ASSERT (Media->BlockSize != 0);
> +
> +  return;
>  }
> 
> 
> diff --git a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> index 6784e2b2f1..e8250d5c1b 100644
> --- a/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> +++ b/MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c
> @@ -1,7 +1,7 @@
>  /** @file
>    The realization of EFI_RAM_DISK_PROTOCOL.
> 
> -  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +  Copyright (c) 2016 - 2019, Intel Corporation. All rights
> + reserved.<BR>
>    (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>    This program and the accompanying materials
>    are licensed and made available under the terms and conditions of the BSD
> License @@ -613,7 +613,8 @@ RamDiskRegister (
>    //
>    // Add check to prevent data read across the memory boundary
>    //
> -  if (RamDiskBase + RamDiskSize > ((UINTN) -1) - RAM_DISK_BLOCK_SIZE + 1)
> {
> +  if ((RamDiskSize > MAX_UINTN) ||
> +      (RamDiskBase > MAX_UINTN - RamDiskSize + 1)) {
>      return EFI_INVALID_PARAMETER;
>    }
> 
> --
> 2.12.0.windows.1

     prev parent reply	other threads:[~2019-02-27  5:52 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-26 12:56 [PATCH v3 0/2] MdeModulePkg: Resolve buffer cross boundary access in Ramdisk Hao Wu
2019-02-26 12:56 ` [PATCH v3 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR (CVE-2018-12180) Hao Wu
2019-02-27  5:47   ` Ni, Ray
2019-02-26 12:56 ` [PATCH v3 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size (CVE-2018-12180) Hao Wu
2019-02-27  5:48   ` Ni, Ray [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=734D49CCEBEEF84792F5B80ED585239D5C03978F@SHSMSX104.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox