public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Laszlo Ersek <lersek@redhat.com>, Paulo Alcantara <pcacjr@zytor.com>
Cc: "Ni, Ruiyu" <ruiyu.ni@intel.com>,
	"Dong, Eric" <eric.dong@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
	"Gao, Liming" <liming.gao@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Zeng, Star" <star.zeng@intel.com>
Subject: Re: [PATCH 0/3] UDF partition driver fix
Date: Sat, 16 Sep 2017 23:52:45 +0000	[thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503A9BC765@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <4d74e669-964e-7910-2de6-b7e831f9c2eb@redhat.com>

Thank you Paulo, to provide a fix for this driver.

I do not have comment for this specific patch. I would defer the review work to Star and Ruiyu.
I do have some general question for the new UDF support and I would like to know more detail about the quality level.

As we are seeing some issues in the new UDF driver, would you please share what test you have done for the UDF support? (Not only for this patch, but also for the UDF partition and UDF file system which are already checked in)

I ask this specially, because UDF support (partition and file system) adds a brand new group of external input for the UEFI BIOS. For a long time, we are monitoring all the external input.
Per our security model, the external input means the input by an end user. The known external includes but not limited to UEFI image (OROM/OS Loader), Capsule Image, Recovery Image, file system, partition, network packet, variable, etc.

UDF is a new one, because with the new UDF support, now a malicious user may insert a mal-format UDF CDROM to the system and try to break the system. As such, we need evaluate it.


To be specific, would you please share:

1)       Which UDF spec these 2 drivers (FS and partition) are following?
I have seen you mentioned the header file follows "(revisions 1.02 through 2.60)". But I am not sure about the driver.

I found you mentioned:

Originally the driver was written to support UDF file systems as

specified by OSTA Universal Disk Format Specification 2.60. However,

some Windows 10 Enterprise ISO (UDF bridge) images that I tested

supported a revision of 1.02 thus I had to rework the driver a little

bit to support such revision as well.

Do you mean you only support 1.02 and 2.6 in driver, or you support 1.02 through 2.6?


2)       Which UDF function is supported? And more important, which UDF function is NOT supported?
I have seen "Compliance" section in UDF spec, and it lists some optional feature, such as multi-volume, multi-partition, multisession, file name translation, backward read, backward write, etc.

I also have interest to know the support level of current existing CDROM, and existing UDF driver in OS (such as Windows, or Linux). How many optional feature are implemented?

I ask this, because we want to understand how we declare the support level of this UEFI UDF driver. If we just say we support UDF, then naive people may believe we support everything. :)


3)       Which compatibility test has been done?
I am sorry that I cannot find the first version patch. I fund you mentioned Win10 ISO is tried in V2. Any more?
We would like to know how many existing OS installation CDROM (or any other CDROM) has been tried. Such as Linux (RedHat, Ubuntu, Suse, etc), or Windows (Win7, Win8, Win10)?
The more detail, the better. May a list.


4)       The last but not least important, which negative test (security test) has been done?
Have you run some fuzzing test?
Have you tried a mal-format UDF disc? For example, with bad offset or length?
Have you test the integer overflow / buffer over flow handing in the code?

NOTE: we should not use ASSERT to handle such error.
When I review the code, I found below:

    Status = ReadFileData (
      BlockIo,
      DiskIo,
      Volume,
      Parent,
      PrivFileData->FileSize,
      &PrivFileData->FilePosition,
      Buffer,
      &BufferSizeUint64
      );
    ASSERT (BufferSizeUint64 <= MAX_UINTN);
    *BufferSize = (UINTN)BufferSizeUint64;

I am not sure if we can use ASSERT (BufferSizeUint64 <= MAX_UINTN);
Can a malicious user construct a bad UDF and make BufferSizeUint64 > MAX_UINTN?
Does it might happen? Or never happen?

We documented Appendix B - EDKII code review top 5 in https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_Security_Design_Guide_in_EDK_II.pdf
3 of them are matched in these partition and file system drivers. I quote below:
===============================
If the code consumes input from an untrusted source or region,
Ensure that the input is rigorously and adequately validated.
Verify buffer overflow is handled. Avoid integer overflow.
Try to use subtraction instead of addition and division instead of multiplication.
Verify that ASSERT is used properly.
ASSERT is used to catch conditions that should never happen. If something might happen, use error handling instead. We can use both ASSERT and error handling to facilitate debugging - ASSERT allows for earlier detection and isolation of several classes of issues. [McConnell]
===============================

It is just a reminder. If you are already following that, it will be great. Please let us now.


I take a glance of UDF 2.6 specification, but I do not have chance to read all content at this moment.
If I asked some stupid question , please feel free to correct me.


All in all, we hope to understand the current quality level of the UDF partition support and UDF file system.
If you can help to provide the detail, it may help us to evaluate.



Thank you
Yao Jiewen


From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
Sent: Sunday, September 17, 2017 6:17 AM
To: Paulo Alcantara <pcacjr@zytor.com>
Cc: Ni, Ruiyu <ruiyu.ni@intel.com>; Dong, Eric <eric.dong@intel.com>; edk2-devel@lists.01.org; Gao, Liming <liming.gao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Zeng, Star <star.zeng@intel.com>
Subject: Re: [edk2] [PATCH 0/3] UDF partition driver fix

Hi Paulo,

On 09/16/17 23:36, Paulo Alcantara wrote:
> This series fixes an UDF issue with Partition driver as discussed in ML:
>
> https://lists.01.org/pipermail/edk2-devel/2017-September/014694.html
>
> Thanks!
> Paulo
>
> Repo:   https://github.com/pcacjr/edk2.git
> Branch: udf-partition-fix
>
> Paulo Alcantara (3):
>   MdePkg: Add UDF volume structure definitions
>   MdeModulePkg/PartitionDxe: Fix creation of UDF logical partition
>   MdeModulePkg/UdfDxe: Rework driver to support PartitionDxe changes
>
>  MdeModulePkg/Universal/Disk/PartitionDxe/Udf.c     | 307 +++++++++++-
>  MdeModulePkg/Universal/Disk/UdfDxe/File.c          |  13 +-
>  .../Universal/Disk/UdfDxe/FileSystemOperations.c   | 525 ++++++++-------------
>  MdeModulePkg/Universal/Disk/UdfDxe/Udf.c           |   7 -
>  MdeModulePkg/Universal/Disk/UdfDxe/Udf.h           |  88 +---
>  MdePkg/Include/IndustryStandard/Udf.h              |  63 +++
>  6 files changed, 560 insertions(+), 443 deletions(-)
>

Thank you very much for submitting this patchset quickly. I hope it will
work out, and we won't need the PartitionExperimentalDxe.inf file!

I have some trivial process-level suggestions:

* when submitting a patchset, please collect the Cc: tags from all the
commit messages, and add them to the cover letter manually. This way
everybody you CC on at least some of the patches will get the cover
letter too, presonally.

This matters because otherwise replies to the blurb will also miss those
people, personally. (I'm now adding everyone manually.)

* Because edk2 uses long directory and file names, the diffstats are
frequently truncated like above (see "..."). You can avoid this if you
format the patches like this:

  --stat=1000 --stat-graph-width=20

this will make the pathname column just as wide as necessary, and will
also keep the chart to the right reasonably narrow.

* It's probably best to include a reference to
<https://bugzilla.tianocore.org/show_bug.cgi?id=707> in the commit
messages (in particular patch #2).

* Once you post a patchset for a TianoCore BZ, it's useful to link the
series (from the mailing list archive) in the BZ itself.


Regarding the code itself, I don't think I can help here in any sensible
way. (If UDF support were located under OvmfPkg, I would totally
consider you the owner of those files, verify your patches for them on a
formal level only, and if that part was fine, I'd give an Acked-by.)

Thanks!
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
https://lists.01.org/mailman/listinfo/edk2-devel


  reply	other threads:[~2017-09-16 23:49 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-16 21:36 [PATCH 0/3] UDF partition driver fix Paulo Alcantara
2017-09-16 21:36 ` [PATCH 1/3] MdePkg: Add UDF volume structure definitions Paulo Alcantara
2017-09-16 21:36 ` [PATCH 2/3] MdeModulePkg/PartitionDxe: Fix creation of UDF logical partition Paulo Alcantara
2017-09-16 21:36 ` [PATCH 3/3] MdeModulePkg/UdfDxe: Rework driver to support PartitionDxe changes Paulo Alcantara
2017-09-16 22:16 ` [PATCH 0/3] UDF partition driver fix Laszlo Ersek
2017-09-16 23:52   ` Yao, Jiewen [this message]
2017-09-17 10:07     ` Laszlo Ersek
2017-09-17 13:21       ` Yao, Jiewen
2017-09-17 14:09     ` Paulo Alcantara
2017-09-18  1:04 ` Ni, Ruiyu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=74D8A39837DF1E4DA445A8C0B3885C503A9BC765@shsmsx102.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox