From: "Wu, Hao A"
To: "Wang, Jian J", "devel@edk2.groups.io"
CC: "Ni, Ray"
Subject: Re: [edk2-devel] [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587)
Date: Tue, 18 Feb 2020 05:16:14 +0000

> -----Original Message-----
> From: Wang, Jian J
> Sent: Monday, February 17, 2020 12:03 PM
> To: devel@edk2.groups.io; Wu, Hao A
> Cc: Ni, Ray
> Subject: RE: [edk2-devel] [PATCH v1][edk2-stable202002]
> MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation
> (CVE-2019-14587)
>
>
> Reviewed-by: Jian J Wang

Thanks, pushed via commit e36d5ac7d1.

Best Regards,
Hao Wu

>
> Regards,
> Jian
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Wu, Hao A
> > Sent: Monday, February 17, 2020 11:52 AM
> > To: devel@edk2.groups.io
> > Cc: Wu, Hao A; Wang, Jian J; Ni, Ray
> > Subject: [edk2-devel] [PATCH v1][edk2-stable202002]
> > MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation
> > (CVE-2019-14587)
> >
> > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989
> >
> > The commit will avoid unmapping the same resource in error handling logic
> > for function BuildAdmaDescTable() and SdMmcCreateTrb().
> >
> > For the error handling in BuildAdmaDescTable():
> > The error is directly related with the corresponding Map() operation
> > (mapped address beyond 4G, which is not supported in ADMA), so the Unmap()
> > operation is done in the error handling logic, and then setting
> > 'Trb->AdmaMap' to NULL to avoid double Unmap.
> >
> > For the error handling in SdMmcCreateTrb():
> > The error is not directly related with the corresponding Map() operation,
> > so the commit will update the code to leave SdMmcFreeTrb() for the Unmap
> > operation to avoid double Unmap.
> >
> > Cc: Jian J Wang
> > Cc: Ray Ni
> > Signed-off-by: Hao A Wu
> > ---
> >  MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > > b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > > index da5559ae76..43626fff48 100644 > > --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > > +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > > @@ -1544,6 +1544,8 @@ BuildAdmaDescTable ( > > PciIo, > > Trb->AdmaMap > > ); > > + Trb->AdmaMap =3D NULL; > > + > > PciIo->FreeBuffer ( > > PciIo, > > EFI_SIZE_TO_PAGES (TableSize), 
> > @@ -1753,7 +1755,6 @@ SdMmcCreateTrb ( > > } > > Status =3D BuildAdmaDescTable (Trb, Private->ControllerVersion[= Slot]); > > if (EFI_ERROR (Status)) { > > - PciIo->Unmap (PciIo, Trb->DataMap); > > goto Error; > > } > > } else if (Private->Capability[Slot].Sdma !=3D 0) { > > -- > > 2.12.0.windows.1 > > > > > >=20
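Review bot: in the first hunk (BuildAdmaDescTable, @@ -1544), the PciIo->FreeBuffer() call that directly follows the new 'Trb->AdmaMap = NULL;' releases a second resource in the same error path, and the visible context does not show the pointer passed to it being cleared afterwards. If the common TRB cleanup also frees that buffer whenever the pointer is non-NULL, the double-release pattern this patch removes for the mapping would remain for the buffer. Please confirm the pointer is reset after FreeBuffer(), or add the reset next to the new line so both resources follow the same release-then-NULL rule. A one-line comment above the new assignment saying that it prevents a second Unmap in the later cleanup would also help future readers.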
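Review bot: in the second hunk (SdMmcCreateTrb, @@ -1753), the failure branch after BuildAdmaDescTable() now releases nothing itself, so correctness depends on the code behind the 'Error' label unmapping Trb->DataMap exactly once and only when it is set, which these lines do not show. The commit message says SdMmcFreeTrb() performs that Unmap; a short comment at 'goto Error;' stating that DataMap is released there would keep a later edit from re-adding the removed 'PciIo->Unmap (PciIo, Trb->DataMap);' and reintroducing the double Unmap. The two hunks also use different ownership conventions (unmap and NULL locally in one, defer to the cleanup routine in the other), which deserves a sentence in the function header comments.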