* [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587)
From: Wu, Hao A @ 2020-02-17 3:52 UTC (permalink / raw)
To: devel; +Cc: Hao A Wu, Jian J Wang, Ray Ni
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989

The commit will avoid unmapping the same resource in error handling logic
for function BuildAdmaDescTable() and SdMmcCreateTrb().

For the error handling in BuildAdmaDescTable():
The error is directly related with the corresponding Map() operation
(mapped address beyond 4G, which is not supported in ADMA), so the Unmap()
operation is done in the error handling logic, and then setting
'Trb->AdmaMap' to NULL to avoid double Unmap.

For the error handling in SdMmcCreateTrb():
The error is not directly related with the corresponding Map() operation,
so the commit will update the code to leave SdMmcFreeTrb() for the Unmap
operation to avoid double Unmap.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
---
MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
index da5559ae76..43626fff48 100644
--- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
+++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
@@ -1544,6 +1544,8 @@ BuildAdmaDescTable (
PciIo,
Trb->AdmaMap
);
+ Trb->AdmaMap = NULL;
+
PciIo->FreeBuffer (
PciIo,
EFI_SIZE_TO_PAGES (TableSize),
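Review bot: the added 'Trb->AdmaMap = NULL;' in BuildAdmaDescTable() prevents a second Unmap() only if the later cleanup (SdMmcFreeTrb(), per the commit message) tests Trb->AdmaMap for NULL before unmapping, and that check is outside this hunk, so it is worth confirming. The FreeBuffer() call that follows releases the descriptor table on the same error path, and the visible lines do not show the pointer to that buffer being cleared afterwards; if the cleanup routine also frees it, it needs the same treatment. A one-line comment on the assignment saying that the handle is cleared so cleanup skips it would keep a later refactor from dropping it.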
@@ -1753,7 +1755,6 @@ SdMmcCreateTrb (
}
Status = BuildAdmaDescTable (Trb, Private->ControllerVersion[Slot]);
if (EFI_ERROR (Status)) {
- PciIo->Unmap (PciIo, Trb->DataMap);
goto Error;
}
} else if (Private->Capability[Slot].Sdma != 0) {
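Review bot: with 'PciIo->Unmap (PciIo, Trb->DataMap);' removed from the BuildAdmaDescTable() failure branch in SdMmcCreateTrb(), releasing Trb->DataMap now depends entirely on the Error label reaching SdMmcFreeTrb() and on that function unmapping DataMap exactly once; neither is visible in this hunk, so please confirm both. Consider a short comment in the branch stating that the data mapping is released on the Error path, so the local Unmap() is not re-added later.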
--
2.12.0.windows.1
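The ownership rule described in the commit message, as an added example that is not part of the original patch or of edk2: a mock Unmap() counts releases so the double unmap on the error path can be observed before and after the fix. The types and functions (Mapping, Trb, FreeTrb, BuildTable, CreateTrb) are simplified stand-ins, and the NULL checks in the cleanup routine are an assumption about how SdMmcFreeTrb() behaves.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the driver's structures; not edk2 code. */
typedef struct { int unmap_calls; } Mapping;
typedef struct { Mapping *DataMap; Mapping *AdmaMap; } Trb;

/* Mock Unmap(): counts calls so a repeated release of one mapping shows up. */
static void Unmap(Mapping *m) { m->unmap_calls++; }

/* Single cleanup owner (assumed behaviour): release every non-NULL handle. */
static void FreeTrb(Trb *t) {
  if (t->AdmaMap != NULL) { Unmap(t->AdmaMap); t->AdmaMap = NULL; }
  if (t->DataMap != NULL) { Unmap(t->DataMap); t->DataMap = NULL; }
}

/* Always fails after mapping the table. The failure is caused by the mapping
 * itself, so it is released here; 'fixed' also clears the handle so the
 * cleanup routine will not release it again. */
static int BuildTable(Trb *t, Mapping *adma, int fixed) {
  t->AdmaMap = adma;
  Unmap(t->AdmaMap);
  if (fixed) t->AdmaMap = NULL;
  return -1;
}

/* Runs the error path and returns the highest Unmap() count seen on any one
 * mapping: 1 means each mapping was released once, 2 means a double unmap. */
int CreateTrb(int fixed) {
  Mapping data = { 0 }, adma = { 0 };
  Trb t = { &data, NULL };          /* data buffer is already mapped */
  if (BuildTable(&t, &adma, fixed) != 0) {
    if (!fixed) Unmap(t.DataMap);   /* pre-fix: caller unmaps, handle stays set */
    FreeTrb(&t);                    /* the Error path */
  }
  return data.unmap_calls > adma.unmap_calls ? data.unmap_calls
                                             : adma.unmap_calls;
}

int main(void) {
  printf("before fix: max unmaps per mapping = %d\n", CreateTrb(0));
  printf("after fix:  max unmaps per mapping = %d\n", CreateTrb(1));
  return 0;
}
```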
* Re: [edk2-devel] [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587)
From: Wang, Jian J @ 2020-02-17 4:02 UTC (permalink / raw)
To: devel@edk2.groups.io, Wu, Hao A; +Cc: Ni, Ray
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Regards,
Jian
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wu, Hao A
> Sent: Monday, February 17, 2020 11:52 AM
> To: devel@edk2.groups.io
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Ni, Ray <ray.ni@intel.com>
> Subject: [edk2-devel] [PATCH v1][edk2-stable202002]
> MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-
> 2019-14587)
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989
>
> The commit will avoid unmapping the same resource in error handling logic
> for function BuildAdmaDescTable() and SdMmcCreateTrb().
>
> For the error handling in BuildAdmaDescTable():
> The error is directly related with the corresponding Map() operation
> (mapped address beyond 4G, which is not supported in ADMA), so the Unmap()
> operation is done in the error handling logic, and then setting
> 'Trb->AdmaMap' to NULL to avoid double Unmap.
>
> For the error handling in SdMmcCreateTrb():
> The error is not directly related with the corresponding Map() operation,
> so the commit will update the code to leave SdMmcFreeTrb() for the Unmap
> operation to avoid double Unmap.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
> ---
> MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> index da5559ae76..43626fff48 100644
> --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> @@ -1544,6 +1544,8 @@ BuildAdmaDescTable (
> PciIo,
> Trb->AdmaMap
> );
> + Trb->AdmaMap = NULL;
> +
> PciIo->FreeBuffer (
> PciIo,
> EFI_SIZE_TO_PAGES (TableSize),
> @@ -1753,7 +1755,6 @@ SdMmcCreateTrb (
> }
> Status = BuildAdmaDescTable (Trb, Private->ControllerVersion[Slot]);
> if (EFI_ERROR (Status)) {
> - PciIo->Unmap (PciIo, Trb->DataMap);
> goto Error;
> }
> } else if (Private->Capability[Slot].Sdma != 0) {
> --
> 2.12.0.windows.1
>
>
>
* Re: [edk2-devel] [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587)
From: Wu, Hao A @ 2020-02-18 5:16 UTC (permalink / raw)
To: Wang, Jian J, devel@edk2.groups.io; +Cc: Ni, Ray
> -----Original Message-----
> From: Wang, Jian J
> Sent: Monday, February 17, 2020 12:03 PM
> To: devel@edk2.groups.io; Wu, Hao A
> Cc: Ni, Ray
> Subject: RE: [edk2-devel] [PATCH v1][edk2-stable202002]
> MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation
> (CVE-2019-14587)
>
>
> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Thanks, pushed via commit e36d5ac7d1.
Best Regards,
Hao Wu
>
> Regards,
> Jian
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wu, Hao
> A
> > Sent: Monday, February 17, 2020 11:52 AM
> > To: devel@edk2.groups.io
> > Cc: Wu, Hao A <hao.a.wu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> > Ni, Ray <ray.ni@intel.com>
> > Subject: [edk2-devel] [PATCH v1][edk2-stable202002]
> > MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation
> (CVE-
> > 2019-14587)
> >
> > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989
> >
> > The commit will avoid unmapping the same resource in error handling logic
> > for function BuildAdmaDescTable() and SdMmcCreateTrb().
> >
> > For the error handling in BuildAdmaDescTable():
> > The error is directly related with the corresponding Map() operation
> > (mapped address beyond 4G, which is not supported in ADMA), so the
> Unmap()
> > operation is done in the error handling logic, and then setting
> > 'Trb->AdmaMap' to NULL to avoid double Unmap.
> >
> > For the error handling in SdMmcCreateTrb():
> > The error is not directly related with the corresponding Map() operation,
> > so the commit will update the code to leave SdMmcFreeTrb() for the Unmap
> > operation to avoid double Unmap.
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Ray Ni <ray.ni@intel.com>
> > Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
> > ---
> > MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> > b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> > index da5559ae76..43626fff48 100644
> > --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> > +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
> > @@ -1544,6 +1544,8 @@ BuildAdmaDescTable (
> > PciIo,
> > Trb->AdmaMap
> > );
> > + Trb->AdmaMap = NULL;
> > +
> > PciIo->FreeBuffer (
> > PciIo,
> > EFI_SIZE_TO_PAGES (TableSize),
> > @@ -1753,7 +1755,6 @@ SdMmcCreateTrb (
> > }
> > Status = BuildAdmaDescTable (Trb, Private->ControllerVersion[Slot]);
> > if (EFI_ERROR (Status)) {
> > - PciIo->Unmap (PciIo, Trb->DataMap);
> > goto Error;
> > }
> > } else if (Private->Capability[Slot].Sdma != 0) {
> > --
> > 2.12.0.windows.1
> >
> >
> >