From: "Wang, Jian J"
To: "devel@edk2.groups.io", "Wu, Hao A"
CC: "Ni, Ray"
Subject: Re: [edk2-devel] [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587)
Date: Mon, 17 Feb 2020 04:02:31 +0000
In-Reply-To: <20200217035229.16636-1-hao.a.wu@intel.com>

Reviewed-by: Jian J Wang

Regards,
Jian

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Wu, Hao A
> Sent: Monday, February 17, 2020 11:52 AM
> To: devel@edk2.groups.io
> Cc: Wu, Hao A; Wang, Jian J; Ni, Ray
> Subject: [edk2-devel] [PATCH v1][edk2-stable202002]
> MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation
> (CVE-2019-14587)
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989
>
> The commit will avoid unmapping the same resource in error handling logic
> for function BuildAdmaDescTable() and SdMmcCreateTrb().
>
> For the error handling in BuildAdmaDescTable():
> The error is directly related with the corresponding Map() operation
> (mapped address beyond 4G, which is not supported in ADMA), so the Unmap()
> operation is done in the error handling logic, and then setting
> 'Trb->AdmaMap' to NULL to avoid double Unmap.
>
> For the error handling in SdMmcCreateTrb():
> The error is not directly related with the corresponding Map() operation,
> so the commit will update the code to leave SdMmcFreeTrb() for the Unmap
> operation to avoid double Unmap.
>
> Cc: Jian J Wang
> Cc: Ray Ni
> Signed-off-by: Hao A Wu
> ---
> MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > index da5559ae76..43626fff48 100644 > --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > @@ -1544,6 +1544,8 @@ BuildAdmaDescTable ( > PciIo, > Trb->AdmaMap > ); > + Trb->AdmaMap =3D NULL; > + > PciIo->FreeBuffer ( > PciIo, > EFI_SIZE_TO_PAGES (TableSize), > @@ -1753,7 +1755,6 @@ SdMmcCreateTrb ( > } > Status =3D BuildAdmaDescTable (Trb, Private->ControllerVersion[Sl= ot]); > if (EFI_ERROR (Status)) { > - PciIo->Unmap (PciIo, Trb->DataMap); > goto Error; > } > } else if (Private->Capability[Slot].Sdma !=3D 0) { > -- > 2.12.0.windows.1
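
Review bot: in the BuildAdmaDescTable() hunk (@@ -1544), the FreeBuffer() call that follows the new Trb->AdmaMap = NULL assignment needs the same check, because the hunk ends before showing what happens to the pointer passed to it. This error path releases its resources locally and relies on NULL to tell the later cleanup that they are already gone, so confirm the freed descriptor buffer pointer is cleared right after FreeBuffer() as well; otherwise the double release this patch removes for the mapping could remain for the buffer. A one-line comment above the assignment, saying that the later cleanup relies on AdmaMap being NULL, would document the convention.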
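
Review bot: in the SdMmcCreateTrb() hunk (@@ -1753), the goto Error after a failed BuildAdmaDescTable() now carries no local cleanup, so Trb->DataMap stays mapped until the Error path runs, and that path is outside the visible lines. Confirm that Error unmaps Trb->DataMap exactly once on this route (the commit message says SdMmcFreeTrb() does it), and add a short comment at the goto saying so, so that a later change does not reintroduce the local Unmap. The other branches, starting with the Sdma one in the trailing context, are worth checking for the same local-Unmap-then-goto pattern.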