import edk2-20200602gitca407c7246bf-5.el8

2021-05-14 04:11:58 +00:00 · 2021-05-14 04:11:58 +00:00 · b01c6b5a39
commit b01c6b5a39
parent cf77a070f7
3 changed files with 152 additions and 11 deletions
--- a/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
+++ b/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
@ -0,0 +1,101 @@
+From 158bc30e7cefe14ae690e0b8da1e8803127b813e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 19 Nov 2020 12:50:34 +0100
+Subject: [PATCH 1/2] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+
+ uncompressed buffer sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek (lersek)
+RH-MergeRequest: 2: prevent integer overflow / heap corruption in LZMA decompression [rhel-8.5.0]
+RH-Commit: [1/1] 97de3eab2b9fdf86195fe329c4391f5b3b98b6f8
+RH-Bugzilla: 1892318
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+The LzmaUefiDecompressGetInfo() function
+[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
+silently truncates the UINT64 "DecodedSize" property of the compressed
+blob to the UINT32 "DestinationSize" output parameter.
+
+If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
+allocation (for decompression) will likely succeed (allocating 0x100 bytes
+only), but then the LzmaUefiDecompress() function (which re-fetches the
+uncompressed buffer size from the same LZMA header into a "SizeT"
+variable) will overwrite the buffer.
+
+Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
+This should not be a practical limitation. (The issue cannot be fixed for
+32-bit systems without spec modifications anyway, given that the
+"OutputSize" output parameter of
+EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
+not UINT64.)
+
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Hao A Wu <hao.a.wu@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+Cc: Philippe Mathieu-Daud <philmd@redhat.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+Reviewed-by: Philippe Mathieu-Daud <philmd@redhat.com>
+Message-Id: <20201119115034.12897-2-lersek@redhat.com>
+(cherry picked from commit e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0)
+---
+ .../Library/LzmaCustomDecompressLib/LzmaDecompress.c       | 7 +++++++
+ .../LzmaCustomDecompressLib/LzmaDecompressLibInternal.h    | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+index c58912eb6a..8f7c242dca 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf(
+                           in DestinationSize and the size of the scratch
+                           buffer was returned in ScratchSize.
+ 
+  @retval RETURN_UNSUPPORTED  DestinationSize cannot be output because the
+                              uncompressed buffer size (in bytes) does not fit
+                              in a UINT32. Output parameters have not been
+                              modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo (
+   ASSERT(SourceSize >= LZMA_HEADER_SIZE);
+ 
+   DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
+  if (DecodedSize > MAX_UINT32) {
+    return RETURN_UNSUPPORTED;
+  }
+ 
+   *DestinationSize = (UINT32)DecodedSize;
+   *ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE;
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+index 26f110ba2a..fbafd5f100 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+@@ -9,6 +9,7 @@
+ #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__
+ #define __LZMADECOMPRESSLIB_INTERNAL_H__
+ 
+#include <Base.h>
+ #include <PiPei.h>
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
+@@ -45,6 +46,10 @@
+                           in DestinationSize and the size of the scratch
+                           buffer was returned in ScratchSize.
+ 
+  @retval RETURN_UNSUPPORTED  DestinationSize cannot be output because the
+                              uncompressed buffer size (in bytes) does not fit
+                              in a UINT32. Output parameters have not been
+                              modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+-- 
+2.27.0
+
--- a/SOURCES/edk2-ovmf-cc.json
+++ b/SOURCES/edk2-ovmf-cc.json
@ -0,0 +1,33 @@
+{
+    "description": "OVMF with SEV-ES support",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.cc.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-rhel8.5.0"
+            ]
+        }
+    ],
+    "features": [
+        "amd-sev",
+        "amd-sev-es",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64

 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    4%{?dist}
+Release:    5%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@ -28,6 +28,7 @@ Source10: edk2-aarch64-verbose.json
 Source11: edk2-aarch64.json
 Source12: edk2-ovmf-sb.json
 Source13: edk2-ovmf.json
+Source14: edk2-ovmf-cc.json

 Patch0007: 0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch
 Patch0008: 0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch
@ -66,6 +67,8 @@ Patch33: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
 Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
 # For bz#1893806 - attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)
 Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
+# For bz#1892318 - edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8]
+Patch36: edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch


 # python3-devel and libuuid-devel are required for building tools.
@ -197,7 +200,7 @@ echo "Applied $COUNT patches"
 rm -f $PATCHLIST

 cp -a -- %{SOURCE1} %{SOURCE3} .
-cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} .
+cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} .
 tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x

 # Format the Red Hat-issued certificate that is to be enrolled as both Platform
@ -320,12 +323,8 @@ mkdir -p \
  $RPM_BUILD_ROOT%{_datadir}/OVMF \
  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf

-# We don't ship the SB-less, SMM-less binary.
-%if 0
 install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
-  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.fd
-ln -s ../%{name}/ovmf/OVMF_CODE.fd         $RPM_BUILD_ROOT%{_datadir}/OVMF/
-%endif
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd
 install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd

@ -350,6 +349,8 @@ install -m 0644 edk2-ovmf-sb.json \
  $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
 install -m 0644 edk2-ovmf.json \
  $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-edk2-ovmf.json
+install -m 0644 edk2-ovmf-cc.json \
+  $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json

 %else
 mkdir -p \
@ -434,10 +435,7 @@ install BaseTools/Scripts/GccBase.lds \
 %doc ovmf-whitepaper-c770f8c.txt
 %dir %{_datadir}/OVMF/
 %dir %{_datadir}/%{name}/ovmf/
-%if 0
-%{_datadir}/%{name}/ovmf/OVMF_CODE.fd
-%{_datadir}/OVMF/OVMF_CODE.fd
-%endif
+%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd
 %{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
 %{_datadir}/%{name}/ovmf/OVMF_VARS.fd
 %{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
@ -449,6 +447,7 @@ install BaseTools/Scripts/GccBase.lds \
 %{_datadir}/%{name}/ovmf/Shell.efi
 %{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
 %{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
+%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
 %{_datadir}/qemu/firmware/50-edk2-ovmf.json

 %else
@ -515,6 +514,14 @@ true
 %endif

 %changelog
+* Wed May 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-5.el8
+- edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch [bz#1892318]
+- edk2-redhat-add-OVMF-binary-that-will-support-SEV-ES.patch [bz#1956837]
+- Resolves: bz#1892318
+  (edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8])
+- Resolves: bz#1956837
+  (Additional build of edk2 without SMM (dual build / sub-package) for SEV-ES)
+
 * Mon Nov 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8
 - edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177]
 - edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]