From b01c6b5a39cdeca9ecbcdbd9d64aa85ffa835d70 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Fri, 14 May 2021 04:11:58 +0000 Subject: [PATCH] import edk2-20200602gitca407c7246bf-5.el8 --- ...aCustomDecompressLib-catch-4GB-uncom.patch | 101 ++++++++++++++++++ SOURCES/edk2-ovmf-cc.json | 33 ++++++ SPECS/edk2.spec | 29 +++-- 3 files changed, 152 insertions(+), 11 deletions(-) create mode 100644 SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch create mode 100644 SOURCES/edk2-ovmf-cc.json diff --git a/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch b/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch new file mode 100644 index 0000000..91dacf5 --- /dev/null +++ b/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch @@ -0,0 +1,101 @@ +From 158bc30e7cefe14ae690e0b8da1e8803127b813e Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Thu, 19 Nov 2020 12:50:34 +0100 +Subject: [PATCH 1/2] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ + uncompressed buffer sizes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek (lersek) +RH-MergeRequest: 2: prevent integer overflow / heap corruption in LZMA decompression [rhel-8.5.0] +RH-Commit: [1/1] 97de3eab2b9fdf86195fe329c4391f5b3b98b6f8 +RH-Bugzilla: 1892318 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Philippe Mathieu-Daudé + +The LzmaUefiDecompressGetInfo() function +[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently +silently truncates the UINT64 "DecodedSize" property of the compressed +blob to the UINT32 "DestinationSize" output parameter. + +If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory +allocation (for decompression) will likely succeed (allocating 0x100 bytes +only), but then the LzmaUefiDecompress() function (which re-fetches the +uncompressed buffer size from the same LZMA header into a "SizeT" +variable) will overwrite the buffer. + +Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once. +This should not be a practical limitation. (The issue cannot be fixed for +32-bit systems without spec modifications anyway, given that the +"OutputSize" output parameter of +EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN, +not UINT64.) + +Cc: Dandan Bi +Cc: Hao A Wu +Cc: Jian J Wang +Cc: Liming Gao +Cc: Philippe Mathieu-Daud +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816 +Signed-off-by: Laszlo Ersek +Reviewed-by: Liming Gao +Reviewed-by: Philippe Mathieu-Daud +Message-Id: <20201119115034.12897-2-lersek@redhat.com> +(cherry picked from commit e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0) +--- + .../Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++ + .../LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++ + 2 files changed, 12 insertions(+) + +diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c +index c58912eb6a..8f7c242dca 100644 +--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c ++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c +@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf( + in DestinationSize and the size of the scratch + buffer was returned in ScratchSize. + ++ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the ++ uncompressed buffer size (in bytes) does not fit ++ in a UINT32. Output parameters have not been ++ modified. + **/ + RETURN_STATUS + EFIAPI +@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo ( + ASSERT(SourceSize >= LZMA_HEADER_SIZE); + + DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source); ++ if (DecodedSize > MAX_UINT32) { ++ return RETURN_UNSUPPORTED; ++ } + + *DestinationSize = (UINT32)DecodedSize; + *ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE; +diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h +index 26f110ba2a..fbafd5f100 100644 +--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h ++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h +@@ -9,6 +9,7 @@ + #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__ + #define __LZMADECOMPRESSLIB_INTERNAL_H__ + ++#include + #include + #include + #include +@@ -45,6 +46,10 @@ + in DestinationSize and the size of the scratch + buffer was returned in ScratchSize. + ++ @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the ++ uncompressed buffer size (in bytes) does not fit ++ in a UINT32. Output parameters have not been ++ modified. + **/ + RETURN_STATUS + EFIAPI +-- +2.27.0 + diff --git a/SOURCES/edk2-ovmf-cc.json b/SOURCES/edk2-ovmf-cc.json new file mode 100644 index 0000000..2e52745 --- /dev/null +++ b/SOURCES/edk2-ovmf-cc.json @@ -0,0 +1,33 @@ +{ + "description": "OVMF with SEV-ES support", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/edk2/ovmf/OVMF_CODE.cc.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-rhel8.5.0" + ] + } + ], + "features": [ + "amd-sev", + "amd-sev-es", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index 3231b35..ef44f0f 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 4%{?dist} +Release: 5%{?dist} Summary: UEFI firmware for 64-bit virtual machines Group: Applications/Emulators License: BSD-2-Clause-Patent and OpenSSL and MIT @@ -28,6 +28,7 @@ Source10: edk2-aarch64-verbose.json Source11: edk2-aarch64.json Source12: edk2-ovmf-sb.json Source13: edk2-ovmf.json +Source14: edk2-ovmf-cc.json Patch0007: 0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch Patch0008: 0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch @@ -66,6 +67,8 @@ Patch33: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch # For bz#1893806 - attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later) Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch +# For bz#1892318 - edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] +Patch36: edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch # python3-devel and libuuid-devel are required for building tools. @@ -197,7 +200,7 @@ echo "Applied $COUNT patches" rm -f $PATCHLIST cp -a -- %{SOURCE1} %{SOURCE3} . -cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} . +cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} . tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x # Format the Red Hat-issued certificate that is to be enrolled as both Platform @@ -320,12 +323,8 @@ mkdir -p \ $RPM_BUILD_ROOT%{_datadir}/OVMF \ $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf -# We don't ship the SB-less, SMM-less binary. -%if 0 install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \ - $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.fd -ln -s ../%{name}/ovmf/OVMF_CODE.fd $RPM_BUILD_ROOT%{_datadir}/OVMF/ -%endif + $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \ $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd @@ -350,6 +349,8 @@ install -m 0644 edk2-ovmf-sb.json \ $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json install -m 0644 edk2-ovmf.json \ $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-edk2-ovmf.json +install -m 0644 edk2-ovmf-cc.json \ + $RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json %else mkdir -p \ @@ -434,10 +435,7 @@ install BaseTools/Scripts/GccBase.lds \ %doc ovmf-whitepaper-c770f8c.txt %dir %{_datadir}/OVMF/ %dir %{_datadir}/%{name}/ovmf/ -%if 0 -%{_datadir}/%{name}/ovmf/OVMF_CODE.fd -%{_datadir}/OVMF/OVMF_CODE.fd -%endif +%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd %{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd %{_datadir}/%{name}/ovmf/OVMF_VARS.fd %{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd @@ -449,6 +447,7 @@ install BaseTools/Scripts/GccBase.lds \ %{_datadir}/%{name}/ovmf/Shell.efi %{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi %{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json +%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json %{_datadir}/qemu/firmware/50-edk2-ovmf.json %else @@ -515,6 +514,14 @@ true %endif %changelog +* Wed May 12 2021 Miroslav Rezanina - 20200602gitca407c7246bf-5.el8 +- edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch [bz#1892318] +- edk2-redhat-add-OVMF-binary-that-will-support-SEV-ES.patch [bz#1956837] +- Resolves: bz#1892318 + (edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8]) +- Resolves: bz#1956837 + (Additional build of edk2 without SMM (dual build / sub-package) for SEV-ES) + * Mon Nov 23 2020 Miroslav Rezanina - 20200602gitca407c7246bf-4.el8 - edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177] - edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]