commit ovmf for openSUSE:Factory
Hello community, here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2020-02-29 21:21:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ovmf (Old) and /work/SRC/openSUSE:Factory/.ovmf.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ovmf" Sat Feb 29 21:21:22 2020 rev:44 rq:779256 version:201911 Changes: -------- --- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2020-02-20 15:37:26.382744978 +0100 +++ /work/SRC/openSUSE:Factory/.ovmf.new.26092/ovmf.changes 2020-02-29 21:21:37.958174312 +0100 @@ -1,0 +2,10 @@ +Mon Feb 24 04:00:24 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com> + +- Add ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch to fix + dbx signature check (bsc#1163969, CVE-2019-14575) + + Also change the order of several patches to distinguish the + openssl patch +- Add ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch to fix memory + leakage in Ip4Dxe and ArpDxe (bsc#1163927, CVE-2019-14559) + +------------------------------------------------------------------- New: ---- ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.WB2zxY/_old 2020-02-29 21:21:38.830176038 +0100 +++ /var/tmp/diff_new_pack.WB2zxY/_new 2020-02-29 21:21:38.834176046 +0100 @@ -49,8 +49,10 @@ Patch3: %{name}-pie.patch Patch4: %{name}-disable-ia32-firmware-piepic.patch Patch5: %{name}-set-fixed-enroll-time.patch -Patch6: openssl-fix-syntax-error.patch -Patch7: %{name}-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch +Patch6: %{name}-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch +Patch7: %{name}-bsc1163969-fix-DxeImageVerificationHandler.patch +Patch8: %{name}-bsc1163927-fix-ip4dxe-and-arpdxe.patch +Patch100: openssl-fix-syntax-error.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bc BuildRequires: fdupes @@ -173,12 +175,14 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch7 -p1 +%patch8 -p1 # add openssl pushd CryptoPkg/Library/OpensslLib/openssl tar -xf %{SOURCE1} --strip 1 -%patch6 -p1 +%patch100 -p1 popd # add berkeley-softfloat-3 ++++++ ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch ++++++
From 7f9f7fccf58af2db5ac8c88801f56f4efe664fcb Mon Sep 17 00:00:00 2001 From: Jiaxin Wu <Jiaxin.wu@intel.com> Date: Mon, 29 Apr 2019 09:51:53 +0800 Subject: [PATCH 1/2] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
v3: correct the coding style. v2: correct the commit message & add BZ number. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610 This patch is to check the received package length to make sure the package has a valid length field. Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com> (cherry picked from commit 578bcdc2605e3438b9cbdac4e68339f90f5bf8af) --- NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c index 24c584658803..fc1a892f14eb 100644 --- a/NetworkPkg/Ip4Dxe/Ip4Input.c +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c @@ -1,7 +1,7 @@ /** @file IP4 input process. -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR> (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent @@ -711,10 +711,6 @@ Ip4PreProcessPacket ( // // Check if the IP4 header is correctly formatted. // - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { - return EFI_INVALID_PARAMETER; - } - HeadLen = (Head->HeadLen << 2); TotalLen = NTOHS (Head->TotalLen); @@ -808,6 +804,30 @@ Ip4PreProcessPacket ( return EFI_SUCCESS; } +/** + This function checks the IPv4 packet length. + + @param[in] Packet Pointer to the IPv4 Packet to be checked. + + @retval TRUE The input IPv4 packet length is valid. + @retval FALSE The input IPv4 packet length is invalid. + +**/ +BOOLEAN +Ip4IsValidPacketLength ( + IN NET_BUF *Packet + ) +{ + // + // Check the IP4 packet length. + // + if (Packet->TotalSize < IP4_MIN_HEADLEN) { + return FALSE; + } + + return TRUE; +} + /** The IP4 input routine. It is called by the IP4_INTERFACE when a IP4 fragment is received from MNP. @@ -844,6 +864,10 @@ Ip4AccpetFrame ( goto DROP; } + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN; @@ -890,10 +914,14 @@ Ip4AccpetFrame ( // ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { - // Packet may have been changed. Head, HeadLen, TotalLen, and - // info must be reloaded bofore use. The ownership of the packet - // is transfered to the packet process logic. - // + // Packet may have been changed. Head, HeadLen, TotalLen, and + // info must be reloaded before use. The ownership of the packet + // is transferred to the packet process logic. + // + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); Status = Ip4PreProcessPacket ( -- 2.25.0
From 03225826203c978146e4067e1d14fe66fcb75e22 Mon Sep 17 00:00:00 2001 From: Siyuan Fu <siyuan.fu@intel.com> Date: Fri, 21 Feb 2020 10:14:18 +0800 Subject: [PATCH 2/2] NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 This patch triggers the RecycleEvent for invalid ARP packets. Prior to this, we would just ignore invalid ARP packets, and never free them. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Nicholas Armour <nicholas.armour@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com> (cherry picked from commit 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8) --- NetworkPkg/ArpDxe/ArpImpl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c index 0e9ef103eff9..c7f770db0734 100644 --- a/NetworkPkg/ArpDxe/ArpImpl.c +++ b/NetworkPkg/ArpDxe/ArpImpl.c @@ -1,7 +1,7 @@ /** @file The implementation of the ARP protocol. -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc ( // // Restart the receiving if packet size is not correct. // - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } // @@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc ( Head->OpCode = NTOHS (Head->OpCode); if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) { - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } if ((Head->HwType != ArpService->SnpMode.IfType) || -- 2.25.0 ++++++ ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch ++++++ ++++ 1870 lines (skipped)
participants (1)
-
root