Package: edk2 / 0~20181115.85588389-3

Metadata

Package: edk2
Version: 0~20181115.85588389-3
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
shell efiapi.patch

Shell/hexedit/libMemImage.c | 4 4 + 0 - 0 !
Shell/shellenv/cmddisp.c | 2 2 + 0 - 0 !
Shell/shellenv/echo.c | 1 1 + 0 - 0 !
Shell/shellenv/shelle.h | 1 1 + 0 - 0 !
4 files changed, 8 insertions(+)

 Correct mismatched use of EFIAPI in EFI shell code
 The EFIAPI define is not a no-op in GCC; it needs to be used consistently
 for both the prototype and the definition.

no missing braces.diff

BaseTools/Conf/tools_def.template | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Add -Wno-missing-braces to CFLAGS to avoid build failures

no stack protector all archs.diff

BaseTools/Conf/tools_def.template | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Pass -fno-stack-protector to all gcc toolchains
 The upstream build rules inexplicably pass -fno-stack-protector only
 when building for i386 and amd64.  Add this essential argument to the
 generic rules for gcc 4.4 and later.
Last-Updated: 2017-09-12

shell proper valist.patch

Shell/Library/IO.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 Use va_copy() in shell
 Upstream edk2 has switched to using ms abi intrinsic va_list handling
 for x86-64.  Fix the Shell to do proper va_list handling instead of trying
 to treat them like pointers.

0001 MdeModulePkg PartitionDxe Ensure blocksize holds MBR.patch

MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 9 8 + 1 - 0 !
MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c | 9 8 + 1 - 0 !
2 files changed, 16 insertions(+), 2 deletions(-)

 [PATCH 1/2] MdeModulePkg/PartitionDxe: Ensure blocksize holds MBR
 (CVE-2018-12180)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1134

The commit adds checks for detecting GPT and MBR partitions.

These checks will ensure that the device block size is big enough to hold
an MBR (512 bytes).

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>

0002 MdeModulePkg RamDiskDxe Restrict on RAM disk size CV.patch

MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskBlockIo.c | 20 14 + 6 - 0 !
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskImpl.h | 6 3 + 3 - 0 !
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskProtocol.c | 5 3 + 2 - 0 !
3 files changed, 20 insertions(+), 11 deletions(-)

 [PATCH 2/2] MdeModulePkg/RamDiskDxe: Restrict on RAM disk size
 (CVE-2018-12180)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1134

Originally, the block size of created Ram disks is hard-coded to 512
bytes. However, if the total size of the Ram disk is not a multiple of 512
bytes, there will be potential memory access issues when dealing with the
last block of the Ram disk.

This commit will adjust the block size of the Ram disks to ensure that the
total size is a multiple of the block size.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>

NetworkPkg DnsDxe CVE 2018 12178 Check the received .patch

NetworkPkg/DnsDxe/DnsImpl.c | 77 67 + 10 - 0 !
NetworkPkg/DnsDxe/DnsImpl.h | 2 2 + 0 - 0 !
2 files changed, 69 insertions(+), 10 deletions(-)

 [PATCH] NetworkPkg/DnsDxe: [CVE-2018-12178] Check the received packet
 size before parsing the message.

Fix CVE-2018-12178
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809

The DNS driver only checks the received packet size against the
minimum DNS header size in DnsOnPacketReceived(); later it accesses
the QueryName and QuerySection beyond the header scope, which might
cause a pointer within the DNS driver to point to an invalid entry or
to modify the memory content beyond the header scope.

This patch fixes the above problem.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wang Fan <fan.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>

0001 MdeModulePkg HiiDatabase Fix potential integer overf.patch

MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 126 103 + 23 - 0 !
1 file changed, 103 insertions(+), 23 deletions(-)

 [PATCH] MdeModulePkg/HiiDatabase: Fix potential integer overflow
 (CVE-2018-12181)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>

0002 MdeModulePkg HiiImage Fix stack overflow when corrup.patch

MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH] MdeModulePkg/HiiImage: Fix stack overflow when corrupted BMP
 is parsed (CVE-2018-12181)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135

For 4bit BMP, there are only 2^4 = 16 colors in the palette.
But when a corrupted BMP contains more than 16 colors in the palette,
today's implementation wrongly copies all colors to the local
PaletteValue[16] array, which causes a stack overflow.

A similar issue also exists in the logic to handle 8bit BMP.

The patch fixes the issue by only copying the first 16 or 256 colors
in the palette depending on the BMP type.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>