From e31501c5ae754c1dc64c29c046c92fa122918f7717955cc2b48ff5893fa92557 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
Date: Tue, 5 Jul 2016 15:38:07 +0000
Subject: [PATCH] Accepting request 406664 from home:gary_lin:branches:Virtualization

- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
 ipxe-efi-fix-garbage-bytes-in-device-path.patch
 ipxe-efi-fix-uninitialised-data-in-HII.patch

OBS-URL: https://build.opensuse.org/request/show/406664
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=302
---
 ...efi-fix-garbage-bytes-in-device-path.patch | 40 +++++++++++++++++++
 ipxe-efi-fix-uninitialised-data-in-HII.patch | 35 ++++++++++++++++
 qemu-testsuite.changes | 7 ++++
 qemu-testsuite.spec | 4 ++
 qemu.changes | 7 ++++
 qemu.spec | 4 ++
 qemu.spec.in | 4 ++
 7 files changed, 101 insertions(+)
 create mode 100644 ipxe-efi-fix-garbage-bytes-in-device-path.patch
 create mode 100644 ipxe-efi-fix-uninitialised-data-in-HII.patch

diff --git a/ipxe-efi-fix-garbage-bytes-in-device-path.patch b/ipxe-efi-fix-garbage-bytes-in-device-path.patch
new file mode 100644
index 00000000..af746f0e
--- /dev/null
+++ b/ipxe-efi-fix-garbage-bytes-in-device-path.patch
@@ -0,0 +1,40 @@
+From 632e57f0f36d9b48f574db273a19e26bf592fc99 Mon Sep 17 00:00:00 2001
+From: Michael Brown
+Date: Wed, 22 Jun 2016 09:07:20 +0100
+Subject: [PATCH] [efi] Do not copy garbage bytes into SNP device path MAC
+ address
+
+The SNP device path includes the network device's MAC address within
+the MAC_ADDR_DEVICE_PATH.MacAddress field. We check that the
+link-layer address will fit within this field, and then perform the
+copy using the length of the destination buffer.
+
+At 32 bytes, the MacAddress field is actually larger than the current
+maximum iPXE link-layer address. The copy therefore overflows the
+source buffer, resulting in trailing garbage bytes being appended to
+the device path's MacAddress. This is invisible in debug messages,
+since the DevicePathToText protocol will render only the length
+implied by the interface type.
+
+Fix by copying only the actual length of the link-layer address (which
+we have already verified will not overflow the destination buffer).
+
+Debugged-by: Laszlo Ersek
+Signed-off-by: Michael Brown
+---
+ src/interface/efi/efi_snp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ipxe/src/interface/efi/efi_snp.c
+===================================================================
+--- ipxe.orig/src/interface/efi/efi_snp.c
++++ ipxe/src/interface/efi/efi_snp.c
+@@ -1049,7 +1049,7 @@ static int efi_snp_probe ( struct net_de
+ macpath->Header.SubType = MSG_MAC_ADDR_DP;
+ macpath->Header.Length[0] = sizeof ( *macpath );
+ memcpy ( &macpath->MacAddress, netdev->ll_addr,
+- sizeof ( macpath->MacAddress ) );
++ netdev->ll_protocol->ll_addr_len );
+ macpath->IfType = ntohs ( netdev->ll_protocol->ll_proto );
+ memset ( path_end, 0, sizeof ( *path_end ) );
+ path_end->Type = END_DEVICE_PATH_TYPE;
diff --git a/ipxe-efi-fix-uninitialised-data-in-HII.patch b/ipxe-efi-fix-uninitialised-data-in-HII.patch
new file mode 100644
index 00000000..6c118112
--- /dev/null
+++ b/ipxe-efi-fix-uninitialised-data-in-HII.patch
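Review bot: In the efi_snp.c hunk carried by ipxe-efi-fix-garbage-bytes-in-device-path.patch, the bytes of `macpath->MacAddress` beyond `ll_addr_len` are no longer written by the memcpy, so they keep whatever the allocation held unless the buffer was zero-allocated, which the hunk does not show; the neighbouring `memset ( path_end, 0, sizeof ( *path_end ) )` suggests fields are cleared one by one rather than assumed zero. A `memset ( &macpath->MacAddress, 0, sizeof ( macpath->MacAddress ) );` before the memcpy would make the trailing bytes deterministic regardless of the allocator. The new copy length is only safe because of the fit check the commit message describes, which sits above the hunk; a comment such as `/* ll_addr_len already checked against sizeof ( macpath->MacAddress ) */` on the memcpy would record that dependency. efi_snp_probe starts and ends outside the hunk.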
@@ -0,0 +1,35 @@
+From c9f6a8605955926017cdbe2fa99a4b72fd0985a2 Mon Sep 17 00:00:00 2001
+From: Michael Brown
+Date: Wed, 29 Jun 2016 15:13:35 +0100
+Subject: [PATCH] [efi] Fix uninitialised data in HII IFR structures
+
+The HII IFR structures are allocated via realloc() rather than
+zalloc(), and so are not automatically zeroed. This results in the
+presence of uninitialised and invalid data, causing crashes elsewhere
+in the UEFI firmware.
+
+Fix by explicitly zeroing the newly allocated portion of any IFR
+structure in efi_ifr_op().
+
+Debugged-by: Laszlo Ersek
+Debugged-by: Gary Lin
+Signed-off-by: Michael Brown
+---
+ src/interface/efi/efi_hii.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c
+index 0ea970e..506fc88 100644
+--- a/src/interface/efi/efi_hii.c
++++ b/src/interface/efi/efi_hii.c
+@@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder *ifr, unsigned int opcode,
+ ifr->ops_len = new_ops_len;
+
+ /* Fill in opcode header */
++ memset ( op, 0, len );
+ op->OpCode = opcode;
+ op->Length = len;
+
+--
+2.8.4
+
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index afc6513c..71551775 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul 4 06:20:16 UTC 2016 - glin@suse.com
+
+- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
+ ipxe-efi-fix-garbage-bytes-in-device-path.patch
+ ipxe-efi-fix-uninitialised-data-in-HII.patch
+
 -------------------------------------------------------------------
 Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com
 
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index 28079b07..3fababac 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
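Review bot: The new `memset ( op, 0, len )` in the efi_hii.c hunk carried by ipxe-efi-fix-uninitialised-data-in-HII.patch clears `len` bytes at `op`, but whether that covers the whole region realloc() just grew (`new_ops_len` minus the previous `ifr->ops_len`) and whether `op` is guaranteed non-NULL on the realloc failure path are both decided above the hunk, so they cannot be confirmed from here. The surviving comment describes only the header fill; a comment such as `/* Opcode storage comes from realloc() and is not zeroed; clear it before use */` above the memset would explain why the clear is needed. efi_ifr_op starts and ends outside the hunk.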
@@ -143,6 +143,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
 Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
 Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
 Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
+Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
+Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
 %endif
 
 # this is to make lint happy
@@ -749,6 +751,8 @@ pushd roms/ipxe
 %patch1104 -p1
 %patch1105 -p1
 %patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
 popd
 
 # as a safeguard, delete the firmware files that we intend to build
diff --git a/qemu.changes b/qemu.changes
index afc6513c..71551775 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul 4 06:20:16 UTC 2016 - glin@suse.com
+
+- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
+ ipxe-efi-fix-garbage-bytes-in-device-path.patch
+ ipxe-efi-fix-uninitialised-data-in-HII.patch
+
 -------------------------------------------------------------------
 Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com
 
diff --git a/qemu.spec b/qemu.spec
index 5241f5b3..19bb6019 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -143,6 +143,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
 Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
 Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
 Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
+Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
+Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
 %endif
 
 # this is to make lint happy
@@ -749,6 +751,8 @@ pushd roms/ipxe
 %patch1104 -p1
 %patch1105 -p1
 %patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
 popd
 
 # as a safeguard, delete the firmware files that we intend to build
diff --git a/qemu.spec.in b/qemu.spec.in
index f84e4a41..5c48cec4 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -83,6 +83,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
 Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
 Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
 Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
+Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
+Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
 %endif
 
 # this is to make lint happy
@@ -629,6 +631,8 @@ pushd roms/ipxe
 %patch1104 -p1
 %patch1105 -p1
 %patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
 popd