SHA256
1
0
forked from pool/qemu

Accepting request 406664 from home:gary_lin:branches:Virtualization

- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
  ipxe-efi-fix-garbage-bytes-in-device-path.patch
  ipxe-efi-fix-uninitialised-data-in-HII.patch

OBS-URL: https://build.opensuse.org/request/show/406664
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=302
This commit is contained in:
Andreas Färber 2016-07-05 15:38:07 +00:00 committed by Git OBS Bridge
parent 3c24c39f7c
commit 481f3ccdfb
7 changed files with 101 additions and 0 deletions

View File

@ -0,0 +1,40 @@
From 632e57f0f36d9b48f574db273a19e26bf592fc99 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 22 Jun 2016 09:07:20 +0100
Subject: [PATCH] [efi] Do not copy garbage bytes into SNP device path MAC
address
The SNP device path includes the network device's MAC address within
the MAC_ADDR_DEVICE_PATH.MacAddress field. We check that the
link-layer address will fit within this field, and then perform the
copy using the length of the destination buffer.
At 32 bytes, the MacAddress field is actually larger than the current
maximum iPXE link-layer address. The copy therefore overflows the
source buffer, resulting in trailing garbage bytes being appended to
the device path's MacAddress. This is invisible in debug messages,
since the DevicePathToText protocol will render only the length
implied by the interface type.
Fix by copying only the actual length of the link-layer address (which
we have already verified will not overflow the destination buffer).
Debugged-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
src/interface/efi/efi_snp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: ipxe/src/interface/efi/efi_snp.c
===================================================================
--- ipxe.orig/src/interface/efi/efi_snp.c
+++ ipxe/src/interface/efi/efi_snp.c
@@ -1049,7 +1049,7 @@ static int efi_snp_probe ( struct net_de
macpath->Header.SubType = MSG_MAC_ADDR_DP;
macpath->Header.Length[0] = sizeof ( *macpath );
memcpy ( &macpath->MacAddress, netdev->ll_addr,
- sizeof ( macpath->MacAddress ) );
+ netdev->ll_protocol->ll_addr_len );
macpath->IfType = ntohs ( netdev->ll_protocol->ll_proto );
memset ( path_end, 0, sizeof ( *path_end ) );
path_end->Type = END_DEVICE_PATH_TYPE;

View File

@ -0,0 +1,35 @@
From c9f6a8605955926017cdbe2fa99a4b72fd0985a2 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 29 Jun 2016 15:13:35 +0100
Subject: [PATCH] [efi] Fix uninitialised data in HII IFR structures
The HII IFR structures are allocated via realloc() rather than
zalloc(), and so are not automatically zeroed. This results in the
presence of uninitialised and invalid data, causing crashes elsewhere
in the UEFI firmware.
Fix by explicitly zeroing the newly allocated portion of any IFR
structure in efi_ifr_op().
Debugged-by: Laszlo Ersek <lersek@redhat.com>
Debugged-by: Gary Lin <glin@suse.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
src/interface/efi/efi_hii.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c
index 0ea970e..506fc88 100644
--- a/src/interface/efi/efi_hii.c
+++ b/src/interface/efi/efi_hii.c
@@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder *ifr, unsigned int opcode,
ifr->ops_len = new_ops_len;
/* Fill in opcode header */
+ memset ( op, 0, len );
op->OpCode = opcode;
op->Length = len;
--
2.8.4

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jul 4 06:20:16 UTC 2016 - glin@suse.com
- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
ipxe-efi-fix-garbage-bytes-in-device-path.patch
ipxe-efi-fix-uninitialised-data-in-HII.patch
-------------------------------------------------------------------
Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com

View File

@ -143,6 +143,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
%endif
# this is to make lint happy
@ -749,6 +751,8 @@ pushd roms/ipxe
%patch1104 -p1
%patch1105 -p1
%patch1106 -p1
%patch1107 -p1
%patch1108 -p1
popd
# as a safeguard, delete the firmware files that we intend to build

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jul 4 06:20:16 UTC 2016 - glin@suse.com
- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
ipxe-efi-fix-garbage-bytes-in-device-path.patch
ipxe-efi-fix-uninitialised-data-in-HII.patch
-------------------------------------------------------------------
Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com

View File

@ -143,6 +143,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
%endif
# this is to make lint happy
@ -749,6 +751,8 @@ pushd roms/ipxe
%patch1104 -p1
%patch1105 -p1
%patch1106 -p1
%patch1107 -p1
%patch1108 -p1
popd
# as a safeguard, delete the firmware files that we intend to build

View File

@ -83,6 +83,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
%endif
# this is to make lint happy
@ -629,6 +631,8 @@ pushd roms/ipxe
%patch1104 -p1
%patch1105 -p1
%patch1106 -p1
%patch1107 -p1
%patch1108 -p1
popd