Accepting request 406664 from home:gary_lin:branches:Virtualization

- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
  ipxe-efi-fix-garbage-bytes-in-device-path.patch
  ipxe-efi-fix-uninitialised-data-in-HII.patch

OBS-URL: https://build.opensuse.org/request/show/406664
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=302

parent 3c24c39f7c
commit 481f3ccdfb
40
ipxe-efi-fix-garbage-bytes-in-device-path.patch
Normal file
@ -0,0 +1,40 @@
From 632e57f0f36d9b48f574db273a19e26bf592fc99 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 22 Jun 2016 09:07:20 +0100
Subject: [PATCH] [efi] Do not copy garbage bytes into SNP device path MAC
address
The SNP device path includes the network device's MAC address within
the MAC_ADDR_DEVICE_PATH.MacAddress field. We check that the
link-layer address will fit within this field, and then perform the
copy using the length of the destination buffer.
At 32 bytes, the MacAddress field is actually larger than the current
maximum iPXE link-layer address. The copy therefore overflows the
source buffer, resulting in trailing garbage bytes being appended to
the device path's MacAddress. This is invisible in debug messages,
since the DevicePathToText protocol will render only the length
implied by the interface type.
Fix by copying only the actual length of the link-layer address (which
we have already verified will not overflow the destination buffer).
Debugged-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
src/interface/efi/efi_snp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: ipxe/src/interface/efi/efi_snp.c
===================================================================
--- ipxe.orig/src/interface/efi/efi_snp.c
+++ ipxe/src/interface/efi/efi_snp.c
@@ -1049,7 +1049,7 @@ static int efi_snp_probe ( struct net_de
macpath->Header.SubType = MSG_MAC_ADDR_DP;
macpath->Header.Length[0] = sizeof ( *macpath );
memcpy ( &macpath->MacAddress, netdev->ll_addr,
- sizeof ( macpath->MacAddress ) );
+ netdev->ll_protocol->ll_addr_len );
macpath->IfType = ntohs ( netdev->ll_protocol->ll_proto );
memset ( path_end, 0, sizeof ( *path_end ) );
path_end->Type = END_DEVICE_PATH_TYPE;
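Review bot: With the memcpy length reduced to netdev->ll_protocol->ll_addr_len, the remaining bytes of the 32-byte MacAddress field are no longer written at all, and nothing in this hunk shows them being zeroed. If the buffer holding macpath is not allocated zero-filled, the trailing bytes are still indeterminate, only from a different source; confirm the allocation zeroes the path or add a memset of macpath->MacAddress before the copy. The commit message says the length was already checked against the field size; a short comment at the memcpy pointing to that check would keep the two from drifting apart.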
35
ipxe-efi-fix-uninitialised-data-in-HII.patch
Normal file
@ -0,0 +1,35 @@
From c9f6a8605955926017cdbe2fa99a4b72fd0985a2 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 29 Jun 2016 15:13:35 +0100
Subject: [PATCH] [efi] Fix uninitialised data in HII IFR structures
The HII IFR structures are allocated via realloc() rather than
zalloc(), and so are not automatically zeroed. This results in the
presence of uninitialised and invalid data, causing crashes elsewhere
in the UEFI firmware.
Fix by explicitly zeroing the newly allocated portion of any IFR
structure in efi_ifr_op().
Debugged-by: Laszlo Ersek <lersek@redhat.com>
Debugged-by: Gary Lin <glin@suse.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
src/interface/efi/efi_hii.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c
index 0ea970e..506fc88 100644
--- a/src/interface/efi/efi_hii.c
+++ b/src/interface/efi/efi_hii.c
@@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder *ifr, unsigned int opcode,
ifr->ops_len = new_ops_len;
/* Fill in opcode header */
+ memset ( op, 0, len );
op->OpCode = opcode;
op->Length = len;
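Review bot: The new memset ( op, 0, len ) sits under the existing comment /* Fill in opcode header */, which now describes only the two assignments after it. Give the memset its own comment saying that realloc() does not zero the new region, so the reason survives outside the commit message. The call also relies on op pointing at the start of the newly added len bytes and on a failed realloc() having returned earlier; neither is visible in this context, so check both against the full function.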
--
2.8.4
@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jul 4 06:20:16 UTC 2016 - glin@suse.com
- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
ipxe-efi-fix-garbage-bytes-in-device-path.patch
ipxe-efi-fix-uninitialised-data-in-HII.patch
-------------------------------------------------------------------
Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com
@ -143,6 +143,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
%endif
# this is to make lint happy
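Review bot: Patch1107 and Patch1108 are declared directly before %endif, so they exist only when the enclosing condition is true. The %patch1107 and %patch1108 lines in %prep need to sit under the same condition, as for Patch1103 to Patch1106; the condition itself is outside the visible context, so confirm both ends match.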
@ -749,6 +751,8 @@ pushd roms/ipxe
%patch1104 -p1
%patch1105 -p1
%patch1106 -p1
%patch1107 -p1
%patch1108 -p1
popd
# as a safeguard, delete the firmware files that we intend to build
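Review bot: %patch1107 and %patch1108 are both applied with -p1, but the two patch files use different path styles: the device-path patch has quilt-style headers (--- ipxe.orig/src/... and +++ ipxe/src/...) while the HII patch has git-style a/ and b/ prefixes. Both resolve to src/interface/efi/... under roms/ipxe with one component stripped, so the build works, but refreshing one of them so the pair share a format would make future rebases less error-prone.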
@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jul 4 06:20:16 UTC 2016 - glin@suse.com
- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
ipxe-efi-fix-garbage-bytes-in-device-path.patch
ipxe-efi-fix-uninitialised-data-in-HII.patch
-------------------------------------------------------------------
Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com
@ -143,6 +143,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
%endif
# this is to make lint happy
@ -749,6 +751,8 @@ pushd roms/ipxe
%patch1104 -p1
%patch1105 -p1
%patch1106 -p1
%patch1107 -p1
%patch1108 -p1
popd
# as a safeguard, delete the firmware files that we intend to build
@ -83,6 +83,8 @@ Patch1103: ipxe-skge-Fix-building-with-GCC-6.patch
Patch1104: ipxe-ath-Fix-building-with-GCC-6.patch
Patch1105: ipxe-legacy-Fix-building-with-GCC-6.patch
Patch1106: ipxe-util-v5.24-perl-errors-on-redeclare.patch
Patch1107: ipxe-efi-fix-garbage-bytes-in-device-path.patch
Patch1108: ipxe-efi-fix-uninitialised-data-in-HII.patch
%endif
# this is to make lint happy
@ -629,6 +631,8 @@ pushd roms/ipxe
%patch1104 -p1
%patch1105 -p1
%patch1106 -p1
%patch1107 -p1
%patch1108 -p1
popd