Accepting request 406664 from home:gary_lin:branches:Virtualization

- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
  ipxe-efi-fix-garbage-bytes-in-device-path.patch
  ipxe-efi-fix-uninitialised-data-in-HII.patch

OBS-URL: https://build.opensuse.org/request/show/406664
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=302

ipxe-efi-fix-garbage-bytes-in-device-path.patch

@@ -0,0 +1,40 @@
+From 632e57f0f36d9b48f574db273a19e26bf592fc99 Mon Sep 17 00:00:00 2001
+From: Michael Brown <mcb30@ipxe.org>
+Date: Wed, 22 Jun 2016 09:07:20 +0100
+Subject: [PATCH] [efi] Do not copy garbage bytes into SNP device path MAC
+ address
+
+The SNP device path includes the network device's MAC address within
+the MAC_ADDR_DEVICE_PATH.MacAddress field.  We check that the
+link-layer address will fit within this field, and then perform the
+copy using the length of the destination buffer.
+
+At 32 bytes, the MacAddress field is actually larger than the current
+maximum iPXE link-layer address.  The copy therefore overflows the
+source buffer, resulting in trailing garbage bytes being appended to
+the device path's MacAddress.  This is invisible in debug messages,
+since the DevicePathToText protocol will render only the length
+implied by the interface type.
+
+Fix by copying only the actual length of the link-layer address (which
+we have already verified will not overflow the destination buffer).
+
+Debugged-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Michael Brown <mcb30@ipxe.org>
+---
+ src/interface/efi/efi_snp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ipxe/src/interface/efi/efi_snp.c
+===================================================================
+--- ipxe.orig/src/interface/efi/efi_snp.c
++++ ipxe/src/interface/efi/efi_snp.c
+@@ -1049,7 +1049,7 @@ static int efi_snp_probe ( struct net_de
+ 	macpath->Header.SubType = MSG_MAC_ADDR_DP;
+ 	macpath->Header.Length[0] = sizeof ( *macpath );
+ 	memcpy ( &macpath->MacAddress, netdev->ll_addr,
+-		 sizeof ( macpath->MacAddress ) );
++		 netdev->ll_protocol->ll_addr_len );
+ 	macpath->IfType = ntohs ( netdev->ll_protocol->ll_proto );
+ 	memset ( path_end, 0, sizeof ( *path_end ) );
+ 	path_end->Type = END_DEVICE_PATH_TYPE;

ipxe-efi-fix-uninitialised-data-in-HII.patch

@@ -0,0 +1,35 @@
+From c9f6a8605955926017cdbe2fa99a4b72fd0985a2 Mon Sep 17 00:00:00 2001
+From: Michael Brown <mcb30@ipxe.org>
+Date: Wed, 29 Jun 2016 15:13:35 +0100
+Subject: [PATCH] [efi] Fix uninitialised data in HII IFR structures
+
+The HII IFR structures are allocated via realloc() rather than
+zalloc(), and so are not automatically zeroed.  This results in the
+presence of uninitialised and invalid data, causing crashes elsewhere
+in the UEFI firmware.
+
+Fix by explicitly zeroing the newly allocated portion of any IFR
+structure in efi_ifr_op().
+
+Debugged-by: Laszlo Ersek <lersek@redhat.com>
+Debugged-by: Gary Lin <glin@suse.com>
+Signed-off-by: Michael Brown <mcb30@ipxe.org>
+---
+ src/interface/efi/efi_hii.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c
+index 0ea970e..506fc88 100644
+--- a/src/interface/efi/efi_hii.c
++++ b/src/interface/efi/efi_hii.c
+@@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder *ifr, unsigned int opcode,
+ 	ifr->ops_len = new_ops_len;
+ 
+ 	/* Fill in opcode header */
++	memset ( op, 0, len );
+ 	op->OpCode = opcode;
+ 	op->Length = len;
+ 
+-- 
+2.8.4
+

qemu-testsuite.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul  4 06:20:16 UTC 2016 - glin@suse.com
+
+- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
+  ipxe-efi-fix-garbage-bytes-in-device-path.patch
+  ipxe-efi-fix-uninitialised-data-in-HII.patch
+
 -------------------------------------------------------------------
 Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com
 

qemu-testsuite.spec

@@ -143,6 +143,8 @@ Patch1103:      ipxe-skge-Fix-building-with-GCC-6.patch
 Patch1104:      ipxe-ath-Fix-building-with-GCC-6.patch
 Patch1105:      ipxe-legacy-Fix-building-with-GCC-6.patch
 Patch1106:      ipxe-util-v5.24-perl-errors-on-redeclare.patch
+Patch1107:      ipxe-efi-fix-garbage-bytes-in-device-path.patch
+Patch1108:      ipxe-efi-fix-uninitialised-data-in-HII.patch
 %endif
 
 # this is to make lint happy
@@ -749,6 +751,8 @@ pushd roms/ipxe
 %patch1104 -p1
 %patch1105 -p1
 %patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
 popd
 
 # as a safeguard, delete the firmware files that we intend to build

qemu.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul  4 06:20:16 UTC 2016 - glin@suse.com
+
+- Fix OVMF iPXE network menu (bsc#986033, boo#987488)
+  ipxe-efi-fix-garbage-bytes-in-device-path.patch
+  ipxe-efi-fix-uninitialised-data-in-HII.patch
+
 -------------------------------------------------------------------
 Fri Jun 10 20:25:21 UTC 2016 - brogers@suse.com
 

qemu.spec

@@ -143,6 +143,8 @@ Patch1103:      ipxe-skge-Fix-building-with-GCC-6.patch
 Patch1104:      ipxe-ath-Fix-building-with-GCC-6.patch
 Patch1105:      ipxe-legacy-Fix-building-with-GCC-6.patch
 Patch1106:      ipxe-util-v5.24-perl-errors-on-redeclare.patch
+Patch1107:      ipxe-efi-fix-garbage-bytes-in-device-path.patch
+Patch1108:      ipxe-efi-fix-uninitialised-data-in-HII.patch
 %endif
 
 # this is to make lint happy
@@ -749,6 +751,8 @@ pushd roms/ipxe
 %patch1104 -p1
 %patch1105 -p1
 %patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
 popd
 
 # as a safeguard, delete the firmware files that we intend to build

qemu.spec.in

@@ -83,6 +83,8 @@ Patch1103:      ipxe-skge-Fix-building-with-GCC-6.patch
 Patch1104:      ipxe-ath-Fix-building-with-GCC-6.patch
 Patch1105:      ipxe-legacy-Fix-building-with-GCC-6.patch
 Patch1106:      ipxe-util-v5.24-perl-errors-on-redeclare.patch
+Patch1107:      ipxe-efi-fix-garbage-bytes-in-device-path.patch
+Patch1108:      ipxe-efi-fix-uninitialised-data-in-HII.patch
 %endif
 
 # this is to make lint happy
@@ -629,6 +631,8 @@ pushd roms/ipxe
 %patch1104 -p1
 %patch1105 -p1
 %patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
 popd