From nobody Sun May 19 18:35:14 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+54523+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+54523+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1581911557066227.7211976070056; Sun, 16 Feb 2020 19:52:37 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id O7BEYY1788612xy0ebDZ7PjS; Sun, 16 Feb 2020 19:52:36 -0800 X-Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web12.4246.1581911555337416414 for ; Sun, 16 Feb 2020 19:52:35 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Feb 2020 19:52:34 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,451,1574150400"; d="scan'208";a="228282261" X-Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.8]) by orsmga008.jf.intel.com with ESMTP; 16 Feb 2020 19:52:32 -0800 From: "Wu, Hao A" To: devel@edk2.groups.io Cc: Hao A Wu , Jian J Wang , Ray Ni Subject: [edk2-devel] [PATCH v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in TRB creation (CVE-2019-14587) Date: Mon, 17 Feb 2020 11:52:29 +0800 Message-Id: <20200217035229.16636-1-hao.a.wu@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,hao.a.wu@intel.com X-Gm-Message-State: 4HG3zpeG7uxy6ID6zDbtUZVIx1787277AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1581911556; bh=4oUAKTmyrBRpEzsmhKGx3+CTDd2Mnbs0THIYTW/dkY8=; h=Cc:Date:From:Reply-To:Subject:To; b=OIRpnuEvY1rlI5/uw/oXNjsVJuNm6ULoJ2o8NxCtxYgl5Vedp0hn31jegzvbt5Y5j26 /NQ798/s05pxkwx3nwKLiuiuU6OW6VlT9jSp1MD5u47oDUD4OuWY40tLXGORWAyc4ScAK +PUgYfO7VtLOz9QSm5cSPpoKioNRQcvsuDM= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1989 The commit will avoid unmapping the same resource in error handling logic for function BuildAdmaDescTable() and SdMmcCreateTrb(). For the error handling in BuildAdmaDescTable(): The error is directly related with the corresponding Map() operation (mapped address beyond 4G, which is not supported in ADMA), so the Unmap() operation is done in the error handling logic, and then setting 'Trb->AdmaMap' to NULL to avoid double Unmap. For the error handling in SdMmcCreateTrb(): The error is not directly related with the corresponding Map() operation, so the commit will update the code to left SdMmcFreeTrb() for the Unmap operation to avoid double Unmap. Cc: Jian J Wang Cc: Ray Ni Signed-off-by: Hao A Wu Reviewed-by: Jian J Wang --- MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c b/MdeModulePk= g/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c index da5559ae76..43626fff48 100644 --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c @@ -1544,6 +1544,8 @@ BuildAdmaDescTable ( PciIo, Trb->AdmaMap ); + Trb->AdmaMap =3D NULL; + PciIo->FreeBuffer ( PciIo, EFI_SIZE_TO_PAGES (TableSize), @@ -1753,7 +1755,6 @@ SdMmcCreateTrb ( } Status =3D BuildAdmaDescTable (Trb, Private->ControllerVersion[Slot]= ); if (EFI_ERROR (Status)) { - PciIo->Unmap (PciIo, Trb->DataMap); goto Error; } } else if (Private->Capability[Slot].Sdma !=3D 0) { --=20 2.12.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54523): https://edk2.groups.io/g/devel/message/54523 Mute This Topic: https://groups.io/mt/71343065/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-