Bug 1683372 (CVE-2018-12180)

Summary: CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: berrange, bmcclain, crobinso, cshao, dblechte, dfediuck, dmoppert, eedri, kraxel, lersek, lsvaty, mgoldboi, michal.skrivanek, pbonzini, philmd, rdlugyhe, rschiron, sbonazzo, security-response-team, sherold, virt-maint, virt-maint, yozone, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in edk2. When registering a RAM disk whose size is not a multiple of 512 bytes, the BlockIo protocol produced by the RamDiskDxe driver will incur memory read/write overrun. The memory overrun will happen when reading/writing the last block on the RAM disk. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:48:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1683374, 1683373, 1684005, 1684006, 1684007, 1684983, 1684984, 1690501    
Bug Blocks: 1683333    

Description Laura Pardo 2019-02-26 17:40:53 UTC 
A flaw was found in edk2. When registering a Ram disk whose size is not a multiple of 512 bytes, the BlockIo protocol produced by the RamDiskDxe driver will incur memory read/write overrun. The memory overrun will happen when reading/writing the last block on the Ram disk.


Upstream Bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=1134

Upstream Patch:
https://lists.01.org/pipermail/edk2-devel/2019-February/037248.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037249.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037250.html
Comment 1 Laura Pardo 2019-02-26 17:41:14 UTC 
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1683374]
Affects: fedora-all [bug 1683373]
Comment 11 Riccardo Schirone 2019-03-01 15:09:27 UTC 
Functions RamDiskBlkIoWriteBlocks() and RamDiskBlkIoReadBlocks() in RamDiskDxe/RamDiskBlockIo.c do not correctly check the last block when writing/reading to/from a RamDisk that has a size not multiple of 512 bytes. An attacker may use this flaw by loading a maliciously crafted ramdisk and making the firmware overwrites area of memory beyond the intended buffer, causing system crashes or other unspecified effects.
Comment 13 errata-xmlrpc 2019-04-23 14:27:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0809 https://access.redhat.com/errata/RHSA-2019:0809
Comment 27 errata-xmlrpc 2019-05-07 04:18:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0968 https://access.redhat.com/errata/RHSA-2019:0968
Comment 28 errata-xmlrpc 2019-05-08 13:43:52 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1116 https://access.redhat.com/errata/RHSA-2019:1116