Bug 1683372 (CVE-2018-12180) - CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk
Summary: CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-12180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1683374 1683373 1684005 1684006 1684007 1684983 1684984 1690501
Blocks: 1683333
TreeView+ depends on / blocked
 
Reported: 2019-02-26 17:40 UTC by Laura Pardo
Modified: 2020-04-27 18:19 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in edk2. When registering a RAM disk whose size is not a multiple of 512 bytes, the BlockIo protocol produced by the RamDiskDxe driver will incur memory read/write overrun. The memory overrun will happen when reading/writing the last block on the RAM disk. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:48:56 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0809 0 None None None 2019-04-23 14:27:32 UTC
Red Hat Product Errata RHSA-2019:0968 0 None None None 2019-05-07 04:18:18 UTC
Red Hat Product Errata RHSA-2019:1116 0 None None None 2019-05-08 13:43:54 UTC
TianoCore 1134 0 None None None 2019-08-01 19:32:35 UTC

Description Laura Pardo 2019-02-26 17:40:53 UTC 
A flaw was found in edk2. When registering a Ram disk whose size is not a multiple of 512 bytes, the BlockIo protocol produced by the RamDiskDxe driver will incur memory read/write overrun. The memory overrun will happen when reading/writing the last block on the Ram disk.


Upstream Bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=1134

Upstream Patch:
https://lists.01.org/pipermail/edk2-devel/2019-February/037248.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037249.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037250.html
Comment 1 Laura Pardo 2019-02-26 17:41:14 UTC 
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1683374]
Affects: fedora-all [bug 1683373]
Comment 11 Riccardo Schirone 2019-03-01 15:09:27 UTC 
Functions RamDiskBlkIoWriteBlocks() and RamDiskBlkIoReadBlocks() in RamDiskDxe/RamDiskBlockIo.c do not correctly check the last block when writing/reading to/from a RamDisk that has a size not multiple of 512 bytes. An attacker may use this flaw by loading a maliciously crafted ramdisk and making the firmware overwrites area of memory beyond the intended buffer, causing system crashes or other unspecified effects.
Comment 13 errata-xmlrpc 2019-04-23 14:27:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0809 https://access.redhat.com/errata/RHSA-2019:0809
Comment 27 errata-xmlrpc 2019-05-07 04:18:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0968 https://access.redhat.com/errata/RHSA-2019:0968
Comment 28 errata-xmlrpc 2019-05-08 13:43:52 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1116 https://access.redhat.com/errata/RHSA-2019:1116
Note You need to log in before you can comment on or make changes to this bug.