A flaw was found in edk2. When registering a Ram disk whose size is not a multiple of 512 bytes, the BlockIo protocol produced by the RamDiskDxe driver will incur a memory read/write overrun. The memory overrun will happen when reading/writing the last block on the Ram disk.

Upstream Bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=1134

Upstream Patch:
https://lists.01.org/pipermail/edk2-devel/2019-February/037248.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037249.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037250.html

Created edk2 tracking bugs for this issue: Affects: epel-all [bug 1683374] Affects: fedora-all [bug 1683373]
Functions RamDiskBlkIoWriteBlocks() and RamDiskBlkIoReadBlocks() in RamDiskDxe/RamDiskBlockIo.c do not correctly check the last block when writing/reading to/from a RamDisk that has a size that is not a multiple of 512 bytes. An attacker may use this flaw by loading a maliciously crafted ramdisk and making the firmware overwrite an area of memory beyond the intended buffer, causing system crashes or other unspecified effects.
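
The last-block condition described above, as an added example that is not part of the original report and is not edk2 code. It is a simplified model that assumes the advertised last block number is derived by rounding the disk size up to whole 512-byte blocks; the struct, function names and the 1000-byte sample disk are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 512u              /* block size named in the report */

typedef struct {                     /* hypothetical model, not edk2's struct */
    uint8_t *base;                   /* backing memory */
    uint64_t size;                   /* registered size in bytes, must be > 0 */
    uint64_t last_block;             /* highest LBA advertised to callers */
} ramdisk_t;

/* Assumed flawed geometry: rounding up advertises a partial final block. */
static uint64_t last_block_round_up(uint64_t size) {
    return (size + BLOCK_SIZE - 1) / BLOCK_SIZE - 1;
}

/* Bytes past the buffer that a full-block access to the last LBA would touch. */
static uint64_t overrun_bytes(const ramdisk_t *d) {
    uint64_t end = (d->last_block + 1) * BLOCK_SIZE;
    return end > d->size ? end - d->size : 0;
}

/* Hardened read: checks the byte range, not only the LBA. 0 = ok, -1 = rejected. */
static int ramdisk_read(const ramdisk_t *d, uint64_t lba, void *buf, uint64_t len) {
    if (len == 0) return 0;
    if (len % BLOCK_SIZE != 0 || lba > d->last_block) return -1;
    uint64_t off = lba * BLOCK_SIZE;
    if (off >= d->size || len > d->size - off) return -1;  /* would leave the buffer */
    memcpy(buf, d->base + off, (size_t)len);
    return 0;
}

/* Constructed sample: a 1000-byte disk (not a multiple of 512). */
static uint8_t backing[1000];
static ramdisk_t sample_disk(void) {
    ramdisk_t d = { backing, sizeof backing, last_block_round_up(sizeof backing) };
    return d;
}

int main(void) {
    ramdisk_t d = sample_disk();
    uint8_t buf[BLOCK_SIZE];
    printf("last LBA %llu, overrun %llu bytes\n",
           (unsigned long long)d.last_block, (unsigned long long)overrun_bytes(&d));
    printf("read LBA 0: %d, read LBA 1: %d\n",
           ramdisk_read(&d, 0, buf, sizeof buf), ramdisk_read(&d, 1, buf, sizeof buf));
    return 0;
}
```

A check that compares only the LBA against the advertised last block accepts LBA 1 on this sample disk; the byte-range check rejects it because only 488 bytes remain at that offset.
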
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0809 https://access.redhat.com/errata/RHSA-2019:0809
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:0968 https://access.redhat.com/errata/RHSA-2019:0968
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:1116 https://access.redhat.com/errata/RHSA-2019:1116