Bugzilla – Bug 1188371
VUL-0: CVE-2019-11098: ovmf: insufficient input validation in MdeModulePkg
Last modified: 2023-02-21 05:15:11 UTC

CVE-2019-11098

Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11098
https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability

Created attachment 851042
Patch bundle

0000-cover-letter.patch
0001-MdeModulePkg-PeiCore-Enable-T-RAM-evacuation-in-PeiC.patch
0002-IntelSiliconPkg-PeiFirmwareInterfaceTableLib-Add-ini.patch
0003-UefiCpuPkg-CpuMpPei-Add-GDT-and-IDT-migration-suppor.patch
0004-UefiCpuPkg-SecMigrationPei-Add-initial-PEIM.patch
0005-UefiCpuPkg-UefiCpuPkg.dec-Add-gCpuInitMpLibHobGuid.patch
0006-IntelFsp2WrapperPkg-PeiFspWrapperSecMigrationLib-Add.patch
0007-UefiCpuPkg-MpInitLib-Allow-IDT-swap-on-AP-wakeup.patch
0008-MdeModulePkg-Core-Pei-fix-flash-pointer-in-FV_INFO_P.patch
0009-MdeModulePkg-DxeIplPeim-fix-s3-failure.patch

Upstream bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1614

I did a quick check of the patches. These two patches are not necessary:

0002-IntelSiliconPkg-PeiFirmwareInterfaceTableLib-Add-ini.patch
0006-IntelFsp2WrapperPkg-PeiFspWrapperSecMigrationLib-Add.patch

Both of them are mainly for bare-metal machines with Intel CPUs, and OVMF doesn't use those modules.

Those fixes are already merged into edk2 git: a44f558a84c6..ffde22468e2f0

The catch-up fix was merged later:

f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac
UefiCpuPkg: Move MigrateGdt from DiscoverMemory to TempRamDone.
(CVE-2019-11098)

(In reply to Gary Ching-Pang Lin from comment #3)
> Those fixes are already merged into edk2 git: a44f558a84c6..ffde22468e2f0

The above patches are merged to edk2-stable202008

(In reply to Gary Ching-Pang Lin from comment #4)
> The catch-up fix was merged later:
>
> f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac
> UefiCpuPkg: Move MigrateGdt from DiscoverMemory to TempRamDone.
> (CVE-2019-11098)

The above patch was merged to edk2-stable202102

SLE12-SP2   ovmf-2015+git1462940744.321151f      [checking]
SLE12-SP3   ovmf-2017+git1492060560.b6d11d7c46   [checking]
SLE12-SP4   ovmf-2017+git1510945757.b2662641d5   [checking]
SLE12-SP5   ovmf-2017+git1510945757.b2662641d5   [checking]

SLE15       ovmf-2017+git1510945757.b2662641d5   [checking]
SLE15-SP1   ovmf-2017+git1510945757.b2662641d5   [checking]
SLE15-SP2   edk2-stable201911                    [checking]
SLE15-SP3   edk2-stable202008                    [NEED f6ec1dd34fb]

SLE15-SP4   edk2-stable202202                    [NOT affected]
SLE15-SP5   edk2-stable202208                    [NOT affected]

(In reply to Alexander Bergmann from comment #1)
> Created attachment 851042
> Patch bundle
>
> 0000-cover-letter.patch
> 0001-MdeModulePkg-PeiCore-Enable-T-RAM-evacuation-in-PeiC.patch
> 0002-IntelSiliconPkg-PeiFirmwareInterfaceTableLib-Add-ini.patch
> 0003-UefiCpuPkg-CpuMpPei-Add-GDT-and-IDT-migration-suppor.patch
> 0004-UefiCpuPkg-SecMigrationPei-Add-initial-PEIM.patch
> 0005-UefiCpuPkg-UefiCpuPkg.dec-Add-gCpuInitMpLibHobGuid.patch
> 0006-IntelFsp2WrapperPkg-PeiFspWrapperSecMigrationLib-Add.patch
> 0007-UefiCpuPkg-MpInitLib-Allow-IDT-swap-on-AP-wakeup.patch
> 0008-MdeModulePkg-Core-Pei-fix-flash-pointer-in-FV_INFO_P.patch
> 0009-MdeModulePkg-DxeIplPeim-fix-s3-failure.patch

I have no idea; this patch set is for "Add PEI migration support to EDK2". Does it relate to CVE-2019-11098?

(In reply to Joey Lee from comment #7)
> (In reply to Gary Ching-Pang Lin from comment #3)
> > Those fixes are already merged into edk2 git: a44f558a84c6..ffde22468e2f0
>
> The above patches are merged to edk2-stable202008
>

target patches for backporting:

1facb8fdef6389f390b66da6d8304f54cc93104a
MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Wed, 8 Jul 2020 09:33:46 +0800

9bedaec05b7b8ba9aee248361bb61a85a26726cb
MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098)

60b12e69fb1c8c7180fdda92f008248b9ec83db1
UefiCpuPkg/CpuMpPei: Add GDT migration support (CVE-2019-11098)

479613bd06546e30652354d5dd76ee7b377fb92c
UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)

4b68cef04c70d8fd8a9bf745fc649c84d67531e8
MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098)

012809cdca4b876e675cbd181fee213133858a5e
SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098)

d7c9de51d249ee101b4d90357a4272b36c831047
UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)

92c19c68cb8f3f5313ff886c664b9286fb50632d
UefiCpuPkg: Correct some typos.

ffde22468e2f0e93b51f97b801e6c7a181088c61
SecurityPkg/TcgPei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098)

f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac
UefiCpuPkg: Move MigrateGdt from DiscoverMemory to TempRamDone. (CVE-2019-11098)
Wed Jan 13 18:08:09 2021 +0800

SUSE-SU-2023:0004-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188371
CVE References: CVE-2019-11098
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): ovmf-201911-150200.7.24.1
SUSE Manager Retail Branch Server 4.1 (src): ovmf-201911-150200.7.24.1
SUSE Manager Proxy 4.1 (src): ovmf-201911-150200.7.24.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): ovmf-201911-150200.7.24.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): ovmf-201911-150200.7.24.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): ovmf-201911-150200.7.24.1
SUSE Enterprise Storage 7 (src): ovmf-201911-150200.7.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0036-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188371
CVE References: CVE-2019-11098
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): ovmf-202008-150300.10.17.1
SUSE Manager Server 4.2 (src): ovmf-202008-150300.10.17.1
SUSE Manager Retail Branch Server 4.2 (src): ovmf-202008-150300.10.17.1
SUSE Manager Proxy 4.2 (src): ovmf-202008-150300.10.17.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src): ovmf-202008-150300.10.17.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src): ovmf-202008-150300.10.17.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src): ovmf-202008-150300.10.17.1
SUSE Linux Enterprise Micro 5.2 (src): ovmf-202008-150300.10.17.1
SUSE Linux Enterprise Micro 5.1 (src): ovmf-202008-150300.10.17.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): ovmf-202008-150300.10.17.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): ovmf-202008-150300.10.17.1
SUSE Enterprise Storage 7.1 (src): ovmf-202008-150300.10.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

(In reply to Joey Lee from comment #7)
> (In reply to Gary Ching-Pang Lin from comment #3)
> > Those fixes are already merged into edk2 git: a44f558a84c6..ffde22468e2f0
>
> The above patches are merged to edk2-stable202008
>
> (In reply to Gary Ching-Pang Lin from comment #4)
> > The catch-up fix was merged later:
> >
> > f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac
> > UefiCpuPkg: Move MigrateGdt from DiscoverMemory to TempRamDone.
> > (CVE-2019-11098)
>
> The above patch was merged to edk2-stable202102
>
> SLE12-SP2   ovmf-2015+git1462940744.321151f      [checking]
> SLE12-SP3   ovmf-2017+git1492060560.b6d11d7c46   [checking]
> SLE12-SP4   ovmf-2017+git1510945757.b2662641d5   [checking]
> SLE12-SP5   ovmf-2017+git1510945757.b2662641d5   [checking]
>
> SLE15       ovmf-2017+git1510945757.b2662641d5   [checking]
> SLE15-SP1   ovmf-2017+git1510945757.b2662641d5   [checking]
> SLE15-SP2   edk2-stable201911                    [checking]
> SLE15-SP3   edk2-stable202008                    [NEED f6ec1dd34fb]
>
> SLE15-SP4   edk2-stable202202                    [NOT affected]
> SLE15-SP5   edk2-stable202208                    [NOT affected]

The backported patch/patches have been merged to 15-SP2/15-SP3.

Updated status:

SLE12-SP2   ovmf-2015+git1462940744.321151f      [checking]
SLE12-SP3   ovmf-2017+git1492060560.b6d11d7c46   [checking]
SLE12-SP4   ovmf-2017+git1510945757.b2662641d5   [checking]
SLE12-SP5   ovmf-2017+git1510945757.b2662641d5   [checking]

SLE15       ovmf-2017+git1510945757.b2662641d5   [checking]
SLE15-SP1   ovmf-2017+git1510945757.b2662641d5   [checking]
SLE15-SP2   edk2-stable201911                    [OK]
SLE15-SP3   edk2-stable202008                    [OK]

SLE15-SP4   edk2-stable202202                    [INCLUDED]
SLE15-SP5   edk2-stable202208                    [INCLUDED]

(In reply to Joey Lee from comment #16)
> (In reply to Joey Lee from comment #7)
> > (In reply to Gary Ching-Pang Lin from comment #3)
> > > Those fixes are already merged into edk2 git: a44f558a84c6..ffde22468e2f0
> >
> > The above patches are merged to edk2-stable202008
> >
> > (In reply to Gary Ching-Pang Lin from comment #4)
> > > The catch-up fix was merged later:
> > >
> > > f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac
> > > UefiCpuPkg: Move MigrateGdt from DiscoverMemory to TempRamDone.
> > > (CVE-2019-11098)
> >
> > The above patch was merged to edk2-stable202102
> >
> > SLE12-SP2   ovmf-2015+git1462940744.321151f      [checking]
> > SLE12-SP3   ovmf-2017+git1492060560.b6d11d7c46   [checking]
> > SLE12-SP4   ovmf-2017+git1510945757.b2662641d5   [checking]
> > SLE12-SP5   ovmf-2017+git1510945757.b2662641d5   [checking]
> >
> > SLE15       ovmf-2017+git1510945757.b2662641d5   [checking]
> > SLE15-SP1   ovmf-2017+git1510945757.b2662641d5   [checking]
> > SLE15-SP2   edk2-stable201911                    [checking]
> > SLE15-SP3   edk2-stable202008                    [NEED f6ec1dd34fb]
> >
> > SLE15-SP4   edk2-stable202202                    [NOT affected]
> > SLE15-SP5   edk2-stable202208                    [NOT affected]
>
> The backported patch/patches have been merged to 15-SP2/15-SP3.
>
> Updated status:
>
> SLE12-SP2   ovmf-2015+git1462940744.321151f      [checking]
> SLE12-SP3   ovmf-2017+git1492060560.b6d11d7c46   [checking]
> SLE12-SP4   ovmf-2017+git1510945757.b2662641d5   [checking]
> SLE12-SP5   ovmf-2017+git1510945757.b2662641d5   [checking]
>
> SLE15       ovmf-2017+git1510945757.b2662641d5   [checking]
> SLE15-SP1   ovmf-2017+git1510945757.b2662641d5   [checking]

I have tried to backport patches to ovmf-2017+, but it missed too many patches in PEI. It doesn't make sense to backport all patches, and I am afraid it breaks other things. So, I want to set WONTFIX to SLE15-SP1 and previous versions.

> SLE15-SP2   edk2-stable201911                    [OK]
> SLE15-SP3   edk2-stable202008                    [OK]
>
> SLE15-SP4   edk2-stable202202                    [INCLUDED]
> SLE15-SP5   edk2-stable202208                    [INCLUDED]

I have backported patches to 15-SP2/SP3.