[edk2-devel] [PATCH v7 01/10] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Laszlo Ersek
lersek at redhat.com
Wed Jul 22 21:19:40 UTC 2020
On 07/22/20 10:36, Guomin Jiang wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> The security researcher found that we can get control after NEM disable.
>
> The reason is that the flash content reside in NEM at startup and the
> code will get the content from flash directly after disable NEM.
>
> To avoid this vulnerability, the feature will copy the PEIMs from
> temporary memory to permanent memory and only execute the code in
> permanent memory.
>
> The vulnerability is exist in physical platform and haven't report in
> virtual platform, so the virtual can disable the feature currently.
>
> Cc: Jian J Wang <jian.j.wang at intel.com>
> Cc: Hao A Wu <hao.a.wu at intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang at intel.com>
> Acked-by: Laszlo Ersek <lersek at redhat.com>
> Reviewed-by: Jian J Wang <jian.j.wang at intel.com>
> ---
> MdeModulePkg/MdeModulePkg.dec | 8 ++++++++
> MdeModulePkg/MdeModulePkg.uni | 6 ++++++
> 2 files changed, 14 insertions(+)
Comparing this against v5 (which I last checked), my ACK stands.
Thanks
Laszlo
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#63153): https://edk2.groups.io/g/devel/message/63153
Mute This Topic: https://groups.io/mt/75720846/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list