From 8cd78ff71e47631d602aab9492a13222221f5108 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 29 Oct 2024 17:02:53 +0800
Subject: [PATCH] fix cve-2023-40547\40548
---
 0001-fix-cve-2023-40547.patch | 42 +++++++++++++
 0002-fix-cve-2023-40548.patch | 109 ++++++++++++++++++++++++++++++++++
 shim-unsigned-x64.spec | 10 +++-
 3 files changed, 160 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-cve-2023-40547.patch
 create mode 100644 0002-fix-cve-2023-40548.patch
diff --git a/0001-fix-cve-2023-40547.patch b/0001-fix-cve-2023-40547.patch
new file mode 100644
index 0000000..9d4ec6e
--- /dev/null
+++ b/0001-fix-cve-2023-40547.patch
@@ -0,0 +1,42 @@
+From 0226b56513b2b8bd5fd281bce77c40c9bf07c66d Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 2 Aug 2023 14:19:31 -0400
+Subject: [PATCH] CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+
+When retrieving files via HTTP or related protocols, shim attempts to
+allocate a buffer to store the received data. Unfortunately, this means
+getting the size from an HTTP header, which can be manipulated to
+specify a size that's smaller than the received data. In this case, the
+code accidentally uses the header for the allocation but the protocol
+metadata to copy it from the rx buffer, resulting in an out-of-bounds
+write.
+
+This patch adds an additional check to test that the rx buffer is not
+larger than the allocation.
+
+Resolves: CVE-2023-40547
+Reported-by: Bill Demirkapi, Microsoft Security Response Center
+Signed-off-by: Peter Jones
+---
+ httpboot.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/httpboot.c b/httpboot.c
+index dfa493bf5..b34dd49c2 100644
+--- a/httpboot.c
++++ b/httpboot.c
+@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
+ }
+
+ if (*buf_size == 0) {
+- perror(L"Failed to get Content-Lenght\n");
++ perror(L"Failed to get Content-Length\n");
++ goto error;
++ }
++
++ if (*buf_size < rx_message.BodyLength) {
++ efi_status = EFI_BAD_BUFFER_SIZE;
++ perror(L"Invalid Content-Length\n");
+ goto error;
+ }
+
diff --git a/0002-fix-cve-2023-40548.patch b/0002-fix-cve-2023-40548.patch
new file mode 100644
index 0000000..f694a33
--- /dev/null
+++ b/0002-fix-cve-2023-40548.patch
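Review bot: In the httpboot.c hunk of 0001-fix-cve-2023-40547.patch, the new `*buf_size < rx_message.BodyLength` branch sets `efi_status = EFI_BAD_BUFFER_SIZE` before `goto error`, while the adjacent pre-existing `*buf_size == 0` branch jumps to `error` with `efi_status` untouched. If `error:` returns `efi_status` (the label is outside the hunk), a missing or zero Content-Length header may hand the caller whatever status the preceding call left behind, plausibly EFI_SUCCESS; setting `efi_status = EFI_NOT_FOUND;` in that branch would make the two failure paths consistent. This is upstream behaviour rather than something the backport introduces, so diverging from the verbatim upstream commit should be a deliberate, documented choice. The enclosing receive_http_response() starts and ends outside the hunk.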
@@ -0,0 +1,109 @@
+From 96dccc255b16e9465dbee50b3cef6b3db74d11c8 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 27 Jul 2023 15:21:31 -0400
+Subject: [PATCH] CVE-2023-40548 Fix integer overflow on SBAT section size on
+ 32-bit system
+
+In verify_sbat_section(), we do some math on data that comes from the
+binary being verified - in this case, we add 1 to the size of the
+".sbat" section as reported in the section header, which is then used as
+the input to the size of an allocation. The original value is then used
+for a size in a memcpy(), which means there's an out-of-bounds write in
+the overflow case.
+
+Due to the type of the variable being size_t, but the type in the
+section header being uint32_t, this is only plausibly accomplished on
+32-bit systems.
+
+This patch makes the arithmetic use a checked add operation to avoid
+overflow. Additionally, it adds a check in verify_buffer_sbat() to
+guarantee that the data is within the binary.
+
+It's not currently known if this is actually exploitable on such
+systems; the memory layout on a particular machine may further mitigate
+this scenario.
+
+Resolves: CVE-2023-40548
+Reported-by: gkirkpatrick@google.com
+Signed-off-by: Peter Jones
+---
+ pe.c | 6 +++++-
+ shim.c | 6 ++++++
+ include/compiler.h | 25 +++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/pe.c b/pe.c
+index e15b89f62..b3a9d46fb 100644
+--- a/pe.c
++++ b/pe.c
+@@ -851,7 +851,11 @@ verify_sbat_section(char *SBATBase, size_t SBATSize)
+ return in_protocol ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
+ }
+
+- sbat_size = SBATSize + 1;
++ if (checked_add(SBATSize, 1, &sbat_size)) {
++ dprint(L"SBATSize + 1 would overflow\n");
++ return EFI_SECURITY_VIOLATION;
++ }
++
+ sbat_data = AllocatePool(sbat_size);
+ if (!sbat_data) {
+ console_print(L"Failed to allocate .sbat section buffer\n");
+diff --git a/shim.c b/shim.c
+index 3fd1e2a04..84a98cab9 100644
+--- a/shim.c
++++ b/shim.c
+@@ -731,11 +731,17 @@ verify_buffer_sbat (char *data, int datasize,
+ * and ignore the section if it isn't. */
+ if (Section->SizeOfRawData &&
+ Section->SizeOfRawData >= Section->Misc.VirtualSize) {
++ uint64_t boundary;
+ SBATBase = ImageAddress(data, datasize,
+ Section->PointerToRawData);
+ SBATSize = Section->SizeOfRawData;
+ dprint(L"sbat section base:0x%lx size:0x%lx\n",
+ SBATBase, SBATSize);
++ if (checked_add((uint64_t)(uintptr_t)SBATBase, SBATSize, &boundary) ||
++ (boundary > (uint64_t)(uintptr_t)data + datasize)) {
++ perror(L"Section exceeds bounds of image\n");
++ return EFI_UNSUPPORTED;
++ }
+ }
+ }
+
+diff --git a/include/compiler.h b/include/compiler.h
+index b0d595f..67d91c8 100644
+--- a/include/compiler.h
++++ b/include/compiler.h
+@@ -198,5 +198,30 @@
+ #error shim has no cache_invalidate() implementation for this compiler
+ #endif /* __GNUC__ */
+
++#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
++#define checked_add(addend0, addend1, sum) \
++ __builtin_add_overflow(addend0, addend1, sum)
++#define checked_sub(minuend, subtrahend, difference) \
++ __builtin_sub_overflow(minuend, subtrahend, difference)
++#define checked_mul(factor0, factor1, product) \
++ __builtin_mul_overflow(factor0, factor1, product)
++#else
++#define checked_add(a0, a1, s) \
++ ({ \
++ (*s) = ((a0) + (a1)); \
++ 0; \
++ })
++#define checked_sub(s0, s1, d) \
++ ({ \
++ (*d) = ((s0) - (s1)); \
++ 0; \
++ })
++#define checked_mul(f0, f1, p) \
++ ({ \
++ (*p) = ((f0) * (f1)); \
++ 0; \
++ })
++#endif
++
+ #endif /* !COMPILER_H_ */
+ // vim:fenc=utf-8:tw=75:et
+
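Review bot: The `#else` fallback in the include/compiler.h hunk of 0002-fix-cve-2023-40548.patch defines `checked_add`/`checked_sub`/`checked_mul` as plain unchecked arithmetic that always evaluates to 0, so on any compiler where `GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)` is false the new `checked_add(SBATSize, 1, &sbat_size)` test in pe.c and the `boundary` check in shim.c can never fire and the CVE-2023-40548 overflow is silently back. The package is presumably built with a fixed toolchain, so this may be moot here, but a fallback that cannot report overflow should not carry the `checked_` name; replacing the three fallback macros with `#error checked_add()/checked_sub()/checked_mul() need __builtin_*_overflow (GCC >= 5.1 or Clang >= 3.8)` turns the degradation into a build failure instead of a latent regression. In the shim.c hunk, `datasize` is declared `int` in the `verify_buffer_sbat` signature shown in the hunk header, and the comparison `boundary > (uint64_t)(uintptr_t)data + datasize` is only meaningful when `datasize` is non-negative, which the hunk does not show being checked. Both enclosing functions start and end outside their hunks.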
diff --git a/shim-unsigned-x64.spec b/shim-unsigned-x64.spec
index 233b9fc..d87c6ea 100644
--- a/shim-unsigned-x64.spec
+++ b/shim-unsigned-x64.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 1.1
 %global pesign_vre 0.106-1
 %global openssl_vre 1.0.2j
@@ -27,6 +27,11 @@ Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{vers
 Source100: shim-find-debuginfo.sh
+#https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d
+Patch0001: 0001-fix-cve-2023-40547.patch
+#https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8
+Patch0002: 0002-fix-cve-2023-40548.patch
+
 BuildRequires: gcc make
 BuildRequires: elfutils-libelf-devel
 BuildRequires: git openssl-devel openssl
@@ -158,6 +163,9 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 %changelog
+* Tue Oct 29 2024 yangxinyu - 15.7-1.1
+- fx cve-2023-40547\40548
+
 * Wed Feb 8 2023 Guyu Wang - 15.7-1
 - update to 15.7
-- 
Gitee
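Review bot: The `@@ -27,6 +27,11 @@` hunk declares `Patch0001` and `Patch0002`, but no `%prep` change is part of this diff; unless the existing `%prep` already uses `%autosetup` or `%autopatch` (not visible here), the two patch files are shipped in the SRPM yet never applied, and release 1.1 would advertise CVE fixes that are absent from the built shim binary. Please confirm that `%prep` applies them — e.g. `%autopatch -p1` after the setup line, or explicit `%patch -P 1 -p1` / `%patch -P 2 -p1` — and check the build log for both patches being applied before signing. The changelog entry `- fx cve-2023-40547\40548` also reads as a typo for `fix` and would be clearer as `- fix CVE-2023-40547 and CVE-2023-40548`.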