diff --git a/1001-fix-CVE-2022-2347.patch b/1001-fix-CVE-2022-2347.patch
new file mode 100644
index 0000000000000000000000000000000000000000..badf44466bf20a3df5684508ebe82dd3effb9ea9
--- /dev/null
+++ b/1001-fix-CVE-2022-2347.patch
@@ -0,0 +1,99 @@
+From bca390792c34e5b6442e828501dca54c7e372157 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Tue, 14 Jan 2025 02:32:39 -0500
+Subject: [PATCH 1/1] fix CVE-2022-2347
+
+---
+ drivers/usb/gadget/f_dfu.c | 48 ++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index e9340ff5..593a42fc 100644
+--- a/drivers/usb/gadget/f_dfu.c
++++ b/drivers/usb/gadget/f_dfu.c
+@@ -321,23 +321,29 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_DNLOAD:
+- if (len == 0) {
+- f_dfu->dfu_state = DFU_STATE_dfuERROR;
+- value = RET_STALL;
+- break;
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ if (len == 0) {
++ f_dfu->dfu_state = DFU_STATE_dfuERROR;
++ value = RET_STALL;
++ break;
++ }
++ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++ f_dfu->blk_seq_num = w_value;
++ value = handle_dnload(gadget, len);
+ }
+- f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+- f_dfu->blk_seq_num = w_value;
+- value = handle_dnload(gadget, len);
+ break;
+ case USB_REQ_DFU_UPLOAD:
+- f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+- f_dfu->blk_seq_num = 0;
+- value = handle_upload(req, len);
+- if (value >= 0 && value < len)
+- f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ if (ctrl->bRequestType == USB_DIR_IN) {
++ f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
++ f_dfu->blk_seq_num = 0;
++ value = handle_upload(req, len);
++ if (value >= 0 && value < len)
++ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ }
+ break;
+ case USB_REQ_DFU_ABORT:
+ /* no zlp? */
+@@ -513,13 +519,17 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_UPLOAD:
+- /* state transition if less data then requested */
+- f_dfu->blk_seq_num = w_value;
+- value = handle_upload(req, len);
+- if (value >= 0 && value < len)
+- f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ if (ctrl->bRequestType == USB_DIR_IN) {
++ /* state transition if less data then requested */
++ f_dfu->blk_seq_num = w_value;
++ value = handle_upload(req, len);
++ if (value >= 0 && value < len)
++ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ }
+ break;
+ case USB_REQ_DFU_ABORT:
+ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -595,6 +605,8 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ int value = 0;
+ u8 req_type = ctrl->bRequestType & USB_TYPE_MASK;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ debug("w_value: 0x%x len: 0x%x\n", w_value, len);
+ debug("req_type: 0x%x ctrl->bRequest: 0x%x f_dfu->dfu_state: 0x%x\n",
+ req_type, ctrl->bRequest, f_dfu->dfu_state);
+@@ -614,7 +626,7 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ value = dfu_state[f_dfu->dfu_state] (f_dfu, ctrl, gadget, req);
+
+ if (value >= 0) {
+- req->length = value;
++ req->length = value > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : value;
+ req->zero = value < len;
+ value = usb_ep_queue(gadget->ep0, req, 0);
+ if (value < 0) {
+--
+2.41.0
+
diff --git a/uboot-tools.spec b/uboot-tools.spec
index bb9946dbce1714016f7fad7e915a19eec9a61d73..8731f183bcc4603a5fdffc2e3e750564b20c4b18 100644
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 5 %bcond_without toolsonly
@@ -18,6 +18,7 @@ Source1: aarch64-boards Patch0: 0001-fix-cve-2022-33967.patch Patch1: 0002-fix-CVE-2022-34835.patch +Patch2: 1001-fix-CVE-2022-2347.patch BuildRequires: bc bison dtc flex gcc BuildRequires: gnutls-devel libuuid-devel ncurses-devel openssl-devel
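Review bot: The direction guards added in state_dfu_idle() and state_dfu_upload_idle() of the new f_dfu.c patch compare the whole byte, `ctrl->bRequestType == USB_DIR_OUT` / `== USB_DIR_IN`, yet dfu_handle() in the same patch masks that field with `USB_TYPE_MASK`, so it also carries type (and presumably recipient) bits. A class request addressed to the interface would then match neither constant: DNLOAD and UPLOAD fall through with `value = 0`, no state change, and dfu_handle() queues a zero-length reply instead of stalling, so the length clamp still holds but legitimate DFU transfers would likely stop working. Test only the direction bit, e.g. `if (!(ctrl->bRequestType & USB_DIR_IN))` for DNLOAD and `if (ctrl->bRequestType & USB_DIR_IN)` for both UPLOAD cases, and consider setting `value = RET_STALL` on a direction mismatch. The patch header names no upstream commit, so it is worth recording which upstream change this backports and checking whether upstream later corrected these comparisons. All three functions start and end outside the hunks shown.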
@@ -217,6 +218,12 @@ cp -p board/rockchip/evb_rk3399/README builds/docs/README.evb_rk3399 %doc builds/docs/* doc/board/amlogic/ doc/board/rockchip/ doc/board/ti/am335x_evm.rst %changelog +* Tue Jan 14 2025 mgb01105731 - 2022.04-5 +- to #IB7HCR +- add patch to fix CVE-2022-2347 +- Project: TC2024080204 +- Signed-off-by: mgb01105731 mgb01105731@alibaba-inc.com + * Tue Dec 04 2024 Yuki Zhu - 2022.04-4 - fix cve-2022-34835