From 8dc7d6e1fb22d553f2e9f271802a41e13508ead3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=BF=BC?=
Date: Tue, 9 Sep 2025 16:46:59 +0800
Subject: [PATCH] fix CVE-2025-3770 && CVE-2025-38805
---
 ...Dxe-Fix-for-out-of-bound-memory-acce.patch | 73 +++++++++++++++++++
 ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch | 45 ++++++++++++
 edk2.spec | 14 +++-
 3 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
 create mode 100644 0001-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
diff --git a/0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch b/0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
new file mode 100644
index 0000000..878bd34
--- /dev/null
+++ b/0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
@@ -0,0 +1,73 @@
+From b3a2f7ff24e156e8c4d694fffff01e95a048c536 Mon Sep 17 00:00:00 2001
+From: Santhosh Kumar V
+Date: Wed, 7 May 2025 18:53:30 +0530
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
+ bz4207 (CVE-2024-38805)
+
+In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
+Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
+
+Signed-off-by: santhosh kumar V
+
+Origin: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
+Last-Updated: 2025-05-15
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index fb48e6304d..13394dbfc6 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
+ {
+ LIST_ENTRY *ListHead;
+ ISCSI_KEY_VALUE_PAIR *KeyValuePair;
++ EFI_STATUS Status;
++ UINT32 Result;
+
+ ListHead = AllocatePool (sizeof (LIST_ENTRY));
+ if (ListHead == NULL) {
+@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
+ Data++;
+ }
+
+- if (*Data == '=') {
++ // Here Len must not be zero.
++ // The value of Len is size of data buffer. Actually, Data is make up of strings.
++ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
++ // (1) Len == 0, *Data != '=' goto ON_ERROR
++ // (2) *Data == '=', Len != 0 normal case.
++ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
++ if ((Len > 0) && (*Data == '=')) {
+ *Data = '\0';
+-
+ Data++;
+ Len--;
+ } else {
+@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
+
+ KeyValuePair->Value = Data;
+
+- InsertTailList (ListHead, &KeyValuePair->List);
++ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
+
+- Data += AsciiStrLen (KeyValuePair->Value) + 1;
+- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++ Status = SafeUint32Sub (Len, Result, &Len);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
++
++ InsertTailList (ListHead, &KeyValuePair->List);
++ Data += Result;
+ }
+
+ return ListHead;
+--
+2.49.0
+
diff --git a/0001-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch b/0001-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
new file mode 100644
index 0000000..b665ca6
--- /dev/null
+++ b/0001-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
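Review bot: The new `SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result)` still measures the value with an unbounded `AsciiStrLen`, so when the received buffer has no NUL within the remaining `Len` bytes the read past the end happens inside that call, before `SafeUint32Sub` gets a chance to reject the result; the added checks bound the arithmetic, not the scan. Unless the caller guarantees a terminator inside `Len` (not visible here), measure the value with BaseLib's bounded `AsciiStrnLenS (KeyValuePair->Value, Len)` and fail when it returns `Len`, which also covers the `Len == 0` case and makes the later subtraction unable to underflow. The `(UINT32)` cast is applied to the UINTN length before the overflow check, so an oversized length would be truncated rather than detected; comparing the UINTN result against `Len` first closes that gap. The function's signature, the key-scanning loop and the ON_ERROR label lie outside this hunk.
```c
  UINTN                 ValueLen;
  // … unchanged: ListHead allocation, key scan, '=' check …

  KeyValuePair->Value = Data;

  // Bounded scan: never read beyond the Len bytes that remain in the buffer.
  // AsciiStrnLenS returns Len when no NUL is found within Len bytes.
  ValueLen = AsciiStrnLenS (KeyValuePair->Value, Len);
  if (ValueLen >= Len) {
    DEBUG ((DEBUG_ERROR, "%a Unterminated value detected.\n", __func__));
    FreePool (KeyValuePair);
    goto ON_ERROR;
  }

  Status = SafeUint32Add ((UINT32)ValueLen, 1, &Result);
  // … unchanged: SafeUint32Add/SafeUint32Sub error paths, InsertTailList, Data += Result …
```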
@@ -0,0 +1,45 @@
+From d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38 Mon Sep 17 00:00:00 2001
+From: John Mathews
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews
+
+Origin: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38
+Last-Updated: 2025-08-18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366ba19..6e1cd45c04 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+ mov eax, strict dword 0 ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+ mov cr3, rax
+- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3
+
+ mov cl, strict byte 0 ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+ mov ax, [rbx + DSC_SS]
+ mov ss, eax
+
++ mov rax, cr4 ; enable MCE
++ bts rax, 6
++ mov cr4, rax
++
+ mov rbx, [rsp + 0x8] ; rbx <- CpuIndex
+
+ ; enable CET if supported
+--
+2.47.2
+
diff --git a/edk2.spec b/edk2.spec
index 65129e0..691127f 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 27
+Release: 28
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: https://github.com/tianocore/edk2
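Review bot: The mitigation rests entirely on an ordering invariant — CR4.MCE must stay clear until `lidt` has pointed IDTR at the SMM IDT — but neither site records it: the changed `mov eax, 0x628` keeps only the old `; as cr4.PGE is not set here, refresh cr3` comment, and `0x628`/`0x668` and `bts rax, 6` are bare numbers, so a later edit could re-add bit 6 at the early site without noticing. Suggest `mov eax, 0x628 ; CR4 = OSXMMEXCPT|OSFXSR|PAE|DE; MCE (bit 6) deliberately left clear until the SMM IDT is loaded (CVE-2025-3770)` at the first site and `bts rax, 6 ; CR4.MCE - safe only now that IDTR points at the SMM IDT` at the second, or better a single `CR4_MCE_BIT equ 6` used by both so the two sites cannot drift apart. This patch touches only the X64 entry stub; if the package also builds an IA32 PiSmmCpuDxeSmm, its `Ia32/SmiEntry.nasm` (not in this commit) should be checked for the same early MCE enable before the IDT reload. The `; enable MCE` comment on the first added line says what, not why, and the why is the whole point here.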
@@ -157,6 +157,14 @@ Patch91: 0002-LoongArchQemuPkg-Add-network-support.patch
 # Fix CVE-2023-5678
 Patch92: 0090-CryptoPkg-Make-DH_check_pub_key-and-DH_generat.patch
+#CVE-2024-38805
+#Reference: https://salsa.debian.org/qemu-team/edk2/-/commit/0f31a058150e16d9f51d0fb1d5a9b7773d635612
+Patch93: 0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
+
+#CVE-2025-3770
+#Reference: https://salsa.debian.org/qemu-team/edk2/-/commit/18735c01be5dc3b1ffc1f604e68ae96542dcbf06
+Patch94: 0001-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
 %ifarch x86_64
@@ -460,6 +468,10 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Tue Sep 09 2025 Zhang Yi - 202308-28
+- fix CVE-2025-3770
+- fix CVE-2024-38805
+
 * Wed Jun 25 2025 taolinghongfei - 202308-27
 - fix CVE-2023-5678
-- Gitee
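Review bot: The commit subject names "CVE-2025-38805", but the patch header, the `#CVE-2024-38805` comment added here and the changelog entry all identify the IScsiDxe fix as CVE-2024-38805; the subject should be corrected so advisory tracking and changelog scanners agree on one ID. Patch93 and Patch94 are only declared in this hunk — if the spec's %prep section (outside this hunk) applies patches with explicit `%patch` lines rather than `%autosetup`, matching entries are needed there or the two files ship unapplied. For consistency with the existing `# Fix CVE-2023-5678` line just above, write the new comments as `# Fix CVE-2024-38805` and `# Fix CVE-2025-3770`.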