diff --git a/0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch b/0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7def0608cf9fe21930bdae5f27c6f7844dd02660
--- /dev/null
+++ b/0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
@@ -0,0 +1,76 @@
+From a30ff2907700c506d10291d1f902f9e59b2bdc71 Mon Sep 17 00:00:00 2001
+From: TL <1045523086@qq.com>
+Date: Fri, 26 Sep 2025 00:17:21 +0800
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
+ bz4207 (CVE-2024-38805)
+
+In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
+Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
+
+Signed-off-by: santhosh kumar V
+
+Origin: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
+Last-Updated: 2025-05-15
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef587649..53a0ff80 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
+ {
+ LIST_ENTRY *ListHead;
+ ISCSI_KEY_VALUE_PAIR *KeyValuePair;
++ EFI_STATUS Status;
++ UINT32 Result;
+ 
+ ListHead = AllocatePool (sizeof (LIST_ENTRY));
+ if (ListHead == NULL) {
+@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
+ Data++;
+ }
+ 
+- if (*Data == '=') {
++ // Here Len must not be zero.
++ // The value of Len is size of data buffer. Actually, Data is make up of strings.
++ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
++ // (1) Len == 0, *Data != '=' goto ON_ERROR
++ // (2) *Data == '=', Len != 0 normal case.
++ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
++ if ((Len > 0) && (*Data == '=')) {
+ *Data = '\0';
+-
+ Data++;
+ Len--;
+ } else {
+@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
+ 
+ KeyValuePair->Value = Data;
+ 
+- InsertTailList (ListHead, &KeyValuePair->List);
++ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
+ 
+- Data += AsciiStrLen (KeyValuePair->Value) + 1;
+- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++ Status = SafeUint32Sub (Len, Result, &Len);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
++
++ InsertTailList (ListHead, &KeyValuePair->List);
++ Data += Result;
+ }
+ 
+ return ListHead;
+-- 
+2.43.0
+
diff --git a/0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch b/0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a2a150562f462e2bc3afb7fc9915bf6a408e305a
--- /dev/null
+++ b/0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
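Review bot: `AsciiStrLen (KeyValuePair->Value)` in the added SafeUint32Add call still scans for a NUL with no regard to `Len`, so when the buffer is not terminated within `Len` the over-read happens before `SafeUint32Sub` reports it; the subtraction catches the length accounting, not the read. Bounding the scan, `Status = SafeUint32Add ((UINT32)AsciiStrnLenS (KeyValuePair->Value, Len), 1, &Result);`, keeps the read inside the buffer and still drives the existing `SafeUint32Sub` failure path when no terminator is found, because the bounded length then comes back as `Len` and `Result` exceeds it. The `(UINT32)` cast also truncates the `UINTN` length before the overflow check, so the check guards the add, not the cast; unrealistic for iSCSI key/value text but worth a comment. The scan loop that precedes the `(Len > 0) && (*Data == '=')` test starts outside the hunk, so whether it is itself bounded by `Len` cannot be confirmed here.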
@@ -0,0 +1,48 @@
+From c867a2fbc63b03687c0530054e899ce95865ecf3 Mon Sep 17 00:00:00 2001
+From: TL <1045523086@qq.com>
+Date: Fri, 26 Sep 2025 04:03:05 +0800
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews
+
+Origin: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38
+Last-Updated: 2025-08-18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
+---
+ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index d302ca8d..d797f093 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -126,7 +126,7 @@ ProtFlatMode:
+ mov eax, strict dword 0 ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+ mov cr3, rax
+- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3
+ 
+ mov cl, strict byte 0 ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -217,6 +217,10 @@ SmiHandlerIdtrAbsAddr:
+ mov ax, [rbx + DSC_SS]
+ mov ss, eax
+ 
++ mov rax, cr4 ; enable MCE
++ bts rax, 6
++ mov cr4, rax
++
+ mov rbx, [rsp + 0x8] ; rbx <- CpuIndex
+ 
+ ; enable CET if supported
+-- 
+2.43.0
+
diff --git a/edk2.spec b/edk2.spec
index c454645cf4c9fd3adeb932acd56a87db721274b1..4342a694b6a23bd5989f75976de26747168ac84e 100644
--- a/edk2.spec
+++ b/edk2.spec
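Review bot: The new CR4 value `0x628` and the later `bts rax, 6` are magic numbers whose relationship is explained only in the commit message; the comment kept on the `mov eax, 0x628` line still talks about CR4.PGE and says nothing about MCE having been removed from the early load, so a later cleanup could re-merge the two sites and reintroduce the issue. Suggest `mov eax, 0x628 ; DE|PAE|OSFXSR|OSXMMEXCPT; MCE (bit 6) is set only after the SMM IDT is loaded, see SmiHandlerIdtrAbsAddr` on that line and `bts rax, 6 ; CR4.MCE, safe now that the SMM IDT is in place` on the new line. The inner diffstat covers only the X64 SmiEntry; if the Ia32 counterpart of this file enables CR4.MCE before its IDT reload in the same way it needs the same change, which is worth confirming against the origin commit. Both inner hunks sit inside routines whose bodies extend beyond the hunk.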
@@ -184,6 +184,10 @@ patch114: 0114-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
 # Encryption right out of the box.
 patch115: 0115-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch
+# Fix CVE-2024-38805, CVE-2025-3770
+patch116: 0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
+patch117: 0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
 %ifarch x86_64
@@ -495,6 +499,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Fri Sep 26 2025 taolinghongfei - 202308-26
+- fix CVE-2024-38805, CVE-2025-3370
+
 * Wed Jun 25 2025 hanliyang - 202308-25
 - Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption
 - Add build process that uses OvmfPkg/AmdSev/AmdSevX64.dsc
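Review bot: The changelog entry in the second hunk records `CVE-2025-3370`, while the comment added in the first hunk and the 0117 patch it introduces both say CVE-2025-3770; the line should read `- fix CVE-2024-38805, CVE-2025-3770`. Distribution security trackers commonly key off CVE ids in the spec changelog, so the typo makes this build look unfixed for 3770 and fixed for an unrelated id. The entry also names release 202308-26, but whether the `Release:` tag was bumped to match is outside the hunks and cannot be confirmed here.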