diff --git a/0090-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch b/0090-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
new file mode 100644
index 0000000000000000000000000000000000000000..878bd34099dd6a76411469f60b072e9effc0536e
--- /dev/null
+++ b/0090-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
@@ -0,0 +1,73 @@
+From b3a2f7ff24e156e8c4d694fffff01e95a048c536 Mon Sep 17 00:00:00 2001
+From: Santhosh Kumar V
+Date: Wed, 7 May 2025 18:53:30 +0530
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
+ bz4207 (CVE-2024-38805)
+
+In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
+Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
+
+Signed-off-by: santhosh kumar V
+
+Origin: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
+Last-Updated: 2025-05-15
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index fb48e6304d..13394dbfc6 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
+ {
+ LIST_ENTRY *ListHead;
+ ISCSI_KEY_VALUE_PAIR *KeyValuePair;
++ EFI_STATUS Status;
++ UINT32 Result;
+
+ ListHead = AllocatePool (sizeof (LIST_ENTRY));
+ if (ListHead == NULL) {
+@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
+ Data++;
+ }
+
+- if (*Data == '=') {
++ // Here Len must not be zero.
++ // The value of Len is size of data buffer. Actually, Data is make up of strings.
++ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
++ // (1) Len == 0, *Data != '=' goto ON_ERROR
++ // (2) *Data == '=', Len != 0 normal case.
++ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
++ if ((Len > 0) && (*Data == '=')) {
+ *Data = '\0';
+-
+ Data++;
+ Len--;
+ } else {
+@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
+
+ KeyValuePair->Value = Data;
+
+- InsertTailList (ListHead, &KeyValuePair->List);
++ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
+
+- Data += AsciiStrLen (KeyValuePair->Value) + 1;
+- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++ Status = SafeUint32Sub (Len, Result, &Len);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
++
++ InsertTailList (ListHead, &KeyValuePair->List);
++ Data += Result;
+ }
+
+ return ListHead;
+--
+2.49.0
+
diff --git a/0091-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch b/0091-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b665ca6ec37577de87cb6d9655e202ad071370c5
--- /dev/null
+++ b/0091-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
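Review bot: `AsciiStrLen (KeyValuePair->Value)` in the third inner hunk still walks the buffer until it finds a NUL, so a value with no terminator inside the remaining `Len` bytes is read past the end before `SafeUint32Sub` reports the mismatch; the subtraction only detects the over-run after it has happened. Bounding the scan with `AsciiStrnLenS (KeyValuePair->Value, Len)` and treating a result equal to `Len` (no terminator found) as the error keeps the read inside the buffer, with a `UINTN ValueLen;` added next to the new `Status`/`Result` declarations in the first inner hunk. The function's start, its `ON_ERROR` label and the key-scanning loop above the `Data++` context line are outside this hunk, so the key side of the parse is assumed to be `Len`-bounded from the `(Len > 0)` guard alone. Because the remaining-length check only follows the string walk, the `(UINT32)AsciiStrLen` cast in the `SafeUint32Add` line inherits the same issue.
```c
    KeyValuePair->Value = Data;

    // Bounded scan: a result equal to Len means no NUL terminator lies
    // inside the remaining buffer, so the value is not a complete string.
    ValueLen = AsciiStrnLenS (KeyValuePair->Value, Len);
    if (ValueLen == Len) {
      DEBUG ((DEBUG_ERROR, "%a Unterminated value in key/value buffer.\n", __func__));
      FreePool (KeyValuePair);
      goto ON_ERROR;
    }

    Status = SafeUint32Add ((UINT32)ValueLen, 1, &Result);
    // … unchanged: SafeUint32Add error path, SafeUint32Sub, InsertTailList, Data += Result …
```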
@@ -0,0 +1,45 @@
+From d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38 Mon Sep 17 00:00:00 2001
+From: John Mathews
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews
+
+Origin: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38
+Last-Updated: 2025-08-18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366ba19..6e1cd45c04 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+ mov eax, strict dword 0 ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+ mov cr3, rax
+- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3
+
+ mov cl, strict byte 0 ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+ mov ax, [rbx + DSC_SS]
+ mov ss, eax
+
++ mov rax, cr4 ; enable MCE
++ bts rax, 6
++ mov cr4, rax
++
+ mov rbx, [rsp + 0x8] ; rbx <- CpuIndex
+
+ ; enable CET if supported
+--
+2.47.2
+
diff --git a/edk2.spec b/edk2.spec
index 5f9c9953ecfb3a476f6337b7022dedf8a8f3989e..2de7e1457ec1bf42bc39a44b8235a018a363f4e7 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 23
+Release: 24
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: https://github.com/tianocore/edk2
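Review bot: The comment on the patched `mov eax, 0x628` line still reads only `; as cr4.PGE is not set here, refresh cr3`, so nothing at that site records that bit 6 (CR4.MCE) was deliberately dropped from the initial CR4 value and is set again later; a reader diffing 0x668 against 0x628 has to recover that from the commit message. Suggest `; CR4.MCE (bit 6) left clear until the SMM IDT is loaded; set after lidt below` on that line and `bts rax, 6 ; CR4.MCE` on the added instruction, or a named constant for the bit. The `lidt` the new block depends on is outside the second inner hunk, so the ordering is taken from the hunk header `SmiHandlerIdtrAbsAddr:` and the commit text rather than from visible lines. If the Ia32 SmiEntry.nasm in this tree enables MCE the same way on entry, it is not covered by this backport, which patches only the X64 file — worth confirming.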
@@ -147,6 +147,10 @@ patch88: 0088-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch
 #Fix CVE-2023-5678
 patch89: 0089-CryptoPkg-Make-DH_check_pub_key-and.patch
+#Fix CVE-2024-38805, CVE-2025-3770
+patch90: 0090-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
+patch91: 0091-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
 %description
@@ -416,6 +420,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Mon Sep 29 2025 taolinghongfei - 202308-24
+- fix CVE-2024-38805, CVE-2025-3770
+
 * Tue Jul 1 2025 taolinghongfei - 202308-23
 - fix CVE-2023-5678