diff --git a/0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch b/0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
new file mode 100644
index 0000000000000000000000000000000000000000..878bd34099dd6a76411469f60b072e9effc0536e
--- /dev/null
+++ b/0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
@@ -0,0 +1,73 @@
+From b3a2f7ff24e156e8c4d694fffff01e95a048c536 Mon Sep 17 00:00:00 2001
+From: Santhosh Kumar V
+Date: Wed, 7 May 2025 18:53:30 +0530
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
+ bz4207 (CVE-2024-38805)
+
+In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
+Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
+
+Signed-off-by: santhosh kumar V
+
+Origin: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
+Last-Updated: 2025-05-15
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index fb48e6304d..13394dbfc6 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
+ {
+ LIST_ENTRY *ListHead;
+ ISCSI_KEY_VALUE_PAIR *KeyValuePair;
++ EFI_STATUS Status;
++ UINT32 Result;
+
+ ListHead = AllocatePool (sizeof (LIST_ENTRY));
+ if (ListHead == NULL) {
+@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
+ Data++;
+ }
+
+- if (*Data == '=') {
++ // Here Len must not be zero.
++ // The value of Len is size of data buffer. Actually, Data is make up of strings.
++ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
++ // (1) Len == 0, *Data != '=' goto ON_ERROR
++ // (2) *Data == '=', Len != 0 normal case.
++ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
++ if ((Len > 0) && (*Data == '=')) {
+ *Data = '\0';
+-
+ Data++;
+ Len--;
+ } else {
+@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
+
+ KeyValuePair->Value = Data;
+
+- InsertTailList (ListHead, &KeyValuePair->List);
++ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
+
+- Data += AsciiStrLen (KeyValuePair->Value) + 1;
+- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++ Status = SafeUint32Sub (Len, Result, &Len);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
++
++ InsertTailList (ListHead, &KeyValuePair->List);
++ Data += Result;
+ }
+
+ return ListHead;
+--
+2.49.0
+
diff --git a/0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch b/0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b665ca6ec37577de87cb6d9655e202ad071370c5
--- /dev/null
+++ b/0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
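Review bot: `AsciiStrLen (KeyValuePair->Value)` in the third inner hunk still walks to the first NUL before SafeUint32Add or SafeUint32Sub ever see its result, so on a buffer whose remaining Len bytes carry no terminator the out-of-bounds read happens first and the SafeUint32Sub failure only reports it afterwards; whether every caller guarantees a terminator inside Len is not visible here. Bounding the scan closes that gap with a one-line change, `Status = SafeUint32Add ((UINT32)AsciiStrnLenS (KeyValuePair->Value, Len), 1, &Result);`, because a missing terminator then yields Len and the following SafeUint32Sub (Len, Len + 1) fails into ON_ERROR exactly as the new code intends. The six-line comment above the `(Len > 0) && (*Data == '=')` guard would read more clearly as `// Len is the remaining size of the Data buffer; a '=' with Len == 0 means Data and Len disagree, so treat it like the missing-'=' case and fail.` The enclosing IScsiBuildKeyValueList body, including the loop that scans for '=', starts and ends outside these hunks.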
@@ -0,0 +1,45 @@
+From d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38 Mon Sep 17 00:00:00 2001
+From: John Mathews
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews
+
+Origin: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38
+Last-Updated: 2025-08-18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366ba19..6e1cd45c04 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+ mov eax, strict dword 0 ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+ mov cr3, rax
+- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3
+
+ mov cl, strict byte 0 ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+ mov ax, [rbx + DSC_SS]
+ mov ss, eax
+
++ mov rax, cr4 ; enable MCE
++ bts rax, 6
++ mov cr4, rax
++
+ mov rbx, [rsp + 0x8] ; rbx <- CpuIndex
+
+ ; enable CET if supported
+--
+2.47.2
+
diff --git a/edk2.spec b/edk2.spec
index c454645cf4c9fd3adeb932acd56a87db721274b1..c20f41465480d037003ef8810b816e65d9dbdeaa 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 25
+Release: 26
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: https://github.com/tianocore/edk2
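Review bot: The comment kept on the changed `mov eax, 0x628` line still explains only the cr3 refresh, so a reader sees MCE (cr4 bit 6, the one bit that differs between 0x668 and 0x628) dropped from the early cr4 value with no reason given at the site, and the new block after `mov ss, eax` says `; enable MCE` but not why it moved. Suggested comments: on the first line `mov eax, 0x628 ; DE|PAE|OSFXSR|OSXMMEXCPT; MCE (bit 6) is left clear until the SMM IDT is loaded, see SmiHandlerIdtrAbsAddr`, and on the new block `; enable MCE only now that the SMM IDT is in place, so a #MC cannot be delivered through whatever IDT was live at SMM entry (per the commit message, the lidt is above this hunk)`. The literal 0x628 and the `bts rax, 6` are easy to drift apart by eye; a named equate for the early cr4 value would make the relationship explicit. This patch touches only the X64 SmiEntry.nasm; if the Ia32 entry path loads cr4 the same way it presumably needs the matching change — verify against the upstream commit referenced in the Origin line.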
@@ -184,6 +184,10 @@ patch114: 0114-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch # Encryption right out of the box. patch115: 0115-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch +# fix CVE-2024-38805, CVE-2025-3770 +patch116: 0116-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch +patch117: 0117-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl %ifarch x86_64 @@ -495,6 +499,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Mon Sep 29 2025 taolinghongfei - 202308-26 +- fix CVE-2024-38805, CVE-2025-3770 + * Wed Jun 25 2025 hanliyang - 202308-25 - Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption - Add build process that uses OvmfPkg/AmdSev/AmdSevX64.dsc