diff --git a/0100-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch b/0100-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9496dc5392756cede6431e1d5460e0aa7af1e617
--- /dev/null
+++ b/0100-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
@@ -0,0 +1,76 @@
+From cab8a61b1dcffe8ee94b8a29840f7936f788e18d Mon Sep 17 00:00:00 2001
+From: TL <1045523086@qq.com>
+Date: Fri, 26 Sep 2025 11:04:32 +0800
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
+ bz4207 (CVE-2024-38805)
+
+In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
+Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
+
+Signed-off-by: santhosh kumar V
+
+Origin: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
+Last-Updated: 2025-05-15
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index 6983f0f..c256a04 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1853,6 +1853,8 @@ IScsiBuildKeyValueList (
+ {
+ LIST_ENTRY *ListHead;
+ ISCSI_KEY_VALUE_PAIR *KeyValuePair;
++ EFI_STATUS Status;
++ UINT32 Result;
+
+ ListHead = AllocatePool (sizeof (LIST_ENTRY));
+ if (ListHead == NULL) {
+@@ -1876,9 +1878,14 @@ IScsiBuildKeyValueList (
+ Data++;
+ }
+
+- if (*Data == '=') {
++ // Here Len must not be zero.
++ // The value of Len is size of data buffer. Actually, Data is make up of strings.
++ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
++ // (1) Len == 0, *Data != '=' goto ON_ERROR
++ // (2) *Data == '=', Len != 0 normal case.
++ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
++ if ((Len > 0) && (*Data == '=')) {
+ *Data = '\0';
+-
+ Data++;
+ Len--;
+ } else {
+@@ -1888,10 +1895,22 @@ IScsiBuildKeyValueList (
+
+ KeyValuePair->Value = Data;
+
+- InsertTailList (ListHead, &KeyValuePair->List);;
++ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
++
++ Status = SafeUint32Sub (Len, Result, &Len);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
+
+- Data += AsciiStrLen (KeyValuePair->Value) + 1;
+- Len -= (UINT32) AsciiStrLen (KeyValuePair->Value) + 1;
++ InsertTailList (ListHead, &KeyValuePair->List);
++ Data += Result;
+ }
+
+ return ListHead;
+-- 
+2.33.0
+
diff --git a/0101-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch b/0101-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f835c8e91ab83836e921432eb87ea88f8813669f
--- /dev/null
+++ b/0101-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
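Review bot: The new `SafeUint32Sub (Len, Result, &Len)` check only detects the inconsistency after the fact, because `AsciiStrLen (KeyValuePair->Value)` on the line above it is still an unbounded scan: if the value is not NUL-terminated within the remaining `Len` bytes, the read past the buffer has already happened by the time the subtraction fails. A bounded scan closes that gap: compute the length with `AsciiStrnLenS (KeyValuePair->Value, Len)`, treat a result equal to `Len` (no terminator found) as the error path that frees `KeyValuePair` and jumps to `ON_ERROR`, and only then feed the length into `SafeUint32Add`. The same consideration presumably applies to the key scan that ends at `Data++; }` at the top of the second inner hunk, but its loop condition is outside the hunk and cannot be judged from here. `IScsiBuildKeyValueList` begins before the first inner hunk and the `ON_ERROR` label lies after the last one, so neither the initial `Len`/`Data` contract nor the cleanup is visible in this diff.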
@@ -0,0 +1,48 @@
+From b3f72ab3ce7829295b8596062bf576351c8d6022 Mon Sep 17 00:00:00 2001
+From: TL <1045523086@qq.com>
+Date: Fri, 26 Sep 2025 11:08:08 +0800
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews
+
+Origin: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38
+Last-Updated: 2025-08-18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
+---
+ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 0e154e5..0749345 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -126,7 +126,7 @@ ProtFlatMode:
+ mov eax, strict dword 0 ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+ mov cr3, rax
+- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3
+
+ mov cl, strict byte 0 ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -217,6 +217,10 @@ SmiHandlerIdtrAbsAddr:
+ mov ax, [rbx + DSC_SS]
+ mov ss, eax
+
++ mov rax, cr4 ; enable MCE
++ bts rax, 6
++ mov cr4, rax
++
+ mov rbx, [rsp + 0x8] ; rbx <- CpuIndex
+
+ ; enable CET if supported
+-- 
+2.33.0
+
diff --git a/edk2.spec b/edk2.spec
index 6323658a4a42fd6aa8614f990e5dd536538ed0f1..da434153f4fff467bd99230155f9af40cfb3a6d9 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 28
+Release: 29
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
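Review bot: The changed `mov eax, 0x628` line keeps the old comment "as cr4.PGE is not set here, refresh cr3", so nothing at the point where the CR4 value is chosen records that bit 6 (MCE) is now intentionally left clear; the only hint is the `; enable MCE` comment on the later `bts rax, 6`, some ninety lines away. A reader touching the early CR4 value is likely to restore 0x668, so the line should carry its own reason, e.g. `mov eax, 0x628 ; PGE clear (refresh cr3); MCE clear until the SMM IDT is loaded`, and the enable block could say `; MCE was kept off in ProtFlatMode; the SMM IDT is in place now`. The `lidt` that the MCE enable is meant to follow is outside the second inner hunk, so the ordering the commit message describes cannot be confirmed from the diff alone, only that the enable sits after `mov ss, eax` under `SmiHandlerIdtrAbsAddr`. Only the X64 entry stub is touched here; whether the Ia32 entry path has an equivalent early CR4.MCE setting is not visible in this diff and is worth checking against the origin commit.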
@@ -151,6 +151,10 @@ patch98: 0098-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch
 # Fix CVE-2023-5678
 patch99: 0099-CryptoPkg-Make-DH_check_pub_key-and.patch
+# Fix CVE-2024-38805, CVE-2025-3770
+patch100: 0100-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
+patch101: 0101-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
 %description
@@ -351,6 +355,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Mon Sep 29 2025 taolinghongfei -202011-29
+- fix CVE-2024-38805, CVE-2025-3770
+
 * Sat Jun 28 2025 taolinghongfei -202011-28
 - fix CVE-2023-5678