diff --git a/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
new file mode 100644
index 0000000..bab07f4
--- /dev/null
+++ b/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@@ -0,0 +1,50 @@
+From effd0f360ea1186b2b6af0aa2420d4bf779d51ef Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 1 Oct 2024 18:40:41 -0400
+Subject: [PATCH 3/3] MdePkg: Fix overflow issue in BasePeCoffLib
+
+RH-Author: Jon Maloy
+RH-MergeRequest: 78: MdePkg: Fix overflow issue in BasePeCoffLib
+RH-Jira: RHEL-60833
+RH-Acked-by: Oliver Steffen
+RH-Commit: [1/1] 812453d5d03bcd92dfa6aea594af6214569c419e
+
+JIRA: https://issues.redhat.com/browse/RHEL-60833
+CVE: CVE-2024-38796
+Upstream: Merged
+
+commit c95233b8525ca6828921affd1496146cff262e65
+Author: Doug Flick
+Date: Fri Sep 27 12:08:55 2024 -0700
+
+ MdePkg: Fix overflow issue in BasePeCoffLib
+
+ The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+ also a UINT32 value. The current code does not check for overflow when
+ adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+ check to ensure that the addition does not overflow.
+
+ Signed-off-by: Doug Flick
+ Authored-by: sriraamx gobichettipalayam
+
+Signed-off-by: Jon Maloy
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 86ff2e769b..128090d98e 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage (
+ RelocDir = &Hdr.Te->DataDirectory[0];
+ }
+
+- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+ RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+ ImageContext,
+--
+2.39.3
+
diff --git a/edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch b/edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch
new file mode 100644
index 0000000..5be4623
--- /dev/null
+++ b/edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch
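Review bot: In the BasePeCoff.c hunk, the new bound `RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress` is folded into the same `if` that tests for a missing or empty relocation directory, so an image whose directory would wrap UINT32 takes whatever path handles "no relocations" instead of being rejected as malformed. The `else` side of this `if` and the rest of PeCoffLoaderRelocateImage are outside the hunk; if that path only skips relocation processing, such an image would keep loading un-relocated and no error would reach the caller. Consider testing the wrap separately ahead of this `if` and failing the load there, e.g. `ImageContext->ImageError = IMAGE_ERROR_FAILED_RELOCATION; return RETURN_LOAD_ERROR;`. A one-line comment such as `// Reject directories where VirtualAddress + Size - 1 would wrap UINT32 (CVE-2024-38796).` would also make the subtraction form of the check readable.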
@@ -0,0 +1,65 @@
+From 126d004ce8884b68621394a62cf8a467c34d5d5b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 23 Aug 2024 14:36:16 +0200
+Subject: [PATCH 2/3] OvmfPkg/QemuVideoDxe: ignore display resolutions smaller
+ than 640x480
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 72: ignore display resolutions smaller than 640x480
+RH-Jira: RHEL-56248
+RH-Acked-by: Oliver Steffen
+RH-Commit: [2/2] 376e5213497c007cd88bd8f7df9980d28f0fd143 (kraxel.rh/centos-src-edk2)
+
+GraphicsConsoleDxe will assert in case the resolution is too small.
+
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 391666da2c1dc5671bbb3393079d86f46e3435af)
+---
+ OvmfPkg/QemuVideoDxe/Initialize.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/QemuVideoDxe/Initialize.c b/OvmfPkg/QemuVideoDxe/Initialize.c
+index 050ae878ec..2d1f50637f 100644
+--- a/OvmfPkg/QemuVideoDxe/Initialize.c
++++ b/OvmfPkg/QemuVideoDxe/Initialize.c
+@@ -293,6 +293,8 @@ QemuVideoBochsEdid (
+ )
+ {
+ EFI_STATUS Status;
++ UINT32 X;
++ UINT32 Y;
+
+ if (Private->Variant != QEMU_VIDEO_BOCHS_MMIO) {
+ return;
+@@ -344,16 +346,24 @@ QemuVideoBochsEdid (
+ return;
+ }
+
+- *XRes = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
+- *YRes = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
++ X = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
++ Y = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: default resolution: %dx%d\n",
+ __func__,
+- *XRes,
+- *YRes
++ X,
++ Y
+ ));
+
++ if ((X < 640) || (Y < 480)) {
++ /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */
++ return;
++ }
++
++ *XRes = X;
++ *YRes = Y;
++
+ if (PcdGet8 (PcdVideoResolutionSource) == 0) {
+ Status = PcdSet32S (PcdVideoHorizontalResolution, *XRes);
+ ASSERT_RETURN_ERROR (Status);
+--
+2.39.3
+
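Review bot: In QemuVideoBochsEdid (Initialize.c, second inner hunk), the limits `640` and `480` are bare literals, and the same pair is repeated in the GopInitialize hunk of the VirtioGpuDxe patch, so the two drivers can drift away from the minimum that GraphicsConsoleDxe enforces. A shared pair of named constants would keep them in step; the names are for the maintainers to choose. Separately, the `DEBUG_INFO` line still announces a "default resolution" for a value that is then discarded, and it prints the `UINT32` locals with `%d`. Logging the rejection in the new branch, e.g. `DEBUG ((DEBUG_WARN, "%a: ignoring EDID resolution %ux%u, below 640x480\n", __func__, X, Y));`, would make a refused hint from `Private->Edid` visible in the firmware log. The function body starts and ends outside both hunks.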
diff --git a/edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch b/edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch
new file mode 100644
index 0000000..111c4a6
--- /dev/null
+++ b/edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch
@@ -0,0 +1,37 @@
+From f53820c753be836a79d5743d4181f6827e12bcdf Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 23 Aug 2024 14:35:53 +0200
+Subject: [PATCH 1/3] OvmfPkg/VirtioGpuDxe: ignore display resolutions smaller
+ than 640x480
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 72: ignore display resolutions smaller than 640x480
+RH-Jira: RHEL-56248
+RH-Acked-by: Oliver Steffen
+RH-Commit: [1/2] 1d63fc76f46a6adb49e6c9447563d70ff9728b04 (kraxel.rh/centos-src-edk2)
+
+GraphicsConsoleDxe will assert in case the resolution is too small.
+
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 58035e8b5e11cfe2b9e6428d14c7817b6b1c83a2)
+---
+ OvmfPkg/VirtioGpuDxe/Gop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/VirtioGpuDxe/Gop.c b/OvmfPkg/VirtioGpuDxe/Gop.c
+index f64dfce5f4..d767114bbb 100644
+--- a/OvmfPkg/VirtioGpuDxe/Gop.c
++++ b/OvmfPkg/VirtioGpuDxe/Gop.c
+@@ -265,7 +265,8 @@ GopInitialize (
+ // query host for display resolution
+ //
+ GopNativeResolution (VgpuGop, &XRes, &YRes);
+- if ((XRes == 0) || (YRes == 0)) {
++ if ((XRes < 640) || (YRes < 480)) {
++ /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */
+ return;
+ }
+
+--
+2.39.3
+
diff --git a/edk2.spec b/edk2.spec
index 0de183b..689e2c7 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE} -Release: 6%{?dist} +Release: 7%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and Apache-2.0 and MIT URL: http://www.tianocore.org
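Review bot: In GopInitialize (Gop.c, VirtioGpuDxe patch), the rejected-hint branch returns without any debug output, so a host-reported resolution from `GopNativeResolution` that is refused leaves no trace in the firmware log; the matching QemuVideoDxe change at least prints the values it read. Adding `DEBUG ((DEBUG_WARN, "%a: ignoring resolution %ux%u, below 640x480\n", __func__, XRes, YRes));` before the `return;` would cover it, assuming XRes and YRes are UINT32 (their declarations are outside the hunk). The new comment also uses `/* */` while the surrounding context uses the `//` block style, so `// ignore hint, GraphicsConsoleDxe needs 640x480 or larger` would match. What GopInitialize does after this early return is outside the hunk.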
@@ -101,6 +101,12 @@ Patch42: edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch Patch43: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch # For RHEL-56974 - qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9] Patch44: edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch +# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6] +Patch45: edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch +# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6] +Patch46: edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch +# For RHEL-60833 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6] +Patch47: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -435,6 +441,15 @@ install -m 0644 \ %changelog +* Tue Oct 08 2024 Miroslav Rezanina - 20240524-7 +- edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch [RHEL-56248] +- edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch [RHEL-56248] +- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60833] +- Resolves: RHEL-56248 + (507x510 display resolution should not crash the firmware [edk2,rhel-9.6]) +- Resolves: RHEL-60833 + (CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6]) + * Fri Sep 13 2024 Miroslav Rezanina - 20240524-6 - edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch [RHEL-56974] - edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55336]