* Tue Oct 08 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240524-7

- edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch [RHEL-56248]
- edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch [RHEL-56248]
- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60833]
- Resolves: RHEL-56248
  (507x510 display resolution should not crash the firmware [edk2,rhel-9.6])
- Resolves: RHEL-60833
  (CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6])

edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch

@@ -0,0 +1,50 @@
+From effd0f360ea1186b2b6af0aa2420d4bf779d51ef Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 1 Oct 2024 18:40:41 -0400
+Subject: [PATCH 3/3] MdePkg: Fix overflow issue in BasePeCoffLib
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 78: MdePkg: Fix overflow issue in BasePeCoffLib
+RH-Jira: RHEL-60833
+RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
+RH-Commit: [1/1] 812453d5d03bcd92dfa6aea594af6214569c419e
+
+JIRA: https://issues.redhat.com/browse/RHEL-60833
+CVE: CVE-2024-38796
+Upstream: Merged
+
+commit c95233b8525ca6828921affd1496146cff262e65
+Author: Doug Flick <dougflick@microsoft.com>
+Date:   Fri Sep 27 12:08:55 2024 -0700
+
+    MdePkg: Fix overflow issue in BasePeCoffLib
+
+    The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+    also a UINT32 value. The current code does not check for overflow when
+    adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+    check to ensure that the addition does not overflow.
+
+    Signed-off-by: Doug Flick <dougflick@microsoft.com>
+    Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 86ff2e769b..128090d98e 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage (
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+     RelocBase    = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+                                                   ImageContext,
+-- 
+2.39.3
+

edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch

@@ -0,0 +1,65 @@
+From 126d004ce8884b68621394a62cf8a467c34d5d5b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 23 Aug 2024 14:36:16 +0200
+Subject: [PATCH 2/3] OvmfPkg/QemuVideoDxe: ignore display resolutions smaller
+ than 640x480
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 72: ignore display resolutions smaller than 640x480
+RH-Jira: RHEL-56248
+RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
+RH-Commit: [2/2] 376e5213497c007cd88bd8f7df9980d28f0fd143 (kraxel.rh/centos-src-edk2)
+
+GraphicsConsoleDxe will assert in case the resolution is too small.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 391666da2c1dc5671bbb3393079d86f46e3435af)
+---
+ OvmfPkg/QemuVideoDxe/Initialize.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/QemuVideoDxe/Initialize.c b/OvmfPkg/QemuVideoDxe/Initialize.c
+index 050ae878ec..2d1f50637f 100644
+--- a/OvmfPkg/QemuVideoDxe/Initialize.c
++++ b/OvmfPkg/QemuVideoDxe/Initialize.c
+@@ -293,6 +293,8 @@ QemuVideoBochsEdid (
+   )
+ {
+   EFI_STATUS  Status;
++  UINT32      X;
++  UINT32      Y;
+ 
+   if (Private->Variant != QEMU_VIDEO_BOCHS_MMIO) {
+     return;
+@@ -344,16 +346,24 @@ QemuVideoBochsEdid (
+     return;
+   }
+ 
+-  *XRes = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
+-  *YRes = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
++  X = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
++  Y = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
+   DEBUG ((
+     DEBUG_INFO,
+     "%a: default resolution: %dx%d\n",
+     __func__,
+-    *XRes,
+-    *YRes
++    X,
++    Y
+     ));
+ 
++  if ((X < 640) || (Y < 480)) {
++    /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */
++    return;
++  }
++
++  *XRes = X;
++  *YRes = Y;
++
+   if (PcdGet8 (PcdVideoResolutionSource) == 0) {
+     Status = PcdSet32S (PcdVideoHorizontalResolution, *XRes);
+     ASSERT_RETURN_ERROR (Status);
+-- 
+2.39.3
+

edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch

@@ -0,0 +1,37 @@
+From f53820c753be836a79d5743d4181f6827e12bcdf Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 23 Aug 2024 14:35:53 +0200
+Subject: [PATCH 1/3] OvmfPkg/VirtioGpuDxe: ignore display resolutions smaller
+ than 640x480
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 72: ignore display resolutions smaller than 640x480
+RH-Jira: RHEL-56248
+RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
+RH-Commit: [1/2] 1d63fc76f46a6adb49e6c9447563d70ff9728b04 (kraxel.rh/centos-src-edk2)
+
+GraphicsConsoleDxe will assert in case the resolution is too small.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 58035e8b5e11cfe2b9e6428d14c7817b6b1c83a2)
+---
+ OvmfPkg/VirtioGpuDxe/Gop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/VirtioGpuDxe/Gop.c b/OvmfPkg/VirtioGpuDxe/Gop.c
+index f64dfce5f4..d767114bbb 100644
+--- a/OvmfPkg/VirtioGpuDxe/Gop.c
++++ b/OvmfPkg/VirtioGpuDxe/Gop.c
+@@ -265,7 +265,8 @@ GopInitialize (
+   // query host for display resolution
+   //
+   GopNativeResolution (VgpuGop, &XRes, &YRes);
+-  if ((XRes == 0) || (YRes == 0)) {
++  if ((XRes < 640) || (YRes < 480)) {
++    /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */
+     return;
+   }
+ 
+-- 
+2.39.3
+

edk2.spec

@@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}
-Release:    6%{?dist}
+Release:    7%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL:        http://www.tianocore.org
@@ -101,6 +101,12 @@ Patch42: edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch
 Patch43: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch
 # For RHEL-56974 - qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9]
 Patch44: edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch
+# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6]
+Patch45: edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch
+# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6]
+Patch46: edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch
+# For RHEL-60833 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6]
+Patch47: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -435,6 +441,15 @@ install -m 0644 \
 
 
 %changelog
+* Tue Oct 08 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240524-7
+- edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch [RHEL-56248]
+- edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch [RHEL-56248]
+- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60833]
+- Resolves: RHEL-56248
+  (507x510 display resolution should not crash the firmware [edk2,rhel-9.6])
+- Resolves: RHEL-60833
+  (CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6])
+
 * Fri Sep 13 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240524-6
 - edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch [RHEL-56974]
 - edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55336]