rpms/edk2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'c9' into a9

Browse Source
This commit is contained in:
eabdullin 2024-09-03 12:31:26 +03:00
commit 19eb2b4b8d
12 changed files with 1064 additions and 825 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
SOURCES/edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch
View File

@ -1,36 +1,57 @@
From 94961b8817eec6f8d0434555ac50a7aa51c22201 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 14 Jun 2024 11:45:49 +0200
Subject: [PATCH] CryptoPkg/Test: call ProcessLibraryConstructorList
From b8793ffc6a7e7cfe3ecd9bd0da566ffd913a4544 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 20 Jun 2024 10:34:52 -0400
Subject: [PATCH 7/8] CryptoPkg/Test: call ProcessLibraryConstructorList
Needed to properly initialize BaseRngLib.
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
RH-Jira: RHEL-40270 RHEL-40272
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [7/8] 7b09b94bfb56f5b81df2ccf1e6dbe21a7354a723
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-40270
Upstream: Merged
CVE: CVE-2023-45237
commit 94961b8817eec6f8d0434555ac50a7aa51c22201
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri Jun 14 11:45:49 2024 +0200
CryptoPkg/Test: call ProcessLibraryConstructorList
Needed to properly initialize BaseRngLib.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
index d0c1c7a4f7e0..48d463b8ad49 100644
index d0c1c7a4f7..48d463b8ad 100644
--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
@@ -8,6 +8,12 @@
**/
#include "TestBaseCryptLib.h"
+VOID
+EFIAPI
+ProcessLibraryConstructorList (
+ VOID
+ );
+
/**
Initialize the unit test framework, suite, and unit tests for the
sample unit tests and run the unit tests.
**/
#include "TestBaseCryptLib.h"
+VOID
+EFIAPI
+ProcessLibraryConstructorList (
+ VOID
+ );
+
/**
Initialize the unit test framework, suite, and unit tests for the
sample unit tests and run the unit tests.
@@ -76,5 +82,6 @@ main (
char *argv[]
)
{
+ ProcessLibraryConstructorList ();
return UefiTestMain ();
}
char *argv[]
)
{
+ ProcessLibraryConstructorList ();
return UefiTestMain ();
}
--
2.39.3

112
SOURCES/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch
View File

@ -1,39 +1,58 @@
From aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 Mon Sep 17 00:00:00 2001
From: Gua Guo <gua.guo@intel.com>
Date: Thu, 11 Jan 2024 13:07:50 +0800
Subject: [PATCH] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
---
EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
index 8eb175aa96f9..cbc35152ccbc 100644
--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
@@ -110,6 +110,13 @@ CreateHob (
From f01b34eaeff2ccdd0ee7f2cf6371542efc0b13f5 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Sat, 6 Apr 2024 11:00:29 -0400
Subject: [PATCH 1/2] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 69: EmbeddedPkg/Hob: Integer Overflow in CreateHob()
RH-Jira: RHEL-30156
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [1/2] 1b851d3ecf23092f7961cd0320221dc56b69adc4
JIRA: https://issues.redhat.com/browse/RHEL-30156
CVE: CVE-2022-36765
Upstream: Merged
commit aeaee8944f0eaacbf4cdf39279785b9ba4836bb6
Author: Gua Guo <gua.guo@intel.com>
Date: Thu Jan 11 13:07:50 2024 +0800
EmbeddedPkg/Hob: Integer Overflow in CreateHob()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Abner Chang <abner.chang@amd.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
index 8eb175aa96..cbc35152cc 100644
--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
@@ -110,6 +110,13 @@ CreateHob (
HandOffHob = GetHobList ();
@ -47,7 +66,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
ASSERT (Hob != NULL);
@ -57,7 +76,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
Hob->ResourceType = ResourceType;
Hob->ResourceAttribute = ResourceAttribute;
@@ -401,6 +411,10 @@ BuildModuleHob (
@@ -401,6 +411,10 @@ BuildModuleHob (
);
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
@ -68,7 +87,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
@@ -449,6 +463,11 @@ BuildGuidHob (
@@ -449,6 +463,11 @@ BuildGuidHob (
ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
@ -80,7 +99,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
CopyGuid (&Hob->Name, Guid);
return Hob + 1;
}
@@ -512,6 +531,10 @@ BuildFvHob (
@@ -512,6 +531,10 @@ BuildFvHob (
EFI_HOB_FIRMWARE_VOLUME *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
@ -91,7 +110,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -543,6 +566,10 @@ BuildFv2Hob (
@@ -543,6 +566,10 @@ BuildFv2Hob (
EFI_HOB_FIRMWARE_VOLUME2 *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
@ -102,7 +121,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -584,6 +611,10 @@ BuildFv3Hob (
@@ -584,6 +611,10 @@ BuildFv3Hob (
EFI_HOB_FIRMWARE_VOLUME3 *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
@ -113,7 +132,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -639,6 +670,10 @@ BuildCpuHob (
@@ -639,6 +670,10 @@ BuildCpuHob (
EFI_HOB_CPU *Hob;
Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
@ -124,7 +143,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
Hob->SizeOfMemorySpace = SizeOfMemorySpace;
Hob->SizeOfIoSpace = SizeOfIoSpace;
@@ -676,6 +711,10 @@ BuildStackHob (
@@ -676,6 +711,10 @@ BuildStackHob (
);
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
@ -135,7 +154,7 @@ index 8eb175aa96f9..cbc35152ccbc 100644
CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
@@ -756,6 +795,10 @@ BuildMemoryAllocationHob (
@@ -756,6 +795,10 @@ BuildMemoryAllocationHob (
);
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
@ -146,3 +165,6 @@ index 8eb175aa96f9..cbc35152ccbc 100644
ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
--
2.39.3

116
SOURCES/edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-check-CPUID.patch → SOURCES/edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch
View File

@ -1,44 +1,63 @@
From c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a Mon Sep 17 00:00:00 2001
From: Pedro Falcato <pedro.falcato@gmail.com>
Date: Tue, 22 Nov 2022 22:31:03 +0000
Subject: [PATCH] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID
RDRAND has notoriously been broken many times over its lifespan.
Add a smoketest to RDRAND, in order to better sniff out potential
security concerns.
Also add a proper CPUID test in order to support older CPUs which may
not have it; it was previously being tested but then promptly ignored.
Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c
:x86_init_rdrand() per commit 049f9ae9..
Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection
code to MIT and the public domain.
>On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
<..>
> I (re)wrote that function in Linux. I hereby relicense it as MIT, and
> also place it into public domain. Do with it what you will now.
>
> Jason
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163
Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
---
MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++--
1 file changed, 91 insertions(+), 8 deletions(-)
diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
index 9bd68352f9f7..06d2a6f12d2e 100644
--- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
@@ -3,6 +3,7 @@
From a0f61781d9d7d816363704823688ba251fe7e0ba Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 20 Jun 2024 10:32:29 -0400
Subject: [PATCH 4/8] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check
CPUID
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
RH-Jira: RHEL-40270 RHEL-40272
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [4/8] 4fe23181254479e4a0f1abd31cedabacaec22944
JIRA: https://issues.redhat.com/browse/RHEL-40270
Upstream: Merged
CVE: CVE-2023-45237
commit c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a
Author: Pedro Falcato <pedro.falcato@gmail.com>
Date: Tue Nov 22 22:31:03 2022 +0000
MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID
RDRAND has notoriously been broken many times over its lifespan.
Add a smoketest to RDRAND, in order to better sniff out potential
security concerns.
Also add a proper CPUID test in order to support older CPUs which may
not have it; it was previously being tested but then promptly ignored.
Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c
:x86_init_rdrand() per commit 049f9ae9..
Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection
code to MIT and the public domain.
>On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
<..>
> I (re)wrote that function in Linux. I hereby relicense it as MIT, and
> also place it into public domain. Do with it what you will now.
>
> Jason
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163
Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jon Maloy <jmaloy@gmail.com>
---
MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++--
1 file changed, 91 insertions(+), 8 deletions(-)
diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
index 9bd68352f9..06d2a6f12d 100644
--- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
@@ -3,6 +3,7 @@
to provide high-quality random numbers.
Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
@ -46,7 +65,7 @@ index 9bd68352f9f7..06d2a6f12d2e 100644
Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
@@ -24,6 +25,88 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -24,6 +25,88 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
STATIC BOOLEAN mRdRandSupported;
@ -135,7 +154,7 @@ index 9bd68352f9f7..06d2a6f12d2e 100644
/**
The constructor function checks whether or not RDRAND instruction is supported
by the host hardware.
@@ -48,10 +131,13 @@ BaseRngLibConstructor (
@@ -48,10 +131,13 @@ BaseRngLibConstructor (
// CPUID. A value of 1 indicates that processor support RDRAND instruction.
//
AsmCpuid (1, 0, 0, &RegEcx, 0);
@ -150,7 +169,7 @@ index 9bd68352f9f7..06d2a6f12d2e 100644
return EFI_SUCCESS;
}
@@ -70,6 +156,7 @@ ArchGetRandomNumber16 (
@@ -70,6 +156,7 @@ ArchGetRandomNumber16 (
OUT UINT16 *Rand
)
{
@ -158,7 +177,7 @@ index 9bd68352f9f7..06d2a6f12d2e 100644
return AsmRdRand16 (Rand);
}
@@ -88,6 +175,7 @@ ArchGetRandomNumber32 (
@@ -88,6 +175,7 @@ ArchGetRandomNumber32 (
OUT UINT32 *Rand
)
{
@ -166,7 +185,7 @@ index 9bd68352f9f7..06d2a6f12d2e 100644
return AsmRdRand32 (Rand);
}
@@ -106,6 +194,7 @@ ArchGetRandomNumber64 (
@@ -106,6 +194,7 @@ ArchGetRandomNumber64 (
OUT UINT64 *Rand
)
{
@ -174,7 +193,7 @@ index 9bd68352f9f7..06d2a6f12d2e 100644
return AsmRdRand64 (Rand);
}
@@ -122,13 +211,7 @@ ArchIsRngSupported (
@@ -122,13 +211,7 @@ ArchIsRngSupported (
VOID
)
{
@ -189,3 +208,6 @@ index 9bd68352f9f7..06d2a6f12d2e 100644
}
/**
--
2.39.3

59
SOURCES/edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch
View File

@ -1,21 +1,39 @@
From 5e776299a2604b336a947e68593012ab2cc16eb4 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 14 Jun 2024 11:45:53 +0200
Subject: [PATCH] MdePkg/X86UnitTestHost: set rdrand cpuid bit
Set the rdrand feature bit when faking cpuid for host test cases.
Needed to make the CryptoPkg test cases work.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c
index 8ba4f54a385d..7f7276f7f4b8 100644
--- a/MdePkg/Library/BaseLib/X86UnitTestHost.c
+++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c
@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid (
From 90461020e9b7534dc03baeea7b485045ed5962e9 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 20 Jun 2024 10:35:27 -0400
Subject: [PATCH 8/8] MdePkg/X86UnitTestHost: set rdrand cpuid bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
RH-Jira: RHEL-40270 RHEL-40272
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [8/8] 5bacbf3cf6fadd3362dfd6f31743707e65b4f119
JIRA: https://issues.redhat.com/browse/RHEL-40270
Upstream: Merged
CVE: CVE-2023-45237
commit 5e776299a2604b336a947e68593012ab2cc16eb4
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri Jun 14 11:45:53 2024 +0200
MdePkg/X86UnitTestHost: set rdrand cpuid bit
Set the rdrand feature bit when faking cpuid for host test cases.
Needed to make the CryptoPkg test cases work.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c
index 8ba4f54a38..7f7276f7f4 100644
--- a/MdePkg/Library/BaseLib/X86UnitTestHost.c
+++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c
@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid (
OUT UINT32 *Edx OPTIONAL
)
{
@ -31,7 +49,7 @@ index 8ba4f54a385d..7f7276f7f4b8 100644
if (Eax != NULL) {
*Eax = 0;
}
@@ -75,7 +84,7 @@ UnitTestHostBaseLibAsmCpuid (
@@ -75,7 +84,7 @@ UnitTestHostBaseLibAsmCpuid (
}
if (Ecx != NULL) {
@ -40,3 +58,6 @@ index 8ba4f54a385d..7f7276f7f4b8 100644
}
if (Edx != NULL) {
--
2.39.3

592
SOURCES/edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
View File

File diff suppressed because it is too large Load Diff

74
SOURCES/edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch Normal file
View File

@ -0,0 +1,74 @@
From 5e93f6c09a57dd69f1b05654455452c4a0154a79 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 13 Jun 2024 18:35:46 -0400
Subject: [PATCH 3/8] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in
iPXE environment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
RH-Jira: RHEL-40270 RHEL-40272
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [3/8] 9307e82e90d6f526d303607255a4c469ebe574d4
JIRA: https://issues.redhat.com/browse/RHEL-40272
Upstream: Merged
CVE: CVE-2023-45236
commit ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3
Author: Sam <Sam_Tsai@wiwynn.com>
Date: Wed May 29 07:46:03 2024 +0800
NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in iPXE environment
This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH"
REF: 1904a64
Issue Description:
An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was:
NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, &mHash2ServiceHandle);
Root Cause Analysis:
The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle.
Implemented Solution:
To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly:
NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle);
This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error.
Verification:
Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment.
Cc: Doug Flick [MSFT] <doug.edk2@gmail.com>
Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/TcpDxe/TcpDriver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 40bba4080c..c6e7c0df54 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -509,7 +509,7 @@ TcpDestroyService (
//
// Destroy the instance of the hashing protocol for this controller.
//
- Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
--
2.39.3

53
SOURCES/edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flow-in.patch
View File

@ -1,53 +0,0 @@
From ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3 Mon Sep 17 00:00:00 2001
From: Sam <Sam_Tsai@wiwynn.com>
Date: Wed, 29 May 2024 07:46:03 +0800
Subject: [PATCH] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in
iPXE environment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH"
REF: 1904a64
Issue Description:
An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was:
NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, &mHash2ServiceHandle);
Root Cause Analysis:
The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle.
Implemented Solution:
To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly:
NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle);
This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error.
Verification:
Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment.
Cc: Doug Flick [MSFT] <doug.edk2@gmail.com>
Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
---
NetworkPkg/TcpDxe/TcpDriver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 40bba4080c87..c6e7c0df540a 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -509,7 +509,7 @@ TcpDestroyService (
//
// Destroy the instance of the hashing protocol for this controller.
//
- Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}

295
SOURCES/edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch
View File

@ -1,80 +1,98 @@
From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Wed, 8 May 2024 22:56:29 -0700
Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
REF: https://www.rfc-editor.org/rfc/rfc1948.txt
REF: https://www.rfc-editor.org/rfc/rfc6528.txt
REF: https://www.rfc-editor.org/rfc/rfc9293.txt
Bug Overview:
PixieFail Bug #8
CVE-2023-45236
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Updates TCP ISN generation to use a cryptographic hash of the
connection's identifying parameters and a secret key.
This prevents an attacker from guessing the ISN used for some other
connection.
This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
RFC: 9293 Section 3.4.1. Initial Sequence Number Selection
A TCP implementation MUST use the above type of "clock" for clock-
driven selection of initial sequence numbers (MUST-8), and SHOULD
generate its initial sequence numbers with the expression:
ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
where M is the 4 microsecond timer, and F() is a pseudorandom
function (PRF) of the connection's identifying parameters ("localip,
localport, remoteip, remoteport") and a secret key ("secretkey")
(SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or
an attacker could still guess at sequence numbers from the ISN used
for some other connection. The PRF could be implemented as a
cryptographic hash of the concatenation of the TCP connection
parameters and some secret data. For discussion of the selection of
a specific hash algorithm and management of the secret key data,
please see Section 3 of [42].
For each connection there is a send sequence number and a receive
sequence number. The initial send sequence number (ISS) is chosen by
the data sending TCP peer, and the initial receive sequence number
(IRS) is learned during the connection-establishing procedure.
For a connection to be established or initialized, the two TCP peers
must synchronize on each other's initial sequence numbers. This is
done in an exchange of connection-establishing segments carrying a
control bit called "SYN" (for synchronize) and the initial sequence
numbers. As a shorthand, segments carrying the SYN bit are also
called "SYNs". Hence, the solution requires a suitable mechanism for
picking an initial sequence number and a slightly involved handshake
to exchange the ISNs.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
---
NetworkPkg/SecurityFixes.yaml | 22 +++
NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++-
NetworkPkg/TcpDxe/TcpDxe.inf | 8 +-
NetworkPkg/TcpDxe/TcpFunc.h | 23 ++--
NetworkPkg/TcpDxe/TcpInput.c | 13 +-
NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++--
NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++--
NetworkPkg/TcpDxe/TcpTimer.c | 3 +-
8 files changed, 415 insertions(+), 49 deletions(-)
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
index 20a4555019d9..4305328425d0 100644
--- a/NetworkPkg/SecurityFixes.yaml
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -122,6 +122,28 @@ CVE_2023_45235:
From 6f0cf9f14b1abefa62416c1611f01d6fb3353c44 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 11 Jun 2024 15:20:29 -0400
Subject: [PATCH 2/8] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
RH-Jira: RHEL-40270 RHEL-40272
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [2/8] 18e88b5def6b058ecd4ffa565ef6f3bafe6f03ad
JIRA: https://issues.redhat.com/browse/RHEL-40272
Upstream: Merged
CVE: CVE-2023-45236
commit 1904a64bcc18199738e5be183d28887ac5d837d7
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed May 8 22:56:29 2024 -0700
NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
REF: https://www.rfc-editor.org/rfc/rfc1948.txt
REF: https://www.rfc-editor.org/rfc/rfc6528.txt
REF: https://www.rfc-editor.org/rfc/rfc9293.txt
Bug Overview:
PixieFail Bug #8
CVE-2023-45236
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Updates TCP ISN generation to use a cryptographic hash of the
connection's identifying parameters and a secret key.
This prevents an attacker from guessing the ISN used for some other
connection.
This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
RFC: 9293 Section 3.4.1. Initial Sequence Number Selection
A TCP implementation MUST use the above type of "clock" for clock-
driven selection of initial sequence numbers (MUST-8), and SHOULD
generate its initial sequence numbers with the expression:
ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
where M is the 4 microsecond timer, and F() is a pseudorandom
function (PRF) of the connection's identifying parameters ("localip,
localport, remoteip, remoteport") and a secret key ("secretkey")
(SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or
an attacker could still guess at sequence numbers from the ISN used
for some other connection. The PRF could be implemented as a
cryptographic hash of the concatenation of the TCP connection
parameters and some secret data. For discussion of the selection of
a specific hash algorithm and management of the secret key data,
please see Section 3 of [42].
For each connection there is a send sequence number and a receive
sequence number. The initial send sequence number (ISS) is chosen by
the data sending TCP peer, and the initial receive sequence number
(IRS) is learned during the connection-establishing procedure.
For a connection to be established or initialized, the two TCP peers
must synchronize on each other's initial sequence numbers. This is
done in an exchange of connection-establishing segments carrying a
control bit called "SYN" (for synchronize) and the initial sequence
numbers. As a shorthand, segments carrying the SYN bit are also
called "SYNs". Hence, the solution requires a suitable mechanism for
picking an initial sequence number and a slightly involved handshake
to exchange the ISNs.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/SecurityFixes.yaml | 22 +++
NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++-
NetworkPkg/TcpDxe/TcpDxe.inf | 8 +-
NetworkPkg/TcpDxe/TcpFunc.h | 23 ++--
NetworkPkg/TcpDxe/TcpInput.c | 13 +-
NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++--
NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++--
NetworkPkg/TcpDxe/TcpTimer.c | 3 +-
8 files changed, 415 insertions(+), 49 deletions(-)
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
index 20a4555019..4305328425 100644
--- a/NetworkPkg/SecurityFixes.yaml
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -122,6 +122,28 @@ CVE_2023_45235:
- http://www.openwall.com/lists/oss-security/2024/01/16/2
- http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
- https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
@ -103,11 +121,11 @@ index 20a4555019d9..4305328425d0 100644
CVE_2023_45237:
commit_titles:
- "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 8fe6badd687c..40bba4080c87 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = {
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 8fe6badd68..40bba4080c 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = {
TcpServiceBindingDestroyChild
};
@ -120,7 +138,7 @@ index 8fe6badd687c..40bba4080c87 100644
/**
Create and start the heartbeat timer for the TCP driver.
@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
EFI_STATUS Status;
UINT32 Random;
@ -144,7 +162,7 @@ index 8fe6badd687c..40bba4080c87 100644
Status = PseudoRandomU32 (&Random);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
}
//
@ -155,7 +173,7 @@ index 8fe6badd687c..40bba4080c87 100644
mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
mTcp6RandomPort = mTcp4RandomPort;
@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
@param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
@retval EFI_OUT_OF_RESOURCES Failed to allocate some resources.
@ -164,7 +182,7 @@ index 8fe6badd687c..40bba4080c87 100644
@retval EFI_SUCCESS A new IP6 service binding private was created.
**/
@@ -234,11 +258,13 @@ TcpCreateService (
@@ -234,11 +258,13 @@ TcpCreateService (
IN UINT8 IpVersion
)
{
@ -183,7 +201,7 @@ index 8fe6badd687c..40bba4080c87 100644
if (IpVersion == IP_VERSION_4) {
IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid;
@@ -272,6 +298,33 @@ TcpCreateService (
@@ -272,6 +298,33 @@ TcpCreateService (
return EFI_UNSUPPORTED;
}
@ -217,7 +235,7 @@ index 8fe6badd687c..40bba4080c87 100644
//
// Create the TCP service data.
//
@@ -423,6 +476,7 @@ TcpDestroyService (
@@ -423,6 +476,7 @@ TcpDestroyService (
EFI_STATUS Status;
LIST_ENTRY *List;
TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context;
@ -225,7 +243,7 @@ index 8fe6badd687c..40bba4080c87 100644
ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
@@ -439,6 +493,30 @@ TcpDestroyService (
@@ -439,6 +493,30 @@ TcpDestroyService (
return EFI_SUCCESS;
}
@ -256,11 +274,11 @@ index 8fe6badd687c..40bba4080c87 100644
Status = gBS->OpenProtocol (
NicHandle,
ServiceBindingGuid,
diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
index cf5423f4c537..76de4cf9ec3d 100644
--- a/NetworkPkg/TcpDxe/TcpDxe.inf
+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
@@ -6,6 +6,7 @@
diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
index cf5423f4c5..76de4cf9ec 100644
--- a/NetworkPkg/TcpDxe/TcpDxe.inf
+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
@@ -6,6 +6,7 @@
# stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
#
# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
@ -268,7 +286,7 @@ index cf5423f4c537..76de4cf9ec3d 100644
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -68,7 +69,6 @@
@@ -68,7 +69,6 @@
NetLib
IpIoLib
@ -276,7 +294,7 @@ index cf5423f4c537..76de4cf9ec3d 100644
[Protocols]
## SOMETIMES_CONSUMES
## SOMETIMES_PRODUCES
@@ -81,6 +81,12 @@
@@ -81,6 +81,12 @@
gEfiIp6ServiceBindingProtocolGuid ## TO_START
gEfiTcp6ProtocolGuid ## BY_START
gEfiTcp6ServiceBindingProtocolGuid ## BY_START
@ -289,11 +307,11 @@ index cf5423f4c537..76de4cf9ec3d 100644
[Depex]
gEfiHash2ServiceBindingProtocolGuid
diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
index a7af01fff246..c707bee3e548 100644
--- a/NetworkPkg/TcpDxe/TcpFunc.h
+++ b/NetworkPkg/TcpDxe/TcpFunc.h
@@ -2,7 +2,7 @@
diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
index a7af01fff2..c707bee3e5 100644
--- a/NetworkPkg/TcpDxe/TcpFunc.h
+++ b/NetworkPkg/TcpDxe/TcpFunc.h
@@ -2,7 +2,7 @@
Declaration of external functions shared in TCP driver.
Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
@ -302,7 +320,7 @@ index a7af01fff246..c707bee3e548 100644
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -36,8 +36,11 @@ VOID
@@ -36,8 +36,11 @@ VOID
@param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
@ -315,7 +333,7 @@ index a7af01fff246..c707bee3e548 100644
TcpInitTcbLocal (
IN OUT TCP_CB *Tcb
);
@@ -128,17 +131,6 @@ TcpCloneTcb (
@@ -128,17 +131,6 @@ TcpCloneTcb (
IN TCP_CB *Tcb
);
@ -333,7 +351,7 @@ index a7af01fff246..c707bee3e548 100644
/**
Get the local mss.
@@ -202,8 +194,11 @@ TcpFormatNetbuf (
@@ -202,8 +194,11 @@ TcpFormatNetbuf (
@param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
connection.
@ -346,11 +364,11 @@ index a7af01fff246..c707bee3e548 100644
TcpOnAppConnect (
IN OUT TCP_CB *Tcb
);
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
index 97633a3908be..a5d575ccafeb 100644
--- a/NetworkPkg/TcpDxe/TcpInput.c
+++ b/NetworkPkg/TcpDxe/TcpInput.c
@@ -724,6 +724,7 @@ TcpInput (
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
index 7b329be64d..86dd7c4907 100644
--- a/NetworkPkg/TcpDxe/TcpInput.c
+++ b/NetworkPkg/TcpDxe/TcpInput.c
@@ -724,6 +724,7 @@ TcpInput (
TCP_SEQNO Urg;
UINT16 Checksum;
INT32 Usable;
@ -358,7 +376,7 @@ index 97633a3908be..a5d575ccafeb 100644
ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
@@ -872,7 +873,17 @@ TcpInput (
@@ -872,7 +873,17 @@ TcpInput (
Tcb->LocalEnd.Port = Head->DstPort;
Tcb->RemoteEnd.Port = Head->SrcPort;
@ -377,11 +395,11 @@ index 97633a3908be..a5d575ccafeb 100644
TcpInitTcbPeer (Tcb, Seg, &Option);
TcpSetState (Tcb, TCP_SYN_RCVD);
diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
index c0c9b7f46ebe..4d5566ab9379 100644
--- a/NetworkPkg/TcpDxe/TcpMain.h
+++ b/NetworkPkg/TcpDxe/TcpMain.h
@@ -3,7 +3,7 @@
diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
index c0c9b7f46e..4d5566ab93 100644
--- a/NetworkPkg/TcpDxe/TcpMain.h
+++ b/NetworkPkg/TcpDxe/TcpMain.h
@@ -3,7 +3,7 @@
It is the common head file for all Tcp*.c in TCP driver.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
@ -390,7 +408,7 @@ index c0c9b7f46ebe..4d5566ab9379 100644
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -13,6 +13,7 @@
@@ -13,6 +13,7 @@
#include <Protocol/ServiceBinding.h>
#include <Protocol/DriverBinding.h>
@ -398,7 +416,7 @@ index c0c9b7f46ebe..4d5566ab9379 100644
#include <Library/IpIoLib.h>
#include <Library/DevicePathLib.h>
#include <Library/PrintLib.h>
@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable;
@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable;
extern LIST_ENTRY mTcpRunQue;
extern LIST_ENTRY mTcpListenQue;
@ -407,7 +425,7 @@ index c0c9b7f46ebe..4d5566ab9379 100644
extern UINT32 mTcpTick;
///
@@ -45,14 +46,6 @@ extern UINT32 mTcpTick;
@@ -45,14 +46,6 @@ extern UINT32 mTcpTick;
#define TCP_EXPIRE_TIME 65535
@ -422,7 +440,7 @@ index c0c9b7f46ebe..4d5566ab9379 100644
typedef union {
EFI_TCP4_CONFIG_DATA Tcp4CfgData;
EFI_TCP6_CONFIG_DATA Tcp6CfgData;
@@ -774,4 +767,50 @@ Tcp6Poll (
@@ -774,4 +767,50 @@ Tcp6Poll (
IN EFI_TCP6_PROTOCOL *This
);
@ -473,11 +491,11 @@ index c0c9b7f46ebe..4d5566ab9379 100644
+ );
+
#endif
diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
index c93212d47ded..3310306f639c 100644
--- a/NetworkPkg/TcpDxe/TcpMisc.c
+++ b/NetworkPkg/TcpDxe/TcpMisc.c
@@ -3,7 +3,7 @@
diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
index c93212d47d..3310306f63 100644
--- a/NetworkPkg/TcpDxe/TcpMisc.c
+++ b/NetworkPkg/TcpDxe/TcpMisc.c
@@ -3,7 +3,7 @@
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
@ -486,7 +504,7 @@ index c93212d47ded..3310306f639c 100644
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = {
@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = {
&mTcpListenQue
};
@ -522,7 +540,7 @@ index c93212d47ded..3310306f639c 100644
CHAR16 *mTcpStateName[] = {
L"TCP_CLOSED",
@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = {
@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = {
@param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
@ -542,7 +560,7 @@ index c93212d47ded..3310306f639c 100644
//
// Compute the checksum of the fixed parts of pseudo header
//
@@ -57,6 +90,16 @@ TcpInitTcbLocal (
@@ -57,6 +90,16 @@ TcpInitTcbLocal (
0x06,
0
);
@ -559,7 +577,7 @@ index c93212d47ded..3310306f639c 100644
} else {
Tcb->HeadSum = NetIp6PseudoHeadChecksum (
&Tcb->LocalEnd.Ip.v6,
@@ -64,9 +107,25 @@ TcpInitTcbLocal (
@@ -64,9 +107,25 @@ TcpInitTcbLocal (
0x06,
0
);
@ -586,7 +604,7 @@ index c93212d47ded..3310306f639c 100644
Tcb->SndUna = Tcb->Iss;
Tcb->SndNxt = Tcb->Iss;
@@ -82,6 +141,8 @@ TcpInitTcbLocal (
@@ -82,6 +141,8 @@ TcpInitTcbLocal (
Tcb->RetxmitSeqMax = 0;
Tcb->ProbeTimerOn = FALSE;
@ -595,7 +613,7 @@ index c93212d47ded..3310306f639c 100644
}
/**
@@ -506,18 +567,162 @@ TcpCloneTcb (
@@ -506,18 +567,162 @@ TcpCloneTcb (
}
/**
@ -766,7 +784,7 @@ index c93212d47ded..3310306f639c 100644
}
/**
@@ -721,17 +926,28 @@ TcpFormatNetbuf (
@@ -721,17 +926,28 @@ TcpFormatNetbuf (
@param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
connection.
@ -797,11 +815,11 @@ index c93212d47ded..3310306f639c 100644
}
/**
diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
index 5d2e124977d9..065b1bdf5feb 100644
--- a/NetworkPkg/TcpDxe/TcpTimer.c
+++ b/NetworkPkg/TcpDxe/TcpTimer.c
@@ -2,7 +2,7 @@
diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
index 5d2e124977..065b1bdf5f 100644
--- a/NetworkPkg/TcpDxe/TcpTimer.c
+++ b/NetworkPkg/TcpDxe/TcpTimer.c
@@ -2,7 +2,7 @@
TCP timer related functions.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
@ -810,7 +828,7 @@ index 5d2e124977d9..065b1bdf5feb 100644
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -483,7 +483,6 @@ TcpTickingDpc (
@@ -483,7 +483,6 @@ TcpTickingDpc (
INT16 Index;
mTcpTick++;
@ -818,3 +836,6 @@ index 5d2e124977d9..065b1bdf5feb 100644
//
// Don't use LIST_FOR_EACH, which isn't delete safe.
--
2.39.3

259
SOURCES/edk2-OvmfPkg-wire-up-RngDxe.patch
View File

@ -1,42 +1,62 @@
From 0aa96c512c689426838ec1cf4aa78ff088c03a1e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 24 May 2024 12:51:17 +0200
Subject: [PATCH] OvmfPkg: wire up RngDxe
Add OvmfRng include snippets with the random number generator
configuration for OVMF. Include RngDxe, build with BaseRngLib,
so the rdrand instruction is used (if available).
Also move VirtioRng to the include snippets.
Use the new include snippets for OVMF builds.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 712797cf19acd292bf203522a79e40e7e13d268b)
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ++-
OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc | 9 +++++++++
OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc | 6 ++++++
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +-
OvmfPkg/IntelTdx/IntelTdxX64.fdf | 3 ++-
OvmfPkg/Microvm/MicrovmX64.dsc | 2 +-
OvmfPkg/Microvm/MicrovmX64.fdf | 3 ++-
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
OvmfPkg/OvmfPkgIa32.fdf | 3 ++-
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
OvmfPkg/OvmfPkgIa32X64.fdf | 3 ++-
OvmfPkg/OvmfPkgX64.dsc | 2 +-
OvmfPkg/OvmfPkgX64.fdf | 3 ++-
14 files changed, 33 insertions(+), 12 deletions(-)
create mode 100644 OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
create mode 100644 OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index cf1ad83e09..4edc2a9069 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -651,7 +651,6 @@
From e22e11cc37c3bf3530ea8db1d18371c47c9e4440 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 20 Jun 2024 10:34:22 -0400
Subject: [PATCH 6/8] OvmfPkg: wire up RngDxe
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
RH-Jira: RHEL-40270 RHEL-40272
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [6/8] 4adf88888386923ee824469cf836b4f63117807d
JIRA: https://issues.redhat.com/browse/RHEL-40270
Upstream: Merged
CVE: CVE-2023-45237
Conflicts: Cherry pick wanted to add include files from the
missing 'add ShellComponents' (commit 2cb466cc2cbf...)
series. This had to be handled manually.
commit 712797cf19acd292bf203522a79e40e7e13d268b
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri May 24 12:51:17 2024 +0200
OvmfPkg: wire up RngDxe
Add OvmfRng include snippets with the random number generator
configuration for OVMF. Include RngDxe, build with BaseRngLib,
so the rdrand instruction is used (if available).
Also move VirtioRng to the include snippets.
Use the new include snippets for OVMF builds.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ++-
OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc | 9 +++++++++
OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc | 6 ++++++
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +-
OvmfPkg/IntelTdx/IntelTdxX64.fdf | 3 ++-
OvmfPkg/Microvm/MicrovmX64.dsc | 2 +-
OvmfPkg/Microvm/MicrovmX64.fdf | 3 ++-
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
OvmfPkg/OvmfPkgIa32.fdf | 3 ++-
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
OvmfPkg/OvmfPkgIa32X64.fdf | 3 ++-
OvmfPkg/OvmfPkgX64.dsc | 2 +-
OvmfPkg/OvmfPkgX64.fdf | 3 ++-
14 files changed, 33 insertions(+), 12 deletions(-)
create mode 100644 OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
create mode 100644 OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 7bb6ffb3f0..5d50e77002 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -651,7 +651,6 @@
OvmfPkg/Virtio10Dxe/Virtio10.inf
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -44,7 +64,7 @@ index cf1ad83e09..4edc2a9069 100644
!if $(PVSCSI_ENABLE) == TRUE
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
!endif
@@ -763,6 +762,7 @@
@@ -763,6 +762,7 @@
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
!endif
@ -52,11 +72,11 @@ index cf1ad83e09..4edc2a9069 100644
OvmfPkg/PlatformDxe/Platform.inf
OvmfPkg/AmdSevDxe/AmdSevDxe.inf {
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index c56c98dc85..480837b0fa 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -220,7 +220,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 0e3d7bea2b..c94f2d34ee 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -220,7 +220,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -64,7 +84,7 @@ index c56c98dc85..480837b0fa 100644
!if $(PVSCSI_ENABLE) == TRUE
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
!endif
@@ -316,6 +315,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -316,6 +315,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
#
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
@ -73,12 +93,12 @@ index c56c98dc85..480837b0fa 100644
################################################################################
[FV.FVMAIN_COMPACT]
diff --git a/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
new file mode 100644
index 0000000000..68839a0caa
--- /dev/null
+++ b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
@@ -0,0 +1,9 @@
diff --git a/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
new file mode 100644
index 0000000000..68839a0caa
--- /dev/null
+++ b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
@@ -0,0 +1,9 @@
+##
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
@ -88,23 +108,23 @@ index 0000000000..68839a0caa
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+ }
+ OvmfPkg/VirtioRngDxe/VirtioRng.inf
diff --git a/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
new file mode 100644
index 0000000000..99cb4a32b1
--- /dev/null
+++ b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
@@ -0,0 +1,6 @@
diff --git a/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
new file mode 100644
index 0000000000..99cb4a32b1
--- /dev/null
+++ b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
@@ -0,0 +1,6 @@
+##
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 9f49b60ff0..4b7e1596fc 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -641,7 +641,6 @@
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index fd6722499a..d38fed2171 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -641,7 +641,6 @@
OvmfPkg/Virtio10Dxe/Virtio10.inf
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -112,7 +132,7 @@ index 9f49b60ff0..4b7e1596fc 100644
!if $(PVSCSI_ENABLE) == TRUE
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
!endif
@@ -752,6 +751,7 @@
@@ -752,6 +751,7 @@
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
!endif
@ -120,11 +140,11 @@ index 9f49b60ff0..4b7e1596fc 100644
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
index ce5d542048..88d0f75ae2 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
@@ -285,7 +285,6 @@ READ_LOCK_STATUS = TRUE
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
index 69ed7a9bc6..077a5c8637 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
@@ -285,7 +285,6 @@ READ_LOCK_STATUS = TRUE
#
INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -132,7 +152,7 @@ index ce5d542048..88d0f75ae2 100644
!if $(PVSCSI_ENABLE) == TRUE
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
!endif
@@ -333,6 +332,8 @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
@@ -333,6 +332,8 @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
INF OvmfPkg/PlatformDxe/Platform.inf
@ -141,11 +161,11 @@ index ce5d542048..88d0f75ae2 100644
################################################################################
[FV.FVMAIN_COMPACT]
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index fb73f2e089..9206f01816 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -754,7 +754,6 @@
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index 79f14b5c05..ca6902971f 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -754,7 +754,6 @@
OvmfPkg/Virtio10Dxe/Virtio10.inf
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -153,7 +173,7 @@ index fb73f2e089..9206f01816 100644
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
@@ -880,6 +879,7 @@
@@ -880,6 +879,7 @@
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
@ -161,11 +181,11 @@ index fb73f2e089..9206f01816 100644
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
index 055e659a35..c8268d7e8c 100644
--- a/OvmfPkg/Microvm/MicrovmX64.fdf
+++ b/OvmfPkg/Microvm/MicrovmX64.fdf
@@ -204,7 +204,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
index eda24a3ec9..767ee4b338 100644
--- a/OvmfPkg/Microvm/MicrovmX64.fdf
+++ b/OvmfPkg/Microvm/MicrovmX64.fdf
@@ -204,7 +204,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -173,7 +193,7 @@ index 055e659a35..c8268d7e8c 100644
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
@@ -303,6 +302,8 @@ INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf
@@ -303,6 +302,8 @@ INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@ -182,11 +202,11 @@ index 055e659a35..c8268d7e8c 100644
################################################################################
[FV.FVMAIN_COMPACT]
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 65a866ae0c..b64c215585 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -804,7 +804,6 @@
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 83adecc374..4074aa382d 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -804,7 +804,6 @@
OvmfPkg/Virtio10Dxe/Virtio10.inf
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -194,7 +214,7 @@ index 65a866ae0c..b64c215585 100644
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
!if $(PVSCSI_ENABLE) == TRUE
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
@@ -942,6 +941,7 @@
@@ -942,6 +941,7 @@
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
!endif
@ -202,11 +222,11 @@ index 65a866ae0c..b64c215585 100644
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 10eb6fe72b..c31276e4a3 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -236,7 +236,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 88c57ff5ff..20cfd2788e 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -236,7 +236,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -214,7 +234,7 @@ index 10eb6fe72b..c31276e4a3 100644
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
!if $(PVSCSI_ENABLE) == TRUE
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
@@ -367,6 +366,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -367,6 +366,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
#
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
@ -223,11 +243,11 @@ index 10eb6fe72b..c31276e4a3 100644
!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
INF OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 679e25501b..ececac3757 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -822,7 +822,6 @@
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index b47cdf63e7..75ef19bc85 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -822,7 +822,6 @@
OvmfPkg/Virtio10Dxe/Virtio10.inf
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -235,7 +255,7 @@ index 679e25501b..ececac3757 100644
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
!if $(PVSCSI_ENABLE) == TRUE
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
@@ -960,6 +959,7 @@
@@ -960,6 +959,7 @@
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
!endif
@ -243,11 +263,11 @@ index 679e25501b..ececac3757 100644
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index ff06bbfc6f..a7b4aeac08 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -237,7 +237,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index ab5a9bc306..8517c79ba2 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -237,7 +237,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -255,7 +275,7 @@ index ff06bbfc6f..a7b4aeac08 100644
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
!if $(PVSCSI_ENABLE) == TRUE
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
@@ -374,6 +373,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -374,6 +373,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
#
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
@ -264,11 +284,11 @@ index ff06bbfc6f..a7b4aeac08 100644
################################################################################
[FV.FVMAIN_COMPACT]
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index d294fd4625..0ab4d3df06 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -890,7 +890,6 @@
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index be3824ec1e..631ff0c788 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -890,7 +890,6 @@
OvmfPkg/Virtio10Dxe/Virtio10.inf
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -276,7 +296,7 @@ index d294fd4625..0ab4d3df06 100644
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
!if $(PVSCSI_ENABLE) == TRUE
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
@@ -1028,6 +1027,7 @@
@@ -1028,6 +1027,7 @@
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
!endif
@ -284,11 +304,11 @@ index d294fd4625..0ab4d3df06 100644
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index f3b787201f..ae08ac4fe9 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -262,7 +262,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 851399888f..7ecde357ce 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -262,7 +262,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
@ -296,7 +316,7 @@ index f3b787201f..ae08ac4fe9 100644
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
!if $(PVSCSI_ENABLE) == TRUE
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
@@ -408,6 +407,8 @@ INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
@@ -408,6 +407,8 @@ INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
#
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
@ -305,3 +325,6 @@ index f3b787201f..ae08ac4fe9 100644
################################################################################
[FV.FVMAIN_COMPACT]
--
2.39.3

79
SOURCES/edk2-SecurityPkg-RngDxe-add-rng-test.patch
View File

@ -1,7 +1,33 @@
From a61bc0accb8a76edba4f073fdc7bafc908df045d Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 31 May 2024 09:49:13 +0200
Subject: [PATCH] SecurityPkg/RngDxe: add rng test
From 7719d41979ef6e376d183c70cd47951ff5bf6ef1 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 20 Jun 2024 10:33:43 -0400
Subject: [PATCH 5/8] SecurityPkg/RngDxe: add rng test
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
RH-Jira: RHEL-40270 RHEL-40272
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [5/8] 84a58daaed0ee81ebed501392be33338da575df6
JIRA: https://issues.redhat.com/browse/RHEL-40270
Upstream: Merged
CVE: CVE-2023-45237
commit a61bc0accb8a76edba4f073fdc7bafc908df045d
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri May 31 09:49:13 2024 +0200
SecurityPkg/RngDxe: add rng test
Check whenever RngLib actually returns random numbers, only return
a non-zero number of Algorithms if that is the case.
This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL
only in case it can actually deliver random numbers.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Check whenever RngLib actually returns random numbers, only return
a non-zero number of Algorithms if that is the case.
@ -15,28 +41,31 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index 5723ed695747..8b0742bab6c4 100644
index 7e06e16e4b..285b5f46e7 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -23,6 +23,7 @@
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
+#include <Library/RngLib.h>
#include "RngDxeInternals.h"
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
+#include <Library/RngLib.h>
#include "RngDxeInternals.h"
@@ -43,7 +44,12 @@ GetAvailableAlgorithms (
VOID
)
{
- mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
+ UINT64 RngTest;
+
+ if (GetRandomNumber64 (&RngTest)) {
+ mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
+ }
+
return EFI_SUCCESS;
}
VOID
)
{
- mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
+ UINT64 RngTest;
+
+ if (GetRandomNumber64 (&RngTest)) {
+ mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
+ }
+
return EFI_SUCCESS;
}
--
2.39.3

108
SOURCES/edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch
View File

@ -1,39 +1,58 @@
From 9a75b030cf27d2530444e9a2f9f11867f79bf679 Mon Sep 17 00:00:00 2001
From: Gua Guo <gua.guo@intel.com>
Date: Thu, 11 Jan 2024 13:03:26 +0800
Subject: [PATCH] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
---
.../Arm/StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
index 1550e1babc83..59473e28fe59 100644
--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
@@ -34,6 +34,13 @@ CreateHob (
From 0ef57f5f435ee1909d14da24cd1c3edc91fef405 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Sat, 6 Apr 2024 11:00:29 -0400
Subject: [PATCH 2/2] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 69: EmbeddedPkg/Hob: Integer Overflow in CreateHob()
RH-Jira: RHEL-30156
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [2/2] 3c3454688975f62041dd8d3393f0bba5ec3b71f1
JIRA: https://issues.redhat.com/browse/RHEL-30156
CVE: CVE-2022-36765
Upstream: Merged
commit 9a75b030cf27d2530444e9a2f9f11867f79bf679
Author: Gua Guo <gua.guo@intel.com>
Date: Thu Jan 11 13:03:26 2024 +0800
StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../Arm/StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
index 1550e1babc..59473e28fe 100644
--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
@@ -34,6 +34,13 @@ CreateHob (
HandOffHob = GetHobList ();
@ -47,7 +66,7 @@ index 1550e1babc83..59473e28fe59 100644
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
@@ -89,6 +96,10 @@ BuildModuleHob (
@@ -89,6 +96,10 @@ BuildModuleHob (
);
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
@ -58,7 +77,7 @@ index 1550e1babc83..59473e28fe59 100644
CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
@@ -129,6 +140,9 @@ BuildResourceDescriptorHob (
@@ -129,6 +140,9 @@ BuildResourceDescriptorHob (
Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
ASSERT (Hob != NULL);
@ -68,7 +87,7 @@ index 1550e1babc83..59473e28fe59 100644
Hob->ResourceType = ResourceType;
Hob->ResourceAttribute = ResourceAttribute;
@@ -167,6 +181,11 @@ BuildGuidHob (
@@ -167,6 +181,11 @@ BuildGuidHob (
ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
@ -80,7 +99,7 @@ index 1550e1babc83..59473e28fe59 100644
CopyGuid (&Hob->Name, Guid);
return Hob + 1;
}
@@ -226,6 +245,10 @@ BuildFvHob (
@@ -226,6 +245,10 @@ BuildFvHob (
EFI_HOB_FIRMWARE_VOLUME *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
@ -91,7 +110,7 @@ index 1550e1babc83..59473e28fe59 100644
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -255,6 +278,10 @@ BuildFv2Hob (
@@ -255,6 +278,10 @@ BuildFv2Hob (
EFI_HOB_FIRMWARE_VOLUME2 *Hob;
Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
@ -102,7 +121,7 @@ index 1550e1babc83..59473e28fe59 100644
Hob->BaseAddress = BaseAddress;
Hob->Length = Length;
@@ -282,6 +309,10 @@ BuildCpuHob (
@@ -282,6 +309,10 @@ BuildCpuHob (
EFI_HOB_CPU *Hob;
Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
@ -113,7 +132,7 @@ index 1550e1babc83..59473e28fe59 100644
Hob->SizeOfMemorySpace = SizeOfMemorySpace;
Hob->SizeOfIoSpace = SizeOfIoSpace;
@@ -319,6 +350,10 @@ BuildMemoryAllocationHob (
@@ -319,6 +350,10 @@ BuildMemoryAllocationHob (
);
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
@ -124,3 +143,6 @@ index 1550e1babc83..59473e28fe59 100644
ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
--
2.39.3

71
SPECS/edk2.spec
View File

@ -20,7 +20,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}
Release: 6%{?dist}.2.alma.1
Release: 6%{?dist}.2
Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and Apache-2.0 and MIT
URL: http://www.tianocore.org
@ -50,6 +50,7 @@ Source80: edk2-build.py
Source82: edk2-build.rhel-9
Source90: DBXUpdate-%{DBXDATE}.x64.bin
Patch1: 0001-ignore-build-artifacts-generated-files-session-setti.patch
Patch2: 0002-Remove-submodules.patch
Patch3: 0003-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
@ -264,27 +265,33 @@ Patch69: edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch70: edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch
# Patches were taken from:
# https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6
# For RHEL-30156 - CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-9.4.z]
Patch71: edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch
# https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679
# For RHEL-30156 - CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-9.4.z]
Patch72: edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch
# https://github.com/tianocore/edk2/commit/4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch73: edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
# https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch74: edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch
# https://github.com/tianocore/edk2/commit/ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3
Patch75: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flow-in.patch
# https://github.com/tianocore/edk2/commit/c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a
Patch76: edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-check-CPUID.patch
# https://github.com/tianocore/edk2/commit/a61bc0accb8a76edba4f073fdc7bafc908df045d
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch75: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch76: edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch77: edk2-SecurityPkg-RngDxe-add-rng-test.patch
# https://gitlab.com/redhat/centos-stream/rpms/edk2/-/commit/5872fb18b4e645856614429dfffbb704858a9ea7
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch78: edk2-OvmfPkg-wire-up-RngDxe.patch
# https://github.com/tianocore/edk2/commit/94961b8817eec6f8d0434555ac50a7aa51c22201
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch79: edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch
# https://github.com/tianocore/edk2/commit/5e776299a2604b336a947e68593012ab2cc16eb4
# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
Patch80: edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch
# python3-devel and libuuid-devel are required for building tools.
@ -619,18 +626,28 @@ install -m 0644 \
%changelog
* Wed Jul 24 2024 Eduard Abdullin <eabdullin@almalinux.org> - 20231122-6.2.alma.1
- CryptoPkg/Test: call ProcessLibraryConstructorList
- EmbeddedPkg/Hob: Integer Overflow in CreateHob()
- MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID
- MdePkg/X86UnitTestHost: set rdrand cpuid bit
- NetworkPkg: SECURITY PATCH CVE-2023-45237
- NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in
iPXE environment
- NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
- OvmfPkg: wire up RngDxe
- SecurityPkg/RngDxe: add rng test
- StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
* Tue Jul 23 2024 EL Errata <el-errata_ww@oracle.com> - 20231122-6.0.1.el9_4.2
- Replace upstream references [Orabug:36569119]
* Mon Jul 01 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6.el9_4.2
- edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch [RHEL-40270 RHEL-40272]
- edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch [RHEL-40270 RHEL-40272]
- edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch [RHEL-40270 RHEL-40272]
- edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch [RHEL-40270 RHEL-40272]
- edk2-SecurityPkg-RngDxe-add-rng-test.patch [RHEL-40270 RHEL-40272]
- edk2-OvmfPkg-wire-up-RngDxe.patch [RHEL-40270 RHEL-40272]
- edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch [RHEL-40270 RHEL-40272]
- edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch [RHEL-40270 RHEL-40272]
- Resolves: RHEL-40270
(CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z])
- Resolves: RHEL-40272
(CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z])
* Wed Apr 10 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6.el9_4.1
- edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-30156]
- edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-30156]
- Resolves: RHEL-30156
(CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-9.4.z])
* Thu Feb 22 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853]