diff --git a/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch new file mode 100644 index 0000000..9338bdd --- /dev/null +++ b/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch @@ -0,0 +1,63 @@ +From 30da4837584643c637eea751dbb01e0718fa764d Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Mon, 21 Oct 2024 14:45:37 -0400 +Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib + +RH-Author: Jon Maloy +RH-MergeRequest: 96: MdePkg: Fix overflow issue in BasePeCoffLib +RH-Jira: RHEL-60830 +RH-Acked-by: Oliver Steffen +RH-Commit: [1/1] 5406406ac2711215ec2bd3d9c1a2e6bb268dda38 (jmaloy/jons_fork) + +JIRA: https://issues.redhat.com/browse/RHEL-60830 +CVE: CVE-2024-38796 +Upstream: Merged + +commit c95233b8525ca6828921affd1496146cff262e65 +Author: Doug Flick +Date: Fri Sep 27 12:08:55 2024 -0700 + + MdePkg: Fix overflow issue in BasePeCoffLib + + The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is + also a UINT32 value. The current code does not check for overflow when + adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a + check to ensure that the addition does not overflow. + + Signed-off-by: Doug Flick + Authored-by: sriraamx gobichettipalayam + +Signed-off-by: Jon Maloy +--- + MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c +index 1102833b94..6b1ccc7217 100644 +--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c ++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c +@@ -991,13 +991,14 @@ PeCoffLoaderRelocateImage ( + RelocDir = &Hdr.Te->DataDirectory[0]; + } + +- if ((RelocDir != NULL) && (RelocDir->Size > 0)) { +- RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset); +- RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, +- RelocDir->VirtualAddress + RelocDir->Size - 1, +- TeStrippedOffset +- ); +- if (RelocBase == NULL || RelocBaseEnd == NULL || (UINTN) RelocBaseEnd < (UINTN) RelocBase) { ++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) { ++ RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset); ++ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress ( ++ ImageContext, ++ RelocDir->VirtualAddress + RelocDir->Size - 1, ++ TeStrippedOffset ++ ); ++ if ((RelocBase == NULL) || (RelocBaseEnd == NULL) || ((UINTN)RelocBaseEnd < (UINTN)RelocBase)) { + ImageContext->ImageError = IMAGE_ERROR_FAILED_RELOCATION; + return RETURN_LOAD_ERROR; + } +-- +2.45.2 + diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index aac8878..379ee21 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 13%{?dist}.3 +Release: 13%{?dist}.4 Summary: UEFI firmware for 64-bit virtual machines Group: Applications/Emulators License: BSD-2-Clause-Patent and OpenSSL and MIT @@ -386,6 +386,8 @@ Patch114: edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch Patch115: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch # For RHEL-53009 - No http boot support on edk2-ovmf-20231122-6.el9_4.2 [rhel-8.10.z] Patch116: edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch +# For RHEL-60830 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-8.10.z] +Patch117: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch # python3-devel and libuuid-devel are required for building tools. @@ -832,6 +834,11 @@ true %endif %changelog +* Tue Oct 29 2024 Jon Maloy - 20220126gitbb1bba3d77-13.el8.4 +- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60830] +- Resolves: RHEL-60830 + (CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-8.10.z]) + * Mon Aug 26 2024 Jon Maloy - 20220126gitbb1bba3d77-13.el8.3 - edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch [RHEL-53009] - Resolves: RHEL-53009