- CryptoPkg/Test: call ProcessLibraryConstructorList
- EmbeddedPkg/Hob: Integer Overflow in CreateHob() - MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID - MdePkg/X86UnitTestHost: set rdrand cpuid bit - NetworkPkg: SECURITY PATCH CVE-2023-45237 - NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in iPXE environment - NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236 - OvmfPkg: wire up RngDxe - SecurityPkg/RngDxe: add rng test - StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
This commit is contained in:
parent
9e147b807c
commit
fafa4b8c26
@ -0,0 +1,36 @@
|
||||
From 94961b8817eec6f8d0434555ac50a7aa51c22201 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 14 Jun 2024 11:45:49 +0200
|
||||
Subject: [PATCH] CryptoPkg/Test: call ProcessLibraryConstructorList
|
||||
|
||||
Needed to properly initialize BaseRngLib.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
.../Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
|
||||
index d0c1c7a4f7e0..48d463b8ad49 100644
|
||||
--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
|
||||
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
|
||||
@@ -8,6 +8,12 @@
|
||||
**/
|
||||
#include "TestBaseCryptLib.h"
|
||||
|
||||
+VOID
|
||||
+EFIAPI
|
||||
+ProcessLibraryConstructorList (
|
||||
+ VOID
|
||||
+ );
|
||||
+
|
||||
/**
|
||||
Initialize the unit test framework, suite, and unit tests for the
|
||||
sample unit tests and run the unit tests.
|
||||
@@ -76,5 +82,6 @@ main (
|
||||
char *argv[]
|
||||
)
|
||||
{
|
||||
+ ProcessLibraryConstructorList ();
|
||||
return UefiTestMain ();
|
||||
}
|
148
SOURCES/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch
Normal file
148
SOURCES/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch
Normal file
@ -0,0 +1,148 @@
|
||||
From aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 Mon Sep 17 00:00:00 2001
|
||||
From: Gua Guo <gua.guo@intel.com>
|
||||
Date: Thu, 11 Jan 2024 13:07:50 +0800
|
||||
Subject: [PATCH] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
|
||||
|
||||
Fix integer overflow in various CreateHob instances.
|
||||
Fixes: CVE-2022-36765
|
||||
|
||||
The CreateHob() function aligns the requested size to 8
|
||||
performing the following operation:
|
||||
```
|
||||
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
|
||||
```
|
||||
|
||||
No checks are performed to ensure this value doesn't
|
||||
overflow, and could lead to CreateHob() returning a smaller
|
||||
HOB than requested, which could lead to OOB HOB accesses.
|
||||
|
||||
Reported-by: Marc Beatove <mbeatove@google.com>
|
||||
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
|
||||
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
|
||||
Cc: Abner Chang <abner.chang@amd.com>
|
||||
Cc: John Mathew <john.mathews@intel.com>
|
||||
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Signed-off-by: Gua Guo <gua.guo@intel.com>
|
||||
---
|
||||
EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++
|
||||
1 file changed, 43 insertions(+)
|
||||
|
||||
diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
|
||||
index 8eb175aa96f9..cbc35152ccbc 100644
|
||||
--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
|
||||
+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
|
||||
@@ -110,6 +110,13 @@ CreateHob (
|
||||
|
||||
HandOffHob = GetHobList ();
|
||||
|
||||
+ //
|
||||
+ // Check Length to avoid data overflow.
|
||||
+ //
|
||||
+ if (HobLength > MAX_UINT16 - 0x7) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
|
||||
|
||||
FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
|
||||
@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
|
||||
ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->ResourceType = ResourceType;
|
||||
Hob->ResourceAttribute = ResourceAttribute;
|
||||
@@ -401,6 +411,10 @@ BuildModuleHob (
|
||||
);
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
|
||||
Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
|
||||
@@ -449,6 +463,11 @@ BuildGuidHob (
|
||||
ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
CopyGuid (&Hob->Name, Guid);
|
||||
return Hob + 1;
|
||||
}
|
||||
@@ -512,6 +531,10 @@ BuildFvHob (
|
||||
EFI_HOB_FIRMWARE_VOLUME *Hob;
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->BaseAddress = BaseAddress;
|
||||
Hob->Length = Length;
|
||||
@@ -543,6 +566,10 @@ BuildFv2Hob (
|
||||
EFI_HOB_FIRMWARE_VOLUME2 *Hob;
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->BaseAddress = BaseAddress;
|
||||
Hob->Length = Length;
|
||||
@@ -584,6 +611,10 @@ BuildFv3Hob (
|
||||
EFI_HOB_FIRMWARE_VOLUME3 *Hob;
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->BaseAddress = BaseAddress;
|
||||
Hob->Length = Length;
|
||||
@@ -639,6 +670,10 @@ BuildCpuHob (
|
||||
EFI_HOB_CPU *Hob;
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->SizeOfMemorySpace = SizeOfMemorySpace;
|
||||
Hob->SizeOfIoSpace = SizeOfIoSpace;
|
||||
@@ -676,6 +711,10 @@ BuildStackHob (
|
||||
);
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
|
||||
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
|
||||
@@ -756,6 +795,10 @@ BuildMemoryAllocationHob (
|
||||
);
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
|
||||
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
|
@ -0,0 +1,191 @@
|
||||
From c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a Mon Sep 17 00:00:00 2001
|
||||
From: Pedro Falcato <pedro.falcato@gmail.com>
|
||||
Date: Tue, 22 Nov 2022 22:31:03 +0000
|
||||
Subject: [PATCH] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID
|
||||
|
||||
RDRAND has notoriously been broken many times over its lifespan.
|
||||
Add a smoketest to RDRAND, in order to better sniff out potential
|
||||
security concerns.
|
||||
|
||||
Also add a proper CPUID test in order to support older CPUs which may
|
||||
not have it; it was previously being tested but then promptly ignored.
|
||||
|
||||
Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c
|
||||
:x86_init_rdrand() per commit 049f9ae9..
|
||||
|
||||
Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection
|
||||
code to MIT and the public domain.
|
||||
|
||||
>On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
|
||||
<..>
|
||||
> I (re)wrote that function in Linux. I hereby relicense it as MIT, and
|
||||
> also place it into public domain. Do with it what you will now.
|
||||
>
|
||||
> Jason
|
||||
|
||||
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163
|
||||
|
||||
Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
|
||||
Cc: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
Cc: Liming Gao <gaoliming@byosoft.com.cn>
|
||||
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
|
||||
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
|
||||
---
|
||||
MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++--
|
||||
1 file changed, 91 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
|
||||
index 9bd68352f9f7..06d2a6f12d2e 100644
|
||||
--- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c
|
||||
+++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
|
||||
@@ -3,6 +3,7 @@
|
||||
to provide high-quality random numbers.
|
||||
|
||||
Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
|
||||
+Copyright (c) 2022, Pedro Falcato. All rights reserved.<BR>
|
||||
Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
|
||||
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
|
||||
|
||||
@@ -24,6 +25,88 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
STATIC BOOLEAN mRdRandSupported;
|
||||
|
||||
+//
|
||||
+// Intel SDM says 10 tries is good enough for reliable RDRAND usage.
|
||||
+//
|
||||
+#define RDRAND_RETRIES 10
|
||||
+
|
||||
+#define RDRAND_TEST_SAMPLES 8
|
||||
+
|
||||
+#define RDRAND_MIN_CHANGE 5
|
||||
+
|
||||
+//
|
||||
+// Add a define for native-word RDRAND, just for the test.
|
||||
+//
|
||||
+#ifdef MDE_CPU_X64
|
||||
+#define ASM_RDRAND AsmRdRand64
|
||||
+#else
|
||||
+#define ASM_RDRAND AsmRdRand32
|
||||
+#endif
|
||||
+
|
||||
+/**
|
||||
+ Tests RDRAND for broken implementations.
|
||||
+
|
||||
+ @retval TRUE RDRAND is reliable (and hopefully safe).
|
||||
+ @retval FALSE RDRAND is unreliable and should be disabled, despite CPUID.
|
||||
+
|
||||
+**/
|
||||
+STATIC
|
||||
+BOOLEAN
|
||||
+TestRdRand (
|
||||
+ VOID
|
||||
+ )
|
||||
+{
|
||||
+ //
|
||||
+ // Test for notoriously broken rdrand implementations that always return the same
|
||||
+ // value, like the Zen 3 uarch (all-1s) or other several AMD families on suspend/resume (also all-1s).
|
||||
+ // Note that this should be expanded to extensively test for other sorts of possible errata.
|
||||
+ //
|
||||
+
|
||||
+ //
|
||||
+ // Our algorithm samples rdrand $RDRAND_TEST_SAMPLES times and expects
|
||||
+ // a different result $RDRAND_MIN_CHANGE times for reliable RDRAND usage.
|
||||
+ //
|
||||
+ UINTN Prev;
|
||||
+ UINT8 Idx;
|
||||
+ UINT8 TestIteration;
|
||||
+ UINT32 Changed;
|
||||
+
|
||||
+ Changed = 0;
|
||||
+
|
||||
+ for (TestIteration = 0; TestIteration < RDRAND_TEST_SAMPLES; TestIteration++) {
|
||||
+ UINTN Sample;
|
||||
+ //
|
||||
+ // Note: We use a retry loop for rdrand. Normal users get this in BaseRng.c
|
||||
+ // Any failure to get a random number will assume RDRAND does not work.
|
||||
+ //
|
||||
+ for (Idx = 0; Idx < RDRAND_RETRIES; Idx++) {
|
||||
+ if (ASM_RDRAND (&Sample)) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (Idx == RDRAND_RETRIES) {
|
||||
+ DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: Failed to get an RDRAND random number - disabling\n"));
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ if (TestIteration != 0) {
|
||||
+ Changed += Sample != Prev;
|
||||
+ }
|
||||
+
|
||||
+ Prev = Sample;
|
||||
+ }
|
||||
+
|
||||
+ if (Changed < RDRAND_MIN_CHANGE) {
|
||||
+ DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: RDRAND not reliable - disabling\n"));
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
+#undef ASM_RDRAND
|
||||
+
|
||||
/**
|
||||
The constructor function checks whether or not RDRAND instruction is supported
|
||||
by the host hardware.
|
||||
@@ -48,10 +131,13 @@ BaseRngLibConstructor (
|
||||
// CPUID. A value of 1 indicates that processor support RDRAND instruction.
|
||||
//
|
||||
AsmCpuid (1, 0, 0, &RegEcx, 0);
|
||||
- ASSERT ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
|
||||
|
||||
mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
|
||||
|
||||
+ if (mRdRandSupported) {
|
||||
+ mRdRandSupported = TestRdRand ();
|
||||
+ }
|
||||
+
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -70,6 +156,7 @@ ArchGetRandomNumber16 (
|
||||
OUT UINT16 *Rand
|
||||
)
|
||||
{
|
||||
+ ASSERT (mRdRandSupported);
|
||||
return AsmRdRand16 (Rand);
|
||||
}
|
||||
|
||||
@@ -88,6 +175,7 @@ ArchGetRandomNumber32 (
|
||||
OUT UINT32 *Rand
|
||||
)
|
||||
{
|
||||
+ ASSERT (mRdRandSupported);
|
||||
return AsmRdRand32 (Rand);
|
||||
}
|
||||
|
||||
@@ -106,6 +194,7 @@ ArchGetRandomNumber64 (
|
||||
OUT UINT64 *Rand
|
||||
)
|
||||
{
|
||||
+ ASSERT (mRdRandSupported);
|
||||
return AsmRdRand64 (Rand);
|
||||
}
|
||||
|
||||
@@ -122,13 +211,7 @@ ArchIsRngSupported (
|
||||
VOID
|
||||
)
|
||||
{
|
||||
- /*
|
||||
- Existing software depends on this always returning TRUE, so for
|
||||
- now hard-code it.
|
||||
-
|
||||
- return mRdRandSupported;
|
||||
- */
|
||||
- return TRUE;
|
||||
+ return mRdRandSupported;
|
||||
}
|
||||
|
||||
/**
|
@ -0,0 +1,42 @@
|
||||
From 5e776299a2604b336a947e68593012ab2cc16eb4 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 14 Jun 2024 11:45:53 +0200
|
||||
Subject: [PATCH] MdePkg/X86UnitTestHost: set rdrand cpuid bit
|
||||
|
||||
Set the rdrand feature bit when faking cpuid for host test cases.
|
||||
Needed to make the CryptoPkg test cases work.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c
|
||||
index 8ba4f54a385d..7f7276f7f4b8 100644
|
||||
--- a/MdePkg/Library/BaseLib/X86UnitTestHost.c
|
||||
+++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c
|
||||
@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid (
|
||||
OUT UINT32 *Edx OPTIONAL
|
||||
)
|
||||
{
|
||||
+ UINT32 RetEcx;
|
||||
+
|
||||
+ RetEcx = 0;
|
||||
+ switch (Index) {
|
||||
+ case 1:
|
||||
+ RetEcx |= BIT30; /* RdRand */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
if (Eax != NULL) {
|
||||
*Eax = 0;
|
||||
}
|
||||
@@ -75,7 +84,7 @@ UnitTestHostBaseLibAsmCpuid (
|
||||
}
|
||||
|
||||
if (Ecx != NULL) {
|
||||
- *Ecx = 0;
|
||||
+ *Ecx = RetEcx;
|
||||
}
|
||||
|
||||
if (Edx != NULL) {
|
1279
SOURCES/edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
Normal file
1279
SOURCES/edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,53 @@
|
||||
From ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3 Mon Sep 17 00:00:00 2001
|
||||
From: Sam <Sam_Tsai@wiwynn.com>
|
||||
Date: Wed, 29 May 2024 07:46:03 +0800
|
||||
Subject: [PATCH] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in
|
||||
iPXE environment
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH"
|
||||
REF: 1904a64
|
||||
|
||||
Issue Description:
|
||||
An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was:
|
||||
|
||||
NetworkPkg\TcpDxe\TcpDriver.c
|
||||
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, &mHash2ServiceHandle);
|
||||
|
||||
Root Cause Analysis:
|
||||
The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle.
|
||||
|
||||
Implemented Solution:
|
||||
To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly:
|
||||
|
||||
NetworkPkg\TcpDxe\TcpDriver.c
|
||||
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle);
|
||||
|
||||
This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error.
|
||||
|
||||
Verification:
|
||||
Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment.
|
||||
|
||||
Cc: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
|
||||
Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com>
|
||||
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
---
|
||||
NetworkPkg/TcpDxe/TcpDriver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
|
||||
index 40bba4080c87..c6e7c0df540a 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpDriver.c
|
||||
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
|
||||
@@ -509,7 +509,7 @@ TcpDestroyService (
|
||||
//
|
||||
// Destroy the instance of the hashing protocol for this controller.
|
||||
//
|
||||
- Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
|
||||
+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
@ -0,0 +1,820 @@
|
||||
From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001
|
||||
From: Doug Flick <dougflick@microsoft.com>
|
||||
Date: Wed, 8 May 2024 22:56:29 -0700
|
||||
Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
|
||||
REF: https://www.rfc-editor.org/rfc/rfc1948.txt
|
||||
REF: https://www.rfc-editor.org/rfc/rfc6528.txt
|
||||
REF: https://www.rfc-editor.org/rfc/rfc9293.txt
|
||||
|
||||
Bug Overview:
|
||||
PixieFail Bug #8
|
||||
CVE-2023-45236
|
||||
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
|
||||
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
|
||||
|
||||
Updates TCP ISN generation to use a cryptographic hash of the
|
||||
connection's identifying parameters and a secret key.
|
||||
This prevents an attacker from guessing the ISN used for some other
|
||||
connection.
|
||||
|
||||
This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
|
||||
|
||||
RFC: 9293 Section 3.4.1. Initial Sequence Number Selection
|
||||
|
||||
A TCP implementation MUST use the above type of "clock" for clock-
|
||||
driven selection of initial sequence numbers (MUST-8), and SHOULD
|
||||
generate its initial sequence numbers with the expression:
|
||||
|
||||
ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
|
||||
|
||||
where M is the 4 microsecond timer, and F() is a pseudorandom
|
||||
function (PRF) of the connection's identifying parameters ("localip,
|
||||
localport, remoteip, remoteport") and a secret key ("secretkey")
|
||||
(SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or
|
||||
an attacker could still guess at sequence numbers from the ISN used
|
||||
for some other connection. The PRF could be implemented as a
|
||||
cryptographic hash of the concatenation of the TCP connection
|
||||
parameters and some secret data. For discussion of the selection of
|
||||
a specific hash algorithm and management of the secret key data,
|
||||
please see Section 3 of [42].
|
||||
|
||||
For each connection there is a send sequence number and a receive
|
||||
sequence number. The initial send sequence number (ISS) is chosen by
|
||||
the data sending TCP peer, and the initial receive sequence number
|
||||
(IRS) is learned during the connection-establishing procedure.
|
||||
|
||||
For a connection to be established or initialized, the two TCP peers
|
||||
must synchronize on each other's initial sequence numbers. This is
|
||||
done in an exchange of connection-establishing segments carrying a
|
||||
control bit called "SYN" (for synchronize) and the initial sequence
|
||||
numbers. As a shorthand, segments carrying the SYN bit are also
|
||||
called "SYNs". Hence, the solution requires a suitable mechanism for
|
||||
picking an initial sequence number and a slightly involved handshake
|
||||
to exchange the ISNs.
|
||||
|
||||
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
||||
|
||||
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
||||
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
||||
---
|
||||
NetworkPkg/SecurityFixes.yaml | 22 +++
|
||||
NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++-
|
||||
NetworkPkg/TcpDxe/TcpDxe.inf | 8 +-
|
||||
NetworkPkg/TcpDxe/TcpFunc.h | 23 ++--
|
||||
NetworkPkg/TcpDxe/TcpInput.c | 13 +-
|
||||
NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++--
|
||||
NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++--
|
||||
NetworkPkg/TcpDxe/TcpTimer.c | 3 +-
|
||||
8 files changed, 415 insertions(+), 49 deletions(-)
|
||||
|
||||
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
|
||||
index 20a4555019d9..4305328425d0 100644
|
||||
--- a/NetworkPkg/SecurityFixes.yaml
|
||||
+++ b/NetworkPkg/SecurityFixes.yaml
|
||||
@@ -122,6 +122,28 @@ CVE_2023_45235:
|
||||
- http://www.openwall.com/lists/oss-security/2024/01/16/2
|
||||
- http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
|
||||
- https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
|
||||
+CVE_2023_45236:
|
||||
+ commit_titles:
|
||||
+ - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"
|
||||
+ cve: CVE-2023-45236
|
||||
+ date_reported: 2023-08-28 13:56 UTC
|
||||
+ description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers"
|
||||
+ note:
|
||||
+ files_impacted:
|
||||
+ - NetworkPkg/Include/Library/NetLib.h
|
||||
+ - NetworkPkg/TcpDxe/TcpDriver.c
|
||||
+ - NetworkPkg/TcpDxe/TcpDxe.inf
|
||||
+ - NetworkPkg/TcpDxe/TcpFunc.h
|
||||
+ - NetworkPkg/TcpDxe/TcpInput.c
|
||||
+ - NetworkPkg/TcpDxe/TcpMain.h
|
||||
+ - NetworkPkg/TcpDxe/TcpMisc.c
|
||||
+ - NetworkPkg/TcpDxe/TcpTimer.c
|
||||
+ links:
|
||||
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4541
|
||||
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45236
|
||||
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
|
||||
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
|
||||
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
|
||||
CVE_2023_45237:
|
||||
commit_titles:
|
||||
- "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
|
||||
index 8fe6badd687c..40bba4080c87 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpDriver.c
|
||||
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
|
||||
@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = {
|
||||
TcpServiceBindingDestroyChild
|
||||
};
|
||||
|
||||
+//
|
||||
+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces
|
||||
+// if the platform does not provide one.
|
||||
+//
|
||||
+EFI_HANDLE mHash2ServiceHandle = NULL;
|
||||
+
|
||||
/**
|
||||
Create and start the heartbeat timer for the TCP driver.
|
||||
|
||||
@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
|
||||
EFI_STATUS Status;
|
||||
UINT32 Random;
|
||||
|
||||
+ //
|
||||
+ // Initialize the Secret used for hashing TCP sequence numbers
|
||||
+ //
|
||||
+ // Normally this should be regenerated periodically, but since
|
||||
+ // this is only used for UEFI networking and not a general purpose
|
||||
+ // operating system, it is not necessary to regenerate it.
|
||||
+ //
|
||||
+ Status = PseudoRandomU32 (&mTcpGlobalSecret);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Get a random number used to generate a random port number
|
||||
+ // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret
|
||||
+ //
|
||||
Status = PseudoRandomU32 (&Random);
|
||||
if (EFI_ERROR (Status)) {
|
||||
DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
|
||||
@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
|
||||
}
|
||||
|
||||
//
|
||||
- // Initialize ISS and random port.
|
||||
+ // Initialize the random port.
|
||||
//
|
||||
- mTcpGlobalIss = Random % mTcpGlobalIss;
|
||||
mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
|
||||
mTcp6RandomPort = mTcp4RandomPort;
|
||||
|
||||
@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
|
||||
@param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
|
||||
|
||||
@retval EFI_OUT_OF_RESOURCES Failed to allocate some resources.
|
||||
+ @retval EFI_UNSUPPORTED Service Binding Protocols are unavailable.
|
||||
+ @retval EFI_ALREADY_STARTED The TCP driver is already started on the controller.
|
||||
@retval EFI_SUCCESS A new IP6 service binding private was created.
|
||||
|
||||
**/
|
||||
@@ -234,11 +258,13 @@ TcpCreateService (
|
||||
IN UINT8 IpVersion
|
||||
)
|
||||
{
|
||||
- EFI_STATUS Status;
|
||||
- EFI_GUID *IpServiceBindingGuid;
|
||||
- EFI_GUID *TcpServiceBindingGuid;
|
||||
- TCP_SERVICE_DATA *TcpServiceData;
|
||||
- IP_IO_OPEN_DATA OpenData;
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_GUID *IpServiceBindingGuid;
|
||||
+ EFI_GUID *TcpServiceBindingGuid;
|
||||
+ TCP_SERVICE_DATA *TcpServiceData;
|
||||
+ IP_IO_OPEN_DATA OpenData;
|
||||
+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;
|
||||
+ EFI_HASH2_PROTOCOL *Hash2Protocol;
|
||||
|
||||
if (IpVersion == IP_VERSION_4) {
|
||||
IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid;
|
||||
@@ -272,6 +298,33 @@ TcpCreateService (
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
|
||||
+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ //
|
||||
+ // If we can't find the Hashing protocol, then we need to create one.
|
||||
+ //
|
||||
+
|
||||
+ //
|
||||
+ // Platform is expected to publish the hash service binding protocol to support TCP.
|
||||
+ //
|
||||
+ Status = gBS->LocateProtocol (
|
||||
+ &gEfiHash2ServiceBindingProtocolGuid,
|
||||
+ NULL,
|
||||
+ (VOID **)&Hash2ServiceBinding
|
||||
+ );
|
||||
+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) {
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Create an instance of the hash protocol for this controller.
|
||||
+ //
|
||||
+ Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
//
|
||||
// Create the TCP service data.
|
||||
//
|
||||
@@ -423,6 +476,7 @@ TcpDestroyService (
|
||||
EFI_STATUS Status;
|
||||
LIST_ENTRY *List;
|
||||
TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context;
|
||||
+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;
|
||||
|
||||
ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
|
||||
|
||||
@@ -439,6 +493,30 @@ TcpDestroyService (
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
+ //
|
||||
+ // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
|
||||
+ //
|
||||
+ if (mHash2ServiceHandle != NULL) {
|
||||
+ Status = gBS->LocateProtocol (
|
||||
+ &gEfiHash2ServiceBindingProtocolGuid,
|
||||
+ NULL,
|
||||
+ (VOID **)&Hash2ServiceBinding
|
||||
+ );
|
||||
+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Destroy the instance of the hashing protocol for this controller.
|
||||
+ //
|
||||
+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ mHash2ServiceHandle = NULL;
|
||||
+ }
|
||||
+
|
||||
Status = gBS->OpenProtocol (
|
||||
NicHandle,
|
||||
ServiceBindingGuid,
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
|
||||
index cf5423f4c537..76de4cf9ec3d 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpDxe.inf
|
||||
+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
|
||||
@@ -6,6 +6,7 @@
|
||||
# stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
|
||||
#
|
||||
# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
+# Copyright (c) Microsoft Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#
|
||||
@@ -68,7 +69,6 @@
|
||||
NetLib
|
||||
IpIoLib
|
||||
|
||||
-
|
||||
[Protocols]
|
||||
## SOMETIMES_CONSUMES
|
||||
## SOMETIMES_PRODUCES
|
||||
@@ -81,6 +81,12 @@
|
||||
gEfiIp6ServiceBindingProtocolGuid ## TO_START
|
||||
gEfiTcp6ProtocolGuid ## BY_START
|
||||
gEfiTcp6ServiceBindingProtocolGuid ## BY_START
|
||||
+ gEfiHash2ProtocolGuid ## BY_START
|
||||
+ gEfiHash2ServiceBindingProtocolGuid ## BY_START
|
||||
+
|
||||
+[Guids]
|
||||
+ gEfiHashAlgorithmMD5Guid ## CONSUMES
|
||||
+ gEfiHashAlgorithmSha256Guid ## CONSUMES
|
||||
|
||||
[Depex]
|
||||
gEfiHash2ServiceBindingProtocolGuid
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
|
||||
index a7af01fff246..c707bee3e548 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpFunc.h
|
||||
+++ b/NetworkPkg/TcpDxe/TcpFunc.h
|
||||
@@ -2,7 +2,7 @@
|
||||
Declaration of external functions shared in TCP driver.
|
||||
|
||||
Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
|
||||
-
|
||||
+ Copyright (c) Microsoft Corporation
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
**/
|
||||
@@ -36,8 +36,11 @@ VOID
|
||||
|
||||
@param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
|
||||
|
||||
+ @retval EFI_SUCCESS The operation completed successfully
|
||||
+ @retval others The underlying functions failed and could not complete the operation
|
||||
+
|
||||
**/
|
||||
-VOID
|
||||
+EFI_STATUS
|
||||
TcpInitTcbLocal (
|
||||
IN OUT TCP_CB *Tcb
|
||||
);
|
||||
@@ -128,17 +131,6 @@ TcpCloneTcb (
|
||||
IN TCP_CB *Tcb
|
||||
);
|
||||
|
||||
-/**
|
||||
- Compute an ISS to be used by a new connection.
|
||||
-
|
||||
- @return The result ISS.
|
||||
-
|
||||
-**/
|
||||
-TCP_SEQNO
|
||||
-TcpGetIss (
|
||||
- VOID
|
||||
- );
|
||||
-
|
||||
/**
|
||||
Get the local mss.
|
||||
|
||||
@@ -202,8 +194,11 @@ TcpFormatNetbuf (
|
||||
@param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
|
||||
connection.
|
||||
|
||||
+ @retval EFI_SUCCESS The operation completed successfully
|
||||
+ @retval others The underlying functions failed and could not complete the operation
|
||||
+
|
||||
**/
|
||||
-VOID
|
||||
+EFI_STATUS
|
||||
TcpOnAppConnect (
|
||||
IN OUT TCP_CB *Tcb
|
||||
);
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
|
||||
index 97633a3908be..a5d575ccafeb 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpInput.c
|
||||
+++ b/NetworkPkg/TcpDxe/TcpInput.c
|
||||
@@ -724,6 +724,7 @@ TcpInput (
|
||||
TCP_SEQNO Urg;
|
||||
UINT16 Checksum;
|
||||
INT32 Usable;
|
||||
+ EFI_STATUS Status;
|
||||
|
||||
ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
|
||||
|
||||
@@ -872,7 +873,17 @@ TcpInput (
|
||||
Tcb->LocalEnd.Port = Head->DstPort;
|
||||
Tcb->RemoteEnd.Port = Head->SrcPort;
|
||||
|
||||
- TcpInitTcbLocal (Tcb);
|
||||
+ Status = TcpInitTcbLocal (Tcb);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG (
|
||||
+ (DEBUG_ERROR,
|
||||
+ "TcpInput: discard a segment because failed to init local end for TCB %p\n",
|
||||
+ Tcb)
|
||||
+ );
|
||||
+
|
||||
+ goto DISCARD;
|
||||
+ }
|
||||
+
|
||||
TcpInitTcbPeer (Tcb, Seg, &Option);
|
||||
|
||||
TcpSetState (Tcb, TCP_SYN_RCVD);
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
|
||||
index c0c9b7f46ebe..4d5566ab9379 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpMain.h
|
||||
+++ b/NetworkPkg/TcpDxe/TcpMain.h
|
||||
@@ -3,7 +3,7 @@
|
||||
It is the common head file for all Tcp*.c in TCP driver.
|
||||
|
||||
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
|
||||
-
|
||||
+ Copyright (c) Microsoft Corporation
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
**/
|
||||
@@ -13,6 +13,7 @@
|
||||
|
||||
#include <Protocol/ServiceBinding.h>
|
||||
#include <Protocol/DriverBinding.h>
|
||||
+#include <Protocol/Hash2.h>
|
||||
#include <Library/IpIoLib.h>
|
||||
#include <Library/DevicePathLib.h>
|
||||
#include <Library/PrintLib.h>
|
||||
@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable;
|
||||
|
||||
extern LIST_ENTRY mTcpRunQue;
|
||||
extern LIST_ENTRY mTcpListenQue;
|
||||
-extern TCP_SEQNO mTcpGlobalIss;
|
||||
+extern TCP_SEQNO mTcpGlobalSecret;
|
||||
extern UINT32 mTcpTick;
|
||||
|
||||
///
|
||||
@@ -45,14 +46,6 @@ extern UINT32 mTcpTick;
|
||||
|
||||
#define TCP_EXPIRE_TIME 65535
|
||||
|
||||
-///
|
||||
-/// The implementation selects the initial send sequence number and the unit to
|
||||
-/// be added when it is increased.
|
||||
-///
|
||||
-#define TCP_BASE_ISS 0x4d7e980b
|
||||
-#define TCP_ISS_INCREMENT_1 2048
|
||||
-#define TCP_ISS_INCREMENT_2 100
|
||||
-
|
||||
typedef union {
|
||||
EFI_TCP4_CONFIG_DATA Tcp4CfgData;
|
||||
EFI_TCP6_CONFIG_DATA Tcp6CfgData;
|
||||
@@ -774,4 +767,50 @@ Tcp6Poll (
|
||||
IN EFI_TCP6_PROTOCOL *This
|
||||
);
|
||||
|
||||
+/**
|
||||
+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
|
||||
+ and remote IP addresses and ports.
|
||||
+
|
||||
+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
|
||||
+ Where the ISN is computed as follows:
|
||||
+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
|
||||
+
|
||||
+ Otherwise:
|
||||
+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
|
||||
+
|
||||
+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
|
||||
+ connection's identifying parameters ("localip, localport, remoteip, remoteport")
|
||||
+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
|
||||
+ outside (MUST-9), or an attacker could still guess at sequence numbers from the
|
||||
+ ISN used for some other connection. The PRF could be implemented as a
|
||||
+ cryptographic hash of the concatenation of the TCP connection parameters and some
|
||||
+ secret data. For discussion of the selection of a specific hash algorithm and
|
||||
+ management of the secret key data."
|
||||
+
|
||||
+ @param[in] LocalIp A pointer to the local IP address of the TCP connection.
|
||||
+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
|
||||
+ @param[in] LocalPort The local port number of the TCP connection.
|
||||
+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
|
||||
+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
|
||||
+ @param[in] RemotePort The remote port number of the TCP connection.
|
||||
+ @param[out] Isn A pointer to the variable that will receive the Initial
|
||||
+ Sequence Number (ISN).
|
||||
+
|
||||
+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was
|
||||
+ retrieved.
|
||||
+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
|
||||
+ @retval EFI_UNSUPPORTED The operation is not supported.
|
||||
+
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+TcpGetIsn (
|
||||
+ IN UINT8 *LocalIp,
|
||||
+ IN UINTN LocalIpSize,
|
||||
+ IN UINT16 LocalPort,
|
||||
+ IN UINT8 *RemoteIp,
|
||||
+ IN UINTN RemoteIpSize,
|
||||
+ IN UINT16 RemotePort,
|
||||
+ OUT TCP_SEQNO *Isn
|
||||
+ );
|
||||
+
|
||||
#endif
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
|
||||
index c93212d47ded..3310306f639c 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpMisc.c
|
||||
+++ b/NetworkPkg/TcpDxe/TcpMisc.c
|
||||
@@ -3,7 +3,7 @@
|
||||
|
||||
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
|
||||
Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
|
||||
-
|
||||
+ Copyright (c) Microsoft Corporation
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
**/
|
||||
@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = {
|
||||
&mTcpListenQue
|
||||
};
|
||||
|
||||
-TCP_SEQNO mTcpGlobalIss = TCP_BASE_ISS;
|
||||
+//
|
||||
+// The Session secret
|
||||
+// This must be initialized to a random value at boot time
|
||||
+//
|
||||
+TCP_SEQNO mTcpGlobalSecret;
|
||||
+
|
||||
+//
|
||||
+// Union to hold either an IPv4 or IPv6 address
|
||||
+// This is used to simplify the ISN hash computation
|
||||
+//
|
||||
+typedef union {
|
||||
+ UINT8 IPv4[4];
|
||||
+ UINT8 IPv6[16];
|
||||
+} NETWORK_ADDRESS;
|
||||
+
|
||||
+//
|
||||
+// The ISN is computed by hashing this structure
|
||||
+// It is initialized with the local and remote IP addresses and ports
|
||||
+// and the secret
|
||||
+//
|
||||
+//
|
||||
+typedef struct {
|
||||
+ UINT16 LocalPort;
|
||||
+ UINT16 RemotePort;
|
||||
+ NETWORK_ADDRESS LocalAddress;
|
||||
+ NETWORK_ADDRESS RemoteAddress;
|
||||
+ TCP_SEQNO Secret;
|
||||
+} ISN_HASH_CTX;
|
||||
|
||||
CHAR16 *mTcpStateName[] = {
|
||||
L"TCP_CLOSED",
|
||||
@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = {
|
||||
|
||||
@param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
|
||||
|
||||
+ @retval EFI_SUCCESS The operation completed successfully
|
||||
+ @retval others The underlying functions failed and could not complete the operation
|
||||
+
|
||||
**/
|
||||
-VOID
|
||||
+EFI_STATUS
|
||||
TcpInitTcbLocal (
|
||||
IN OUT TCP_CB *Tcb
|
||||
)
|
||||
{
|
||||
+ TCP_SEQNO Isn;
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
//
|
||||
// Compute the checksum of the fixed parts of pseudo header
|
||||
//
|
||||
@@ -57,6 +90,16 @@ TcpInitTcbLocal (
|
||||
0x06,
|
||||
0
|
||||
);
|
||||
+
|
||||
+ Status = TcpGetIsn (
|
||||
+ Tcb->LocalEnd.Ip.v4.Addr,
|
||||
+ sizeof (IPv4_ADDRESS),
|
||||
+ Tcb->LocalEnd.Port,
|
||||
+ Tcb->RemoteEnd.Ip.v4.Addr,
|
||||
+ sizeof (IPv4_ADDRESS),
|
||||
+ Tcb->RemoteEnd.Port,
|
||||
+ &Isn
|
||||
+ );
|
||||
} else {
|
||||
Tcb->HeadSum = NetIp6PseudoHeadChecksum (
|
||||
&Tcb->LocalEnd.Ip.v6,
|
||||
@@ -64,9 +107,25 @@ TcpInitTcbLocal (
|
||||
0x06,
|
||||
0
|
||||
);
|
||||
+
|
||||
+ Status = TcpGetIsn (
|
||||
+ Tcb->LocalEnd.Ip.v6.Addr,
|
||||
+ sizeof (IPv6_ADDRESS),
|
||||
+ Tcb->LocalEnd.Port,
|
||||
+ Tcb->RemoteEnd.Ip.v6.Addr,
|
||||
+ sizeof (IPv6_ADDRESS),
|
||||
+ Tcb->RemoteEnd.Port,
|
||||
+ &Isn
|
||||
+ );
|
||||
+ }
|
||||
+
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
|
||||
+ ASSERT (FALSE);
|
||||
+ return Status;
|
||||
}
|
||||
|
||||
- Tcb->Iss = TcpGetIss ();
|
||||
+ Tcb->Iss = Isn;
|
||||
Tcb->SndUna = Tcb->Iss;
|
||||
Tcb->SndNxt = Tcb->Iss;
|
||||
|
||||
@@ -82,6 +141,8 @@ TcpInitTcbLocal (
|
||||
Tcb->RetxmitSeqMax = 0;
|
||||
|
||||
Tcb->ProbeTimerOn = FALSE;
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -506,18 +567,162 @@ TcpCloneTcb (
|
||||
}
|
||||
|
||||
/**
|
||||
- Compute an ISS to be used by a new connection.
|
||||
-
|
||||
- @return The resulting ISS.
|
||||
+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
|
||||
+ and remote IP addresses and ports.
|
||||
+
|
||||
+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
|
||||
+ Where the ISN is computed as follows:
|
||||
+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
|
||||
+
|
||||
+ Otherwise:
|
||||
+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
|
||||
+
|
||||
+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
|
||||
+ connection's identifying parameters ("localip, localport, remoteip, remoteport")
|
||||
+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
|
||||
+ outside (MUST-9), or an attacker could still guess at sequence numbers from the
|
||||
+ ISN used for some other connection. The PRF could be implemented as a
|
||||
+ cryptographic hash of the concatenation of the TCP connection parameters and some
|
||||
+ secret data. For discussion of the selection of a specific hash algorithm and
|
||||
+ management of the secret key data."
|
||||
+
|
||||
+ @param[in] LocalIp A pointer to the local IP address of the TCP connection.
|
||||
+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
|
||||
+ @param[in] LocalPort The local port number of the TCP connection.
|
||||
+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
|
||||
+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
|
||||
+ @param[in] RemotePort The remote port number of the TCP connection.
|
||||
+ @param[out] Isn A pointer to the variable that will receive the Initial
|
||||
+ Sequence Number (ISN).
|
||||
+
|
||||
+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was
|
||||
+ retrieved.
|
||||
+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
|
||||
+ @retval EFI_UNSUPPORTED The operation is not supported.
|
||||
|
||||
**/
|
||||
-TCP_SEQNO
|
||||
-TcpGetIss (
|
||||
- VOID
|
||||
+EFI_STATUS
|
||||
+TcpGetIsn (
|
||||
+ IN UINT8 *LocalIp,
|
||||
+ IN UINTN LocalIpSize,
|
||||
+ IN UINT16 LocalPort,
|
||||
+ IN UINT8 *RemoteIp,
|
||||
+ IN UINTN RemoteIpSize,
|
||||
+ IN UINT16 RemotePort,
|
||||
+ OUT TCP_SEQNO *Isn
|
||||
)
|
||||
{
|
||||
- mTcpGlobalIss += TCP_ISS_INCREMENT_1;
|
||||
- return mTcpGlobalIss;
|
||||
+ EFI_STATUS Status;
|
||||
+ EFI_HASH2_PROTOCOL *Hash2Protocol;
|
||||
+ EFI_HASH2_OUTPUT HashResult;
|
||||
+ ISN_HASH_CTX IsnHashCtx;
|
||||
+ EFI_TIME TimeStamp;
|
||||
+
|
||||
+ //
|
||||
+ // Check that the ISN pointer is valid
|
||||
+ //
|
||||
+ if (Isn == NULL) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // The local ip may be a v4 or v6 address and may not be NULL
|
||||
+ //
|
||||
+ if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // the local ip may be a v4 or v6 address
|
||||
+ //
|
||||
+ if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Locate the Hash Protocol
|
||||
+ //
|
||||
+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status));
|
||||
+
|
||||
+ //
|
||||
+ // TcpCreateService(..) is expected to be called prior to this function
|
||||
+ //
|
||||
+ ASSERT_EFI_ERROR (Status);
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Initialize the hash algorithm
|
||||
+ //
|
||||
+ Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status));
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ IsnHashCtx.LocalPort = LocalPort;
|
||||
+ IsnHashCtx.RemotePort = RemotePort;
|
||||
+ IsnHashCtx.Secret = mTcpGlobalSecret;
|
||||
+
|
||||
+ //
|
||||
+ // Check the IP address family and copy accordingly
|
||||
+ //
|
||||
+ if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) {
|
||||
+ CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);
|
||||
+ } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) {
|
||||
+ CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize);
|
||||
+ } else {
|
||||
+ return EFI_INVALID_PARAMETER; // Unsupported address size
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Repeat the process for the remote IP address
|
||||
+ //
|
||||
+ if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) {
|
||||
+ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);
|
||||
+ } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) {
|
||||
+ CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);
|
||||
+ } else {
|
||||
+ return EFI_INVALID_PARAMETER; // Unsupported address size
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Compute the hash
|
||||
+ // Update the hash with the data
|
||||
+ //
|
||||
+ Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status));
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // Finalize the hash and retrieve the result
|
||||
+ //
|
||||
+ Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status));
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ Status = gRT->GetTime (&TimeStamp, NULL);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ //
|
||||
+ // copy the first 4 bytes of the hash result into the ISN
|
||||
+ //
|
||||
+ CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));
|
||||
+
|
||||
+ //
|
||||
+ // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250)
|
||||
+ //
|
||||
+ *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250;
|
||||
+
|
||||
+ return Status;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -721,17 +926,28 @@ TcpFormatNetbuf (
|
||||
@param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
|
||||
connection.
|
||||
|
||||
+ @retval EFI_SUCCESS The operation completed successfully
|
||||
+ @retval others The underlying functions failed and could not complete the operation
|
||||
+
|
||||
**/
|
||||
-VOID
|
||||
+EFI_STATUS
|
||||
TcpOnAppConnect (
|
||||
IN OUT TCP_CB *Tcb
|
||||
)
|
||||
{
|
||||
- TcpInitTcbLocal (Tcb);
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ Status = TcpInitTcbLocal (Tcb);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
TcpSetState (Tcb, TCP_SYN_SENT);
|
||||
|
||||
TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout);
|
||||
TcpToSendData (Tcb, 1);
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
|
||||
index 5d2e124977d9..065b1bdf5feb 100644
|
||||
--- a/NetworkPkg/TcpDxe/TcpTimer.c
|
||||
+++ b/NetworkPkg/TcpDxe/TcpTimer.c
|
||||
@@ -2,7 +2,7 @@
|
||||
TCP timer related functions.
|
||||
|
||||
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
|
||||
-
|
||||
+ Copyright (c) Microsoft Corporation
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
**/
|
||||
@@ -483,7 +483,6 @@ TcpTickingDpc (
|
||||
INT16 Index;
|
||||
|
||||
mTcpTick++;
|
||||
- mTcpGlobalIss += TCP_ISS_INCREMENT_2;
|
||||
|
||||
//
|
||||
// Don't use LIST_FOR_EACH, which isn't delete safe.
|
307
SOURCES/edk2-OvmfPkg-wire-up-RngDxe.patch
Normal file
307
SOURCES/edk2-OvmfPkg-wire-up-RngDxe.patch
Normal file
@ -0,0 +1,307 @@
|
||||
From 0aa96c512c689426838ec1cf4aa78ff088c03a1e Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 24 May 2024 12:51:17 +0200
|
||||
Subject: [PATCH] OvmfPkg: wire up RngDxe
|
||||
|
||||
Add OvmfRng include snippets with the random number generator
|
||||
configuration for OVMF. Include RngDxe, build with BaseRngLib,
|
||||
so the rdrand instruction is used (if available).
|
||||
|
||||
Also move VirtioRng to the include snippets.
|
||||
|
||||
Use the new include snippets for OVMF builds.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 712797cf19acd292bf203522a79e40e7e13d268b)
|
||||
---
|
||||
OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
|
||||
OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ++-
|
||||
OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc | 9 +++++++++
|
||||
OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc | 6 ++++++
|
||||
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +-
|
||||
OvmfPkg/IntelTdx/IntelTdxX64.fdf | 3 ++-
|
||||
OvmfPkg/Microvm/MicrovmX64.dsc | 2 +-
|
||||
OvmfPkg/Microvm/MicrovmX64.fdf | 3 ++-
|
||||
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
|
||||
OvmfPkg/OvmfPkgIa32.fdf | 3 ++-
|
||||
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
|
||||
OvmfPkg/OvmfPkgIa32X64.fdf | 3 ++-
|
||||
OvmfPkg/OvmfPkgX64.dsc | 2 +-
|
||||
OvmfPkg/OvmfPkgX64.fdf | 3 ++-
|
||||
14 files changed, 33 insertions(+), 12 deletions(-)
|
||||
create mode 100644 OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
create mode 100644 OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
|
||||
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
|
||||
index cf1ad83e09..4edc2a9069 100644
|
||||
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
|
||||
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
|
||||
@@ -651,7 +651,6 @@
|
||||
OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
- OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
!endif
|
||||
@@ -763,6 +762,7 @@
|
||||
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
|
||||
}
|
||||
!endif
|
||||
+!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
|
||||
OvmfPkg/PlatformDxe/Platform.inf
|
||||
OvmfPkg/AmdSevDxe/AmdSevDxe.inf {
|
||||
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
|
||||
index c56c98dc85..480837b0fa 100644
|
||||
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
|
||||
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
|
||||
@@ -220,7 +220,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
|
||||
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
-INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
!endif
|
||||
@@ -316,6 +315,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
|
||||
#
|
||||
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
|
||||
|
||||
+!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
+
|
||||
################################################################################
|
||||
|
||||
[FV.FVMAIN_COMPACT]
|
||||
diff --git a/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
new file mode 100644
|
||||
index 0000000000..68839a0caa
|
||||
--- /dev/null
|
||||
+++ b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
@@ -0,0 +1,9 @@
|
||||
+##
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+##
|
||||
+
|
||||
+ SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf {
|
||||
+ <LibraryClasses>
|
||||
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
|
||||
+ }
|
||||
+ OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
diff --git a/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
new file mode 100644
|
||||
index 0000000000..99cb4a32b1
|
||||
--- /dev/null
|
||||
+++ b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
@@ -0,0 +1,6 @@
|
||||
+##
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+##
|
||||
+
|
||||
+INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
|
||||
+INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
|
||||
index 9f49b60ff0..4b7e1596fc 100644
|
||||
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
|
||||
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
|
||||
@@ -641,7 +641,6 @@
|
||||
OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
- OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
!endif
|
||||
@@ -752,6 +751,7 @@
|
||||
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
|
||||
}
|
||||
!endif
|
||||
+!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
|
||||
index ce5d542048..88d0f75ae2 100644
|
||||
--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
|
||||
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
|
||||
@@ -285,7 +285,6 @@ READ_LOCK_STATUS = TRUE
|
||||
#
|
||||
INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
|
||||
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
-INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
!endif
|
||||
@@ -333,6 +332,8 @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
|
||||
INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
|
||||
INF OvmfPkg/PlatformDxe/Platform.inf
|
||||
|
||||
+!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
+
|
||||
################################################################################
|
||||
|
||||
[FV.FVMAIN_COMPACT]
|
||||
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
|
||||
index fb73f2e089..9206f01816 100644
|
||||
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
|
||||
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
|
||||
@@ -754,7 +754,6 @@
|
||||
OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
- OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
|
||||
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
|
||||
@@ -880,6 +879,7 @@
|
||||
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
|
||||
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
|
||||
}
|
||||
+!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
|
||||
index 055e659a35..c8268d7e8c 100644
|
||||
--- a/OvmfPkg/Microvm/MicrovmX64.fdf
|
||||
+++ b/OvmfPkg/Microvm/MicrovmX64.fdf
|
||||
@@ -204,7 +204,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
|
||||
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
-INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
@@ -303,6 +302,8 @@ INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf
|
||||
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
|
||||
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
|
||||
|
||||
+!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
+
|
||||
################################################################################
|
||||
|
||||
[FV.FVMAIN_COMPACT]
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
index 65a866ae0c..b64c215585 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
@@ -804,7 +804,6 @@
|
||||
OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
- OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
@@ -942,6 +941,7 @@
|
||||
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
|
||||
}
|
||||
!endif
|
||||
+!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
|
||||
index 10eb6fe72b..c31276e4a3 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.fdf
|
||||
@@ -236,7 +236,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
|
||||
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
-INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
@@ -367,6 +366,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
|
||||
#
|
||||
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
|
||||
|
||||
+!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
+
|
||||
!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
|
||||
INF OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
|
||||
!endif
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
index 679e25501b..ececac3757 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
@@ -822,7 +822,6 @@
|
||||
OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
- OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
@@ -960,6 +959,7 @@
|
||||
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
|
||||
}
|
||||
!endif
|
||||
+!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
index ff06bbfc6f..a7b4aeac08 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
@@ -237,7 +237,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
|
||||
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
-INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
@@ -374,6 +373,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
|
||||
#
|
||||
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
|
||||
|
||||
+!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
+
|
||||
################################################################################
|
||||
|
||||
[FV.FVMAIN_COMPACT]
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index d294fd4625..0ab4d3df06 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -890,7 +890,6 @@
|
||||
OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
- OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
@@ -1028,6 +1027,7 @@
|
||||
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
|
||||
}
|
||||
!endif
|
||||
+!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
|
||||
index f3b787201f..ae08ac4fe9 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgX64.fdf
|
||||
@@ -262,7 +262,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
|
||||
INF OvmfPkg/Virtio10Dxe/Virtio10.inf
|
||||
INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
|
||||
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
|
||||
-INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
|
||||
INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
|
||||
!if $(PVSCSI_ENABLE) == TRUE
|
||||
INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf
|
||||
@@ -408,6 +407,8 @@ INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
|
||||
#
|
||||
!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
|
||||
|
||||
+!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
|
||||
+
|
||||
################################################################################
|
||||
|
||||
[FV.FVMAIN_COMPACT]
|
42
SOURCES/edk2-SecurityPkg-RngDxe-add-rng-test.patch
Normal file
42
SOURCES/edk2-SecurityPkg-RngDxe-add-rng-test.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From a61bc0accb8a76edba4f073fdc7bafc908df045d Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 31 May 2024 09:49:13 +0200
|
||||
Subject: [PATCH] SecurityPkg/RngDxe: add rng test
|
||||
|
||||
Check whenever RngLib actually returns random numbers, only return
|
||||
a non-zero number of Algorithms if that is the case.
|
||||
|
||||
This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL
|
||||
only in case it can actually deliver random numbers.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
||||
index 5723ed695747..8b0742bab6c4 100644
|
||||
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
||||
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
||||
@@ -23,6 +23,7 @@
|
||||
|
||||
#include <Library/BaseLib.h>
|
||||
#include <Library/BaseMemoryLib.h>
|
||||
+#include <Library/RngLib.h>
|
||||
|
||||
#include "RngDxeInternals.h"
|
||||
|
||||
@@ -43,7 +44,12 @@ GetAvailableAlgorithms (
|
||||
VOID
|
||||
)
|
||||
{
|
||||
- mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
|
||||
+ UINT64 RngTest;
|
||||
+
|
||||
+ if (GetRandomNumber64 (&RngTest)) {
|
||||
+ mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
|
||||
+ }
|
||||
+
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
@ -0,0 +1,126 @@
|
||||
From 9a75b030cf27d2530444e9a2f9f11867f79bf679 Mon Sep 17 00:00:00 2001
|
||||
From: Gua Guo <gua.guo@intel.com>
|
||||
Date: Thu, 11 Jan 2024 13:03:26 +0800
|
||||
Subject: [PATCH] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
|
||||
|
||||
Fix integer overflow in various CreateHob instances.
|
||||
Fixes: CVE-2022-36765
|
||||
|
||||
The CreateHob() function aligns the requested size to 8
|
||||
performing the following operation:
|
||||
```
|
||||
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
|
||||
```
|
||||
|
||||
No checks are performed to ensure this value doesn't
|
||||
overflow, and could lead to CreateHob() returning a smaller
|
||||
HOB than requested, which could lead to OOB HOB accesses.
|
||||
|
||||
Reported-by: Marc Beatove <mbeatove@google.com>
|
||||
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
|
||||
Cc: Sami Mujawar <sami.mujawar@arm.com>
|
||||
Reviewed-by: Ray Ni <ray.ni@intel.com>
|
||||
Cc: John Mathew <john.mathews@intel.com>
|
||||
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Signed-off-by: Gua Guo <gua.guo@intel.com>
|
||||
---
|
||||
.../Arm/StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++
|
||||
1 file changed, 35 insertions(+)
|
||||
|
||||
diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
|
||||
index 1550e1babc83..59473e28fe59 100644
|
||||
--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
|
||||
+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
|
||||
@@ -34,6 +34,13 @@ CreateHob (
|
||||
|
||||
HandOffHob = GetHobList ();
|
||||
|
||||
+ //
|
||||
+ // Check Length to avoid data overflow.
|
||||
+ //
|
||||
+ if (HobLength > MAX_UINT16 - 0x7) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
|
||||
|
||||
FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
|
||||
@@ -89,6 +96,10 @@ BuildModuleHob (
|
||||
);
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
|
||||
Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
|
||||
@@ -129,6 +140,9 @@ BuildResourceDescriptorHob (
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
|
||||
ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->ResourceType = ResourceType;
|
||||
Hob->ResourceAttribute = ResourceAttribute;
|
||||
@@ -167,6 +181,11 @@ BuildGuidHob (
|
||||
ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
CopyGuid (&Hob->Name, Guid);
|
||||
return Hob + 1;
|
||||
}
|
||||
@@ -226,6 +245,10 @@ BuildFvHob (
|
||||
EFI_HOB_FIRMWARE_VOLUME *Hob;
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->BaseAddress = BaseAddress;
|
||||
Hob->Length = Length;
|
||||
@@ -255,6 +278,10 @@ BuildFv2Hob (
|
||||
EFI_HOB_FIRMWARE_VOLUME2 *Hob;
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->BaseAddress = BaseAddress;
|
||||
Hob->Length = Length;
|
||||
@@ -282,6 +309,10 @@ BuildCpuHob (
|
||||
EFI_HOB_CPU *Hob;
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
Hob->SizeOfMemorySpace = SizeOfMemorySpace;
|
||||
Hob->SizeOfIoSpace = SizeOfIoSpace;
|
||||
@@ -319,6 +350,10 @@ BuildMemoryAllocationHob (
|
||||
);
|
||||
|
||||
Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
|
||||
+ ASSERT (Hob != NULL);
|
||||
+ if (Hob == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
|
||||
Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
|
@ -20,7 +20,7 @@ ExclusiveArch: x86_64 aarch64
|
||||
|
||||
Name: edk2
|
||||
Version: %{GITDATE}
|
||||
Release: 6%{?dist}
|
||||
Release: 6%{?dist}.2.alma.1
|
||||
Summary: UEFI firmware for 64-bit virtual machines
|
||||
License: BSD-2-Clause-Patent and Apache-2.0 and MIT
|
||||
URL: http://www.tianocore.org
|
||||
@ -265,6 +265,28 @@ Patch69: edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch
|
||||
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
|
||||
Patch70: edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch
|
||||
|
||||
# Patches were taken from:
|
||||
# https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6
|
||||
Patch71: edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch
|
||||
# https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679
|
||||
Patch72: edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch
|
||||
# https://github.com/tianocore/edk2/commit/4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345
|
||||
Patch73: edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
|
||||
# https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7
|
||||
Patch74: edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch
|
||||
# https://github.com/tianocore/edk2/commit/ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3
|
||||
Patch75: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flow-in.patch
|
||||
# https://github.com/tianocore/edk2/commit/c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a
|
||||
Patch76: edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-check-CPUID.patch
|
||||
# https://github.com/tianocore/edk2/commit/a61bc0accb8a76edba4f073fdc7bafc908df045d
|
||||
Patch77: edk2-SecurityPkg-RngDxe-add-rng-test.patch
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/edk2/-/commit/5872fb18b4e645856614429dfffbb704858a9ea7
|
||||
Patch78: edk2-OvmfPkg-wire-up-RngDxe.patch
|
||||
# https://github.com/tianocore/edk2/commit/94961b8817eec6f8d0434555ac50a7aa51c22201
|
||||
Patch79: edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch
|
||||
# https://github.com/tianocore/edk2/commit/5e776299a2604b336a947e68593012ab2cc16eb4
|
||||
Patch80: edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch
|
||||
|
||||
# python3-devel and libuuid-devel are required for building tools.
|
||||
# python3-devel is also needed for varstore template generation and
|
||||
# verification with "ovmf-vars-generator".
|
||||
@ -597,6 +619,19 @@ install -m 0644 \
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 24 2024 Eduard Abdullin <eabdullin@almalinux.org> - 20231122-6.2.alma.1
|
||||
- CryptoPkg/Test: call ProcessLibraryConstructorList
|
||||
- EmbeddedPkg/Hob: Integer Overflow in CreateHob()
|
||||
- MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID
|
||||
- MdePkg/X86UnitTestHost: set rdrand cpuid bit
|
||||
- NetworkPkg: SECURITY PATCH CVE-2023-45237
|
||||
- NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in
|
||||
iPXE environment
|
||||
- NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
|
||||
- OvmfPkg: wire up RngDxe
|
||||
- SecurityPkg/RngDxe: add rng test
|
||||
- StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
|
||||
|
||||
* Thu Feb 22 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6
|
||||
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853]
|
||||
- edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853]
|
||||
|
Loading…
Reference in New Issue
Block a user