diff --git a/1018-CVE-2024-38805.patch b/1018-CVE-2024-38805.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7e7adf9ccbcf7845e606195a73cbabc4f9c112ea
--- /dev/null
+++ b/1018-CVE-2024-38805.patch
@@ -0,0 +1,70 @@
+From b3a2f7ff24e156e8c4d694fffff01e95a048c536 Mon Sep 17 00:00:00 2001
+From: Santhosh Kumar V
+Date: Wed, 7 May 2025 18:53:30 +0530
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
+ bz4207 (CVE-2024-38805)
+
+In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
+Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
+
+Signed-off-by: santhosh kumar V
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 29 +-
+ 1 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef587649..53a0ff80 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
+ {
+ LIST_ENTRY *ListHead;
+ ISCSI_KEY_VALUE_PAIR *KeyValuePair;
++ EFI_STATUS Status;
++ UINT32 Result;
+
+ ListHead = AllocatePool (sizeof (LIST_ENTRY));
+ if (ListHead == NULL) {
+@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
+ Data++;
+ }
+
+- if (*Data == '=') {
++ // Here Len must not be zero.
++ // The value of Len is size of data buffer. Actually, Data is make up of strings.
++ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
++ // (1) Len == 0, *Data != '=' goto ON_ERROR
++ // (2) *Data == '=', Len != 0 normal case.
++ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
++ if ((Len > 0) && (*Data == '=')) {
+ *Data = '\0';
+-
+ Data++;
+ Len--;
+ } else {
+@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
+
+ KeyValuePair->Value = Data;
+
+- InsertTailList (ListHead, &KeyValuePair->List);
++ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
+
+- Data += AsciiStrLen (KeyValuePair->Value) + 1;
+- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++ Status = SafeUint32Sub (Len, Result, &Len);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
++ FreePool (KeyValuePair);
++ goto ON_ERROR;
++ }
++
++ InsertTailList (ListHead, &KeyValuePair->List);
++ Data += Result;
+ }
+
+ return ListHead;
diff --git a/edk2.spec b/edk2.spec
index d63637f8d41c0fba9d3d120228159f2a0ea6fb47..b07b683bd9e10896a4d0f7841c1a9aa694573e3f 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 20
+%define anolis_release 21
%undefine _auto_set_build_flags
ExclusiveArch: x86_64 aarch64 loongarch64 riscv64
@@ -123,6 +123,8 @@ Patch1015:1015-OvmfPkg-HashLibCsv-Add-HashLibCsv.patch
Patch1016:1016-OvmfPkg-CsvTcg2Dxe-Add-CsvTcg2Dxe.patch
Patch1017:1017-OvmfPkg-OvmfPkgX64-Set-default-value-of-CC_MEASUREME.patch
+# https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
+Patch1018: 1018-CVE-2024-38805.patch
BuildRequires: python3-devel
BuildRequires: libuuid-devel
@@ -575,7 +577,10 @@ rm -f %{buildroot}%{_datadir}/edk2/riscv/*.raw
%changelog
-* Thu, Oct 30 2025 -202402-20
+* Tue Nov 11 2025 wenxin - 202402-21
+- add patch to fix CVE-2024-38805
+
+* Thu Oct 30 2025 -202402-20
- Support RTMR and CC Measurement on CSV3 Guest
* Tue Sep 23 2025 wh02252983 - 202402-19
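Review bot: The new `Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);` line in the third inner hunk still measures the value with an unbounded `AsciiStrLen`, so if the last string in the buffer carries no NUL terminator the scan runs past the bytes that `Len` still accounts for before `SafeUint32Sub` gets a chance to reject anything; the subtraction only catches the arithmetic wrap after the read has already happened. Using the bounded BaseLib variant, `Status = SafeUint32Add ((UINT32)AsciiStrnLenS (KeyValuePair->Value, Len), 1, &Result);`, keeps the read inside the remaining buffer and makes an unterminated tail fail the existing `SafeUint32Sub (Len, Result, &Len)` check naturally, because the bounded length comes back equal to `Len` and `Result` then exceeds it. Bounding the length by a UINT32 `Len` also removes the `(UINT32)` truncation of a UINTN length as a separate concern. `IScsiBuildKeyValueList` and its enclosing `while` loop start and end outside these hunks, and the key-side scan that ends with `Data++; }` in the second hunk is only partly visible, so whether that scan is bounded the same way cannot be confirmed from here.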