--- /dev/null
+From c7b27944218130cca3bbb20314ba5b88b5de4aa4 Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:04 +0800
+Subject: [PATCH] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
+ 2022-36764
+
+This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpm2MeasureBootLib.c | 12 ++--
+ .../DxeTpm2MeasureBootLibSanitization.c | 46 +++++++++++++-
+ .../DxeTpm2MeasureBootLibSanitization.h | 28 ++++++++-
+ .../DxeTpm2MeasureBootLibSanitizationTest.c | 60 ++++++++++++++++---
+ 4 files changed, 131 insertions(+), 15 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 0475103d6e..714cc8e03e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -378,7 +378,6 @@ Exit:
+ @retval EFI_OUT_OF_RESOURCES No enough resource to measure image.\r
+ @retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.\r
+ @retval other error value\r
+-\r
+ **/\r
+ EFI_STATUS\r
+ EFIAPI\r
+@@ -405,6 +404,7 @@ Tcg2MeasurePeImage (
+ Status = EFI_UNSUPPORTED;\r
+ ImageLoad = NULL;\r
+ EventPtr = NULL;\r
++ Tcg2Event = NULL;\r
+ \r
+ Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;\r
+ CcProtocol = MeasureBootProtocols->CcProtocol;\r
+@@ -420,18 +420,22 @@ Tcg2MeasurePeImage (
+ }\r
+ \r
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);\r
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);\r
++ if (EFI_ERROR (Status)) {\r
++ return EFI_UNSUPPORTED;\r
++ }\r
+ \r
+ //\r
+ // Determine destination PCR by BootPolicy\r
+ //\r
+- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;\r
+- EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));\r
++ // from a malicious GPT disk partition\r
++ EventPtr = AllocateZeroPool (EventSize);\r
+ if (EventPtr == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+ \r
+ Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;\r
+- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);\r
++ Tcg2Event->Size = EventSize;\r
+ Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);\r
+ Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;\r
+ ImageLoad = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;\r
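Review bot: The added comment line `// from a malicious GPT disk partition` is an orphaned fragment. It now sits under "Determine destination PCR by BootPolicy" and describes neither the PCR selection nor the allocation that follows; something like `// Allocate the event buffer using the overflow-checked EventSize` would match the code. Separately, `FilePathSize = (UINT32)GetDevicePathSize (FilePath)` narrows a UINTN before the check, so SanitizePeImageEventSize only sees the truncated value and cannot reject a device path larger than MAX_UINT32. Comparing the UINTN result against MAX_UINT32 before the cast would close that gap, and the same cast appears in TcgMeasurePeImage in DxeTpmMeasureBootLib.c. Tcg2MeasurePeImage starts and ends outside this hunk, so whether later copies use the same truncated size is not visible here.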
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+index e2309655d3..2a4d52c6d5 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
+ }\r
+ \r
+ /**\r
+- This function will validate that the allocation size from the primary header is sane\r
++ This function will validate that the allocation size from the primary header is sane\r
+ It will check the following:\r
+ - AllocationSize does not overflow\r
+ \r
+@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
+ \r
+ return EFI_SUCCESS;\r
+ }\r
++\r
++/**\r
++ This function will validate that the PeImage Event Size from the loaded image is sane\r
++ It will check the following:\r
++ - EventSize does not overflow\r
++\r
++ @param[in] FilePathSize - Size of the file path.\r
++ @param[out] EventSize - Pointer to the event size.\r
++\r
++ @retval EFI_SUCCESS\r
++ The event size is valid.\r
++\r
++ @retval EFI_OUT_OF_RESOURCES\r
++ Overflow would have occurred.\r
++\r
++ @retval EFI_INVALID_PARAMETER\r
++ One of the passed parameters was invalid.\r
++**/\r
++EFI_STATUS\r
++SanitizePeImageEventSize (\r
++ IN UINT32 FilePathSize,\r
++ OUT UINT32 *EventSize\r
++ )\r
++{\r
++ EFI_STATUS Status;\r
++\r
++ // Replacing logic:\r
++ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;\r
++ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);\r
++ if (EFI_ERROR (Status)) {\r
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));\r
++ return EFI_BAD_BUFFER_SIZE;\r
++ }\r
++\r
++ // Replacing logic:\r
++ // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)\r
++ Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);\r
++ if (EFI_ERROR (Status)) {\r
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));\r
++ return EFI_BAD_BUFFER_SIZE;\r
++ }\r
++\r
++ return EFI_SUCCESS;\r
++}\r
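Review bot: The `@retval` list does not match what SanitizePeImageEventSize returns: both failure paths return `EFI_BAD_BUFFER_SIZE`, while the doc block lists `EFI_OUT_OF_RESOURCES` and `EFI_INVALID_PARAMETER`, which this body never returns. The block should read `@retval EFI_BAD_BUFFER_SIZE  Overflow would have occurred.` with the two unused entries dropped. If a NULL EventSize is meant to be reported separately, it needs an explicit check before the first SafeUint32Add. The unit tests assert EFI_BAD_BUFFER_SIZE, so the comment appears to be the side that is wrong. The same mismatch is repeated in the prototype comment in DxeTpm2MeasureBootLibSanitization.h and in DxeTpmMeasureBootLibSanitization.c and .h.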
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+index 048b738987..8f72ba4240 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+@@ -9,6 +9,9 @@
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse\r
+ partition data carefully.\r
+ \r
++ Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its\r
++ data structure within this image buffer before use.\r
++\r
+ Copyright (c) Microsoft Corporation.<BR>\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
+ \r
+@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
+ OUT UINT32 *EventSize\r
+ );\r
+ \r
+-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_\r
++/**\r
++ This function will validate that the PeImage Event Size from the loaded image is sane\r
++ It will check the following:\r
++ - EventSize does not overflow\r
++\r
++ @param[in] FilePathSize - Size of the file path.\r
++ @param[out] EventSize - Pointer to the event size.\r
++\r
++ @retval EFI_SUCCESS\r
++ The event size is valid.\r
++\r
++ @retval EFI_OUT_OF_RESOURCES\r
++ Overflow would have occurred.\r
++\r
++ @retval EFI_INVALID_PARAMETER\r
++ One of the passed parameters was invalid.\r
++**/\r
++EFI_STATUS\r
++SanitizePeImageEventSize (\r
++ IN UINT32 FilePathSize,\r
++ OUT UINT32 *EventSize\r
++ );\r
++\r
++#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_\r
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+index 3eb9763e3c..820e99aeb9 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;\r
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);\r
+ PrimaryHeader.MyLBA = 1;\r
+- PrimaryHeader.AlternateLBA = 2;\r
+- PrimaryHeader.FirstUsableLBA = 3;\r
+- PrimaryHeader.LastUsableLBA = 4;\r
+- PrimaryHeader.PartitionEntryLBA = 5;\r
++ PrimaryHeader.PartitionEntryLBA = 2;\r
++ PrimaryHeader.AlternateLBA = 3;\r
++ PrimaryHeader.FirstUsableLBA = 4;\r
++ PrimaryHeader.LastUsableLBA = 5;\r
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;\r
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;\r
+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid\r
+@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+ EFI_STATUS Status;\r
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;\r
+ UINTN NumberOfPartition;\r
+- EFI_GPT_DATA *GptData;\r
+- EFI_TCG2_EVENT *Tcg2Event;\r
+-\r
+- Tcg2Event = NULL;\r
+- GptData = NULL;\r
+ \r
+ // Test that a normal PrimaryHeader passes validation\r
+ PrimaryHeader.NumberOfPartitionEntries = 5;\r
+@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
+ return UNIT_TEST_PASSED;\r
+ }\r
+ \r
++/**\r
++ This function tests the SanitizePeImageEventSize function.\r
++ It's intent is to test that the untrusted input from a file path when generating a\r
++ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating\r
++ the event size when allocating space\r
++\r
++ @param[in] Context The unit test context.\r
++\r
++ @retval UNIT_TEST_PASSED The test passed.\r
++ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.\r
++**/\r
++UNIT_TEST_STATUS\r
++EFIAPI\r
++TestSanitizePeImageEventSize (\r
++ IN UNIT_TEST_CONTEXT Context\r
++ )\r
++{\r
++ UINT32 EventSize;\r
++ UINTN ExistingLogicEventSize;\r
++ UINT32 FilePathSize;\r
++ EFI_STATUS Status;\r
++\r
++ FilePathSize = 255;\r
++\r
++ // Test that a normal PE image passes validation\r
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);\r
++ UT_ASSERT_EQUAL (Status, EFI_SUCCESS);\r
++\r
++ // Test that the event size is correct compared to the existing logic\r
++ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;\r
++ ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);\r
++\r
++ if (EventSize != ExistingLogicEventSize) {\r
++ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);\r
++ return UNIT_TEST_ERROR_TEST_FAILED;\r
++ }\r
++\r
++ // Test that the event size may not overflow\r
++ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);\r
++ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);\r
++\r
++ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));\r
++\r
++ return UNIT_TEST_PASSED;\r
++}\r
++\r
+ // *--------------------------------------------------------------------*\r
+ // * Unit Test Code Main Function\r
+ // *--------------------------------------------------------------------*\r
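Review bot: The overflow case in TestSanitizePeImageEventSize only exercises the first SafeUint32Add: with `MAX_UINT32` the addition of OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) already fails, so no failing input ever reaches the second check that adds the EFI_TCG2_EVENT header offset. A boundary case would cover it: `Status = SanitizePeImageEventSize (MAX_UINT32 - OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), &EventSize);` followed by `UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);`. Also, `ExistingLogicEventSize` is a UINTN printed with `%u` in the UT_LOG_ERROR call; a UINT32 local or an explicit cast would make the format match the argument. The DxeTpmMeasureBootLib version of this test has the same coverage gap.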
+@@ -267,6 +308,7 @@ UefiTestMain (
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);\r
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);\r
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);\r
++ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);\r
+ \r
+ Status = RunAllTestSuites (Framework);\r
+ \r
+--
+2.40.0
+
--- /dev/null
+From 0d341c01eeabe0ab5e76693b36e728b8f538a40e Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:05 +0800
+Subject: [PATCH] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE
+ 2022-36764
+
+This commit contains the patch files and tests for DxeTpmMeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpmMeasureBootLib.c | 13 ++-
+ .../DxeTpmMeasureBootLibSanitization.c | 44 +++++++++
+ .../DxeTpmMeasureBootLibSanitization.h | 23 +++++
+ .../DxeTpmMeasureBootLibSanitizationTest.c | 98 +++++++++++++++++--
+ 4 files changed, 168 insertions(+), 10 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+index 669ab19134..a9fc440a09 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+@@ -17,6 +17,7 @@
+ \r
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
++Copyright (c) Microsoft Corporation.<BR>\r
+ \r
+ Copyright (c) Microsoft Corporation.<BR>\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
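Review bot: The added `Copyright (c) Microsoft Corporation.<BR>` line duplicates the identical line two lines below it. It is placed directly after the Intel SPDX line, so the header now carries two Microsoft copyright lines and the first one is attached to the Intel copyright/SPDX pair. This looks like a merge artefact; dropping the added line leaves the header as it was. The file header comment starts outside this hunk.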
+@@ -345,18 +346,22 @@ TcgMeasurePeImage (
+ ImageLoad = NULL;\r
+ SectionHeader = NULL;\r
+ Sha1Ctx = NULL;\r
++ TcgEvent = NULL;\r
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);\r
+ \r
+- //\r
+ // Determine destination PCR by BootPolicy\r
+ //\r
+- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;\r
+- TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));\r
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);\r
++ if (EFI_ERROR (Status)) {\r
++ return EFI_UNSUPPORTED;\r
++ }\r
++\r
++ TcgEvent = AllocateZeroPool (EventSize);\r
+ if (TcgEvent == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+ \r
+- TcgEvent->EventSize = EventSize;\r
++ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);\r
+ ImageLoad = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;\r
+ \r
+ switch (ImageType) {\r
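Review bot: `TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);` silently depends on SanitizePeImageEventSize having added exactly `sizeof (TCG_PCR_EVENT_HDR)`. Nothing at the call site says that EventSize is now the allocation size rather than the event payload size. A comment above the assignment would keep the two in step, e.g. `// EventSize from SanitizePeImageEventSize() includes TCG_PCR_EVENT_HDR; the log field carries only the payload`. Removing the opening `//` also leaves the "Determine destination PCR by BootPolicy" comment attached to the sanitizer call, which it does not describe. TcgMeasurePeImage begins and ends outside this hunk.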
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+index a3fa46f5e6..c989851cec 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize (
+ \r
+ return EFI_SUCCESS;\r
+ }\r
++\r
++/**\r
++ This function will validate that the PeImage Event Size from the loaded image is sane\r
++ It will check the following:\r
++ - EventSize does not overflow\r
++\r
++ @param[in] FilePathSize - Size of the file path.\r
++ @param[out] EventSize - Pointer to the event size.\r
++\r
++ @retval EFI_SUCCESS\r
++ The event size is valid.\r
++\r
++ @retval EFI_OUT_OF_RESOURCES\r
++ Overflow would have occurred.\r
++\r
++ @retval EFI_INVALID_PARAMETER\r
++ One of the passed parameters was invalid.\r
++**/\r
++EFI_STATUS\r
++SanitizePeImageEventSize (\r
++ IN UINT32 FilePathSize,\r
++ OUT UINT32 *EventSize\r
++ )\r
++{\r
++ EFI_STATUS Status;\r
++\r
++ // Replacing logic:\r
++ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;\r
++ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);\r
++ if (EFI_ERROR (Status)) {\r
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));\r
++ return EFI_BAD_BUFFER_SIZE;\r
++ }\r
++\r
++ // Replacing logic:\r
++ // EventSize + sizeof (TCG_PCR_EVENT_HDR)\r
++ Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);\r
++ if (EFI_ERROR (Status)) {\r
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));\r
++ return EFI_BAD_BUFFER_SIZE;\r
++ }\r
++\r
++ return EFI_SUCCESS;\r
++}\r
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+index 0d9d00c281..2248495813 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
+ OUT UINT32 *EventSize\r
+ );\r
+ \r
++/**\r
++ This function will validate that the PeImage Event Size from the loaded image is sane\r
++ It will check the following:\r
++ - EventSize does not overflow\r
++\r
++ @param[in] FilePathSize - Size of the file path.\r
++ @param[out] EventSize - Pointer to the event size.\r
++\r
++ @retval EFI_SUCCESS\r
++ The event size is valid.\r
++\r
++ @retval EFI_OUT_OF_RESOURCES\r
++ Overflow would have occurred.\r
++\r
++ @retval EFI_INVALID_PARAMETER\r
++ One of the passed parameters was invalid.\r
++**/\r
++EFI_STATUS\r
++SanitizePeImageEventSize (\r
++ IN UINT32 FilePathSize,\r
++ OUT UINT32 *EventSize\r
++ );\r
++\r
+ #endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_\r
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+index eeb928cdb0..c41498be45 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+@@ -1,8 +1,8 @@
+ /** @file\r
+-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.\r
++ This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.\r
+ \r
+-Copyright (c) Microsoft Corporation.<BR>\r
+-SPDX-License-Identifier: BSD-2-Clause-Patent\r
++ Copyright (c) Microsoft Corporation.<BR>\r
++ SPDX-License-Identifier: BSD-2-Clause-Patent\r
+ **/\r
+ \r
+ #include <Uefi.h>\r
+@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+ EFI_STATUS Status;\r
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;\r
+ UINTN NumberOfPartition;\r
+- EFI_GPT_DATA *GptData;\r
+-\r
+- GptData = NULL;\r
+ \r
+ // Test that a normal PrimaryHeader passes validation\r
+ PrimaryHeader.NumberOfPartitionEntries = 5;\r
+@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
+ return UNIT_TEST_PASSED;\r
+ }\r
+ \r
++/**\r
++ This function tests the SanitizePeImageEventSize function.\r
++ It's intent is to test that the untrusted input from a file path for an\r
++ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating\r
++ the event size when allocating space.\r
++\r
++ @param[in] Context The unit test context.\r
++\r
++ @retval UNIT_TEST_PASSED The test passed.\r
++ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.\r
++**/\r
++UNIT_TEST_STATUS\r
++EFIAPI\r
++TestSanitizePeImageEventSize (\r
++ IN UNIT_TEST_CONTEXT Context\r
++ )\r
++{\r
++ UINT32 EventSize;\r
++ UINTN ExistingLogicEventSize;\r
++ UINT32 FilePathSize;\r
++ EFI_STATUS Status;\r
++ EFI_DEVICE_PATH_PROTOCOL DevicePath;\r
++ EFI_IMAGE_LOAD_EVENT *ImageLoadEvent;\r
++ UNIT_TEST_STATUS TestStatus;\r
++\r
++ TestStatus = UNIT_TEST_ERROR_TEST_FAILED;\r
++\r
++ // Generate EFI_DEVICE_PATH_PROTOCOL test data\r
++ DevicePath.Type = 0;\r
++ DevicePath.SubType = 0;\r
++ DevicePath.Length[0] = 0;\r
++ DevicePath.Length[1] = 0;\r
++\r
++ // Generate EFI_IMAGE_LOAD_EVENT test data\r
++ ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));\r
++ if (ImageLoadEvent == NULL) {\r
++ DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));\r
++ goto Exit;\r
++ }\r
++\r
++ // Populate EFI_IMAGE_LOAD_EVENT54 test data\r
++ ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;\r
++ ImageLoadEvent->ImageLengthInMemory = 0x1000;\r
++ ImageLoadEvent->ImageLinkTimeAddress = (UINTN)ImageLoadEvent;\r
++ ImageLoadEvent->LengthOfDevicePath = sizeof (EFI_DEVICE_PATH_PROTOCOL);\r
++ CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));\r
++\r
++ FilePathSize = 255;\r
++\r
++ // Test that a normal PE image passes validation\r
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);\r
++ if (EFI_ERROR (Status)) {\r
++ UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);\r
++ goto Exit;\r
++ }\r
++\r
++ // Test that the event size is correct compared to the existing logic\r
++ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;\r
++ ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);\r
++\r
++ if (EventSize != ExistingLogicEventSize) {\r
++ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);\r
++ goto Exit;\r
++ }\r
++\r
++ // Test that the event size may not overflow\r
++ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);\r
++ if (Status != EFI_BAD_BUFFER_SIZE) {\r
++ UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);\r
++ goto Exit;\r
++ }\r
++\r
++ TestStatus = UNIT_TEST_PASSED;\r
++Exit:\r
++\r
++ if (ImageLoadEvent != NULL) {\r
++ FreePool (ImageLoadEvent);\r
++ }\r
++\r
++ if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {\r
++ DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));\r
++ } else {\r
++ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));\r
++ }\r
++\r
++ return TestStatus;\r
++}\r
++\r
+ // *--------------------------------------------------------------------*\r
+ // * Unit Test Code Main Function\r
+ // *--------------------------------------------------------------------*\r
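Review bot: In TestSanitizePeImageEventSize, `DevicePath` and `ImageLoadEvent` are built and populated but never passed to SanitizePeImageEventSize or compared against anything. The allocation, the CopyMem and the Exit/FreePool path therefore add failure modes without testing anything. Either drop the fixture, as the DxeTpm2MeasureBootLib version of this test does, or use it, for instance by deriving FilePathSize from the device path. The failure message `"SanitizePeImageEventSize succeded when it was supposed to fail with %r\n"` has a typo (`succeeded`), and the comment `EFI_IMAGE_LOAD_EVENT54` looks like a stray edit.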
+@@ -265,6 +350,7 @@ UefiTestMain (
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);\r
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);\r
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);\r
++ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);\r
+ \r
+ Status = RunAllTestSuites (Framework);\r
+ \r
+--
+2.40.0
+
--- /dev/null
+From 8f6d343ae639fba8e4b80e45257275e23083431f Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:06 +0800
+Subject: [PATCH] SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml
+
+This creates / adds a security file that tracks the security fixes
+found in this package and can be used to find the fixes that were
+applied.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index f9e3e7be74..833fb827a9 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -20,3 +20,17 @@ CVE_2022_36763:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117\r
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168\r
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990\r
++CVE_2022_36764:\r
++ commit_titles:\r
++ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"\r
++ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"\r
++ - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"\r
++ cve: CVE-2022-36764\r
++ date_reported: 2022-10-25 12:23 UTC\r
++ description: Heap Buffer Overflow in Tcg2MeasurePeImage()\r
++ note:\r
++ files_impacted:\r
++ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c\r
++ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c\r
++ links:\r
++ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118\r
+--
+2.40.0
+
file://CVE-2022-36763-0001.patch \
file://CVE-2022-36763-0002.patch \
file://CVE-2022-36763-0003.patch \
+ file://CVE-2022-36764-0001.patch \
+ file://CVE-2022-36764-0002.patch \
+ file://CVE-2022-36764-0003.patch \
"
PV = "edk2-stable202202"