From: Hongxu Jia Date: Fri, 22 Nov 2024 09:47:25 +0000 (+0800) Subject: ovmf: fix CVE-2024-1298 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af65d3e221fb239c2dd769ce109e78c720e35793;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git ovmf: fix CVE-2024-1298 Backport a fix from upstream to resolve CVE-2024-1298 https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19 Signed-off-by: Hongxu Jia --- diff --git a/meta/recipes-core/ovmf/ovmf/0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch b/meta/recipes-core/ovmf/ovmf/0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch new file mode 100644 index 00000000000..7480f8722ec --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch @@ -0,0 +1,51 @@ +From 63f29c180dd04d13614440740a8795ee422567b8 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Fri, 22 Nov 2024 17:43:28 +0800 +Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677 + +Attacker able to modify physical memory and ResumeCount. +System will crash/DoS when ResumeCount reaches its MAX_UINT32. + +Cc: Zhiguang Liu +Cc: Dandan Bi +Cc: Liming Gao + +Signed-off-by: Pakkirisamy ShanmugavelX +Reviewed-by: Liming Gao + +CVE: CVE-2024-1298 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19] +Signed-off-by: Hongxu Jia +--- + .../FirmwarePerformancePei.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c +index 2f2b2a80b2..2ba9215226 100644 +--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c ++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c +@@ -112,11 +112,15 @@ FpdtStatusCodeListenerPei ( + // + S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount); + AcpiS3ResumeRecord->ResumeCount++; +- AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount); ++ if (AcpiS3ResumeRecord->ResumeCount > 0) { ++ AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount); ++ DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume)); ++ } else { ++ DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero.")); ++ } + +- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount = %d\n", AcpiS3ResumeRecord->ResumeCount)); +- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume = %ld\n", AcpiS3ResumeRecord->FullResume)); +- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume)); ++ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount = 0x%x\n", AcpiS3ResumeRecord->ResumeCount)); ++ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume = 0x%x\n", AcpiS3ResumeRecord->FullResume)); + + // + // Update S3 Suspend Performance Record. +-- +2.34.1 + diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index e626d306a48..a067dd017b1 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -54,6 +54,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2022-36765-0002.patch \ file://CVE-2022-36765-0003.patch \ file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \ + file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \ " PV = "edk2-stable202202"