From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Mon, 7 Apr 2025 11:37:13 +0000 (+0800)
Subject: ovmf: fix CVE-2025-2295
X-Git-Tag: uninative-4.8~812
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f59dec939cf0d313b1b01b1e7bf10e059d9d0ac;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

ovmf: fix CVE-2025-2295

According to [1], EDK2 contains a vulnerability in BIOS where a user may
cause an Integer Overflow or Wraparound by network means. A successful
exploitation of this vulnerability may lead to denial of service.

Refer debian [2], backport a patch from edk2 [3] to fix CVE-2025-2295

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2295
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100594
[3] https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
new file mode 100644
index 00000000000..038a3f2dbc7
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
@@ -0,0 +1,56 @@
+From 4b028816b5619ede6c3720664478055e09151516 Mon Sep 17 00:00:00 2001
+From: Madhavan <madavtechy@gmail.com>
+Date: Fri, 14 Mar 2025 14:15:13 -0400
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
+ bz4206
+
+Used SafeUint32Add to calculate and validate OutTransferLength with
+boundary check in IScsiOnR2TRcvd to avoid integer overflow
+
+Signed-off-by: Madhavan <madavtechy@gmail.com>
+
+CVE: CVE-2025-2295
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef587649a0..fb48e6304d 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1,7 +1,7 @@
+ /** @file
+   The implementation of iSCSI protocol based on RFC3720.
+ 
+-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
+   EFI_STATUS               Status;
+   ISCSI_XFER_CONTEXT       *XferContext;
+   UINT8                    *Data;
++  UINT32                   TransferLength;
+ 
+   R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
+   if (R2THdr == NULL) {
+@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
+   XferContext->Offset            = R2THdr->BufferOffset;
+   XferContext->DesiredLength     = R2THdr->DesiredDataTransferLength;
+ 
+-  if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
++  Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
++  if (EFI_ERROR (Status)) {
++    return EFI_PROTOCOL_ERROR;
++  }
++
++  if ((TransferLength > Packet->OutTransferLength) ||
+       (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
+       )
+   {
+-- 
+2.48.1
+
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 764d79854ff..41ab85b703c 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
            file://0003-debug-prefix-map.patch \
            file://0004-reproducible.patch \
+           file://CVE-2025-2295.patch \
            "
 
 PV = "edk2-stable202411"