--- /dev/null
+From 2c8fb3e5164effc8a370e800fe91db7341e69116 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Mon, 7 Apr 2025 11:23:41 -0700
+Subject: [PATCH 1/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
+
+This commit updates the SecurityFixes.yaml file to include
+information about the CVE-2024-38797 vulnerability.
+
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/519366f542e9370bee982b1c3687ffedb5cabc21]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index b4006b4..06b597a 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -40,3 +40,18 @@ CVE_2022_36764:
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c\r
+ links:\r
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118\r
++CVE_2024_38797:\r
++ commit-titles:\r
++ - "SecurityPkg: Out of bound read in HashPeImageByType()"\r
++ - "SecurityPkg: Improving HashPeImageByType () logic"\r
++ - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"\r
++ cve: CVE-2024-38797\r
++ date_reported: 2024-06-04 12:00 UTC\r
++ description: Out of bound read in HashPeImageByType()\r
++ note:\r
++ files_impacted:\r
++ - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c\r
++ - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c\r
++ links:\r
++ - https://bugzilla.tianocore.org/show_bug.cgi?id=2214\r
++ - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf\r
+--
+2.34.1
+
--- /dev/null
+From 1a7be26382c4a34504875f094e15fe371d44192e Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Thu, 3 Oct 2024 09:37:18 -0700
+Subject: [PATCH 2/4] SecurityPkg: Out of bound read in HashPeImageByType()
+
+In HashPeImageByType(), the hash of PE/COFF image is calculated.
+This function may get untrusted input.
+
+Inside this function, the following code verifies the loaded image has
+the correct format, by reading the second byte of the buffer.
+
+```c
+ if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+ ...
+ }
+```
+
+The input image is not trusted and that may not have the second byte to
+read. So this poses an out of bound read error.
+
+With below fix we are assuring that we don't do out of bound read. i.e,
+we make sure that AuthDataSize is greater than 1.
+
+```c
+ if (AuthDataSize > 1
+ && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
+ ...
+ }
+```
+
+AuthDataSize size is verified before reading the second byte.
+So if AuthDataSize is less than 2, the second byte will not be read, and
+the out of bound read situation won't occur.
+
+Tested the patch on real platform with and without TPM connected and
+verified image is booting fine.
+
+Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index b05da19..2afa2c9 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -642,7 +642,7 @@ HashPeImageByType (
+ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
+ // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
+ //\r
+- if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {\r
++ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
+ //\r
+ // Only support two bytes of Long Form of Length Encoding.\r
+ //\r
+--
+2.34.1
+
--- /dev/null
+From 4db363db013a92937431234252fc9d84e44fc120 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Thu, 3 Oct 2024 10:16:57 -0700
+Subject: [PATCH 3/4] SecurityPkg: Improving HashPeImageByType () logic
+
+Namely:
+
+(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
+ to TRUE for Index==0, then it will evaluate to TRUE for all other
+ Index values as well. As a result, the (Index == HASHALG_MAX)
+ condition will fire after the loop, and we'll return
+ EFI_UNSUPPORTED.
+
+ While this is correct, functionally speaking, it is wasteful to
+ keep re-checking TWO_BYTE_ENCODE in the loop body. The check
+ should be made at the top of the function, and EFI_UNSUPPORTED
+ should be returned at once, if appropriate.
+
+(2) If the hash algorithm selected by Index has such a large OID that
+ the OID comparison cannot even be performed (because AuthDataSize
+ is not large enough for containing the OID in question, starting
+ at offset 32), then the function returns EFI_UNSUPPORTED at once.
+
+ This is bogus; this case should simply be treated as an OID
+ mismatch, and the loop should advance to the next Index value /
+ hash algorithm candidate. A remaining hash algo may have a shorter
+ OID and yield an OID match.
+
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/5df518ec510324f48ed1cf0376150960644b41f0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../DxeImageVerificationLib.c | 37 ++++++++++---------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 2afa2c9..2eca39d 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -618,6 +618,7 @@ Done:
+ @param[in] AuthDataSize Size of the Authenticode Signature in bytes.\r
+ \r
+ @retval EFI_UNSUPPORTED Hash algorithm is not supported.\r
++ @retval EFI_BAD_BUFFER_SIZE AuthData provided is invalid size.\r
+ @retval EFI_SUCCESS Hash successfully.\r
+ \r
+ **/\r
+@@ -629,28 +630,28 @@ HashPeImageByType (
+ {\r
+ UINT8 Index;\r
+ \r
+- for (Index = 0; Index < HASHALG_MAX; Index++) {\r
++ //\r
++ // Check the Hash algorithm in PE/COFF Authenticode.\r
++ // According to PKCS#7 Definition:\r
++ // SignedData ::= SEQUENCE {\r
++ // version Version,\r
++ // digestAlgorithms DigestAlgorithmIdentifiers,\r
++ // contentInfo ContentInfo,\r
++ // .... }\r
++ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
++ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
++ // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
++ //\r
++ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
+ //\r
+- // Check the Hash algorithm in PE/COFF Authenticode.\r
+- // According to PKCS#7 Definition:\r
+- // SignedData ::= SEQUENCE {\r
+- // version Version,\r
+- // digestAlgorithms DigestAlgorithmIdentifiers,\r
+- // contentInfo ContentInfo,\r
+- // .... }\r
+- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
+- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
+- // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
++ // Only support two bytes of Long Form of Length Encoding.\r
+ //\r
+- if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
+- //\r
+- // Only support two bytes of Long Form of Length Encoding.\r
+- //\r
+- continue;\r
+- }\r
++ return EFI_BAD_BUFFER_SIZE;\r
++ }\r
+ \r
++ for (Index = 0; Index < HASHALG_MAX; Index++) {\r
+ if (AuthDataSize < 32 + mHash[Index].OidLength) {\r
+- return EFI_UNSUPPORTED;\r
++ continue;\r
+ }\r
+ \r
+ if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {\r
+--
+2.34.1
+
--- /dev/null
+From cb3342702c5c1f8a4ddbb6d503a98ed720d14eb3 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 17 Jan 2025 11:30:17 -0800
+Subject: [PATCH 4/4] SecurityPkg: Improving
+ SecureBootConfigImpl:HashPeImageByType () logic
+
+Namely:
+
+(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
+ to TRUE for Index==0, then it will evaluate to TRUE for all other
+ Index values as well. As a result, the (Index == HASHALG_MAX)
+ condition will fire after the loop, and we'll return
+ EFI_UNSUPPORTED.
+
+ While this is correct, functionally speaking, it is wasteful to
+ keep re-checking TWO_BYTE_ENCODE in the loop body. The check
+ should be made at the top of the function, and EFI_UNSUPPORTED
+ should be returned at once, if appropriate.
+
+(2) If the hash algorithm selected by Index has such a large OID that
+ the OID comparison cannot even be performed (because AuthDataSize
+ is not large enough for containing the OID in question, starting
+ at offset 32), then the function returns EFI_UNSUPPORTED at once.
+
+ This is bogus; this case should simply be treated as an OID
+ mismatch, and the loop should advance to the next Index value /
+ hash algorithm candidate. A remaining hash algo may have a shorter
+ OID and yield an OID match.
+
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/8676572908b950dd4d1f8985006011be99c0a5b6]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../SecureBootConfigImpl.c | 37 +++++++++++--------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+index 6d4560c..155e755 100644
+--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
++++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+@@ -2096,30 +2096,35 @@ HashPeImageByType (
+ {\r
+ UINT8 Index;\r
+ WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;\r
++ UINT32 PkcsCertSize;\r
+ \r
+ PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + mSecDataDir->Offset);\r
++ PkcsCertSize = mSecDataDir->SizeOfCert;\r
+ \r
+- for (Index = 0; Index < HASHALG_MAX; Index++) {\r
++ //\r
++ // Check the Hash algorithm in PE/COFF Authenticode.\r
++ // According to PKCS#7 Definition:\r
++ // SignedData ::= SEQUENCE {\r
++ // version Version,\r
++ // digestAlgorithms DigestAlgorithmIdentifiers,\r
++ // contentInfo ContentInfo,\r
++ // .... }\r
++ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
++ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
++ // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
++ //\r
++ if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
+ //\r
+- // Check the Hash algorithm in PE/COFF Authenticode.\r
+- // According to PKCS#7 Definition:\r
+- // SignedData ::= SEQUENCE {\r
+- // version Version,\r
+- // digestAlgorithms DigestAlgorithmIdentifiers,\r
+- // contentInfo ContentInfo,\r
+- // .... }\r
+- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
+- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
+- // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
++ // Only support two bytes of Long Form of Length Encoding.\r
+ //\r
+- if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {\r
+- //\r
+- // Only support two bytes of Long Form of Length Encoding.\r
+- //\r
++ return EFI_BAD_BUFFER_SIZE;\r
++ }\r
++\r
++ for (Index = 0; Index < HASHALG_MAX; Index++) {\r
++ if (PkcsCertSize < 32 + mHash[Index].OidLength) {\r
+ continue;\r
+ }\r
+ \r
+- //\r
+ if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {\r
+ break;\r
+ }\r
+--
+2.34.1
+
file://0003-debug-prefix-map.patch \
file://0004-reproducible.patch \
file://CVE-2025-2295.patch \
+ file://CVE-2024-38797-1.patch \
+ file://CVE-2024-38797-2.patch \
+ file://CVE-2024-38797-3.patch \
+ file://CVE-2024-38797-4.patch \
"
PV = "edk2-stable202502"
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
