Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package edk2 for openSUSE:Factory checked in 
at 2025-04-15 16:44:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/edk2 (Old)
 and      /work/SRC/openSUSE:Factory/.edk2.new.1907 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "edk2"

Tue Apr 15 16:44:54 2025 rev:14 rq:1269123 version:202502

Changes:
--------
--- /work/SRC/openSUSE:Factory/edk2/edk2.changes        2025-03-20 
19:24:34.796615758 +0100
+++ /work/SRC/openSUSE:Factory/.edk2.new.1907/edk2.changes      2025-04-15 
16:47:56.360212553 +0200
@@ -1,0 +2,6 @@
+Mon Apr 14 06:32:43 UTC 2025 - Guillaume GARDET <guillaume.gar...@opensuse.org>
+
+- Add patch to fix CVE-2024-38797 - boo#1240985:
+  * 10928.patch
+
+-------------------------------------------------------------------

New:
----
  10928.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ edk2.spec ++++++
--- /var/tmp/diff_new_pack.2PdVDN/_old  2025-04-15 16:47:59.748354424 +0200
+++ /var/tmp/diff_new_pack.2PdVDN/_new  2025-04-15 16:47:59.764355094 +0200
@@ -69,6 +69,8 @@
 Source10:       
https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz
 Source11:       
https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz.asc
 Source12:       openssl.keyring
+# PATCH-FIX-UPSTREAM - https://github.com/tianocore/edk2/pull/10928 - 
CVE-2024-38797
+Patch1:         10928.patch
 #!BuildIgnore:  gcc-PIE
 BuildRequires:  acpica
 BuildRequires:  bc
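Review bot: the PATCH-FIX-UPSTREAM comment on the new Patch1 line cites the upstream PR and the CVE but not the boo#1240985 reference carried in the edk2.changes entry; adding it (`# PATCH-FIX-UPSTREAM - boo#1240985 - https://github.com/tianocore/edk2/pull/10928 - CVE-2024-38797`) keeps spec and changelog cross-referenced. Since 10928.patch is shipped as a local file rather than fetched like the numbered Sources above, that comment is also the only provenance for the four bundled commits, so it is worth confirming the file content matches the merged PR before accepting.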
@@ -118,6 +120,7 @@
 
 %prep
 %setup -q -n edk2-edk2-stable%{archive_version} -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 
-a 7 -a 8
+%patch -P 1 -p1
 
 # Fix path of the brotli submodules
 cp -R brotli-%{brotli_version}/* BaseTools/Source/C/BrotliCompress/brotli/
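Review bot: `%patch -P 1 -p1` is placed directly after `%setup` and before the brotli submodule copy; the `-p1` strip level matches the `a/`/`b/` prefixes in the bundled diffs and all four commits touch only SecurityPkg paths in the main tree, so the ordering is sound. Worth a comment next to the `%patch` line is that this single file carries four separate commits (including the SecurityFixes.yaml metadata update), so a future rebase has to refresh or drop them together.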

++++++ 10928.patch ++++++
>From 2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b Mon Sep 17 00:00:00 2001
From: Doug Flick <dougfl...@microsoft.com>
Date: Thu, 3 Oct 2024 09:37:18 -0700
Subject: [PATCH 1/4] SecurityPkg: Out of bound read in HashPeImageByType()

In HashPeImageByType(), the hash of PE/COFF image is calculated.
This function may get untrusted input.

Inside this function, the following code verifies the loaded image has
the correct format, by reading the second byte of the buffer.

```c
  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
        ...
  }
```

The input image is not trusted and may not have a second byte to
read, so this poses an out of bound read error.

With the fix below we make sure that we don't do an out of bound read,
i.e. we make sure that AuthDataSize is greater than 1.

```c
  if (AuthDataSize > 1
      && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
    ...
  }
```

AuthDataSize is verified before reading the second byte.
So if AuthDataSize is less than 2, the second byte will not be read, and
the out of bound read situation won't occur.

Tested the patch on real platform with and without TPM connected and
verified image is booting fine.

Authored-by: Raj AlwinX Selvaraj <alw...@intel.com>
Signed-off-by: Doug Flick <dougfl...@microsoft.com>
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b05da19c2b5f..2afa2c93d9c8 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -642,7 +642,7 @@ HashPeImageByType (
     //    This field has the fixed offset (+32) in final Authenticode ASN.1 
data.
     //    Fixed offset (+32) is calculated based on two bytes of length 
encoding.
     //
-    if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != 
TWO_BYTE_ENCODE)) {
       //
       // Only support two bytes of Long Form of Length Encoding.
       //
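Review bot: the `(AuthDataSize > 1) &&` guard on the changed line short-circuits to FALSE for a zero- or one-byte AuthData, so such a buffer skips the length-encoding check and continues through the rest of the loop body instead of being rejected here; it is only the later `AuthDataSize < 32 + mHash[Index].OidLength` check (visible as context in the next commit) that stops it. Writing the condition as `(AuthDataSize < 2) || ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)` rejects the short buffer explicitly at this point and does not depend on that downstream check staying in place.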

>From 5df518ec510324f48ed1cf0376150960644b41f0 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougfl...@microsoft.com>
Date: Thu, 3 Oct 2024 10:16:57 -0700
Subject: [PATCH 2/4] SecurityPkg: Improving HashPeImageByType () logic

Namely:

(1) The TWO_BYTE_ENCODE check is independent of Index. If it evaluates
    to TRUE for Index==0, then it will evaluate to TRUE for all other
    Index values as well. As a result, the (Index == HASHALG_MAX)
    condition will fire after the loop, and we'll return
    EFI_UNSUPPORTED.

    While this is correct, functionally speaking, it is wasteful to
    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
    should be made at the top of the function, and EFI_UNSUPPORTED
    should be returned at once, if appropriate.

(2) If the hash algorithm selected by Index has such a large OID that
    the OID comparison cannot even be performed (because AuthDataSize
    is not large enough for containing the OID in question, starting
    at offset 32), then the function returns EFI_UNSUPPORTED at once.

    This is bogus; this case should simply be treated as an OID
    mismatch, and the loop should advance to the next Index value /
    hash algorithm candidate. A remaining hash algo may have a shorter
    OID and yield an OID match.

Signed-off-by: Doug Flick <dougfl...@microsoft.com>
---
 .../DxeImageVerificationLib.c                 | 37 ++++++++++---------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git 
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 2afa2c93d9c8..2eca39d563fe 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -618,6 +618,7 @@ HashPeImage (
   @param[in]  AuthDataSize        Size of the Authenticode Signature in bytes.
 
   @retval EFI_UNSUPPORTED             Hash algorithm is not supported.
+  @retval EFI_BAD_BUFFER_SIZE         AuthData provided is invalid size.
   @retval EFI_SUCCESS                 Hash successfully.
 
 **/
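Review bot: the new `@retval EFI_BAD_BUFFER_SIZE` description reads "AuthData provided is invalid size"; the status is actually returned when the second byte does not carry the two-byte long-form length encoding, so wording such as "AuthData is too short or does not use two-byte long-form length encoding." describes the condition the code tests and fixes the grammar.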
@@ -629,28 +630,28 @@ HashPeImageByType (
 {
   UINT8  Index;
 
-  for (Index = 0; Index < HASHALG_MAX; Index++) {
+  //
+  // Check the Hash algorithm in PE/COFF Authenticode.
+  //    According to PKCS#7 Definition:
+  //        SignedData ::= SEQUENCE {
+  //            version Version,
+  //            digestAlgorithms DigestAlgorithmIdentifiers,
+  //            contentInfo ContentInfo,
+  //            .... }
+  //    The DigestAlgorithmIdentifiers can be used to determine the hash 
algorithm in PE/COFF hashing
+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+  //
+  if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != 
TWO_BYTE_ENCODE)) {
     //
-    // Check the Hash algorithm in PE/COFF Authenticode.
-    //    According to PKCS#7 Definition:
-    //        SignedData ::= SEQUENCE {
-    //            version Version,
-    //            digestAlgorithms DigestAlgorithmIdentifiers,
-    //            contentInfo ContentInfo,
-    //            .... }
-    //    The DigestAlgorithmIdentifiers can be used to determine the hash 
algorithm in PE/COFF hashing
-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 
data.
-    //    Fixed offset (+32) is calculated based on two bytes of length 
encoding.
+    // Only support two bytes of Long Form of Length Encoding.
     //
-    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != 
TWO_BYTE_ENCODE)) {
-      //
-      // Only support two bytes of Long Form of Length Encoding.
-      //
-      continue;
-    }
+    return EFI_BAD_BUFFER_SIZE;
+  }
 
+  for (Index = 0; Index < HASHALG_MAX; Index++) {
     if (AuthDataSize < 32 + mHash[Index].OidLength) {
-      return EFI_UNSUPPORTED;
+      continue;
     }
 
     if (CompareMem (AuthData + 32, mHash[Index].OidValue, 
mHash[Index].OidLength) == 0) {
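Review bot: the hoisted TWO_BYTE_ENCODE check returns EFI_BAD_BUFFER_SIZE, while point (1) of the commit message says EFI_UNSUPPORTED should be returned at once; one of the two should be aligned, since callers that matched on EFI_UNSUPPORTED for a malformed signature now see a different status. The `(AuthDataSize > 1) &&` guard also still lets a zero- or one-byte AuthData past the early return; it is then rejected only because every `AuthDataSize < 32 + mHash[Index].OidLength` test now `continue`s and the loop runs out of candidates, so `(AuthDataSize < 2) ||` would make the early return cover that case directly.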

>From 8676572908b950dd4d1f8985006011be99c0a5b6 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougfl...@microsoft.com>
Date: Fri, 17 Jan 2025 11:30:17 -0800
Subject: [PATCH 3/4] SecurityPkg: Improving
 SecureBootConfigImpl:HashPeImageByType () logic

Namely:

(1) The TWO_BYTE_ENCODE check is independent of Index. If it evaluates
    to TRUE for Index==0, then it will evaluate to TRUE for all other
    Index values as well. As a result, the (Index == HASHALG_MAX)
    condition will fire after the loop, and we'll return
    EFI_UNSUPPORTED.

    While this is correct, functionally speaking, it is wasteful to
    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
    should be made at the top of the function, and EFI_UNSUPPORTED
    should be returned at once, if appropriate.

(2) If the hash algorithm selected by Index has such a large OID that
    the OID comparison cannot even be performed (because AuthDataSize
    is not large enough for containing the OID in question, starting
    at offset 32), then the function returns EFI_UNSUPPORTED at once.

    This is bogus; this case should simply be treated as an OID
    mismatch, and the loop should advance to the next Index value /
    hash algorithm candidate. A remaining hash algo may have a shorter
    OID and yield an OID match.

Signed-off-by: Doug Flick <dougfl...@microsoft.com>
---
 .../SecureBootConfigImpl.c                    | 37 +++++++++++--------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index d4dc4e14020c..d262904c3138 100644
--- 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -2105,30 +2105,35 @@ HashPeImageByType (
 {
   UINT8                     Index;
   WIN_CERTIFICATE_EFI_PKCS  *PkcsCertData;
+  UINT32                    PkcsCertSize;
 
   PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + 
mSecDataDir->Offset);
+  PkcsCertSize = mSecDataDir->SizeOfCert;
 
-  for (Index = 0; Index < HASHALG_MAX; Index++) {
+  //
+  // Check the Hash algorithm in PE/COFF Authenticode.
+  //    According to PKCS#7 Definition:
+  //        SignedData ::= SEQUENCE {
+  //            version Version,
+  //            digestAlgorithms DigestAlgorithmIdentifiers,
+  //            contentInfo ContentInfo,
+  //            .... }
+  //    The DigestAlgorithmIdentifiers can be used to determine the hash 
algorithm in PE/COFF hashing
+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+  //
+  if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) 
!= TWO_BYTE_ENCODE)) {
     //
-    // Check the Hash algorithm in PE/COFF Authenticode.
-    //    According to PKCS#7 Definition:
-    //        SignedData ::= SEQUENCE {
-    //            version Version,
-    //            digestAlgorithms DigestAlgorithmIdentifiers,
-    //            contentInfo ContentInfo,
-    //            .... }
-    //    The DigestAlgorithmIdentifiers can be used to determine the hash 
algorithm in PE/COFF hashing
-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 
data.
-    //    Fixed offset (+32) is calculated based on two bytes of length 
encoding.
+    // Only support two bytes of Long Form of Length Encoding.
     //
-    if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
-      //
-      // Only support two bytes of Long Form of Length Encoding.
-      //
+    return EFI_BAD_BUFFER_SIZE;
+  }
+
+  for (Index = 0; Index < HASHALG_MAX; Index++) {
+    if (PkcsCertSize < 32 + mHash[Index].OidLength) {
       continue;
     }
 
-    //
     if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, 
mHash[Index].OidLength) == 0) {
       break;
     }
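Review bot: `PkcsCertSize` is taken from `mSecDataDir->SizeOfCert`, which sizes the certificate entry starting at `mImageBase + mSecDataDir->Offset`, while both reads are relative to `PkcsCertData->CertData`, which begins after the WIN_CERTIFICATE header of that entry; unless SizeOfCert already excludes the header, the `PkcsCertSize < 32 + mHash[Index].OidLength` bound is loose by the header size and should be computed against `PkcsCertSize - OFFSET_OF (WIN_CERTIFICATE_EFI_PKCS, CertData)`. Unlike the DxeImageVerificationLib commit, this hunk also adds the EFI_BAD_BUFFER_SIZE return without a matching `@retval` in the function's doc comment, and the same EFI_UNSUPPORTED vs EFI_BAD_BUFFER_SIZE mismatch between commit message and code applies here.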

>From 519366f542e9370bee982b1c3687ffedb5cabc21 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougfl...@microsoft.com>
Date: Mon, 7 Apr 2025 11:23:41 -0700
Subject: [PATCH 4/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797

This commit updates the SecurityFixes.yaml file to include
information about the CVE-2024-38797 vulnerability.

Signed-off-by: Doug Flick <dougfl...@microsoft.com>
---
 SecurityPkg/SecurityFixes.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
index b4006b42b89e..06b597a43ee5 100644
--- a/SecurityPkg/SecurityFixes.yaml
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -40,3 +40,18 @@ CVE_2022_36764:
     - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
   links:
     - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+CVE_2024_38797:
+  commit-titles:
+    - "SecurityPkg: Out of bound read in HashPeImageByType()"
+    - "SecurityPkg: Improving HashPeImageByType () logic"
+    - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"
+  cve: CVE-2024-38797
+  date_reported: 2024-06-04 12:00 UTC
+  description: Out of bound read in HashPeImageByType()
+  note:
+  files_impacted:
+    - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c
+    - 
SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=2214
+    - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
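Review bot: `note:` in the new CVE_2024_38797 entry is left without a value, which YAML parses as null; either give it content or drop the key so the entry stays consistent with its other fields, which are all populated. The backslash file paths and the two `links` entries follow the form of the CVE_2022_36764 entry above, so nothing to change there.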

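The selection logic the three code commits above converge on, as an added stand-alone C model written for this page rather than taken from edk2: it rejects buffers shorter than two bytes explicitly (instead of the patch's `AuthDataSize > 1 &&` guard), hoists the TWO_BYTE_ENCODE check out of the loop, and skips rather than aborts on an OID candidate the buffer is too short to hold. The value 0x82 for TWO_BYTE_ENCODE, the two-entry OID table, the STATUS_* codes and the sample blobs are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TWO_BYTE_ENCODE    0x82  /* assumed value: DER long form, two length octets */
#define DIGEST_ALG_OFFSET  32    /* fixed digestAlgorithms offset used by the patch */
enum { STATUS_SUCCESS = 0, STATUS_UNSUPPORTED = 1, STATUS_BAD_BUFFER_SIZE = 2 };
typedef struct { const uint8_t *Oid; size_t OidLength; } HashEntry;

/* Constructed table, 9-byte SHA-256 OID first and 5-byte SHA-1 OID second, so a
 * buffer too short for the first candidate must fall through to the second. */
static const uint8_t OidSha256[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const uint8_t OidSha1[]   = {0x2B,0x0E,0x03,0x02,0x1A};
static const HashEntry mHash[]   = {{OidSha256, 9}, {OidSha1, 5}};
#define HASHALG_MAX (sizeof mHash / sizeof mHash[0])

/* Patched selection: check the length encoding once before the loop, and treat
 * "too short for this OID" as a mismatch. *Index receives the match on success. */
int SelectHashAlg(const uint8_t *AuthData, size_t AuthDataSize, size_t *Index)
{
  /* AuthData[1] is read only once the size proves it exists (CVE-2024-38797). */
  if (AuthDataSize < 2 || (AuthData[1] & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
    return STATUS_BAD_BUFFER_SIZE;
  }
  for (size_t i = 0; i < HASHALG_MAX; i++) {
    if (AuthDataSize < DIGEST_ALG_OFFSET + mHash[i].OidLength) {
      continue;  /* the pre-fix code returned EFI_UNSUPPORTED here */
    }
    if (memcmp(AuthData + DIGEST_ALG_OFFSET, mHash[i].Oid, mHash[i].OidLength) == 0) {
      *Index = i;
      return STATUS_SUCCESS;
    }
  }
  return STATUS_UNSUPPORTED;
}

/* Index-only wrapper: -1 when no algorithm is selected. */
int SelectedHashIndex(const uint8_t *AuthData, size_t AuthDataSize)
{
  size_t Index = 0;
  return SelectHashAlg(AuthData, AuthDataSize, &Index) == STATUS_SUCCESS ? (int)Index : -1;
}

/* Constructed Authenticode-like blobs (not real signatures). */
const uint8_t OneByteBlob[1]    = {0x30};        /* the out-of-bound read case */
const uint8_t ShortFormBlob[41] = {0x30, 0x20};  /* short-form length byte: rejected */
const uint8_t Sha1Blob[37]      = {0x30, 0x82, [32] = 0x2B, 0x0E, 0x03, 0x02, 0x1A};
const uint8_t Sha256Blob[41]    = {0x30, 0x82, [32] = 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
const uint8_t UnknownBlob[41]   = {0x30, 0x82};  /* zeros at +32: no OID matches */
```

Passing `Sha1Blob` with a size of 36 instead of 37 shows the difference from the pre-fix loop: the SHA-256 candidate is skipped, the SHA-1 candidate no longer fits either, and the result is STATUS_UNSUPPORTED rather than an out-of-bound compare.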