Doug:

Is there any functional impact from these two CVE fixes?

Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Doug Flick via groups.io
> Sent: May 9, 2024 13:56
> To: devel@edk2.groups.io
> Cc: Liming Gao <gaolim...@byosoft.com.cn>
> Subject: [edk2-devel] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and CVE-2023-45237
>
> REF: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
>
> This patch series patches the following CVEs:
> - CVE-2023-45236: Predictable TCP Initial Sequence Numbers
> - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
>
> In order to patch these CVEs, the following changes were made:
> - NetworkPkg no longer performs its own random number generation;
>   instead it uses EFI_RNG_PROTOCOL provided by the platform to
>   generate random numbers.
>   - This change was made such that any future random number
>     generation vulnerabilities will be a result of the platform's
>     implementation of the EFI_RNG_PROTOCOL and not the NetworkPkg.
>
> - NetworkPkg uses the TCP initial sequence number algorithm as described
>   in RFC 6528 to generate the initial sequence number for TCP connections.
>   - This change was made to ensure that the initial sequence number
>     is not predictable and therefore cannot be used in a TCP hijacking
>     attack.
>
> In addition to the above changes, the following changes were made:
> - EmulatorPkg, OvmfPkg, and ArmVirtPkg were updated to include the
>   Hash2DxeCrypto driver to support TCP ISN generation using
>   EFI_HASH2_PROTOCOL
>
> - EmulatorPkg was updated to include the RngDxe driver to support
>   random number generation using the EFI_RNG_PROTOCOL
>
> - OvmfPkg and ArmVirtPkg were updated to include the virtio-rng-pci
>   device to support random number generation using the EFI_RNG_PROTOCOL
>   via the existing VirtioRngDxe driver
>
> - SecurityPkg was updated to fix an incorrect limitation on the
>   GetRng function in the RngDxe driver where the minimum amount of
>   random data that could be requested was 32 bytes (256 bits) instead
>   of what the caller requested
>
> - MdePkg was updated to include MockUefiBootServicesTableLib,
>   MockRng, and MockHash2 protocols for testing
>
> - NetworkPkg was updated to include a test for the PxeBcDhcp6 driver
>   due to underlying changes
>
> Cc: Liming Gao <gaolim...@byosoft.com.cn>
>
> Signed-off-by: Doug Flick [MSFT] <doug.e...@gmail.com>
>
> Doug Flick (13):
>   EmulatorPkg: : Add RngDxe to EmulatorPkg
>   EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg
>   OvmfPkg:PlatformCI: Support virtio-rng-pci
>   OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg
>   ArmVirtPkg:PlatformCI: Support virtio-rng-pci
>   ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg
>   SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
>   NetworkPkg:: SECURITY PATCH CVE-2023-45237
>   NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236
>   MdePkg: : Add MockUefiBootServicesTableLib
>   MdePkg: : Adds Protocol for MockRng
>   MdePkg: Add MockHash2 Protocol for testing
>   NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes
>
>  NetworkPkg/NetworkPkg.dec                                                                          |   7 +
>  ArmVirtPkg/ArmVirtQemu.dsc                                                                         |   5 +
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                                                                   |   5 +
>  EmulatorPkg/EmulatorPkg.dsc                                                                        |  14 +-
>  MdePkg/Test/MdePkgHostTest.dsc                                                                     |   1 +
>  NetworkPkg/Test/NetworkPkgHostTest.dsc                                                             |   1 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                            |   6 +-
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                                         |   6 +-
>  OvmfPkg/OvmfPkgX64.dsc                                                                             |   6 +-
>  OvmfPkg/OvmfXen.dsc                                                                                |   5 +
>  EmulatorPkg/EmulatorPkg.fdf                                                                        |  11 +-
>  OvmfPkg/OvmfPkgIa32.fdf                                                                            |   5 +
>  OvmfPkg/OvmfPkgIa32X64.fdf                                                                         |   5 +
>  OvmfPkg/OvmfPkgX64.fdf                                                                             |   5 +
>  OvmfPkg/OvmfXen.fdf                                                                                |   5 +
>  MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf  |  32 +++
>  NetworkPkg/Library/DxeNetLib/DxeNetLib.inf                                                         |  13 +-
>  NetworkPkg/TcpDxe/TcpDxe.inf                                                                       |  11 +-
>  NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf                                      |   3 +-
>  MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h                         |  78 +++++++
>  MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h                                           |  67 ++++++
>  MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h                                             |  48 ++++
>  NetworkPkg/IScsiDxe/IScsiMisc.h                                                                    |   6 +-
>  NetworkPkg/Include/Library/NetLib.h                                                                |  40 +++-
>  NetworkPkg/Ip6Dxe/Ip6Nd.h                                                                          |   8 +-
>  NetworkPkg/TcpDxe/TcpFunc.h                                                                        |  23 +-
>  NetworkPkg/TcpDxe/TcpMain.h                                                                        |  59 ++++-
>  NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c                                                                  |  10 +-
>  NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c                                                                  |  11 +-
>  NetworkPkg/DnsDxe/DnsDhcp.c                                                                        |  10 +-
>  NetworkPkg/DnsDxe/DnsImpl.c                                                                        |  11 +-
>  NetworkPkg/HttpBootDxe/HttpBootDhcp6.c                                                             |  10 +-
>  NetworkPkg/IScsiDxe/IScsiCHAP.c                                                                    |  19 +-
>  NetworkPkg/IScsiDxe/IScsiMisc.c                                                                    |  14 +-
>  NetworkPkg/Ip4Dxe/Ip4Driver.c                                                                      |  10 +-
>  NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c                                                                  |   9 +-
>  NetworkPkg/Ip6Dxe/Ip6Driver.c                                                                      |  17 +-
>  NetworkPkg/Ip6Dxe/Ip6If.c                                                                          |  12 +-
>  NetworkPkg/Ip6Dxe/Ip6Mld.c                                                                         |  12 +-
>  NetworkPkg/Ip6Dxe/Ip6Nd.c                                                                          |  33 ++-
>  NetworkPkg/Library/DxeNetLib/DxeNetLib.c                                                           | 129 +++++++++--
>  NetworkPkg/TcpDxe/TcpDriver.c                                                                      | 105 ++++++++-
>  NetworkPkg/TcpDxe/TcpInput.c                                                                       |  13 +-
>  NetworkPkg/TcpDxe/TcpMisc.c                                                                        | 242 ++++++++++++++++++--
>  NetworkPkg/TcpDxe/TcpTimer.c                                                                       |   3 +-
>  NetworkPkg/Udp4Dxe/Udp4Driver.c                                                                    |  10 +-
>  NetworkPkg/Udp6Dxe/Udp6Driver.c                                                                    |  11 +-
>  NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c                                                               |   9 +-
>  NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c                                                               |  11 +-
>  NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c                                                              |  12 +-
>  SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c                                             |   8 -
>  ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc                                                               |   5 +
>  ArmVirtPkg/PlatformCI/PlatformBuildLib.py                                                          |   2 +
>  MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp  |  69 ++++++
>  MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp                                         |  27 +++
>  MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp                                           |  21 ++
>  NetworkPkg/SecurityFixes.yaml                                                                      |  61 +++++
>  NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp                                        | 102 ++++++++-
>  OvmfPkg/PlatformCI/PlatformBuildLib.py                                                             |   2 +
>  59 files changed, 1345 insertions(+), 150 deletions(-)
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
>  create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h
>  create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h
>  create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp
>
> --
> 2.34.1
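The RFC 6528 construction that the CVE-2023-45236 patch adopts, written out as an added example (not edk2 code and not part of this thread): ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is the RFC 793 clock that ticks every 4 microseconds and F is a keyed pseudorandom function of the connection 4-tuple. In edk2 the cover letter says F is driven through EFI_HASH2_PROTOCOL and the random material comes from EFI_RNG_PROTOCOL; this example instead assumes SipHash-2-4 as F and takes the secret as a parameter so it builds with a plain C compiler. TCP_4TUPLE, TcpIsnRfc6528, SampleIsn, SipHashKat and the sample addresses and secret are hypothetical names and constructed inputs.

```c
/* RFC 6528 style TCP ISN: ISN = M + F(4-tuple, secret) mod 2^32.
 * Added illustration, not edk2 code. F is assumed to be SipHash-2-4. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND(v0, v1, v2, v3) do {                               \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);   \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                        \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                        \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);   \
  } while (0)

static uint64_t U8To64Le(const uint8_t *p) {
  uint64_t v = 0;
  for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
  return v;
}

/* SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit tag. Used as F. */
uint64_t SipHash24(const uint8_t *In, size_t InLen, const uint8_t Key[16]) {
  uint64_t k0 = U8To64Le(Key), k1 = U8To64Le(Key + 8);
  uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
  uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
  size_t i;
  for (i = 0; i + 8 <= InLen; i += 8) {              /* full 8-byte blocks */
    uint64_t m = U8To64Le(In + i);
    v3 ^= m; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m;
  }
  uint64_t b = (uint64_t)InLen << 56;                /* tail + length byte */
  for (size_t j = 0; i + j < InLen; j++) b |= (uint64_t)In[i + j] << (8 * j);
  v3 ^= b; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
  v2 ^= 0xff;
  for (int r = 0; r < 4; r++) SIPROUND(v0, v1, v2, v3);
  return v0 ^ v1 ^ v2 ^ v3;
}

/* Connection 4-tuple; IpLen is 4 for IPv4 or 16 for IPv6, addresses in wire order. */
typedef struct {
  uint8_t  LocalIp[16], RemoteIp[16];
  size_t   IpLen;
  uint16_t LocalPort, RemotePort;
} TCP_4TUPLE;

/* Serialize the tuple unambiguously: addresses verbatim, ports big-endian. */
static size_t EncodeTuple(const TCP_4TUPLE *T, uint8_t Out[36]) {
  size_t n = 0;
  memcpy(Out + n, T->LocalIp, T->IpLen);  n += T->IpLen;
  Out[n++] = (uint8_t)(T->LocalPort >> 8);  Out[n++] = (uint8_t)T->LocalPort;
  memcpy(Out + n, T->RemoteIp, T->IpLen); n += T->IpLen;
  Out[n++] = (uint8_t)(T->RemotePort >> 8); Out[n++] = (uint8_t)T->RemotePort;
  return n;
}

/* NowUs: microseconds from any monotonic clock. M = NowUs / 4 is the RFC 793
 * clock; the low 32 bits of the SipHash tag are F. Secret must come from a
 * real RNG once per boot (EFI_RNG_PROTOCOL in firmware), never a constant. */
uint32_t TcpIsnRfc6528(const TCP_4TUPLE *T, const uint8_t Secret[16], uint64_t NowUs) {
  uint8_t  Buf[36];
  size_t   Len = EncodeTuple(T, Buf);
  uint32_t M   = (uint32_t)(NowUs / 4);
  uint32_t F   = (uint32_t)SipHash24(Buf, Len, Secret);
  return M + F;                                       /* wraps mod 2^32 */
}

/* Constructed sample input: a fixed secret (for the demo only) and one IPv4 flow. */
static const uint8_t kSampleSecret[16] = { 0x3c, 0xa1, 0x5e, 0x77, 0x08, 0xd9, 0x42, 0xb6,
                                           0x91, 0x2f, 0xe4, 0x0b, 0x6d, 0xc8, 0x15, 0xfa };
static const uint8_t kLocalIp[4]  = { 10, 0, 0, 5 };
static const uint8_t kRemoteIp[4] = { 192, 0, 2, 10 };

uint32_t SampleIsn(uint64_t NowUs) {
  TCP_4TUPLE T;
  memset(&T, 0, sizeof T);
  memcpy(T.LocalIp, kLocalIp, 4);
  memcpy(T.RemoteIp, kRemoteIp, 4);
  T.IpLen = 4; T.LocalPort = 49152; T.RemotePort = 443;
  return TcpIsnRfc6528(&T, kSampleSecret, NowUs);
}

/* Known-answer check for F: key 00..0f, message 00..0e (SipHash paper, Appendix A). */
uint64_t SipHashKat(void) {
  uint8_t k[16], m[15];
  for (int i = 0; i < 16; i++) k[i] = (uint8_t)i;
  for (int i = 0; i < 15; i++) m[i] = (uint8_t)i;
  return SipHash24(m, 15, k);
}

int main(void) {
  printf("SipHash-2-4 KAT: %s\n", SipHashKat() == 0xa129ca6149be45e5ULL ? "ok" : "FAIL");
  printf("ISN(t=1000us) = 0x%08x\n", SampleIsn(1000));
  printf("ISN(t=1040us) = 0x%08x (exactly 10 ticks of 4us later)\n", SampleIsn(1040));
  return 0;
}
```

The property worth checking is that two ISNs for the same 4-tuple differ only by the clock term, so the per-connection offset F never changes and is never exposed directly; an observer who can guess the clock still cannot predict another connection's ISN without the secret, which is what breaks the hijacking attack the cover letter describes. The secret is the piece that has to come from EFI_RNG_PROTOCOL, and a caller asking for a secret shorter than 32 bytes is exactly the case the RngDxe GetRng limitation in the same series would have refused.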
View/Reply Online (#118760): https://edk2.groups.io/g/devel/message/118760