Doug:
Is there any functionality impact from these two CVE fixes?
Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Doug Flick via groups.io
> Sent: May 9, 2024 13:56
> To: devel@edk2.groups.io
> Cc: Liming Gao
> Subject: [edk2-devel] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and
> CVE-2023-45237
>
>
> REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
>
> This patch series patches the following CVEs:
> - CVE-2023-45236: Predictable TCP Initial Sequence Numbers
> - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
>
> In order to patch these CVEs, the following changes were made:
> - NetworkPkg no longer performs its own random number generation,
> instead it uses EFI_RNG_PROTOCOL provided by the platform to
> generate random numbers.
> - This change was made such that any future random number
> generation vulnerabilities will be a result of the platforms
> implementation of the EFI_RNG_PROTOCOL and not the NetworkPkg
>
> - NetworkPkg uses the TCP initial sequence number algorithm as described
> in RFC 6528 to generate the initial sequence number for TCP connections.
> - This change was made to ensure that the initial sequence number
> is not predictable and therefore cannot be used in a TCP hijacking
> attack.
>
> In addition to the above changes, the following changes were made:
> - EmulatorPkg OvmfPkg, and ArmVirtPkg were updated to include the
> Hash2DxeCrypto driver to support TCP ISN generation using
> EFI_HASH2_PROTOCOL
>
> - EmulatorPkg was updated to include the
> RngDxe driver to support random number generation using the
> EFI_RNG_PROTOCOL
>
> - OvmfPkg, and ArmVirtPkg were updated to include the
> virtio-rng-pci device to support random number generation using the
> EFI_RNG_PROTOCOL using the existing VirtioRngDxe driver
>
> - SecurityPkg was updated to fix an incorrect limitation on the
> GetRng function in the RngDxe driver where the minimum amount of
> random data that could be requested was 32 bytes (256 bits) instead
> of what the caller requested
>
> - MdePkg was updated to include MockUefiBootServicesTableLib,
> MockRng, and MockHash2 protocols for testing
>
> - NetworkPkg was updated to include a test for the PxeBcDhcp6 driver
> due to underlying changes
>
> Cc: Liming Gao
>
> Signed-off-by: Doug Flick [MSFT]
>
> Doug Flick (13):
> EmulatorPkg: : Add RngDxe to EmulatorPkg
> EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg
> OvmfPkg:PlatformCI: Support virtio-rng-pci
> OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg
> ArmVirtPkg:PlatformCI: Support virtio-rng-pci
> ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg
> SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
> NetworkPkg:: SECURITY PATCH CVE-2023-45237
> NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236
> MdePkg: : Add MockUefiBootServicesTableLib
> MdePkg: : Adds Protocol for MockRng
> MdePkg: Add MockHash2 Protocol for testing
> NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes
>
> NetworkPkg/NetworkPkg.dec | 7 +
> ArmVirtPkg/ArmVirtQemu.dsc | 5 +
> ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 +
> EmulatorPkg/EmulatorPkg.dsc | 14 +-
> MdePkg/Test/MdePkgHostTest.dsc | 1 +
> NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
> OvmfPkg/OvmfPkgIa32.dsc | 6 +-
> OvmfPkg/OvmfPkgIa32X64.dsc | 6 +-
> OvmfPkg/OvmfPkgX64.dsc | 6 +-
> OvmfPkg/OvmfXen.dsc | 5 +
> EmulatorPkg/EmulatorPkg.fdf | 11 +-
> OvmfPkg/OvmfPkgIa32.fdf | 5 +
> OvmfPkg/OvmfPkgIa32X64.fdf | 5 +
> OvmfPkg/OvmfPkgX64.fdf | 5 +
> OvmfPkg/OvmfXen.fdf | 5 +
>
> MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf | 32 +++
> NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 13 +-
> NetworkPkg/TcpDxe/TcpDxe.inf | 11 +-
> NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf | 3 +-
>
> MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h | 78 +++
> MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h | 67 ++
> MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h | 48
> NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +-
> NetworkPkg/Include/Library/NetLib.h | 40 +++-
> NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +-
> NetworkPkg/TcpDxe/TcpFunc.h | 23 +-
> NetworkPkg/TcpDxe/TcpMain.h | 59 -
> NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +-
> NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +-
> NetworkPkg/DnsDxe/DnsDhcp.c | 10 +-
> NetworkPkg/DnsDxe/DnsImpl.c | 11 +-
> NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +-
> NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 +-
> NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +-
> NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +-
> NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +-
> NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 +-
> NetworkPkg/Ip6Dxe/Ip6If.c | 12 +-
>