From: Hongxu Jia <hongxu.jia@windriver.com>
To: Fabien Thomas <fabien.thomas@smile.fr>,
openembedded-core@lists.openembedded.org, yoann.congal@smile.fr
Subject: Re: [OE-core] [scarthgap][PATCH 3/3] ovmf: fix CVE-2024-38798
Date: Thu, 30 Apr 2026 20:05:15 +0800 [thread overview]
Message-ID: <29edab2d-29e6-49f3-88ec-6eb1d831214c@windriver.com> (raw)
In-Reply-To: <DI6DQKDSGHF1.244EBN969P2YA@smile.fr>
On 4/30/26 17:25, Fabien Thomas wrote:
>
> On Mon Apr 27, 2026 at 6:56 AM CEST, hongxu via lists.openembedded.org wrote:
>> According to [1],
>>
>> EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
>> Sensitive Information to an Unauthorized Actor” by local access. Successful
>> exploitation of this vulnerability will lead to possible information disclosure
>> or escalation of privilege and impact Confidentiality.
>>
>> Backport a patch [2] from upstream to fix CVE-2024-38798
>>
>> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
>> [2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> .../ovmf/ovmf/CVE-2024-38798.patch | 116 ++++++++++++++++++
>> meta/recipes-core/ovmf/ovmf_git.bb | 1 +
>> 2 files changed, 117 insertions(+)
>> create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>
>> diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>> new file mode 100644
>> index 0000000000..2d0a73c7a6
>> --- /dev/null
>> +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>> @@ -0,0 +1,116 @@
>> +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
>> +From: Hongxu Jia <hongxu.jia@windriver.com>
>> +Date: Mon, 5 Jan 2026 13:04:18 +0800
>> +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
>> +
>> +There is a possibility to retrieve user input keystroke data stored in the
>> +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
>> +exposure of the password string, clear the queue buffer by filling it
>> +with zeros after reading.
>> +
>> +Signed-off-by: Nick Wang <nick.wang@insyde.com>
>> +
>> +CVE: CVE-2024-38798
>> +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> +---
>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c | 2 ++
>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c | 1 +
>> + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 2 +-
>> + .../Universal/Console/ConSplitterDxe/ConSplitter.c | 1 +
>> + .../Universal/Console/TerminalDxe/TerminalConIn.c | 8 ++++++--
>> + 5 files changed, 11 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>> +index 981309f..32757a7 100644
>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>> +@@ -650,6 +650,8 @@ PopScancodeBufHead (
>> + if (Buf != NULL) {
>> + Buf[Index] = Queue->Buffer[Queue->Head];
>> + }
>> ++
>> ++ Queue->Buffer[Queue->Head] = 0;
>> + }
>> +
>> + return EFI_SUCCESS;
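Review bot: the new `Queue->Buffer[Queue->Head] = 0;` in PopScancodeBufHead deserves a one-line comment saying why the slot is cleared (keystroke data must not remain readable in the ring, as the commit message explains) and that it intentionally sits outside `if (Buf != NULL)` so a discard pop clears the slot as well; without that comment a later cleanup could pull the store inside the conditional and reintroduce the leak for discarded scancodes.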
>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>> +index 81d3c6e..e03c88f 100644
>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>> +@@ -51,6 +51,7 @@ PopEfikeyBufHead (
>> + CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>> + }
>> +
>> ++ ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>> + Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
>> + return EFI_SUCCESS;
>> + }
>> +diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>> +index b5a6459..7df1566 100644
>> +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>> ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>> +@@ -1840,7 +1840,7 @@ Dequeue (
>> + }
>> +
>> + CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
>> +-
>> ++ ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
>> + //
>> + // Adjust the head pointer of the FIFO keyboard buffer.
>> + //
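Review bot: in Dequeue, the blank line that separated the CopyMem from the `// Adjust the head pointer of the FIFO keyboard buffer.` comment block was replaced by the ZeroMem call, so the comment block now butts directly against code; restore an empty line after `ZeroMem (Queue->Buffer[Queue->Head], ItemSize);` to keep the file's existing spacing. The ZeroMem takes `Queue->Buffer[Queue->Head]` without `&`, matching the CopyMem source argument above it, so the pointer form is consistent.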
>> +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>> +index 0a776f3..5c1a35e 100644
>> +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>> ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>> +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
>> + &Private->KeyQueue[1],
>> + Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
>> + );
>> ++ ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
>> + return EFI_SUCCESS;
>> + }
>> +
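Review bot: in ConSplitterTextInExDequeueKey, `ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));` addresses the vacated tail slot only if `CurrentNumberOfKeys` has already been decremented before the preceding CopyMem; the copy length `Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)` shown here is consistent with that, but the decrement itself is outside the hunk, so please confirm it precedes this point, otherwise the cleared slot is off by one.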
>> +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>> +index f1d0a34..8aafb4b 100644
>> +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>> ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>> +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
>> + return FALSE;
>> + }
>> +
>> +- *Output = TerminalDevice->RawFiFo->Data[Head];
>> ++ *Output = TerminalDevice->RawFiFo->Data[Head];
>> ++ TerminalDevice->RawFiFo->Data[Head] = 0;
>> +
>> + TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
>> +
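Review bot: in RawFiFoRemoveOneKey the `-`/`+` pair for `*Output = TerminalDevice->RawFiFo->Data[Head];` is textually identical as shown, so that pair is a whitespace-only re-indent and the single functional change is `TerminalDevice->RawFiFo->Data[Head] = 0;`; unless the project's formatter requires the re-alignment, drop the churn so the hunk shows only the one added line. The same applies to the UnicodeFiFoRemoveOneKey hunk further down.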
>> +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
>> + }
>> +
>> + CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> ++ ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> +
>> + EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>> +
>> +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
>> + }
>> +
>> + CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> ++ ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> +
>> + TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>> +
>> +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
>> + Head = TerminalDevice->UnicodeFiFo->Head;
>> + ASSERT (Head < FIFO_MAX_NUMBER + 1);
>> +
>> +- *Output = TerminalDevice->UnicodeFiFo->Data[Head];
>> ++ *Output = TerminalDevice->UnicodeFiFo->Data[Head];
>> ++ TerminalDevice->UnicodeFiFo->Data[Head] = 0;
>> +
>> + TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>> + }
>> +--
>> +2.34.1
>> +
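Review bot: the backported patch header reads `From: Hongxu Jia` with a 2026 date, while the fix itself carries `Signed-off-by: Nick Wang <nick.wang@insyde.com>` and the Upstream-Status points at the tianocore commit; consider keeping the upstream author and date in the `From:`/`Date:` lines (as `git format-patch` of a cherry-pick produces) and adding only the `CVE:`, `Upstream-Status:` and your own Signed-off-by, so the patch file's provenance matches the upstream commit it references.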
>> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
>> index f0503db9fb..85b3d7c911 100644
>> --- a/meta/recipes-core/ovmf/ovmf_git.bb
>> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
>> @@ -36,6 +36,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
>> file://CVE-2025-2296-7.patch \
>> file://CVE-2025-2296-8.patch \
>> file://CVE-2025-2296-9.patch \
>> + file://CVE-2024-38798.patch \
>> "
>>
>> PV = "edk2-stable202402"
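Review bot: the SRC_URI hunk's context lines are `file://CVE-2025-2296-7.patch`, `-8` and `-9`, which are introduced by the companion "[PATCH 2/3] ovmf: fix CVE-2025-2296", so this hunk only applies on top of 2/3; that ordering dependency is relevant to the apply failure reported below and should be stated in the cover letter, or the hunk re-based so each patch applies independently.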
> Hello Hongxu,
>
> I'm filling in for Yoann while he's on leave.
>
> It appears that the patches from commits "[PATCH 2/3] ovmf: fix CVE-2025-2296"
> and "[PATCH 3/3] ovmf: fix CVE-2024-38798" do not apply to either the
> scarthgap-next or the scarthgap branch:
> `Patch 0001-AmdSev-Halt-on-failed-blob-allocation.patch does not apply`
> `Patch CVE-2024-38798.patch does not apply`
>
> Could you take another look at this?
Hi Thomas,
I could apply the patch on the latest scarthgap. I am afraid it was caused
by the `CR' at the end of lines.
Would you please apply the patch with `git am --keep-cr 00*.patch' or
cherry-pick from my GitHub by following these steps:
$ git fetch https://github.com/hongxu-jia/openembedded-core.git scarthgap
$ git log HEAD..FETCH_HEAD --oneline
405b06db9d (scarthgap) ovmf: fix CVE-2024-38798
5b951e8d74 ovmf: fix CVE-2025-2296
2b93d45cfa u-boot: fix CVE-2025-24857
$ git cherry-pick 2b93d45cfa 5b951e8d74 405b06db9d
//Hongxu
>
> --
> Fabien Thomas
> Smile ECS
>