* [OE-core][kirkstone 01/22] u-boot: Fix CVE-2022-30767
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 02/22] u-boot: fix CVE-2022-2347 and CVE-2022-30790 Steve Sakoman
` (20 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Carlos Dominguez <carlos.dominguez@windriver.com>
This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.
Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/0001-CVE-2022-30767.patch | 44 +++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
new file mode 100644
index 0000000000..aee7f05ab4
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
@@ -0,0 +1,44 @@
+From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022
+From: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Date: Tue, 14 Jun 2022 17:16:00 +0200
+Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
+
+This patch mitigates the vulnerability identified via CVE-2019-14196.
+The previous patch was bypassed/ineffective, and now the vulnerability
+is identified via CVE-2022-30767. The patch removes the sanity check
+introduced to mitigate CVE-2019-14196 since it's ineffective.
+filefh3_length is changed to unsigned type integer, preventing negative
+numbers from being used during comparison with positive values during
+size sanity checks.
+
+CVE: CVE-2019-14196
+
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80]
+Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com>
+---
+ net/nfs.c | 4 +---
+ 1 file changed, 1 insertions(+), 3 deletions(-)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 70d0e08bde..3003f54aac 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT;
+
+ static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
+ static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
+-static int filefh3_length; /* (variable) length of filefh when NFSv3 */
++static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */
+
+ static enum net_loop_state nfs_download_state;
+ static struct in_addr nfs_server_ip;
+@@ -578,8 +578,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+ filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+ if (filefh3_length > NFS3_FHSIZE)
+ filefh3_length = NFS3_FHSIZE;
+- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+- return -NFS_RPC_DROP;
+ memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+ }
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c4cfcbca19..cd40ad1a7d 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -7,6 +7,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \
file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \
+ file://0001-CVE-2022-30767.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 02/22] u-boot: fix CVE-2022-2347 and CVE-2022-30790
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 01/22] u-boot: Fix CVE-2022-30767 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 03/22] u-boot: fix CVE-2024-57254 Steve Sakoman
` (19 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Backport appropriate patches to fix CVE-2022-2347 and CVE-2022-30790.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2022-2347_1.patch | 129 +++++++++++++++
.../u-boot/files/CVE-2022-2347_2.patch | 66 ++++++++
.../u-boot/files/CVE-2022-30790.patch | 149 ++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 3 +
4 files changed, 347 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch
new file mode 100644
index 0000000000..34ee82c3a5
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch
@@ -0,0 +1,129 @@
+From 9d2d2deabc49dbedf93a7192b25f55d9933fcede Mon Sep 17 00:00:00 2001
+From: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
+Date: Thu, 3 Nov 2022 09:37:48 +0530
+Subject: [PATCH 1/2] usb: gadget: dfu: Fix the unchecked length field
+
+DFU implementation does not bound the length field in USB
+DFU download setup packets, and it does not verify that
+the transfer direction. Fixing the length and transfer
+direction.
+
+CVE-2022-2347
+
+Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+
+CVE: CVE-2022-2347
+Upstream-Status: Backport [fbce985e28eaca3af82afecc11961aadaf971a7e]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ drivers/usb/gadget/f_dfu.c | 56 +++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index 4bedc7d3a1..33ef62f8ba 100644
+--- a/drivers/usb/gadget/f_dfu.c
++++ b/drivers/usb/gadget/f_dfu.c
+@@ -321,21 +321,29 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_DNLOAD:
+- if (len == 0) {
+- f_dfu->dfu_state = DFU_STATE_dfuERROR;
+- value = RET_STALL;
+- break;
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ if (len == 0) {
++ f_dfu->dfu_state = DFU_STATE_dfuERROR;
++ value = RET_STALL;
++ break;
++ }
++ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++ f_dfu->blk_seq_num = w_value;
++ value = handle_dnload(gadget, len);
+ }
+- f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+- f_dfu->blk_seq_num = w_value;
+- value = handle_dnload(gadget, len);
+ break;
+ case USB_REQ_DFU_UPLOAD:
+- f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+- f_dfu->blk_seq_num = 0;
+- value = handle_upload(req, len);
++ if (ctrl->bRequestType == USB_DIR_IN) {
++ f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
++ f_dfu->blk_seq_num = 0;
++ value = handle_upload(req, len);
++ if (value >= 0 && value < len)
++ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ }
+ break;
+ case USB_REQ_DFU_ABORT:
+ /* no zlp? */
+@@ -424,11 +432,15 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_DNLOAD:
+- f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+- f_dfu->blk_seq_num = w_value;
+- value = handle_dnload(gadget, len);
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++ f_dfu->blk_seq_num = w_value;
++ value = handle_dnload(gadget, len);
++ }
+ break;
+ case USB_REQ_DFU_ABORT:
+ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -511,13 +523,17 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_UPLOAD:
+- /* state transition if less data then requested */
+- f_dfu->blk_seq_num = w_value;
+- value = handle_upload(req, len);
+- if (value >= 0 && value < len)
+- f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ if (ctrl->bRequestType == USB_DIR_IN) {
++ /* state transition if less data then requested */
++ f_dfu->blk_seq_num = w_value;
++ value = handle_upload(req, len);
++ if (value >= 0 && value < len)
++ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ }
+ break;
+ case USB_REQ_DFU_ABORT:
+ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -593,6 +609,8 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ int value = 0;
+ u8 req_type = ctrl->bRequestType & USB_TYPE_MASK;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ debug("w_value: 0x%x len: 0x%x\n", w_value, len);
+ debug("req_type: 0x%x ctrl->bRequest: 0x%x f_dfu->dfu_state: 0x%x\n",
+ req_type, ctrl->bRequest, f_dfu->dfu_state);
+@@ -612,7 +630,7 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ value = dfu_state[f_dfu->dfu_state] (f_dfu, ctrl, gadget, req);
+
+ if (value >= 0) {
+- req->length = value;
++ req->length = value > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : value;
+ req->zero = value < len;
+ value = usb_ep_queue(gadget->ep0, req, 0);
+ if (value < 0) {
+--
+2.32.0
+
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch
new file mode 100644
index 0000000000..708c7923d2
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch
@@ -0,0 +1,66 @@
+From 0f465b3e81baa095b62a154a739c5378285526db Mon Sep 17 00:00:00 2001
+From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Date: Wed, 30 Nov 2022 09:29:16 +0100
+Subject: [PATCH 2/2] usb: gadget: dfu: Fix check of transfer direction
+
+Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
+blocks DFU usb requests.
+The verification of the transfer direction was done by an equality
+but it is a bit mask.
+
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Reviewed-by: Fabio Estevam <festevam@denx.de>
+Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Tested-by: Marek Vasut <marex@denx.de>
+
+CVE: CVE-2022-2347
+Upstream-Status: Backport [14dc0ab138988a8e45ffa086444ec8db48b3f103]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ drivers/usb/gadget/f_dfu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index 33ef62f8ba..44877df4ec 100644
+--- a/drivers/usb/gadget/f_dfu.c
++++ b/drivers/usb/gadget/f_dfu.c
+@@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_DNLOAD:
+- if (ctrl->bRequestType == USB_DIR_OUT) {
++ if (!(ctrl->bRequestType & USB_DIR_IN)) {
+ if (len == 0) {
+ f_dfu->dfu_state = DFU_STATE_dfuERROR;
+ value = RET_STALL;
+@@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ }
+ break;
+ case USB_REQ_DFU_UPLOAD:
+- if (ctrl->bRequestType == USB_DIR_IN) {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+ f_dfu->blk_seq_num = 0;
+ value = handle_upload(req, len);
+@@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
+
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_DNLOAD:
+- if (ctrl->bRequestType == USB_DIR_OUT) {
++ if (!(ctrl->bRequestType & USB_DIR_IN)) {
+ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+ f_dfu->blk_seq_num = w_value;
+ value = handle_dnload(gadget, len);
+@@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_UPLOAD:
+- if (ctrl->bRequestType == USB_DIR_IN) {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ /* state transition if less data then requested */
+ f_dfu->blk_seq_num = w_value;
+ value = handle_upload(req, len);
+--
+2.32.0
+
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch b/meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch
new file mode 100644
index 0000000000..e67cf391a8
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch
@@ -0,0 +1,149 @@
+From 1817c3824a08bbad7fd2fbae1a6e73be896e8e5e Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Fri, 14 Oct 2022 19:43:39 +0200
+Subject: [PATCH] net: (actually/better) deal with CVE-2022-{30790,30552}
+
+I hit a strange problem with v2022.10: Sometimes my tftp transfer
+would seemingly just hang. It only happened for some files. Moreover,
+changing tftpblocksize from 65464 to 65460 or 65000 made it work again
+for all the files I tried. So I started suspecting it had something to
+do with the file sizes and in particular the way the tftp blocks get
+fragmented and reassembled.
+
+v2022.01 showed no problems with any of the files or any value of
+tftpblocksize.
+
+Looking at what had changed in net.c or tftp.c since January showed
+only one remotely interesting thing, b85d130ea0ca.
+
+So I fired up wireshark on my host to see if somehow one of the
+packets would be too small. But no, with both v2022.01 and v2022.10,
+the exact same sequence of packets were sent, all but the last of size
+1500, and the last being 1280 bytes.
+
+But then it struck me that 1280 is 5*256, so one of the two bytes
+on-the-wire is 0 and the other is 5, and when then looking at the code
+again the lack of endianness conversion becomes obvious. [ntohs is
+both applied to ip->ip_off just above, as well as to ip->ip_len just a
+little further down when the "len" is actually computed].
+
+IOWs the current code would falsely reject any packet which happens to
+be a multiple of 256 bytes in size, breaking tftp transfers somewhat
+randomly, and if it did get one of those "malicious" packets with
+ip_len set to, say, 27, it would be seen by this check as being 6912
+and hence not rejected.
+
+====
+
+Now, just adding the missing ntohs() would make my initial problem go
+away, in that I can now download the file where the last fragment ends
+up being 1280 bytes. But there's another bug in the code and/or
+analysis: The right-hand side is too strict, in that it is ok for the
+last fragment not to have a multiple of 8 bytes as payload - it really
+must be ok, because nothing in the IP spec says that IP datagrams must
+have a multiple of 8 bytes as payload. And comments in the code also
+mention this.
+
+To fix that, replace the comparison with <= IP_HDR_SIZE and add
+another check that len is actually a multiple of 8 when the "more
+fragments" bit is set - which it necessarily is for the case where
+offset8 ends up being 0, since we're only called when
+
+ (ip_off & (IP_OFFS | IP_FLAGS_MFRAG)).
+
+====
+
+So, does this fix CVE-2022-30790 for real? It certainly correctly
+rejects the POC code which relies on sending a packet of size 27 with
+the MFRAG flag set. Can the attack be carried out with a size 27
+packet that doesn't set MFRAG (hence must set a non-zero fragment
+offset)? I dunno. If we get a packet without MFRAG, we update
+h->last_byte in the hole we've found to be start+len, hence we'd enter
+one of
+
+ if ((h >= thisfrag) && (h->last_byte <= start + len)) {
+
+or
+
+ } else if (h->last_byte <= start + len) {
+
+and thus won't reach any of the
+
+ /* overlaps with initial part of the hole: move this hole */
+ newh = thisfrag + (len / 8);
+
+ /* fragment sits in the middle: split the hole */
+ newh = thisfrag + (len / 8);
+
+IOW these division are now guaranteed to be exact, and thus I think
+the scenario in CVE-2022-30790 cannot happen anymore.
+
+====
+
+However, there's a big elephant in the room, which has always been
+spelled out in the comments, and which makes me believe that one can
+still cause mayhem even with packets whose payloads are all 8-byte
+aligned:
+
+ This code doesn't deal with a fragment that overlaps with two
+ different holes (thus being a superset of a previously-received
+ fragment).
+
+Suppose each character below represents 8 bytes, with D being already
+received data, H being a hole descriptor (struct hole), h being
+non-populated chunks, and P representing where the payload of a just
+received packet should go:
+
+ DDDHhhhhDDDDHhhhDDDD
+ PPPPPPPPP
+
+I'm pretty sure in this case we'd end up with h being the first hole,
+enter the simple
+
+ } else if (h->last_byte <= start + len) {
+ /* overlaps with final part of the hole: shorten this hole */
+ h->last_byte = start;
+
+case, and thus in the memcpy happily overwrite the second H with our
+chosen payload. This is probably worth fixing...
+
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+CVE: CVE-2022-30790
+Upstream-Status: Backport [1817c3824a08bbad7fd2fbae1a6e73be896e8e5e]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ net/net.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/net.c b/net/net.c
+index 434c3b411e..987c25931e 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -924,7 +924,11 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
+ int offset8, start, len, done = 0;
+ u16 ip_off = ntohs(ip->ip_off);
+
+- if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)
++ /*
++ * Calling code already rejected <, but we don't have to deal
++ * with an IP fragment with no payload.
++ */
++ if (ntohs(ip->ip_len) <= IP_HDR_SIZE)
+ return NULL;
+
+ /* payload starts after IP header, this fragment is in there */
+@@ -934,6 +938,10 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
+ start = offset8 * 8;
+ len = ntohs(ip->ip_len) - IP_HDR_SIZE;
+
++ /* All but last fragment must have a multiple-of-8 payload. */
++ if ((len & 7) && (ip_off & IP_FLAGS_MFRAG))
++ return NULL;
++
+ if (start + len > IP_MAXUDP) /* fragment extends too far */
+ return NULL;
+
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index cd40ad1a7d..62ebe40cb6 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -8,6 +8,9 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \
file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \
file://0001-CVE-2022-30767.patch \
+ file://CVE-2022-30790.patch \
+ file://CVE-2022-2347_1.patch \
+ file://CVE-2022-2347_2.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 03/22] u-boot: fix CVE-2024-57254
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 01/22] u-boot: Fix CVE-2022-30767 Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 02/22] u-boot: fix CVE-2022-2347 and CVE-2022-30790 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 04/22] u-boot: fix CVE-2024-57255 Steve Sakoman
` (18 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
An integer overflow in sqfs_inode_size in Das U-Boot before
2025.01-rc1 occurs in the symlink size calculation via a
crafted squashfs filesystem.
https://nvd.nist.gov/vuln/detail/CVE-2024-57254
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2024-57254.patch | 47 +++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
new file mode 100644
index 0000000000..be00121224
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
@@ -0,0 +1,47 @@
+From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:45 +0200
+Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size()
+
+A carefully crafted squashfs filesystem can exhibit an extremly large
+inode size and overflow the calculation in sqfs_inode_size().
+As a consequence, the squashfs driver will read from wrong locations.
+
+Fix by using __builtin_add_overflow() to detect the overflow.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57254
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs_inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
+index d25cfb53..bb3ccd37 100644
+--- a/fs/squashfs/sqfs_inode.c
++++ b/fs/squashfs/sqfs_inode.c
+@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
+
+ case SQFS_SYMLINK_TYPE:
+ case SQFS_LSYMLINK_TYPE: {
++ int size;
++
+ struct squashfs_symlink_inode *symlink =
+ (struct squashfs_symlink_inode *)inode;
+
+- return sizeof(*symlink) +
+- get_unaligned_le32(&symlink->symlink_size);
++ if (__builtin_add_overflow(sizeof(*symlink),
++ get_unaligned_le32(&symlink->symlink_size), &size))
++ return -EINVAL;
++
++ return size;
+ }
+
+ case SQFS_BLKDEV_TYPE:
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index 62ebe40cb6..d9c6fcb993 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2022-30790.patch \
file://CVE-2022-2347_1.patch \
file://CVE-2022-2347_2.patch \
+ file://CVE-2024-57254.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 04/22] u-boot: fix CVE-2024-57255
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 03/22] u-boot: fix CVE-2024-57254 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 05/22] u-boot: fix CVE-2024-57256 Steve Sakoman
` (17 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with an inode size of 0xffffffff,
resulting in a malloc of zero and resultant memory overwrite.
https://nvd.nist.gov/vuln/detail/CVE-2024-57255
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2024-57255.patch | 53 +++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
2 files changed, 54 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
new file mode 100644
index 0000000000..4ca72da554
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
@@ -0,0 +1,53 @@
+From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:44 +0200
+Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink()
+
+A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
+as a consequence malloc() will do a zero allocation.
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57255
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 1430e671..16a07c06 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ char *resolved, *target;
+ u32 sz;
+
+- sz = get_unaligned_le32(&sym->symlink_size);
+- target = malloc(sz + 1);
++ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
++ return NULL;
++
++ target = malloc(sz);
+ if (!target)
+ return NULL;
+
+@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ * There is no trailling null byte in the symlink's target path, so a
+ * copy is made and a '\0' is added at its end.
+ */
+- target[sz] = '\0';
++ target[sz - 1] = '\0';
+ /* Get target name (relative path) */
+- strncpy(target, sym->symlink, sz);
++ strncpy(target, sym->symlink, sz - 1);
+
+ /* Relative -> absolute path conversion */
+ resolved = sqfs_get_abs_path(base_path, target);
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index d9c6fcb993..cfe36256f3 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -12,6 +12,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2022-2347_1.patch \
file://CVE-2022-2347_2.patch \
file://CVE-2024-57254.patch \
+ file://CVE-2024-57255.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 05/22] u-boot: fix CVE-2024-57256
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (3 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 04/22] u-boot: fix CVE-2024-57255 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 06/22] u-boot: fix CVE-2024-57257 Steve Sakoman
` (16 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1
occurs for zalloc (adding one to an le32 variable) via a crafted ext4
filesystem with an inode size of 0xffffffff, resulting in a malloc of
zero and resultant memory overwrite.
https://nvd.nist.gov/vuln/detail/CVE-2024-57256
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2024-57256.patch | 51 +++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
new file mode 100644
index 0000000000..78cf4ac225
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
@@ -0,0 +1,51 @@
+From 49cab731abe7a98db4ac16666e3b5ab3bc799282 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 9 Aug 2024 11:54:28 +0200
+Subject: [PATCH 3/8] ext4: Fix integer overflow in ext4fs_read_symlink()
+
+While zalloc() takes a size_t type, adding 1 to the le32 variable
+will overflow.
+A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
+and as consequence zalloc() will do a zero allocation.
+
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+
+CVE: CVE-2024-57256
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/ext4/ext4_common.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
+index f50de7c0..a7798296 100644
+--- a/fs/ext4/ext4_common.c
++++ b/fs/ext4/ext4_common.c
+@@ -2188,13 +2188,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
+ struct ext2fs_node *diro = node;
+ int status;
+ loff_t actread;
++ size_t alloc_size;
+
+ if (!diro->inode_read) {
+ status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
+ if (status == 0)
+ return NULL;
+ }
+- symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
++
++ if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
++ return NULL;
++
++ symlink = zalloc(alloc_size);
+ if (!symlink)
+ return NULL;
+
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index cfe36256f3..c643fb35f3 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -13,6 +13,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2022-2347_2.patch \
file://CVE-2024-57254.patch \
file://CVE-2024-57255.patch \
+ file://CVE-2024-57256.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 06/22] u-boot: fix CVE-2024-57257
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 05/22] u-boot: fix CVE-2024-57256 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 07/22] u-boot: fix CVE-2024-57258 Steve Sakoman
` (15 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with deep symlink nesting.
https://nvd.nist.gov/vuln/detail/CVE-2024-57257
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2024-57257.patch | 228 ++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
2 files changed, 229 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
new file mode 100644
index 0000000000..5b6cbb8cad
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
@@ -0,0 +1,228 @@
+From 790a2005e7a44dba059f5dbf1b9eff3a13e9b5e7 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Wed, 19 Feb 2025 15:51:53 +0800
+Subject: [PATCH] squashfs: Fix stack overflow while symlink resolving
+
+The squashfs driver blindly follows symlinks, and calls sqfs_size()
+recursively. So an attacker can create a crafted filesystem and with
+a deep enough nesting level a stack overflow can be achieved.
+
+Fix by limiting the nesting level to 8.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57257
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 7f2af8e1f9..09c0911689 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -24,7 +24,12 @@
+ #include "sqfs_filesystem.h"
+ #include "sqfs_utils.h"
+
++#define MAX_SYMLINK_NEST 8
++
+ static struct squashfs_ctxt ctxt;
++static int symlinknest;
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp);
+
+ static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf)
+ {
+@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ goto out;
+ }
+
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, token_list[j]);
+ if (!ret)
+ break;
+@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+
+ /* Check for symbolic link and inode type sanity */
+ if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) {
++ if (++symlinknest == MAX_SYMLINK_NEST) {
++ ret = -ELOOP;
++ goto out;
++ }
++
+ sym = (struct squashfs_symlink_inode *)table;
+ /* Get first j + 1 tokens */
+ path = sqfs_concat_tokens(token_list, j + 1);
+@@ -872,7 +882,7 @@ out:
+ return metablks_count;
+ }
+
+-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
+ {
+ unsigned char *inode_table = NULL, *dir_table = NULL;
+ int j, token_count = 0, ret = 0, metablks_count;
+@@ -967,7 +977,19 @@ out:
+ return ret;
+ }
+
++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++{
++ symlinknest = 0;
++ return sqfs_opendir_nest(filename, dirsp);
++}
++
+ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
++{
++ symlinknest = 0;
++ return sqfs_readdir_nest(fs_dirs, dentp);
++}
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+ {
+ struct squashfs_super_block *sblk = ctxt.sblk;
+ struct squashfs_dir_stream *dirs;
+@@ -1311,8 +1333,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg,
+ return datablk_count;
+ }
+
+-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+- loff_t *actread)
++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
++ loff_t len, loff_t *actread)
+ {
+ char *dir = NULL, *fragment_block, *datablock = NULL, *data_buffer = NULL;
+ char *fragment = NULL, *file = NULL, *resolved, *data;
+@@ -1342,11 +1364,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ }
+
+ /*
+- * sqfs_opendir will uncompress inode and directory tables, and will
++ * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ * return a pointer to the directory that contains the requested file.
+ */
+ sqfs_split_path(&file, &dir, filename);
+- ret = sqfs_opendir(dir, &dirsp);
++ ret = sqfs_opendir_nest(dir, &dirsp);
+ if (ret) {
+ goto out;
+ }
+@@ -1354,7 +1376,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ dirs = (struct squashfs_dir_stream *)dirsp;
+
+ /* For now, only regular files are able to be loaded */
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, file);
+ if (!ret)
+ break;
+@@ -1403,9 +1425,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ break;
+ case SQFS_SYMLINK_TYPE:
+ case SQFS_LSYMLINK_TYPE:
++ if (++symlinknest == MAX_SYMLINK_NEST) {
++ ret = -ELOOP;
++ goto out;
++ }
++
+ symlink = (struct squashfs_symlink_inode *)ipos;
+ resolved = sqfs_resolve_symlink(symlink, filename);
+- ret = sqfs_read(resolved, buf, offset, len, actread);
++ ret = sqfs_read_nest(resolved, buf, offset, len, actread);
+ free(resolved);
+ goto out;
+ case SQFS_BLKDEV_TYPE:
+@@ -1579,7 +1606,14 @@ out:
+ return ret;
+ }
+
+-int sqfs_size(const char *filename, loff_t *size)
++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
++ loff_t *actread)
++{
++ symlinknest = 0;
++ return sqfs_read_nest(filename, buf, offset, len, actread);
++}
++
++static int sqfs_size_nest(const char *filename, loff_t *size)
+ {
+ struct squashfs_super_block *sblk = ctxt.sblk;
+ struct squashfs_symlink_inode *symlink;
+@@ -1595,10 +1629,10 @@ int sqfs_size(const char *filename, loff_t *size)
+
+ sqfs_split_path(&file, &dir, filename);
+ /*
+- * sqfs_opendir will uncompress inode and directory tables, and will
++ * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ * return a pointer to the directory that contains the requested file.
+ */
+- ret = sqfs_opendir(dir, &dirsp);
++ ret = sqfs_opendir_nest(dir, &dirsp);
+ if (ret) {
+ ret = -EINVAL;
+ goto free_strings;
+@@ -1606,7 +1640,7 @@ int sqfs_size(const char *filename, loff_t *size)
+
+ dirs = (struct squashfs_dir_stream *)dirsp;
+
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, file);
+ if (!ret)
+ break;
+@@ -1639,6 +1673,11 @@ int sqfs_size(const char *filename, loff_t *size)
+ break;
+ case SQFS_SYMLINK_TYPE:
+ case SQFS_LSYMLINK_TYPE:
++ if (++symlinknest == MAX_SYMLINK_NEST) {
++ *size = 0;
++ return -ELOOP;
++ }
++
+ symlink = (struct squashfs_symlink_inode *)ipos;
+ resolved = sqfs_resolve_symlink(symlink, filename);
+ ret = sqfs_size(resolved, size);
+@@ -1678,10 +1717,11 @@ int sqfs_exists(const char *filename)
+
+ sqfs_split_path(&file, &dir, filename);
+ /*
+- * sqfs_opendir will uncompress inode and directory tables, and will
++ * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ * return a pointer to the directory that contains the requested file.
+ */
+- ret = sqfs_opendir(dir, &dirsp);
++ symlinknest = 0;
++ ret = sqfs_opendir_nest(dir, &dirsp);
+ if (ret) {
+ ret = -EINVAL;
+ goto free_strings;
+@@ -1689,7 +1729,7 @@ int sqfs_exists(const char *filename)
+
+ dirs = (struct squashfs_dir_stream *)dirsp;
+
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, file);
+ if (!ret)
+ break;
+@@ -1706,6 +1746,12 @@ free_strings:
+ return ret == 0;
+ }
+
++int sqfs_size(const char *filename, loff_t *size)
++{
++ symlinknest = 0;
++ return sqfs_size_nest(filename, size);
++}
++
+ void sqfs_close(void)
+ {
+ sqfs_decompressor_cleanup(&ctxt);
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c643fb35f3..c68e3e442f 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -14,6 +14,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2024-57254.patch \
file://CVE-2024-57255.patch \
file://CVE-2024-57256.patch \
+ file://CVE-2024-57257.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 07/22] u-boot: fix CVE-2024-57258
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 06/22] u-boot: fix CVE-2024-57257 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 08/22] u-boot: fix CVE-2024-57259 Steve Sakoman
` (14 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1
occur for a crafted squashfs filesystem via sbrk, via request2size,
or because ptrdiff_t is mishandled on x86_64.
https://nvd.nist.gov/vuln/detail/CVE-2024-57258
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2024-57258-1.patch | 47 +++++++++++++++++++
.../u-boot/files/CVE-2024-57258-2.patch | 43 +++++++++++++++++
.../u-boot/files/CVE-2024-57258-3.patch | 40 ++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 3 ++
4 files changed, 133 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
new file mode 100644
index 0000000000..d33a4260ba
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
@@ -0,0 +1,47 @@
+From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:45 +0200
+Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk()
+
+Make sure that the new break is within mem_malloc_start
+and mem_malloc_end before making progress.
+ulong new = old + increment; can overflow for extremely large
+increment values and memset() can get wrongly called.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index de3f0422..bae2a27c 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment)
+ ulong old = mem_malloc_brk;
+ ulong new = old + increment;
+
++ if ((new < mem_malloc_start) || (new > mem_malloc_end))
++ return (void *)MORECORE_FAILURE;
++
+ /*
+ * if we are giving memory back make sure we clear it out since
+ * we set MORECORE_CLEARS to 1
+@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment)
+ if (increment < 0)
+ memset((void *)new, 0, -increment);
+
+- if ((new < mem_malloc_start) || (new > mem_malloc_end))
+- return (void *)MORECORE_FAILURE;
+-
+ mem_malloc_brk = new;
+
+ return (void *)old;
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
new file mode 100644
index 0000000000..688e2c64d8
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
@@ -0,0 +1,43 @@
+From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:44 +0200
+Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size()
+
+req is of type size_t, casting it to long opens the door
+for an integer overflow.
+Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
+cause and overflow such that request2size() returns MINSIZE.
+
+Fix by removing the cast.
+The origin of the cast is unclear, it's in u-boot and ppcboot since ever
+and predates the CVS history.
+Doug Lea's original dlmalloc implementation also doesn't have it.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index bae2a27c..1ac4ee9f 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ /* pad request bytes into a usable size */
+
+ #define request2size(req) \
+- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
++ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+ (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
+
+ /* Check if m has acceptable alignment */
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
new file mode 100644
index 0000000000..2c8a7c9d91
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
@@ -0,0 +1,40 @@
+From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:43 +0200
+Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64
+
+sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
+by LONG_MIN/LONG_MAX.
+So, use the long type, also to match the rest of the Linux ecosystem.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ arch/x86/include/asm/posix_types.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
+index dbcea7f4..e1ed9bca 100644
+--- a/arch/x86/include/asm/posix_types.h
++++ b/arch/x86/include/asm/posix_types.h
+@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t;
+ #if defined(__x86_64__)
+ typedef unsigned long __kernel_size_t;
+ typedef long __kernel_ssize_t;
++typedef long __kernel_ptrdiff_t;
+ #else
+ typedef unsigned int __kernel_size_t;
+ typedef int __kernel_ssize_t;
+-#endif
+ typedef int __kernel_ptrdiff_t;
++#endif
+ typedef long __kernel_time_t;
+ typedef long __kernel_suseconds_t;
+ typedef long __kernel_clock_t;
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c68e3e442f..cdee9fc721 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -15,6 +15,9 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2024-57255.patch \
file://CVE-2024-57256.patch \
file://CVE-2024-57257.patch \
+ file://CVE-2024-57258-1.patch \
+ file://CVE-2024-57258-2.patch \
+ file://CVE-2024-57258-3.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 08/22] u-boot: fix CVE-2024-57259
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (6 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 07/22] u-boot: fix CVE-2024-57258 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 09/22] Revert "ovmf: Fix CVE-2023-45237" Steve Sakoman
` (13 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error
and resultant heap memory corruption for squashfs directory listing because the
path separator is not considered in a size calculation.
https://nvd.nist.gov/vuln/detail/CVE-2024-57259
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2024-57259.patch | 41 +++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
new file mode 100644
index 0000000000..fdf5fdfce4
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
@@ -0,0 +1,41 @@
+From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 22:05:09 +0200
+Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir()
+
+res needs to be large enough to store both strings rem and target,
+plus the path separator and the terminator.
+Currently the space for the path separator is not accounted, so
+the heap is corrupted by one byte.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57259
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index a5b7890e..1bd9b2a4 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ ret = -ENOMEM;
+ goto out;
+ }
+- /* Concatenate remaining tokens and symlink's target */
+- res = malloc(strlen(rem) + strlen(target) + 1);
++ /*
++ * Concatenate remaining tokens and symlink's target.
++ * Allocate enough space for rem, target, '/' and '\0'.
++ */
++ res = malloc(strlen(rem) + strlen(target) + 2);
+ if (!res) {
+ ret = -ENOMEM;
+ goto out;
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index cdee9fc721..0ff2477c39 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2024-57258-1.patch \
file://CVE-2024-57258-2.patch \
file://CVE-2024-57258-3.patch \
+ file://CVE-2024-57259.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 09/22] Revert "ovmf: Fix CVE-2023-45237"
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (7 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 08/22] u-boot: fix CVE-2024-57259 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 10/22] Revert "ovmf: Fix CVE-2023-45236" Steve Sakoman
` (12 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
This reverts commit 6f8bdaad9d22e65108f859a695277ce1b20ef7c6.
his reverts commit 4c2d3e37308cac98614dfafed79b7323423af8bc.
The fix for CVE-2023-45237 causes ovmf firmware not support pxe boot
any more and no boot item in OVMF menu such as
UEFI PXEv4 (MAC address)
It has not been fixed by ovmf upstream and an issue has been created on
https://github.com/tianocore/tianocore.github.io/issues/82
Revert the fixes for now.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ovmf/ovmf/CVE-2023-45237-0001.patch | 78 -
.../ovmf/ovmf/CVE-2023-45237-0002.patch | 1288 -----------------
meta/recipes-core/ovmf/ovmf_git.bb | 2 -
3 files changed, 1368 deletions(-)
delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch
deleted file mode 100644
index d1dcb8dc44..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c Mon Sep 17 00:00:00 2001
-From: Pierre Gondois <pierre.gondois@arm.com>
-Date: Fri, 11 Aug 2023 16:33:06 +0200
-Subject: [PATCH] MdePkg/Rng: Add GUID to describe Arm Rndr Rng algorithms
-
-BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441
-
-The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
-implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
-To allow the RngDxe to detect when such implementation is used,
-a GetRngGuid() function is added in a following patch.
-
-Prepare GetRngGuid() return values and add a gEfiRngAlgorithmArmRndr
-to describe a Rng algorithm accessed through Arm's RNDR instruction.
-[1] states that the implementation of this algorithm should be
-compliant to NIST SP900-80. The compliance is not guaranteed.
-
-[1] Arm Architecture Reference Manual Armv8, for A-profile architecture
-sK12.1 'Properties of the generated random number'
-
-Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
-Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
-Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
-Acked-by: Ard Biesheuvel <ardb@kernel.org>
-Tested-by: Kun Qin <kun.qin@microsoft.com>
-
-CVE: CVE-2023-45237
-
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c]
-
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
----
- MdePkg/Include/Protocol/Rng.h | 10 ++++++++++
- MdePkg/MdePkg.dec | 1 +
- 2 files changed, 11 insertions(+)
-
-diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h
-index baf425587b..38bde53240 100644
---- a/MdePkg/Include/Protocol/Rng.h
-+++ b/MdePkg/Include/Protocol/Rng.h
-@@ -67,6 +67,15 @@ typedef EFI_GUID EFI_RNG_ALGORITHM;
- { \
- 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } \
- }
-+///
-+/// The Arm Architecture states the RNDR that the DRBG algorithm should be compliant
-+/// with NIST SP800-90A, while not mandating a particular algorithm, so as to be
-+/// inclusive of different geographies.
-+///
-+#define EFI_RNG_ALGORITHM_ARM_RNDR \
-+ { \
-+ 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41} \
-+ }
-
- /**
- Returns information about the random number generation implementation.
-@@ -146,5 +155,6 @@ extern EFI_GUID gEfiRngAlgorithmSp80090Ctr256Guid;
- extern EFI_GUID gEfiRngAlgorithmX9313DesGuid;
- extern EFI_GUID gEfiRngAlgorithmX931AesGuid;
- extern EFI_GUID gEfiRngAlgorithmRaw;
-+extern EFI_GUID gEfiRngAlgorithmArmRndr;
-
- #endif
-diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
-index 59b405928b..a449dbc556 100644
---- a/MdePkg/MdePkg.dec
-+++ b/MdePkg/MdePkg.dec
-@@ -594,6 +594,7 @@
- gEfiRngAlgorithmX9313DesGuid = { 0x63c4785a, 0xca34, 0x4012, {0xa3, 0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 }}
- gEfiRngAlgorithmX931AesGuid = { 0xacd03321, 0x777e, 0x4d3d, {0xb1, 0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 }}
- gEfiRngAlgorithmRaw = { 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 }}
-+ gEfiRngAlgorithmArmRndr = { 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41 }}
-
- ## Include/Protocol/AdapterInformation.h
- gEfiAdapterInfoMediaStateGuid = { 0xD7C74207, 0xA831, 0x4A26, {0xB1, 0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 }}
---
-2.40.0
-
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch
deleted file mode 100644
index 722a6cd530..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch
+++ /dev/null
@@ -1,1288 +0,0 @@
-From 4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Wed, 8 May 2024 22:56:28 -0700
-Subject: [PATCH] NetworkPkg: SECURITY PATCH CVE-2023-45237
-
-REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542
-
-Bug Overview:
-PixieFail Bug #9
-CVE-2023-45237
-CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
-CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
-
-Use of a Weak PseudoRandom Number Generator
-
-Change Overview:
-
-Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either
-
->
-> EFI_STATUS
-> EFIAPI
-> PseudoRandomU32 (
-> OUT UINT32 *Output
-> );
->
-
-or (depending on the use case)
-
->
-> EFI_STATUS
-> EFIAPI
-> PseudoRandom (
-> OUT VOID *Output,
-> IN UINTN OutputLength
-> );
->
-
-This is because the use of
-
-Example:
-
-The following code snippet PseudoRandomU32 () function is used:
-
->
-> UINT32 Random;
->
-> Status = PseudoRandomU32 (&Random);
-> if (EFI_ERROR (Status)) {
-> DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n",
-__func__, Status));
-> return Status;
-> }
->
-
-This also introduces a new PCD to enable/disable the use of the
-secure implementation of algorithms for PseudoRandom () and
-instead depend on the default implementation. This may be required for
-some platforms where the UEFI Spec defined algorithms are not available.
-
->
-> PcdEnforceSecureRngAlgorithms
->
-
-If the platform does not have any one of the UEFI defined
-secure RNG algorithms then the driver will assert.
-
-Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
-Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
-
-Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
-Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
-
-CVE: CVE-2023-45237
-
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345]
-
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
----
- NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +-
- NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +-
- NetworkPkg/DnsDxe/DnsDhcp.c | 10 +-
- NetworkPkg/DnsDxe/DnsImpl.c | 11 +-
- NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +-
- NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 ++-
- NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +--
- NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +-
- NetworkPkg/Include/Library/NetLib.h | 40 +++++--
- NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +-
- NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +-
- NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++-
- NetworkPkg/Ip6Dxe/Ip6If.c | 12 +-
- NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +-
- NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 +++++-
- NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +-
- NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 ++++++++++++++++++---
- NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 ++-
- NetworkPkg/NetworkPkg.dec | 7 ++
- NetworkPkg/SecurityFixes.yaml | 39 +++++++
- NetworkPkg/TcpDxe/TcpDriver.c | 15 ++-
- NetworkPkg/TcpDxe/TcpDxe.inf | 3 +
- NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +-
- NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +-
- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +-
- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +-
- NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +-
- 27 files changed, 410 insertions(+), 83 deletions(-)
-
-diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
-index 8c37e93be3..892caee368 100644
---- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
-+++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
-@@ -1,6 +1,7 @@
- /** @file
-
- Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -189,6 +190,13 @@ Dhcp4CreateService (
- {
- DHCP_SERVICE *DhcpSb;
- EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- *Service = NULL;
- DhcpSb = AllocateZeroPool (sizeof (DHCP_SERVICE));
-@@ -203,7 +211,7 @@ Dhcp4CreateService (
- DhcpSb->Image = ImageHandle;
- InitializeListHead (&DhcpSb->Children);
- DhcpSb->DhcpState = Dhcp4Stopped;
-- DhcpSb->Xid = NET_RANDOM (NetRandomInitSeed ());
-+ DhcpSb->Xid = Random;
- CopyMem (
- &DhcpSb->ServiceBinding,
- &mDhcp4ServiceBindingTemplate,
-diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
-index b591a4605b..e7f2787a98 100644
---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
-+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
-@@ -3,7 +3,7 @@
- implementation for Dhcp6 Driver.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -123,6 +123,13 @@ Dhcp6CreateService (
- {
- DHCP6_SERVICE *Dhcp6Srv;
- EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- *Service = NULL;
- Dhcp6Srv = AllocateZeroPool (sizeof (DHCP6_SERVICE));
-@@ -147,7 +154,7 @@ Dhcp6CreateService (
- Dhcp6Srv->Signature = DHCP6_SERVICE_SIGNATURE;
- Dhcp6Srv->Controller = Controller;
- Dhcp6Srv->Image = ImageHandle;
-- Dhcp6Srv->Xid = (0xffffff & NET_RANDOM (NetRandomInitSeed ()));
-+ Dhcp6Srv->Xid = (0xffffff & Random);
-
- CopyMem (
- &Dhcp6Srv->ServiceBinding,
-diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c
-index 933565a32d..9eb3c1d2d8 100644
---- a/NetworkPkg/DnsDxe/DnsDhcp.c
-+++ b/NetworkPkg/DnsDxe/DnsDhcp.c
-@@ -2,6 +2,7 @@
- Functions implementation related with DHCPv4/v6 for DNS driver.
-
- Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -277,6 +278,7 @@ GetDns4ServerFromDhcp4 (
- EFI_DHCP4_TRANSMIT_RECEIVE_TOKEN Token;
- BOOLEAN IsDone;
- UINTN Index;
-+ UINT32 Random;
-
- Image = Instance->Service->ImageHandle;
- Controller = Instance->Service->ControllerHandle;
-@@ -292,6 +294,12 @@ GetDns4ServerFromDhcp4 (
- Data = NULL;
- InterfaceInfo = NULL;
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- ZeroMem ((UINT8 *)ParaList, sizeof (ParaList));
-
- ZeroMem (&MnpConfigData, sizeof (EFI_MANAGED_NETWORK_CONFIG_DATA));
-@@ -467,7 +475,7 @@ GetDns4ServerFromDhcp4 (
-
- Status = Dhcp4->Build (Dhcp4, &SeedPacket, 0, NULL, 2, ParaList, &Token.Packet);
-
-- Token.Packet->Dhcp4.Header.Xid = HTONL (NET_RANDOM (NetRandomInitSeed ()));
-+ Token.Packet->Dhcp4.Header.Xid = Random;
-
- Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)0x8000);
-
-diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
-index d311812800..c2629bb8df 100644
---- a/NetworkPkg/DnsDxe/DnsImpl.c
-+++ b/NetworkPkg/DnsDxe/DnsImpl.c
-@@ -2,6 +2,7 @@
- DnsDxe support functions implementation.
-
- Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -1963,6 +1964,14 @@ ConstructDNSQuery (
- NET_FRAGMENT Frag;
- DNS_HEADER *DnsHeader;
- DNS_QUERY_SECTION *DnsQuery;
-+ EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- //
- // Messages carried by UDP are restricted to 512 bytes (not counting the IP
-@@ -1977,7 +1986,7 @@ ConstructDNSQuery (
- // Fill header
- //
- DnsHeader = (DNS_HEADER *)Frag.Bulk;
-- DnsHeader->Identification = (UINT16)NET_RANDOM (NetRandomInitSeed ());
-+ DnsHeader->Identification = (UINT16)Random;
- DnsHeader->Flags.Uint16 = 0x0000;
- DnsHeader->Flags.Bits.RD = 1;
- DnsHeader->Flags.Bits.OpCode = DNS_FLAGS_OPCODE_STANDARD;
-diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
-index b22cef4ff5..f964515b0f 100644
---- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
-+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
-@@ -2,6 +2,7 @@
- Functions implementation related with DHCPv6 for HTTP boot driver.
-
- Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -951,6 +952,7 @@ HttpBootDhcp6Sarr (
- UINT32 OptCount;
- UINT8 Buffer[HTTP_BOOT_DHCP6_OPTION_MAX_SIZE];
- EFI_STATUS Status;
-+ UINT32 Random;
-
- Dhcp6 = Private->Dhcp6;
- ASSERT (Dhcp6 != NULL);
-@@ -961,6 +963,12 @@ HttpBootDhcp6Sarr (
- OptCount = HttpBootBuildDhcp6Options (Private, OptList, Buffer);
- ASSERT (OptCount > 0);
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- Retransmit = AllocateZeroPool (sizeof (EFI_DHCP6_RETRANSMISSION));
- if (Retransmit == NULL) {
- return EFI_OUT_OF_RESOURCES;
-@@ -976,7 +984,7 @@ HttpBootDhcp6Sarr (
- Config.IaInfoEvent = NULL;
- Config.RapidCommit = FALSE;
- Config.ReconfigureAccept = FALSE;
-- Config.IaDescriptor.IaId = NET_RANDOM (NetRandomInitSeed ());
-+ Config.IaDescriptor.IaId = Random;
- Config.IaDescriptor.Type = EFI_DHCP6_IA_TYPE_NA;
- Config.SolicitRetransmission = Retransmit;
- Retransmit->Irt = 4;
-diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
-index b507f11cd4..bebb1ac29b 100644
---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
-+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
-@@ -3,6 +3,7 @@
- Configuration.
-
- Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -576,16 +577,24 @@ IScsiCHAPToSendReq (
- //
- // CHAP_I=<I>
- //
-- IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);
-+ Status = IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);
-+ if (EFI_ERROR (Status)) {
-+ break;
-+ }
-+
- AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);
- //
- // CHAP_C=<C>
- //
-- IScsiGenRandom (
-- (UINT8 *)AuthData->OutChallenge,
-- AuthData->Hash->DigestSize
-- );
-+ Status = IScsiGenRandom (
-+ (UINT8 *)AuthData->OutChallenge,
-+ AuthData->Hash->DigestSize
-+ );
-+ if (EFI_ERROR (Status)) {
-+ break;
-+ }
-+
- BinToHexStatus = IScsiBinToHex (
- (UINT8 *)AuthData->OutChallenge,
- AuthData->Hash->DigestSize,
-diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
-index b3ea90158f..cd77f1a13e 100644
---- a/NetworkPkg/IScsiDxe/IScsiMisc.c
-+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
-@@ -2,6 +2,7 @@
- Miscellaneous routines for iSCSI driver.
-
- Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -474,20 +475,17 @@ IScsiNetNtoi (
- @param[in, out] Rand The buffer to contain random numbers.
- @param[in] RandLength The length of the Rand buffer.
-
-+ @retval EFI_SUCCESS on success
-+ @retval others on error
-+
- **/
--VOID
-+EFI_STATUS
- IScsiGenRandom (
- IN OUT UINT8 *Rand,
- IN UINTN RandLength
- )
- {
-- UINT32 Random;
--
-- while (RandLength > 0) {
-- Random = NET_RANDOM (NetRandomInitSeed ());
-- *Rand++ = (UINT8)(Random);
-- RandLength--;
-- }
-+ return PseudoRandom (Rand, RandLength);
- }
-
- /**
-diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
-index a951eee70e..91b2cd2261 100644
---- a/NetworkPkg/IScsiDxe/IScsiMisc.h
-+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
-@@ -2,6 +2,7 @@
- Miscellaneous definitions for iSCSI driver.
-
- Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -202,8 +203,11 @@ IScsiNetNtoi (
- @param[in, out] Rand The buffer to contain random numbers.
- @param[in] RandLength The length of the Rand buffer.
-
-+ @retval EFI_SUCCESS on success
-+ @retval others on error
-+
- **/
--VOID
-+EFI_STATUS
- IScsiGenRandom (
- IN OUT UINT8 *Rand,
- IN UINTN RandLength
-diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h
-index 8c0e62b388..e8108b79db 100644
---- a/NetworkPkg/Include/Library/NetLib.h
-+++ b/NetworkPkg/Include/Library/NetLib.h
-@@ -3,6 +3,7 @@
- It provides basic functions for the UEFI network stack.
-
- Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -539,8 +540,6 @@ extern EFI_IPv4_ADDRESS mZeroIp4Addr;
- #define TICKS_PER_MS 10000U
- #define TICKS_PER_SECOND 10000000U
-
--#define NET_RANDOM(Seed) ((UINT32) ((UINT32) (Seed) * 1103515245UL + 12345) % 4294967295UL)
--
- /**
- Extract a UINT32 from a byte stream.
-
-@@ -580,19 +579,40 @@ NetPutUint32 (
- );
-
- /**
-- Initialize a random seed using current time and monotonic count.
-+ Generate a Random output data given a length.
-
-- Get current time and monotonic count first. Then initialize a random seed
-- based on some basic mathematics operation on the hour, day, minute, second,
-- nanosecond and year of the current time and the monotonic count value.
-+ @param[out] Output - The buffer to store the generated random data.
-+ @param[in] OutputLength - The length of the output buffer.
-
-- @return The random seed initialized with current time.
-+ @retval EFI_SUCCESS On Success
-+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero
-+ @retval EFI_NOT_FOUND RNG protocol not found
-+ @retval Others Error from RngProtocol->GetRNG()
-
-+ @return Status code
- **/
--UINT32
-+EFI_STATUS
- EFIAPI
--NetRandomInitSeed (
-- VOID
-+PseudoRandom (
-+ OUT VOID *Output,
-+ IN UINTN OutputLength
-+ );
-+
-+/**
-+ Generate a 32-bit pseudo-random number.
-+
-+ @param[out] Output - The buffer to store the generated random number.
-+
-+ @retval EFI_SUCCESS On Success
-+ @retval EFI_NOT_FOUND RNG protocol not found
-+ @retval Others Error from RngProtocol->GetRNG()
-+
-+ @return Status code
-+**/
-+EFI_STATUS
-+EFIAPI
-+PseudoRandomU32 (
-+ OUT UINT32 *Output
- );
-
- #define NET_LIST_USER_STRUCT(Entry, Type, Field) \
-diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c
-index ec483ff01f..683423f38d 100644
---- a/NetworkPkg/Ip4Dxe/Ip4Driver.c
-+++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c
-@@ -2,6 +2,7 @@
- The driver binding and service binding protocol for IP4 driver.
-
- Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-@@ -549,11 +550,18 @@ Ip4DriverBindingStart (
- EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2;
- UINTN Index;
- IP4_CONFIG2_DATA_ITEM *DataItem;
-+ UINT32 Random;
-
- IpSb = NULL;
- Ip4Cfg2 = NULL;
- DataItem = NULL;
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- //
- // Test for the Ip4 service binding protocol
- //
-@@ -653,7 +661,7 @@ Ip4DriverBindingStart (
- //
- // Initialize the IP4 ID
- //
-- mIp4Id = (UINT16)NET_RANDOM (NetRandomInitSeed ());
-+ mIp4Id = (UINT16)Random;
-
- return Status;
-
-diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
-index 70e232ce6c..4c1354d26c 100644
---- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
-@@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance (
- UINTN Index;
- UINT16 IfIndex;
- IP6_CONFIG_DATA_ITEM *DataItem;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- IpSb = IP6_SERVICE_FROM_IP6_CONFIG_INSTANCE (Instance);
-
-@@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance (
- // The NV variable is not set, so generate a random IAID, and write down the
- // fresh new configuration as the NV variable now.
- //
-- Instance->IaId = NET_RANDOM (NetRandomInitSeed ());
-+ Instance->IaId = Random;
-
- for (Index = 0; Index < IpSb->SnpMode.HwAddressSize; Index++) {
- Instance->IaId |= (IpSb->SnpMode.CurrentAddress.Addr[Index] << ((Index << 3) & 31));
-diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c
-index b483a7d136..cbe011dad4 100644
---- a/NetworkPkg/Ip6Dxe/Ip6Driver.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c
-@@ -3,7 +3,7 @@
-
- Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -316,7 +316,11 @@ Ip6CreateService (
- IpSb->CurHopLimit = IP6_HOP_LIMIT;
- IpSb->LinkMTU = IP6_MIN_LINK_MTU;
- IpSb->BaseReachableTime = IP6_REACHABLE_TIME;
-- Ip6UpdateReachableTime (IpSb);
-+ Status = Ip6UpdateReachableTime (IpSb);
-+ if (EFI_ERROR (Status)) {
-+ goto ON_ERROR;
-+ }
-+
- //
- // RFC4861 RETRANS_TIMER: 1,000 milliseconds
- //
-@@ -516,11 +520,18 @@ Ip6DriverBindingStart (
- EFI_STATUS Status;
- EFI_IP6_CONFIG_PROTOCOL *Ip6Cfg;
- IP6_CONFIG_DATA_ITEM *DataItem;
-+ UINT32 Random;
-
- IpSb = NULL;
- Ip6Cfg = NULL;
- DataItem = NULL;
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- //
- // Test for the Ip6 service binding protocol
- //
-@@ -656,7 +667,7 @@ Ip6DriverBindingStart (
- //
- // Initialize the IP6 ID
- //
-- mIp6Id = NET_RANDOM (NetRandomInitSeed ());
-+ mIp6Id = Random;
-
- return EFI_SUCCESS;
-
-diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c
-index 4629c05f25..f3d11c4d21 100644
---- a/NetworkPkg/Ip6Dxe/Ip6If.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6If.c
-@@ -2,7 +2,7 @@
- Implement IP6 pseudo interface.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -89,6 +89,14 @@ Ip6SetAddress (
- IP6_PREFIX_LIST_ENTRY *PrefixEntry;
- UINT64 Delay;
- IP6_DELAY_JOIN_LIST *DelayNode;
-+ EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- NET_CHECK_SIGNATURE (Interface, IP6_INTERFACE_SIGNATURE);
-
-@@ -164,7 +172,7 @@ Ip6SetAddress (
- // Thus queue the address to be processed in Duplicate Address Detection module
- // after the delay time (in milliseconds).
- //
-- Delay = (UINT64)NET_RANDOM (NetRandomInitSeed ());
-+ Delay = (UINT64)Random;
- Delay = MultU64x32 (Delay, IP6_ONE_SECOND_IN_MS);
- Delay = RShiftU64 (Delay, 32);
-
-diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c
-index e6b2b653e2..498a118543 100644
---- a/NetworkPkg/Ip6Dxe/Ip6Mld.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c
-@@ -696,7 +696,15 @@ Ip6UpdateDelayTimer (
- IN OUT IP6_MLD_GROUP *Group
- )
- {
-- UINT32 Delay;
-+ UINT32 Delay;
-+ EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- //
- // If the Query packet specifies a Maximum Response Delay of zero, perform timer
-@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer (
- // is less than the remaining value of the running timer.
- //
- if ((Group->DelayTimer == 0) || (Delay < Group->DelayTimer)) {
-- Group->DelayTimer = Delay / 4294967295UL * NET_RANDOM (NetRandomInitSeed ());
-+ Group->DelayTimer = Delay / 4294967295UL * Random;
- }
-
- return EFI_SUCCESS;
-diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c
-index c10c7017f8..72aa45c10f 100644
---- a/NetworkPkg/Ip6Dxe/Ip6Nd.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c
-@@ -2,7 +2,7 @@
- Implementation of Neighbor Discovery support routines.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS mZeroMacAddress;
-
- @param[in, out] IpSb Points to the IP6_SERVICE.
-
-+ @retval EFI_SUCCESS ReachableTime Updated
-+ @retval others Failed to update ReachableTime
- **/
--VOID
-+EFI_STATUS
- Ip6UpdateReachableTime (
- IN OUT IP6_SERVICE *IpSb
- )
- {
-- UINT32 Random;
-+ UINT32 Random;
-+ EFI_STATUS Status;
-
-- Random = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE;
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
-+ Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE;
- Random = Random + IP6_MIN_RANDOM_FACTOR_SCALED;
- IpSb->ReachableTime = (IpSb->BaseReachableTime * Random) / IP6_RANDOM_FACTOR_SCALE;
-+
-+ return EFI_SUCCESS;
- }
-
- /**
-@@ -972,10 +983,17 @@ Ip6InitDADProcess (
- IP6_SERVICE *IpSb;
- EFI_STATUS Status;
- UINT32 MaxDelayTick;
-+ UINT32 Random;
-
- NET_CHECK_SIGNATURE (IpIf, IP6_INTERFACE_SIGNATURE);
- ASSERT (AddressInfo != NULL);
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- //
- // Do nothing if we have already started DAD on the address.
- //
-@@ -1014,7 +1032,7 @@ Ip6InitDADProcess (
- Entry->Transmit = 0;
- Entry->Receive = 0;
- MaxDelayTick = IP6_MAX_RTR_SOLICITATION_DELAY / IP6_TIMER_INTERVAL_IN_MS;
-- Entry->RetransTick = (MaxDelayTick * ((NET_RANDOM (NetRandomInitSeed ()) % 5) + 1)) / 5;
-+ Entry->RetransTick = (MaxDelayTick * ((Random % 5) + 1)) / 5;
- Entry->AddressInfo = AddressInfo;
- Entry->Callback = Callback;
- Entry->Context = Context;
-@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise (
- // in BaseReachableTime and recompute a ReachableTime.
- //
- IpSb->BaseReachableTime = ReachableTime;
-- Ip6UpdateReachableTime (IpSb);
-+ Status = Ip6UpdateReachableTime (IpSb);
-+ if (EFI_ERROR (Status)) {
-+ goto Exit;
-+ }
- }
-
- if (RetransTimer != 0) {
-diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
-index bf64e9114e..5795e23c7d 100644
---- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
-+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h
-@@ -2,7 +2,7 @@
- Definition of Neighbor Discovery support routines.
-
- Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -780,10 +780,10 @@ Ip6OnArpResolved (
- /**
- Update the ReachableTime in IP6 service binding instance data, in milliseconds.
-
-- @param[in, out] IpSb Points to the IP6_SERVICE.
--
-+ @retval EFI_SUCCESS ReachableTime Updated
-+ @retval others Failed to update ReachableTime
- **/
--VOID
-+EFI_STATUS
- Ip6UpdateReachableTime (
- IN OUT IP6_SERVICE *IpSb
- );
-diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
-index fd4a9e15a8..01c13c08d2 100644
---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
-+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
-@@ -3,6 +3,7 @@
-
- Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
- (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
- **/
-
-@@ -31,6 +32,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
- #include <Library/DevicePathLib.h>
- #include <Library/PrintLib.h>
- #include <Library/UefiLib.h>
-+#include <Protocol/Rng.h>
-
- #define NIC_ITEM_CONFIG_SIZE (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE)
- #define DEFAULT_ZERO_START ((UINTN) ~0)
-@@ -127,6 +129,25 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = {
- 0
- };
-
-+//
-+// These represent UEFI SPEC defined algorithms that should be supported by
-+// the RNG protocol and are generally considered secure.
-+//
-+// The order of the algorithms in this array is important. This order is the order
-+// in which the algorithms will be tried by the RNG protocol.
-+// If your platform needs to use a specific algorithm for the random number generator,
-+// then you should place that algorithm first in the array.
-+//
-+GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID *mSecureHashAlgorithms[] = {
-+ &gEfiRngAlgorithmSp80090Ctr256Guid, // SP800-90A DRBG CTR using AES-256
-+ &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256
-+ &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256
-+ &gEfiRngAlgorithmArmRndr, // unspecified SP800-90A DRBG via ARM RNDR register
-+ &gEfiRngAlgorithmRaw, // Raw data from NRBG (or TRNG)
-+};
-+
-+#define SECURE_HASH_ALGORITHMS_SIZE (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *))
-+
- /**
- Locate the handles that support SNP, then open one of them
- to send the syslog packets. The caller isn't required to close
-@@ -884,34 +905,107 @@ Ip6Swap128 (
- }
-
- /**
-- Initialize a random seed using current time and monotonic count.
-+ Generate a Random output data given a length.
-
-- Get current time and monotonic count first. Then initialize a random seed
-- based on some basic mathematics operation on the hour, day, minute, second,
-- nanosecond and year of the current time and the monotonic count value.
-+ @param[out] Output - The buffer to store the generated random data.
-+ @param[in] OutputLength - The length of the output buffer.
-
-- @return The random seed initialized with current time.
-+ @retval EFI_SUCCESS On Success
-+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero
-+ @retval EFI_NOT_FOUND RNG protocol not found
-+ @retval Others Error from RngProtocol->GetRNG()
-
-+ @return Status code
- **/
--UINT32
-+EFI_STATUS
- EFIAPI
--NetRandomInitSeed (
-- VOID
-+PseudoRandom (
-+ OUT VOID *Output,
-+ IN UINTN OutputLength
- )
- {
-- EFI_TIME Time;
-- UINT32 Seed;
-- UINT64 MonotonicCount;
-+ EFI_RNG_PROTOCOL *RngProtocol;
-+ EFI_STATUS Status;
-+ UINTN AlgorithmIndex;
-+
-+ if ((Output == NULL) || (OutputLength == 0)) {
-+ return EFI_INVALID_PARAMETER;
-+ }
-+
-+ Status = gBS->LocateProtocol (&gEfiRngProtocolGuid, NULL, (VOID **)&RngProtocol);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "Failed to locate EFI_RNG_PROTOCOL: %r\n", Status));
-+ ASSERT_EFI_ERROR (Status);
-+ return Status;
-+ }
-+
-+ if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) {
-+ for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) {
-+ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output);
-+ if (!EFI_ERROR (Status)) {
-+ //
-+ // Secure Algorithm was supported on this platform
-+ //
-+ return EFI_SUCCESS;
-+ } else if (Status == EFI_UNSUPPORTED) {
-+ //
-+ // Secure Algorithm was not supported on this platform
-+ //
-+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
-+
-+ //
-+ // Try the next secure algorithm
-+ //
-+ continue;
-+ } else {
-+ //
-+ // Some other error occurred
-+ //
-+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
-+ ASSERT_EFI_ERROR (Status);
-+ return Status;
-+ }
-+ }
-+
-+ //
-+ // If we get here, we failed to generate random data using any secure algorithm
-+ // Platform owner should ensure that at least one secure algorithm is supported
-+ //
-+ ASSERT_EFI_ERROR (Status);
-+ return Status;
-+ }
-+
-+ //
-+ // Lets try using the default algorithm (which may not be secure)
-+ //
-+ Status = RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status));
-+ ASSERT_EFI_ERROR (Status);
-+ return Status;
-+ }
-
-- gRT->GetTime (&Time, NULL);
-- Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
-- Seed ^= Time.Nanosecond;
-- Seed ^= Time.Year << 7;
-+ return EFI_SUCCESS;
-+}
-+
-+/**
-+ Generate a 32-bit pseudo-random number.
-
-- gBS->GetNextMonotonicCount (&MonotonicCount);
-- Seed += (UINT32)MonotonicCount;
-+ @param[out] Output - The buffer to store the generated random number.
-
-- return Seed;
-+ @retval EFI_SUCCESS On Success
-+ @retval EFI_NOT_FOUND RNG protocol not found
-+ @retval Others Error from RngProtocol->GetRNG()
-+
-+ @return Status code
-+**/
-+EFI_STATUS
-+EFIAPI
-+PseudoRandomU32 (
-+ OUT UINT32 *Output
-+ )
-+{
-+ return PseudoRandom (Output, sizeof (*Output));
- }
-
- /**
-diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
-index 8145d256ec..a8f534a293 100644
---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
-+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
-@@ -3,6 +3,7 @@
- #
- # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
- # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
-+# Copyright (c) Microsoft Corporation
- # SPDX-License-Identifier: BSD-2-Clause-Patent
- #
- ##
-@@ -49,7 +50,11 @@
- gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable
- gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable
- gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES
--
-+ gEfiRngAlgorithmRaw ## CONSUMES
-+ gEfiRngAlgorithmSp80090Ctr256Guid ## CONSUMES
-+ gEfiRngAlgorithmSp80090Hmac256Guid ## CONSUMES
-+ gEfiRngAlgorithmSp80090Hash256Guid ## CONSUMES
-+ gEfiRngAlgorithmArmRndr ## CONSUMES
-
- [Protocols]
- gEfiSimpleNetworkProtocolGuid ## SOMETIMES_CONSUMES
-@@ -59,3 +64,10 @@
- gEfiComponentNameProtocolGuid ## SOMETIMES_CONSUMES
- gEfiComponentName2ProtocolGuid ## SOMETIMES_CONSUMES
- gEfiAdapterInformationProtocolGuid ## SOMETIMES_CONSUMES
-+ gEfiRngProtocolGuid ## CONSUMES
-+
-+[FixedPcd]
-+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES
-+
-+[Depex]
-+ gEfiRngProtocolGuid
-diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec
-index 928e84fec4..ff335e957c 100644
---- a/NetworkPkg/NetworkPkg.dec
-+++ b/NetworkPkg/NetworkPkg.dec
-@@ -5,6 +5,7 @@
- #
- # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.<BR>
- # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP<BR>
-+# Copyright (c) Microsoft Corporation
- #
- # SPDX-License-Identifier: BSD-2-Clause-Patent
- #
-@@ -127,6 +128,12 @@
- # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call.
- gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C
-
-+ ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections.
-+ # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms.
-+ # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider.
-+ # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms.
-+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x1000000D
-+
- [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
- ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355).
- # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT]
-diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
-index 7e900483fe..2b2c794697 100644
---- a/NetworkPkg/SecurityFixes.yaml
-+++ b/NetworkPkg/SecurityFixes.yaml
-@@ -121,3 +121,42 @@ CVE_2023_45235:
- - http://www.openwall.com/lists/oss-security/2024/01/16/2
- - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
- - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
-+CVE_2023_45237:
-+ commit_titles:
-+ - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
-+ cve: CVE-2023-45237
-+ date_reported: 2023-08-28 13:56 UTC
-+ description: "Bug 09 - Use of a Weak PseudoRandom Number Generator"
-+ note:
-+ files_impacted:
-+ - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
-+ - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
-+ - NetworkPkg/DnsDxe/DnsDhcp.c
-+ - NetworkPkg/DnsDxe/DnsImpl.c
-+ - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
-+ - NetworkPkg/IScsiDxe/IScsiCHAP.c
-+ - NetworkPkg/IScsiDxe/IScsiMisc.c
-+ - NetworkPkg/IScsiDxe/IScsiMisc.h
-+ - NetworkPkg/Include/Library/NetLib.h
-+ - NetworkPkg/Ip4Dxe/Ip4Driver.c
-+ - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
-+ - NetworkPkg/Ip6Dxe/Ip6Driver.c
-+ - NetworkPkg/Ip6Dxe/Ip6If.c
-+ - NetworkPkg/Ip6Dxe/Ip6Mld.c
-+ - NetworkPkg/Ip6Dxe/Ip6Nd.c
-+ - NetworkPkg/Ip6Dxe/Ip6Nd.h
-+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.c
-+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
-+ - NetworkPkg/NetworkPkg.dec
-+ - NetworkPkg/TcpDxe/TcpDriver.c
-+ - NetworkPkg/Udp4Dxe/Udp4Driver.c
-+ - NetworkPkg/Udp6Dxe/Udp6Driver.c
-+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
-+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
-+ - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
-+ links:
-+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4542
-+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45237
-+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
-+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
-+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
-diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
-index 98a90e0210..8fe6badd68 100644
---- a/NetworkPkg/TcpDxe/TcpDriver.c
-+++ b/NetworkPkg/TcpDxe/TcpDriver.c
-@@ -2,7 +2,7 @@
- The driver binding and service binding protocol for the TCP driver.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -163,7 +163,13 @@ TcpDriverEntryPoint (
- )
- {
- EFI_STATUS Status;
-- UINT32 Seed;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- //
- // Install the TCP Driver Binding Protocol
-@@ -203,9 +209,8 @@ TcpDriverEntryPoint (
- //
- // Initialize ISS and random port.
- //
-- Seed = NetRandomInitSeed ();
-- mTcpGlobalIss = NET_RANDOM (Seed) % mTcpGlobalIss;
-- mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (NET_RANDOM (Seed) % TCP_PORT_KNOWN));
-+ mTcpGlobalIss = Random % mTcpGlobalIss;
-+ mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
- mTcp6RandomPort = mTcp4RandomPort;
-
- return EFI_SUCCESS;
-diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
-index c0acbdca57..cf5423f4c5 100644
---- a/NetworkPkg/TcpDxe/TcpDxe.inf
-+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
-@@ -82,5 +82,8 @@
- gEfiTcp6ProtocolGuid ## BY_START
- gEfiTcp6ServiceBindingProtocolGuid ## BY_START
-
-+[Depex]
-+ gEfiHash2ServiceBindingProtocolGuid
-+
- [UserExtensions.TianoCore."ExtraFiles"]
- TcpDxeExtra.uni
-diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c
-index cb917fcfc9..c7ea16f4cd 100644
---- a/NetworkPkg/Udp4Dxe/Udp4Driver.c
-+++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c
-@@ -1,6 +1,7 @@
- /** @file
-
- Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -555,6 +556,13 @@ Udp4DriverEntryPoint (
- )
- {
- EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- //
- // Install the Udp4DriverBinding and Udp4ComponentName protocols.
-@@ -571,7 +579,7 @@ Udp4DriverEntryPoint (
- //
- // Initialize the UDP random port.
- //
-- mUdp4RandomPort = (UINT16)(((UINT16)NetRandomInitSeed ()) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN);
-+ mUdp4RandomPort = (UINT16)(((UINT16)Random) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN);
- }
-
- return Status;
-diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c
-index ae96fb9966..edb758d57c 100644
---- a/NetworkPkg/Udp6Dxe/Udp6Driver.c
-+++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c
-@@ -2,7 +2,7 @@
- Driver Binding functions and Service Binding functions for the Network driver module.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -596,6 +596,13 @@ Udp6DriverEntryPoint (
- )
- {
- EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- //
- // Install the Udp6DriverBinding and Udp6ComponentName protocols.
-@@ -614,7 +621,7 @@ Udp6DriverEntryPoint (
- // Initialize the UDP random port.
- //
- mUdp6RandomPort = (UINT16)(
-- ((UINT16)NetRandomInitSeed ()) %
-+ ((UINT16)Random) %
- UDP6_PORT_KNOWN +
- UDP6_PORT_KNOWN
- );
-diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
-index 91146b78cb..452038c219 100644
---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
-+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
-@@ -2,7 +2,7 @@
- Functions implementation related with DHCPv4 for UefiPxeBc Driver.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover (
- UINT8 VendorOptLen;
- UINT32 Xid;
-
-+ Status = PseudoRandomU32 (&Xid);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- Mode = Private->PxeBc.Mode;
- Dhcp4 = Private->Dhcp4;
- Status = EFI_SUCCESS;
-@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover (
- //
- // Set fields of the token for the request packet.
- //
-- Xid = NET_RANDOM (NetRandomInitSeed ());
- Token.Packet->Dhcp4.Header.Xid = HTONL (Xid);
- Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)((IsBCast) ? 0x8000 : 0x0));
- CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS));
-diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
-index 7fd1281c11..bcabbd2219 100644
---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
-+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
-@@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover (
- UINTN ReadSize;
- UINT16 OpCode;
- UINT16 OpLen;
-- UINT32 Xid;
-+ UINT32 Random;
- EFI_STATUS Status;
- UINTN DiscoverLenNeeded;
-
-@@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover (
- return EFI_DEVICE_ERROR;
- }
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
- Discover = AllocateZeroPool (DiscoverLenNeeded);
- if (Discover == NULL) {
-@@ -2207,8 +2213,7 @@ PxeBcDhcp6Discover (
- //
- // Build the discover packet by the cached request packet before.
- //
-- Xid = NET_RANDOM (NetRandomInitSeed ());
-- Discover->TransactionId = HTONL (Xid);
-+ Discover->TransactionId = HTONL (Random);
- Discover->MessageType = Request->Dhcp6.Header.MessageType;
- RequestOpt = Request->Dhcp6.Option;
- DiscoverOpt = Discover->DhcpOptions;
-diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
-index d84aca7e85..4cd915b411 100644
---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
-+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
-@@ -3,6 +3,7 @@
-
- (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.<BR>
-+ Copyright (c) Microsoft Corporation
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-@@ -892,6 +893,13 @@ PxeBcCreateIp6Children (
- PXEBC_PRIVATE_PROTOCOL *Id;
- EFI_SIMPLE_NETWORK_PROTOCOL *Snp;
- UINTN Index;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "Failed to generate random number using EFI_RNG_PROTOCOL: %r\n", Status));
-+ return Status;
-+ }
-
- if (Private->Ip6Nic != NULL) {
- //
-@@ -935,9 +943,9 @@ PxeBcCreateIp6Children (
- }
-
- //
-- // Generate a random IAID for the Dhcp6 assigned address.
-+ // Set a random IAID for the Dhcp6 assigned address.
- //
-- Private->IaId = NET_RANDOM (NetRandomInitSeed ());
-+ Private->IaId = Random;
- if (Private->Snp != NULL) {
- for (Index = 0; Index < Private->Snp->Mode->HwAddressSize; Index++) {
- Private->IaId |= (Private->Snp->Mode->CurrentAddress.Addr[Index] << ((Index << 3) & 31));
---
-2.40.0
-
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index d52e3f4971..bb345688ac 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -47,8 +47,6 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://CVE-2023-45229-0002.patch \
file://CVE-2023-45229-0003.patch \
file://CVE-2023-45229-0004.patch \
- file://CVE-2023-45237-0001.patch \
- file://CVE-2023-45237-0002.patch \
file://CVE-2023-45236.patch \
file://CVE-2022-36765-0001.patch \
file://CVE-2022-36765-0002.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 10/22] Revert "ovmf: Fix CVE-2023-45236"
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (8 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 09/22] Revert "ovmf: Fix CVE-2023-45237" Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 11/22] libxml2: fix compilation of explicit child axis in pattern Steve Sakoman
` (11 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
This reverts commit a9cd3321558e95f61ed4c5eca0dcf5a3f4704925.
The fix for CVE-2023-45237 has been reverted. And the fix for
CVE-2023-45236 depends on it. So revert it too.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ovmf/ovmf/CVE-2023-45236.patch | 829 ------------------
meta/recipes-core/ovmf/ovmf_git.bb | 1 -
2 files changed, 830 deletions(-)
delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch
deleted file mode 100644
index ac43392ce6..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch
+++ /dev/null
@@ -1,829 +0,0 @@
-From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Wed, 8 May 2024 22:56:29 -0700
-Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
-
-REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
-REF: https://www.rfc-editor.org/rfc/rfc1948.txt
-REF: https://www.rfc-editor.org/rfc/rfc6528.txt
-REF: https://www.rfc-editor.org/rfc/rfc9293.txt
-
-Bug Overview:
-PixieFail Bug #8
-CVE-2023-45236
-CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
-CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
-
-Updates TCP ISN generation to use a cryptographic hash of the
-connection's identifying parameters and a secret key.
-This prevents an attacker from guessing the ISN used for some other
-connection.
-
-This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
-
-RFC: 9293 Section 3.4.1. Initial Sequence Number Selection
-
- A TCP implementation MUST use the above type of "clock" for clock-
- driven selection of initial sequence numbers (MUST-8), and SHOULD
- generate its initial sequence numbers with the expression:
-
- ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
-
- where M is the 4 microsecond timer, and F() is a pseudorandom
- function (PRF) of the connection's identifying parameters ("localip,
- localport, remoteip, remoteport") and a secret key ("secretkey")
- (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or
- an attacker could still guess at sequence numbers from the ISN used
- for some other connection. The PRF could be implemented as a
- cryptographic hash of the concatenation of the TCP connection
- parameters and some secret data. For discussion of the selection of
- a specific hash algorithm and management of the secret key data,
- please see Section 3 of [42].
-
- For each connection there is a send sequence number and a receive
- sequence number. The initial send sequence number (ISS) is chosen by
- the data sending TCP peer, and the initial receive sequence number
- (IRS) is learned during the connection-establishing procedure.
-
- For a connection to be established or initialized, the two TCP peers
- must synchronize on each other's initial sequence numbers. This is
- done in an exchange of connection-establishing segments carrying a
- control bit called "SYN" (for synchronize) and the initial sequence
- numbers. As a shorthand, segments carrying the SYN bit are also
- called "SYNs". Hence, the solution requires a suitable mechanism for
- picking an initial sequence number and a slightly involved handshake
- to exchange the ISNs.
-
-Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
-Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
-
-Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
-Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
-
-CVE: CVE-2023-45236
-
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7]
-
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
----
- NetworkPkg/SecurityFixes.yaml | 22 +++
- NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++-
- NetworkPkg/TcpDxe/TcpDxe.inf | 8 +-
- NetworkPkg/TcpDxe/TcpFunc.h | 23 ++--
- NetworkPkg/TcpDxe/TcpInput.c | 13 +-
- NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++--
- NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++--
- NetworkPkg/TcpDxe/TcpTimer.c | 3 +-
- 8 files changed, 415 insertions(+), 49 deletions(-)
-
-diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
-index 2b2c794697..ab355419cc 100644
---- a/NetworkPkg/SecurityFixes.yaml
-+++ b/NetworkPkg/SecurityFixes.yaml
-@@ -121,6 +121,28 @@ CVE_2023_45235:
- - http://www.openwall.com/lists/oss-security/2024/01/16/2
- - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
- - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
-+CVE_2023_45236:
-+ commit_titles:
-+ - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"
-+ cve: CVE-2023-45236
-+ date_reported: 2023-08-28 13:56 UTC
-+ description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers"
-+ note:
-+ files_impacted:
-+ - NetworkPkg/Include/Library/NetLib.h
-+ - NetworkPkg/TcpDxe/TcpDriver.c
-+ - NetworkPkg/TcpDxe/TcpDxe.inf
-+ - NetworkPkg/TcpDxe/TcpFunc.h
-+ - NetworkPkg/TcpDxe/TcpInput.c
-+ - NetworkPkg/TcpDxe/TcpMain.h
-+ - NetworkPkg/TcpDxe/TcpMisc.c
-+ - NetworkPkg/TcpDxe/TcpTimer.c
-+ links:
-+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4541
-+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45236
-+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
-+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
-+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
- CVE_2023_45237:
- commit_titles:
- - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
-diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
-index 8fe6badd68..40bba4080c 100644
---- a/NetworkPkg/TcpDxe/TcpDriver.c
-+++ b/NetworkPkg/TcpDxe/TcpDriver.c
-@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = {
- TcpServiceBindingDestroyChild
- };
-
-+//
-+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces
-+// if the platform does not provide one.
-+//
-+EFI_HANDLE mHash2ServiceHandle = NULL;
-+
- /**
- Create and start the heartbeat timer for the TCP driver.
-
-@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
- EFI_STATUS Status;
- UINT32 Random;
-
-+ //
-+ // Initialize the Secret used for hashing TCP sequence numbers
-+ //
-+ // Normally this should be regenerated periodically, but since
-+ // this is only used for UEFI networking and not a general purpose
-+ // operating system, it is not necessary to regenerate it.
-+ //
-+ Status = PseudoRandomU32 (&mTcpGlobalSecret);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
-+ //
-+ // Get a random number used to generate a random port number
-+ // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret
-+ //
- Status = PseudoRandomU32 (&Random);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
-@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
- }
-
- //
-- // Initialize ISS and random port.
-+ // Initialize the random port.
- //
-- mTcpGlobalIss = Random % mTcpGlobalIss;
- mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
- mTcp6RandomPort = mTcp4RandomPort;
-
-@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
- @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
-
- @retval EFI_OUT_OF_RESOURCES Failed to allocate some resources.
-+ @retval EFI_UNSUPPORTED Service Binding Protocols are unavailable.
-+ @retval EFI_ALREADY_STARTED The TCP driver is already started on the controller.
- @retval EFI_SUCCESS A new IP6 service binding private was created.
-
- **/
-@@ -234,11 +258,13 @@ TcpCreateService (
- IN UINT8 IpVersion
- )
- {
-- EFI_STATUS Status;
-- EFI_GUID *IpServiceBindingGuid;
-- EFI_GUID *TcpServiceBindingGuid;
-- TCP_SERVICE_DATA *TcpServiceData;
-- IP_IO_OPEN_DATA OpenData;
-+ EFI_STATUS Status;
-+ EFI_GUID *IpServiceBindingGuid;
-+ EFI_GUID *TcpServiceBindingGuid;
-+ TCP_SERVICE_DATA *TcpServiceData;
-+ IP_IO_OPEN_DATA OpenData;
-+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;
-+ EFI_HASH2_PROTOCOL *Hash2Protocol;
-
- if (IpVersion == IP_VERSION_4) {
- IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid;
-@@ -272,6 +298,33 @@ TcpCreateService (
- return EFI_UNSUPPORTED;
- }
-
-+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
-+ if (EFI_ERROR (Status)) {
-+ //
-+ // If we can't find the Hashing protocol, then we need to create one.
-+ //
-+
-+ //
-+ // Platform is expected to publish the hash service binding protocol to support TCP.
-+ //
-+ Status = gBS->LocateProtocol (
-+ &gEfiHash2ServiceBindingProtocolGuid,
-+ NULL,
-+ (VOID **)&Hash2ServiceBinding
-+ );
-+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) {
-+ return EFI_UNSUPPORTED;
-+ }
-+
-+ //
-+ // Create an instance of the hash protocol for this controller.
-+ //
-+ Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle);
-+ if (EFI_ERROR (Status)) {
-+ return EFI_UNSUPPORTED;
-+ }
-+ }
-+
- //
- // Create the TCP service data.
- //
-@@ -423,6 +476,7 @@ TcpDestroyService (
- EFI_STATUS Status;
- LIST_ENTRY *List;
- TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context;
-+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;
-
- ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
-
-@@ -439,6 +493,30 @@ TcpDestroyService (
- return EFI_SUCCESS;
- }
-
-+ //
-+ // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
-+ //
-+ if (mHash2ServiceHandle != NULL) {
-+ Status = gBS->LocateProtocol (
-+ &gEfiHash2ServiceBindingProtocolGuid,
-+ NULL,
-+ (VOID **)&Hash2ServiceBinding
-+ );
-+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
-+ return EFI_UNSUPPORTED;
-+ }
-+
-+ //
-+ // Destroy the instance of the hashing protocol for this controller.
-+ //
-+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
-+ if (EFI_ERROR (Status)) {
-+ return EFI_UNSUPPORTED;
-+ }
-+
-+ mHash2ServiceHandle = NULL;
-+ }
-+
- Status = gBS->OpenProtocol (
- NicHandle,
- ServiceBindingGuid,
-diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
-index cf5423f4c5..76de4cf9ec 100644
---- a/NetworkPkg/TcpDxe/TcpDxe.inf
-+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
-@@ -6,6 +6,7 @@
- # stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
- #
- # Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-+# Copyright (c) Microsoft Corporation
- #
- # SPDX-License-Identifier: BSD-2-Clause-Patent
- #
-@@ -68,7 +69,6 @@
- NetLib
- IpIoLib
-
--
- [Protocols]
- ## SOMETIMES_CONSUMES
- ## SOMETIMES_PRODUCES
-@@ -81,6 +81,12 @@
- gEfiIp6ServiceBindingProtocolGuid ## TO_START
- gEfiTcp6ProtocolGuid ## BY_START
- gEfiTcp6ServiceBindingProtocolGuid ## BY_START
-+ gEfiHash2ProtocolGuid ## BY_START
-+ gEfiHash2ServiceBindingProtocolGuid ## BY_START
-+
-+[Guids]
-+ gEfiHashAlgorithmMD5Guid ## CONSUMES
-+ gEfiHashAlgorithmSha256Guid ## CONSUMES
-
- [Depex]
- gEfiHash2ServiceBindingProtocolGuid
-diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
-index a7af01fff2..c707bee3e5 100644
---- a/NetworkPkg/TcpDxe/TcpFunc.h
-+++ b/NetworkPkg/TcpDxe/TcpFunc.h
-@@ -2,7 +2,7 @@
- Declaration of external functions shared in TCP driver.
-
- Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -36,8 +36,11 @@ VOID
-
- @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
-
-+ @retval EFI_SUCCESS The operation completed successfully
-+ @retval others The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpInitTcbLocal (
- IN OUT TCP_CB *Tcb
- );
-@@ -128,17 +131,6 @@ TcpCloneTcb (
- IN TCP_CB *Tcb
- );
-
--/**
-- Compute an ISS to be used by a new connection.
--
-- @return The result ISS.
--
--**/
--TCP_SEQNO
--TcpGetIss (
-- VOID
-- );
--
- /**
- Get the local mss.
-
-@@ -202,8 +194,11 @@ TcpFormatNetbuf (
- @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
- connection.
-
-+ @retval EFI_SUCCESS The operation completed successfully
-+ @retval others The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpOnAppConnect (
- IN OUT TCP_CB *Tcb
- );
-diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
-index fb1aa827f8..0477a15d0c 100644
---- a/NetworkPkg/TcpDxe/TcpInput.c
-+++ b/NetworkPkg/TcpDxe/TcpInput.c
-@@ -724,6 +724,7 @@ TcpInput (
- TCP_SEQNO Urg;
- UINT16 Checksum;
- INT32 Usable;
-+ EFI_STATUS Status;
-
- ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
-
-@@ -872,7 +873,17 @@ TcpInput (
- Tcb->LocalEnd.Port = Head->DstPort;
- Tcb->RemoteEnd.Port = Head->SrcPort;
-
-- TcpInitTcbLocal (Tcb);
-+ Status = TcpInitTcbLocal (Tcb);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG (
-+ (DEBUG_ERROR,
-+ "TcpInput: discard a segment because failed to init local end for TCB %p\n",
-+ Tcb)
-+ );
-+
-+ goto DISCARD;
-+ }
-+
- TcpInitTcbPeer (Tcb, Seg, &Option);
-
- TcpSetState (Tcb, TCP_SYN_RCVD);
-diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
-index c0c9b7f46e..4d5566ab93 100644
---- a/NetworkPkg/TcpDxe/TcpMain.h
-+++ b/NetworkPkg/TcpDxe/TcpMain.h
-@@ -3,7 +3,7 @@
- It is the common head file for all Tcp*.c in TCP driver.
-
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -13,6 +13,7 @@
-
- #include <Protocol/ServiceBinding.h>
- #include <Protocol/DriverBinding.h>
-+#include <Protocol/Hash2.h>
- #include <Library/IpIoLib.h>
- #include <Library/DevicePathLib.h>
- #include <Library/PrintLib.h>
-@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable;
-
- extern LIST_ENTRY mTcpRunQue;
- extern LIST_ENTRY mTcpListenQue;
--extern TCP_SEQNO mTcpGlobalIss;
-+extern TCP_SEQNO mTcpGlobalSecret;
- extern UINT32 mTcpTick;
-
- ///
-@@ -45,14 +46,6 @@ extern UINT32 mTcpTick;
-
- #define TCP_EXPIRE_TIME 65535
-
--///
--/// The implementation selects the initial send sequence number and the unit to
--/// be added when it is increased.
--///
--#define TCP_BASE_ISS 0x4d7e980b
--#define TCP_ISS_INCREMENT_1 2048
--#define TCP_ISS_INCREMENT_2 100
--
- typedef union {
- EFI_TCP4_CONFIG_DATA Tcp4CfgData;
- EFI_TCP6_CONFIG_DATA Tcp6CfgData;
-@@ -774,4 +767,50 @@ Tcp6Poll (
- IN EFI_TCP6_PROTOCOL *This
- );
-
-+/**
-+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
-+ and remote IP addresses and ports.
-+
-+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
-+ Where the ISN is computed as follows:
-+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
-+
-+ Otherwise:
-+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
-+
-+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
-+ connection's identifying parameters ("localip, localport, remoteip, remoteport")
-+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
-+ outside (MUST-9), or an attacker could still guess at sequence numbers from the
-+ ISN used for some other connection. The PRF could be implemented as a
-+ cryptographic hash of the concatenation of the TCP connection parameters and some
-+ secret data. For discussion of the selection of a specific hash algorithm and
-+ management of the secret key data."
-+
-+ @param[in] LocalIp A pointer to the local IP address of the TCP connection.
-+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
-+ @param[in] LocalPort The local port number of the TCP connection.
-+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
-+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
-+ @param[in] RemotePort The remote port number of the TCP connection.
-+ @param[out] Isn A pointer to the variable that will receive the Initial
-+ Sequence Number (ISN).
-+
-+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was
-+ retrieved.
-+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
-+ @retval EFI_UNSUPPORTED The operation is not supported.
-+
-+**/
-+EFI_STATUS
-+TcpGetIsn (
-+ IN UINT8 *LocalIp,
-+ IN UINTN LocalIpSize,
-+ IN UINT16 LocalPort,
-+ IN UINT8 *RemoteIp,
-+ IN UINTN RemoteIpSize,
-+ IN UINT16 RemotePort,
-+ OUT TCP_SEQNO *Isn
-+ );
-+
- #endif
-diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
-index c93212d47d..3310306f63 100644
---- a/NetworkPkg/TcpDxe/TcpMisc.c
-+++ b/NetworkPkg/TcpDxe/TcpMisc.c
-@@ -3,7 +3,7 @@
-
- (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = {
- &mTcpListenQue
- };
-
--TCP_SEQNO mTcpGlobalIss = TCP_BASE_ISS;
-+//
-+// The Session secret
-+// This must be initialized to a random value at boot time
-+//
-+TCP_SEQNO mTcpGlobalSecret;
-+
-+//
-+// Union to hold either an IPv4 or IPv6 address
-+// This is used to simplify the ISN hash computation
-+//
-+typedef union {
-+ UINT8 IPv4[4];
-+ UINT8 IPv6[16];
-+} NETWORK_ADDRESS;
-+
-+//
-+// The ISN is computed by hashing this structure
-+// It is initialized with the local and remote IP addresses and ports
-+// and the secret
-+//
-+//
-+typedef struct {
-+ UINT16 LocalPort;
-+ UINT16 RemotePort;
-+ NETWORK_ADDRESS LocalAddress;
-+ NETWORK_ADDRESS RemoteAddress;
-+ TCP_SEQNO Secret;
-+} ISN_HASH_CTX;
-
- CHAR16 *mTcpStateName[] = {
- L"TCP_CLOSED",
-@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = {
-
- @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
-
-+ @retval EFI_SUCCESS The operation completed successfully
-+ @retval others The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpInitTcbLocal (
- IN OUT TCP_CB *Tcb
- )
- {
-+ TCP_SEQNO Isn;
-+ EFI_STATUS Status;
-+
- //
- // Compute the checksum of the fixed parts of pseudo header
- //
-@@ -57,6 +90,16 @@ TcpInitTcbLocal (
- 0x06,
- 0
- );
-+
-+ Status = TcpGetIsn (
-+ Tcb->LocalEnd.Ip.v4.Addr,
-+ sizeof (IPv4_ADDRESS),
-+ Tcb->LocalEnd.Port,
-+ Tcb->RemoteEnd.Ip.v4.Addr,
-+ sizeof (IPv4_ADDRESS),
-+ Tcb->RemoteEnd.Port,
-+ &Isn
-+ );
- } else {
- Tcb->HeadSum = NetIp6PseudoHeadChecksum (
- &Tcb->LocalEnd.Ip.v6,
-@@ -64,9 +107,25 @@ TcpInitTcbLocal (
- 0x06,
- 0
- );
-+
-+ Status = TcpGetIsn (
-+ Tcb->LocalEnd.Ip.v6.Addr,
-+ sizeof (IPv6_ADDRESS),
-+ Tcb->LocalEnd.Port,
-+ Tcb->RemoteEnd.Ip.v6.Addr,
-+ sizeof (IPv6_ADDRESS),
-+ Tcb->RemoteEnd.Port,
-+ &Isn
-+ );
-+ }
-+
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
-+ ASSERT (FALSE);
-+ return Status;
- }
-
-- Tcb->Iss = TcpGetIss ();
-+ Tcb->Iss = Isn;
- Tcb->SndUna = Tcb->Iss;
- Tcb->SndNxt = Tcb->Iss;
-
-@@ -82,6 +141,8 @@ TcpInitTcbLocal (
- Tcb->RetxmitSeqMax = 0;
-
- Tcb->ProbeTimerOn = FALSE;
-+
-+ return EFI_SUCCESS;
- }
-
- /**
-@@ -506,18 +567,162 @@ TcpCloneTcb (
- }
-
- /**
-- Compute an ISS to be used by a new connection.
--
-- @return The resulting ISS.
-+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
-+ and remote IP addresses and ports.
-+
-+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
-+ Where the ISN is computed as follows:
-+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
-+
-+ Otherwise:
-+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
-+
-+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
-+ connection's identifying parameters ("localip, localport, remoteip, remoteport")
-+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
-+ outside (MUST-9), or an attacker could still guess at sequence numbers from the
-+ ISN used for some other connection. The PRF could be implemented as a
-+ cryptographic hash of the concatenation of the TCP connection parameters and some
-+ secret data. For discussion of the selection of a specific hash algorithm and
-+ management of the secret key data."
-+
-+ @param[in] LocalIp A pointer to the local IP address of the TCP connection.
-+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
-+ @param[in] LocalPort The local port number of the TCP connection.
-+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
-+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
-+ @param[in] RemotePort The remote port number of the TCP connection.
-+ @param[out] Isn A pointer to the variable that will receive the Initial
-+ Sequence Number (ISN).
-+
-+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was
-+ retrieved.
-+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
-+ @retval EFI_UNSUPPORTED The operation is not supported.
-
- **/
--TCP_SEQNO
--TcpGetIss (
-- VOID
-+EFI_STATUS
-+TcpGetIsn (
-+ IN UINT8 *LocalIp,
-+ IN UINTN LocalIpSize,
-+ IN UINT16 LocalPort,
-+ IN UINT8 *RemoteIp,
-+ IN UINTN RemoteIpSize,
-+ IN UINT16 RemotePort,
-+ OUT TCP_SEQNO *Isn
- )
- {
-- mTcpGlobalIss += TCP_ISS_INCREMENT_1;
-- return mTcpGlobalIss;
-+ EFI_STATUS Status;
-+ EFI_HASH2_PROTOCOL *Hash2Protocol;
-+ EFI_HASH2_OUTPUT HashResult;
-+ ISN_HASH_CTX IsnHashCtx;
-+ EFI_TIME TimeStamp;
-+
-+ //
-+ // Check that the ISN pointer is valid
-+ //
-+ if (Isn == NULL) {
-+ return EFI_INVALID_PARAMETER;
-+ }
-+
-+ //
-+ // The local ip may be a v4 or v6 address and may not be NULL
-+ //
-+ if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) {
-+ return EFI_INVALID_PARAMETER;
-+ }
-+
-+ //
-+ // the local ip may be a v4 or v6 address
-+ //
-+ if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) {
-+ return EFI_INVALID_PARAMETER;
-+ }
-+
-+ //
-+ // Locate the Hash Protocol
-+ //
-+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status));
-+
-+ //
-+ // TcpCreateService(..) is expected to be called prior to this function
-+ //
-+ ASSERT_EFI_ERROR (Status);
-+ return Status;
-+ }
-+
-+ //
-+ // Initialize the hash algorithm
-+ //
-+ Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status));
-+ return Status;
-+ }
-+
-+ IsnHashCtx.LocalPort = LocalPort;
-+ IsnHashCtx.RemotePort = RemotePort;
-+ IsnHashCtx.Secret = mTcpGlobalSecret;
-+
-+ //
-+ // Check the IP address family and copy accordingly
-+ //
-+ if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) {
-+ CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);
-+ } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) {
-+ CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize);
-+ } else {
-+ return EFI_INVALID_PARAMETER; // Unsupported address size
-+ }
-+
-+ //
-+ // Repeat the process for the remote IP address
-+ //
-+ if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) {
-+ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);
-+ } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) {
-+ CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);
-+ } else {
-+ return EFI_INVALID_PARAMETER; // Unsupported address size
-+ }
-+
-+ //
-+ // Compute the hash
-+ // Update the hash with the data
-+ //
-+ Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status));
-+ return Status;
-+ }
-+
-+ //
-+ // Finalize the hash and retrieve the result
-+ //
-+ Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status));
-+ return Status;
-+ }
-+
-+ Status = gRT->GetTime (&TimeStamp, NULL);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ //
-+ // copy the first 4 bytes of the hash result into the ISN
-+ //
-+ CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));
-+
-+ //
-+ // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250)
-+ //
-+ *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250;
-+
-+ return Status;
- }
-
- /**
-@@ -721,17 +926,28 @@ TcpFormatNetbuf (
- @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a
- connection.
-
-+ @retval EFI_SUCCESS The operation completed successfully
-+ @retval others The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpOnAppConnect (
- IN OUT TCP_CB *Tcb
- )
- {
-- TcpInitTcbLocal (Tcb);
-+ EFI_STATUS Status;
-+
-+ Status = TcpInitTcbLocal (Tcb);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
- TcpSetState (Tcb, TCP_SYN_SENT);
-
- TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout);
- TcpToSendData (Tcb, 1);
-+
-+ return EFI_SUCCESS;
- }
-
- /**
-diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
-index 5d2e124977..065b1bdf5f 100644
---- a/NetworkPkg/TcpDxe/TcpTimer.c
-+++ b/NetworkPkg/TcpDxe/TcpTimer.c
-@@ -2,7 +2,7 @@
- TCP timer related functions.
-
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -483,7 +483,6 @@ TcpTickingDpc (
- INT16 Index;
-
- mTcpTick++;
-- mTcpGlobalIss += TCP_ISS_INCREMENT_2;
-
- //
- // Don't use LIST_FOR_EACH, which isn't delete safe.
---
-2.40.0
-
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index bb345688ac..3c577e51a9 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -47,7 +47,6 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://CVE-2023-45229-0002.patch \
file://CVE-2023-45229-0003.patch \
file://CVE-2023-45229-0004.patch \
- file://CVE-2023-45236.patch \
file://CVE-2022-36765-0001.patch \
file://CVE-2022-36765-0002.patch \
file://CVE-2022-36765-0003.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 11/22] libxml2: fix compilation of explicit child axis in pattern
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (9 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 10/22] Revert "ovmf: Fix CVE-2023-45236" Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 12/22] libxml2: patch CVE-2024-56171 Steve Sakoman
` (10 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This was reported as sucurity fix in
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.10
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...x-compilation-of-explicit-child-axis.patch | 31 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch
diff --git a/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch b/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch
new file mode 100644
index 0000000000..932c0ec422
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch
@@ -0,0 +1,31 @@
+From 503f788e84f1c1f1d769c2c7258d77faee94b5a3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 13 Feb 2025 16:48:53 +0100
+Subject: [PATCH] pattern: Fix compilation of explicit child axis
+
+The child axis is the default axis and should generate XML_OP_ELEM like
+the case without an axis.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/503f788e84f1c1f1d769c2c7258d77faee94b5a3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pattern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pattern.c b/pattern.c
+index 27e96946..3182794e 100644
+--- a/pattern.c
++++ b/pattern.c
+@@ -1178,10 +1178,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) {
+ goto error;
+ }
+ } else {
+- PUSH(XML_OP_CHILD, token, URL);
++ PUSH(XML_OP_ELEM, token, URL);
+ }
+ } else
+- PUSH(XML_OP_CHILD, name, NULL);
++ PUSH(XML_OP_ELEM, name, NULL);
+ return;
+ } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) {
+ XML_PAT_FREE_STRING(ctxt, name)
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index ecaae0b436..912bcfd0f3 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -34,6 +34,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2024-25062.patch \
file://CVE-2024-34459.patch \
file://CVE-2022-49043.patch \
+ file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 12/22] libxml2: patch CVE-2024-56171
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (10 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 11/22] libxml2: fix compilation of explicit child axis in pattern Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 13/22] libxml2: patch CVE-2025-24928 Steve Sakoman
` (9 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit from 2.12 branch.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2024-56171.patch | 42 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch
new file mode 100644
index 0000000000..6c7b1c11e7
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch
@@ -0,0 +1,42 @@
+From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 10 Dec 2024 16:52:05 +0100
+Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after
+ xmlSchemaItemListAdd
+
+xmlSchemaItemListAdd can reallocate the items array. Update local
+variables after adding item in
+
+- xmlSchemaIDCFillNodeTables
+- xmlSchemaBubbleIDCNodeTables
+
+Fixes #828.
+
+CVE: CVE-2024-56171
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/245b70d7d2768572ae1b05b3668ca858b9ec4ed4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ xmlschemas.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index a089ebc5..18e35e75 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23647,6 +23647,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ }
+ if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
+ goto internal_error;
++ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
+ /*
+ * Remove the duplicate entry from the IDC node-table.
+ */
+@@ -23863,6 +23864,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt)
+ goto internal_error;
+ }
+ xmlSchemaItemListAdd(parBind->dupls, parNode);
++ dupls = (xmlSchemaPSVIIDCNodePtr *)
++ parBind->dupls->items;
+ } else {
+ /*
+ * Add the node-table entry (node and key-sequence) of
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 912bcfd0f3..e9578ceb59 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2024-34459.patch \
file://CVE-2022-49043.patch \
file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \
+ file://CVE-2024-56171.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 13/22] libxml2: patch CVE-2025-24928
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (11 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 12/22] libxml2: patch CVE-2024-56171 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 14/22] libcap: fix CVE-2025-1390 Steve Sakoman
` (8 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit fomr 2.12 branch.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2025-24928.patch | 58 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
2 files changed, 59 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
new file mode 100644
index 0000000000..6da43f81a5
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
@@ -0,0 +1,58 @@
+From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 11 Feb 2025 17:30:40 +0100
+Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
+ xmlSnprintfElements
+
+Fixes #847.
+
+CVE: CVE-2025-24928
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/858ca26c0689161a6b903a6682cc8a1cc10a0ea8]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ valid.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index ed3c8503..36a0435b 100644
+--- a/valid.c
++++ b/valid.c
+@@ -5259,25 +5259,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
+ return;
+ }
+ switch (cur->type) {
+- case XML_ELEMENT_NODE:
++ case XML_ELEMENT_NODE: {
++ int qnameLen = xmlStrlen(cur->name);
++
++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
++ qnameLen += xmlStrlen(cur->ns->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ if ((size - len > 4) && (buf[len - 1] != '.'))
++ strcat(buf, " ...");
++ return;
++ }
+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
+- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
+- if ((size - len > 4) && (buf[len - 1] != '.'))
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) cur->ns->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(cur->name) + 10) {
+- if ((size - len > 4) && (buf[len - 1] != '.'))
+- strcat(buf, " ...");
+- return;
+- }
+- strcat(buf, (char *) cur->name);
++ if (cur->name != NULL)
++ strcat(buf, (char *) cur->name);
+ if (cur->next != NULL)
+ strcat(buf, " ");
+ break;
++ }
+ case XML_TEXT_NODE:
+ if (xmlIsBlankNode(cur))
+ break;
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index e9578ceb59..8f1d882505 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -36,6 +36,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2022-49043.patch \
file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \
file://CVE-2024-56171.patch \
+ file://CVE-2025-24928.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 14/22] libcap: fix CVE-2025-1390
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (12 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 13/22] libxml2: patch CVE-2025-24928 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 15/22] ffmpeg: ignore 5 CVEs Steve Sakoman
` (7 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libcap/files/CVE-2025-1390.patch | 36 +++++++++++++++++++
meta/recipes-support/libcap/libcap_2.66.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-support/libcap/files/CVE-2025-1390.patch
diff --git a/meta/recipes-support/libcap/files/CVE-2025-1390.patch b/meta/recipes-support/libcap/files/CVE-2025-1390.patch
new file mode 100644
index 0000000000..339feaba92
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2025-1390.patch
@@ -0,0 +1,36 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues. Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878]
+CVE: CVE-2025-1390
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 7e8cade..7b3d2d1 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -143,6 +143,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+
+ if (line[0] != '@') {
+ D(("user [%s] is not [%s] - skipping", user, line));
++ continue;
+ }
+
+ int i;
+--
+2.25.1
+
diff --git a/meta/recipes-support/libcap/libcap_2.66.bb b/meta/recipes-support/libcap/libcap_2.66.bb
index 7534063b7d..42dacb301e 100644
--- a/meta/recipes-support/libcap/libcap_2.66.bb
+++ b/meta/recipes-support/libcap/libcap_2.66.bb
@@ -18,6 +18,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
file://0002-tests-do-not-run-target-executables.patch \
file://CVE-2023-2602.patch \
file://CVE-2023-2603.patch \
+ file://CVE-2025-1390.patch \
"
SRC_URI:append:class-nativesdk = " \
file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 15/22] ffmpeg: ignore 5 CVEs
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (13 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 14/22] libcap: fix CVE-2025-1390 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 16/22] ffmpeg: ignore CVE-2024-7272 Steve Sakoman
` (6 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
There is no release which is vulnerable to these CVEs.
These vulnerabilities are in new features being developed and were fixed
before release.
NVD most likely does not accept CVE rejection from a non-maintainer and
non-reporter, so ignoring this CVE should be acceptable solution.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index b5b11496f4..bded23bc35 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -57,6 +57,24 @@ SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a
# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018
CVE_CHECK_IGNORE += "CVE-2023-39018"
+# There is no release which is vulnerable to these CVEs
+# These vulnerabilities are in new features being developed and fixed before releasing them
+# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962
+CVE_CHECK_IGNORE += "CVE-2023-46407"
+# feature (evc parser): https://github.com/FFmpeg/FFmpeg/commit/34e4f18360c4ecb8e5979cab8f389478d8cd7819
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/4565747056a11356210ed8edcecb920105e40b60
+CVE_CHECK_IGNORE += "CVE-2023-47470"
+# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/d2e8974699a9e35cc1a926bf74a972300d629cd5
+CVE_CHECK_IGNORE += "CVE-2024-22860"
+# feature (oqs audio decoder): https://github.com/FFmpeg/FFmpeg/commit/7ef9d31071021c05e6b792af3f25b7b9ceaa9258
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce
+CVE_CHECK_IGNORE += "CVE-2024-22861"
+# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/ca09d8a0dcd82e3128e62463231296aaf63ae6f7
+CVE_CHECK_IGNORE += "CVE-2024-22862"
+
# Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
ARM_INSTRUCTION_SET:armv4 = "arm"
ARM_INSTRUCTION_SET:armv5 = "arm"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 16/22] ffmpeg: ignore CVE-2024-7272
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (14 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 15/22] ffmpeg: ignore 5 CVEs Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 17/22] gstreamer1.0-rtsp-server: fix CVE-2024-44331 Steve Sakoman
` (5 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This vulnerability was introduced in 5.1, so 5.0.1 is not affected.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index bded23bc35..900545a5f0 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -75,6 +75,11 @@ CVE_CHECK_IGNORE += "CVE-2024-22861"
# bugfix: https://github.com/FFmpeg/FFmpeg/commit/ca09d8a0dcd82e3128e62463231296aaf63ae6f7
CVE_CHECK_IGNORE += "CVE-2024-22862"
+# This vulnerability was introduced in 5.1 and fixed in 5.2 (backported also to 5.1.6), so 5.0.x is not affected
+# introduced: https://github.com/FFmpeg/FFmpeg/commit/8a5896ec1f635ccf0d726f7ba7a06649ebeebf25
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6
+CVE_CHECK_IGNORE += "CVE-2024-7272"
+
# Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
ARM_INSTRUCTION_SET:armv4 = "arm"
ARM_INSTRUCTION_SET:armv5 = "arm"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 17/22] gstreamer1.0-rtsp-server: fix CVE-2024-44331
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (15 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 16/22] ffmpeg: ignore CVE-2024-7272 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 18/22] ffmpeg: fix CVE-2024-36618 Steve Sakoman
` (4 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c
allows remote attackers to cause a denial of service via a series of specially crafted
hexstream requests.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../CVE-2024-44331.patch | 44 +++++++++++++++++++
.../gstreamer1.0-rtsp-server_1.20.7.bb | 4 +-
2 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch
new file mode 100644
index 0000000000..e78fef7b93
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch
@@ -0,0 +1,44 @@
+From aa3e97d67c05d4648ea58c7ff7675e24a81ca72b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 24 Oct 2024 20:12:55 +0300
+Subject: [PATCH] rtsp-server: Remove pointless assertions that can happen if
+ client provides invalid rates
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3731
+Fixes CVE-2024-44331
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7739>
+
+CVE: CVE-2024-44331
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/aa3e97d67c05d4648ea58c7ff7675e24a81ca72b]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst/rtsp-server/rtsp-media.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/gst/rtsp-server/rtsp-media.c b/gst/rtsp-server/rtsp-media.c
+index 88bf7a7..e482b44 100644
+--- a/gst/rtsp-server/rtsp-media.c
++++ b/gst/rtsp-server/rtsp-media.c
+@@ -2737,15 +2737,13 @@ gst_rtsp_media_get_rates (GstRTSPMedia * media, gdouble * rate,
+ first_stream = FALSE;
+ } else {
+ if (save_rate != *rate || save_applied_rate != *applied_rate) {
+- /* diffrent rate or applied_rate, weird */
+- g_assert (FALSE);
++ /* different rate or applied_rate, weird */
+ result = FALSE;
+ break;
+ }
+ }
+ } else {
+- /* complete stream withot rate and applied_rate, weird */
+- g_assert (FALSE);
++ /* complete stream without rate and applied_rate, weird */
+ result = FALSE;
+ break;
+ }
+--
+2.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb
index 2901be69d2..a7d17e3b1e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb
@@ -8,7 +8,9 @@ DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base"
PNREAL = "gst-rtsp-server"
-SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz"
+SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz \
+ file://CVE-2024-44331.patch \
+ "
SRC_URI[sha256sum] = "2c8f46aa9df2245e5b39a2082be8e9d3edc0f61bc34f667803d7a21da1b51987"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 18/22] ffmpeg: fix CVE-2024-36618
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (16 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 17/22] gstreamer1.0-rtsp-server: fix CVE-2024-44331 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 19/22] ffmpeg: fix CVE-2024-28661 Steve Sakoman
` (3 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library
which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2024-36618.patch | 36 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
new file mode 100644
index 0000000000..941b38260a
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
@@ -0,0 +1,36 @@
+From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Tue, 12 Mar 2024 23:23:17 +0100
+Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX <
+ INT64_MAX
+
+Affects many FATE-tests, see
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Reviewed-by: James Almer <jamrial@gmail.com>
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+
+CVE: CVE-2024-36618
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/avidec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/avidec.c b/libavformat/avidec.c
+index 8584b4a..b0fe7df 100644
+--- a/libavformat/avidec.c
++++ b/libavformat/avidec.c
+@@ -1682,7 +1682,7 @@ static int check_stream_max_drift(AVFormatContext *s)
+ int *idx = av_calloc(s->nb_streams, sizeof(*idx));
+ if (!idx)
+ return AVERROR(ENOMEM);
+- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
++ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
+ int64_t max_dts = INT64_MIN / 2;
+ int64_t min_dts = INT64_MAX / 2;
+ int64_t max_buffer = 0;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 900545a5f0..aa317513a1 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -47,6 +47,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://CVE-2024-36613.patch \
file://CVE-2024-36616.patch \
file://CVE-2024-36617.patch \
+ file://CVE-2024-36618.patch \
"
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 19/22] ffmpeg: fix CVE-2024-28661
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (17 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 18/22] ffmpeg: fix CVE-2024-36618 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 20/22] ffmpeg: fix CVE-2024-35369 Steve Sakoman
` (2 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2024-28661.patch | 40 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch
new file mode 100644
index 0000000000..fd5009bccc
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch
@@ -0,0 +1,40 @@
+From 66b50445cb36cf6adb49c2397362509aedb42c71 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Fri, 16 Feb 2024 11:17:13 -0300
+Subject: [PATCH] avcodec/speexdec: check for sane frame_size values
+
+Regression since ab39cc36c72bb73318bb911acb66873de850a107.
+
+Fixes heap buffer overflows
+Fixes ticket #10866
+
+Reported-by: sploitem <sploitem@gmail.com>
+Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
+Signed-off-by: James Almer <jamrial@gmail.com>
+
+CVE: CVE-2024-28661
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/66b50445cb36cf6adb49c2397362509aedb42c71]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/speexdec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
+index ee95417..5b016df 100644
+--- a/libavcodec/speexdec.c
++++ b/libavcodec/speexdec.c
+@@ -1419,8 +1419,9 @@ static int parse_speex_extradata(AVCodecContext *avctx,
+ return AVERROR_INVALIDDATA;
+ s->bitrate = bytestream_get_le32(&buf);
+ s->frame_size = bytestream_get_le32(&buf);
+- if (s->frame_size < NB_FRAME_SIZE << s->mode)
++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0))
+ return AVERROR_INVALIDDATA;
++ s->frame_size *= 1 + (s->mode > 0);
+ s->vbr = bytestream_get_le32(&buf);
+ s->frames_per_packet = bytestream_get_le32(&buf);
+ if (s->frames_per_packet <= 0 ||
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index aa317513a1..2048e51962 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://CVE-2024-36616.patch \
file://CVE-2024-36617.patch \
file://CVE-2024-36618.patch \
+ file://CVE-2024-28661.patch \
"
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 20/22] ffmpeg: fix CVE-2024-35369
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (18 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 19/22] ffmpeg: fix CVE-2024-28661 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 21/22] ffmpeg: fix CVE-2025-25473 Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 22/22] vim: Upgrade 9.1.0764 -> 9.1.1043 Steve Sakoman
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module,
a potential security vulnerability exists due to insufficient validation of
certain parameters when parsing Speex codec extradata. This vulnerability
could lead to integer overflow conditions, potentially resulting in undefined
behavior or crashes during the decoding process.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2024-35369.patch | 38 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
new file mode 100644
index 0000000000..b408ee2edc
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
@@ -0,0 +1,38 @@
+From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Sat, 17 Feb 2024 09:45:57 -0300
+Subject: [PATCH] avcodec/speexdec: further check for sane frame_size
+ values
+
+Prevent potential integer overflows.
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+
+CVE: CVE-2024-35369
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/speexdec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
+index 5b016df..f1f739a 100644
+--- a/libavcodec/speexdec.c
++++ b/libavcodec/speexdec.c
+@@ -1419,9 +1419,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
+ return AVERROR_INVALIDDATA;
+ s->bitrate = bytestream_get_le32(&buf);
+ s->frame_size = bytestream_get_le32(&buf);
+- if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0))
++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) ||
++ s->frame_size > INT32_MAX >> (s->mode > 0))
+ return AVERROR_INVALIDDATA;
+- s->frame_size *= 1 + (s->mode > 0);
++ s->frame_size <<= (s->mode > 0);
+ s->vbr = bytestream_get_le32(&buf);
+ s->frames_per_packet = bytestream_get_le32(&buf);
+ if (s->frames_per_packet <= 0 ||
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 2048e51962..2173105fd3 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://CVE-2024-36617.patch \
file://CVE-2024-36618.patch \
file://CVE-2024-28661.patch \
+ file://CVE-2024-35369.patch \
"
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 21/22] ffmpeg: fix CVE-2025-25473
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (19 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 20/22] ffmpeg: fix CVE-2024-35369 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
2025-02-25 14:29 ` [OE-core][kirkstone 22/22] vim: Upgrade 9.1.0764 -> 9.1.1043 Steve Sakoman
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer
dereference via the component libavformat/mov.c.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2025-25473.patch | 36 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch
new file mode 100644
index 0000000000..c9527751b5
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch
@@ -0,0 +1,36 @@
+From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Fri, 17 Jan 2025 00:05:31 -0300
+Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue
+ when closing a muxer
+
+packet_buffer is used in mux.c, and if a muxing process fails at a point where
+packets remained in said queue, they will leak.
+
+Fixes ticket #11419
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+
+CVE: CVE-2025-25473
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/c08d300481b8ebb846cd43a473988fdbc6793d1b]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index cee86ae..fe458dd 100644
+--- a/libavformat/utils.c
++++ b/libavformat/utils.c
+@@ -724,6 +724,7 @@ void avformat_free_context(AVFormatContext *s)
+ av_dict_free(&si->id3v2_meta);
+ av_packet_free(&si->pkt);
+ av_packet_free(&si->parse_pkt);
++ avpriv_packet_list_free(&si->packet_buffer);
+ av_freep(&s->streams);
+ ff_flush_packet_queue(s);
+ av_freep(&s->url);
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 2173105fd3..4b99c0fa21 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -50,6 +50,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://CVE-2024-36618.patch \
file://CVE-2024-28661.patch \
file://CVE-2024-35369.patch \
+ file://CVE-2025-25473.patch \
"
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][kirkstone 22/22] vim: Upgrade 9.1.0764 -> 9.1.1043
2025-02-25 14:29 [OE-core][kirkstone 00/22] Patch review Steve Sakoman
` (20 preceding siblings ...)
2025-02-25 14:29 ` [OE-core][kirkstone 21/22] ffmpeg: fix CVE-2025-25473 Steve Sakoman
@ 2025-02-25 14:29 ` Steve Sakoman
21 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2025-02-25 14:29 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014
Changes between 9.1.0764 -> 9.1.1043
====================================
https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/vim/vim.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 582eddcb9d..4ac9c58c80 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,8 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
-PV .= ".0764"
-SRCREV = "51b62387be93c65fa56bbabe1c3c1ea5df187641"
+PV .= ".1043"
+SRCREV = "9d1bed5eccdbb46a26b8a484f5e9163c40e63919"
# Do not consider .z in x.y.z, as that is updated with every commit
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
--
2.43.0
^ permalink raw reply related [flat|nested] 23+ messages in thread