public inbox for openembedded-core@lists.openembedded.org
From: "Fabien Thomas" <fabien.thomas@smile.fr>
To: <hongxu.jia@windriver.com>,
	<openembedded-core@lists.openembedded.org>,
	<yoann.congal@smile.fr>
Subject: Re: [OE-core] [scarthgap][PATCH 3/3] ovmf: fix CVE-2024-38798
Date: Thu, 30 Apr 2026 11:25:17 +0200
Message-ID: <DI6DQKDSGHF1.244EBN969P2YA@smile.fr>
In-Reply-To: <20260427045650.2365793-3-hongxu.jia@windriver.com>

On Mon Apr 27, 2026 at 6:56 AM CEST, hongxu via lists.openembedded.org wrote:
> According to [1],
>
>   EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
>   Sensitive Information to an Unauthorized Actor” by local access. Successful
>   exploitation of this vulnerability will lead to possible information disclosure
>   or escalation of privilege and impact Confidentiality.
>
> Backport a patch [2] from upstream to fix CVE-2024-38798
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
> [2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  .../ovmf/ovmf/CVE-2024-38798.patch            | 116 ++++++++++++++++++
>  meta/recipes-core/ovmf/ovmf_git.bb            |   1 +
>  2 files changed, 117 insertions(+)
>  create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>
> diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
> new file mode 100644
> index 0000000000..2d0a73c7a6
> --- /dev/null
> +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
> @@ -0,0 +1,116 @@
> +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
> +From: Hongxu Jia <hongxu.jia@windriver.com>
> +Date: Mon, 5 Jan 2026 13:04:18 +0800
> +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
> +
> +There is a possibility to retrieve user input keystroke data stored in the
> +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
> +exposure of the password string, clear the queue buffer by filling it
> +with zeros after reading.
> +
> +Signed-off-by: Nick Wang <nick.wang@insyde.com>
> +
> +CVE: CVE-2024-38798
> +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +---
> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c       | 2 ++
> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c        | 1 +
> + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c                  | 2 +-
> + .../Universal/Console/ConSplitterDxe/ConSplitter.c        | 1 +
> + .../Universal/Console/TerminalDxe/TerminalConIn.c         | 8 ++++++--
> + 5 files changed, 11 insertions(+), 3 deletions(-)
> +
> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
> +index 981309f..32757a7 100644
> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
> +@@ -650,6 +650,8 @@ PopScancodeBufHead (
> +     if (Buf != NULL) {
> +       Buf[Index] = Queue->Buffer[Queue->Head];
> +     }
> ++
> ++    Queue->Buffer[Queue->Head] = 0;
> +   }
> + 
> +   return EFI_SUCCESS;
> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
> +index 81d3c6e..e03c88f 100644
> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
> +@@ -51,6 +51,7 @@ PopEfikeyBufHead (
> +     CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
> +   }
> + 
> ++  ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
> +   Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
> +   return EFI_SUCCESS;
> + }
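Review bot: the new ZeroMem in PopEfikeyBufHead sits outside the conditional that guards the CopyMem above it (the condition itself is not in the visible context), so the head slot is wiped on the discard path as well as on the normal read; that is the behaviour a reviewer would want, since a discarded keystroke must not linger any more than a consumed one, but a one-line comment stating that the clear is deliberately unconditional would stop a later cleanup from moving it inside the braces. The `sizeof (EFI_KEY_DATA)` length matches the CopyMem, so the whole element is cleared.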
> +diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> +index b5a6459..7df1566 100644
> +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> +@@ -1840,7 +1840,7 @@ Dequeue (
> +   }
> + 
> +   CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
> +-
> ++  ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
> +   //
> +   // Adjust the head pointer of the FIFO keyboard buffer.
> +   //
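Review bot: this hunk replaces the blank separator line with the ZeroMem call, so the call now runs straight into the `//` comment block that follows; add the ZeroMem as a new line and keep the blank line, as every other hunk in this patch does. The argument is passed as `Queue->Buffer[Queue->Head]` without `&`, consistent with the CopyMem source two lines up, so the element is a pointer to an ItemSize-byte item and the clear lands on the pointed-to storage, which is the intent.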
> +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
> +index 0a776f3..5c1a35e 100644
> +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
> ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
> +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
> +     &Private->KeyQueue[1],
> +     Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
> +     );
> ++  ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
> +   return EFI_SUCCESS;
> + }
> + 
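Review bot: the slot cleared here, `KeyQueue[Private->CurrentNumberOfKeys]`, is the stale duplicate left behind by the CopyMem shift only if CurrentNumberOfKeys has already been decremented before that CopyMem; the decrement is outside the visible context of this hunk, so confirm the ordering, because with the pre-decrement count the ZeroMem would hit the entry one past the duplicate and leave the copied key in place. A short comment on the ZeroMem line saying it wipes the tail copy left by the shift would make the invariant explicit.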
> +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
> +index f1d0a34..8aafb4b 100644
> +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
> ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
> +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
> +     return FALSE;
> +   }
> + 
> +-  *Output = TerminalDevice->RawFiFo->Data[Head];
> ++  *Output                             = TerminalDevice->RawFiFo->Data[Head];
> ++  TerminalDevice->RawFiFo->Data[Head] = 0;
> + 
> +   TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
> + 
> +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
> +   }
> + 
> +   CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> ++  ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> + 
> +   EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
> + 
> +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
> +   }
> + 
> +   CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> ++  ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> + 
> +   TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
> + 
> +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
> +   Head = TerminalDevice->UnicodeFiFo->Head;
> +   ASSERT (Head < FIFO_MAX_NUMBER + 1);
> + 
> +-  *Output = TerminalDevice->UnicodeFiFo->Data[Head];
> ++  *Output                                 = TerminalDevice->UnicodeFiFo->Data[Head];
> ++  TerminalDevice->UnicodeFiFo->Data[Head] = 0;
> + 
> +   TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
> + }
> +-- 
> +2.34.1
> +
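Review bot: the header of the embedded patch file says `From: Hongxu Jia` with a 2026 date, while the Signed-off-by from Nick Wang and the Upstream-Status URL show the change is a backport of upstream commit 0cad130c; a backport should keep the upstream author and date in the From:/Date: lines (a `git format-patch` of the cherry-pick preserves them) so attribution survives in the recipe tree. The CVE: and Upstream-Status: tags are in the expected form.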
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index f0503db9fb..85b3d7c911 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -36,6 +36,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
>             file://CVE-2025-2296-7.patch \
>             file://CVE-2025-2296-8.patch \
>             file://CVE-2025-2296-9.patch \
> +           file://CVE-2024-38798.patch \
>             "
>  
>  PV = "edk2-stable202402"
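Review bot: the context lines of this hunk (`file://CVE-2025-2296-7.patch` through `-9.patch`) only exist once [PATCH 2/3] of this series has been applied, so this hunk cannot apply on its own to the scarthgap branch, and since 2/3 is itself reported as not applying, this one fails with it. Rebase both patches on current scarthgap so the SRC_URI context matches, or make each SRC_URI addition independent of the other so the patches can be applied in any order.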

Hello Hongxu,

I'm filling in for Yoann while he's on leave.

It appears that the patches from commits "[PATCH 2/3] ovmf: fix CVE-2025-2296"
and "[PATCH 3/3] ovmf: fix CVE-2024-38798" apply to neither the
scarthgap-next nor the scarthgap branch:
`Patch 0001-AmdSev-Halt-on-failed-blob-allocation.patch does not apply`
`Patch CVE-2024-38798.patch does not apply`

Could you take another look at this?

-- 
Fabien Thomas
Smile ECS


