From: "Fabien Thomas" <fabien.thomas@smile.fr>
To: "Hongxu Jia" <hongxu.jia@windriver.com>,
"Fabien Thomas" <fabien.thomas@smile.fr>,
<openembedded-core@lists.openembedded.org>,
<yoann.congal@smile.fr>
Subject: Re: [OE-core] [scarthgap][PATCH 3/3] ovmf: fix CVE-2024-38798
Date: Thu, 30 Apr 2026 14:25:34 +0200 [thread overview]
Message-ID: <DI6HKLJPYBHV.95KI3VALLEC2@smile.fr> (raw)
In-Reply-To: <29edab2d-29e6-49f3-88ec-6eb1d831214c@windriver.com>
On Thu Apr 30, 2026 at 2:05 PM CEST, Hongxu Jia wrote:
> On 4/30/26 17:25, Fabien Thomas wrote:
>>
>> On Mon Apr 27, 2026 at 6:56 AM CEST, hongxu via lists.openembedded.org wrote:
>>> According to [1],
>>>
>>> EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
>>> Sensitive Information to an Unauthorized Actor” by local access. Successful
>>> exploitation of this vulnerability will lead to possible information disclosure
>>> or escalation of privilege and impact Confidentiality.
>>>
>>> Backport a patch [2] from upstream to fix CVE-2024-38798
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
>>> [2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249
>>>
>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> ---
>>> .../ovmf/ovmf/CVE-2024-38798.patch | 116 ++++++++++++++++++
>>> meta/recipes-core/ovmf/ovmf_git.bb | 1 +
>>> 2 files changed, 117 insertions(+)
>>> create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>>
>>> diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>> new file mode 100644
>>> index 0000000000..2d0a73c7a6
>>> --- /dev/null
>>> +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>> @@ -0,0 +1,116 @@
>>> +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
>>> +From: Hongxu Jia <hongxu.jia@windriver.com>
>>> +Date: Mon, 5 Jan 2026 13:04:18 +0800
>>> +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
>>> +
>>> +There is a possibility to retrieve user input keystroke data stored in the
>>> +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
>>> +exposure of the password string, clear the queue buffer by filling it
>>> +with zeros after reading.
>>> +
>>> +Signed-off-by: Nick Wang <nick.wang@insyde.com>
>>> +
>>> +CVE: CVE-2024-38798
>>> +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> +---
>>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c | 2 ++
>>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c | 1 +
>>> + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 2 +-
>>> + .../Universal/Console/ConSplitterDxe/ConSplitter.c | 1 +
>>> + .../Universal/Console/TerminalDxe/TerminalConIn.c | 8 ++++++--
>>> + 5 files changed, 11 insertions(+), 3 deletions(-)
>>> +
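Review bot: the From: line of the embedded patch names the backporter, while the Signed-off-by and the linked upstream commit credit Nick Wang; keep the upstream author in From: and let the backport be recorded by Hongxu's own Signed-off-by, which is already present below the Upstream-Status tag.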
>>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>>> +index 981309f..32757a7 100644
>>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>>> +@@ -650,6 +650,8 @@ PopScancodeBufHead (
>>> + if (Buf != NULL) {
>>> + Buf[Index] = Queue->Buffer[Queue->Head];
>>> + }
>>> ++
>>> ++ Queue->Buffer[Queue->Head] = 0;
>>> + }
>>> +
>>> + return EFI_SUCCESS;
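Review bot: the clear sits after the `if (Buf != NULL)` block rather than inside it, so a pop-and-discard call with a NULL Buf still wipes the slot, which is the right placement. This hunk uses a plain `Queue->Buffer[Queue->Head] = 0;` while the other four files use ZeroMem; a single UINT8 store is fine, but one idiom across the series makes later audits of "is every dequeue path clearing" easier to grep.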
>>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>>> +index 81d3c6e..e03c88f 100644
>>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>>> +@@ -51,6 +51,7 @@ PopEfikeyBufHead (
>>> + CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>>> + }
>>> +
>>> ++ ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>>> + Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
>>> + return EFI_SUCCESS;
>>> + }
>>> +diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>>> +index b5a6459..7df1566 100644
>>> +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>>> ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>>> +@@ -1840,7 +1840,7 @@ Dequeue (
>>> + }
>>> +
>>> + CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
>>> +-
>>> ++ ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
>>> + //
>>> + // Adjust the head pointer of the FIFO keyboard buffer.
>>> + //
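Review bot: `Queue->Buffer[Queue->Head]` is passed to ZeroMem without `&`, matching the CopyMem just above it, so Buffer holds per-item pointers and ItemSize bytes behind the pointer are cleared; that is consistent. The removed blank line leaves the ZeroMem call butted against the `//` comment block that follows; keep a blank line before the comment so the clear reads as part of the copy step rather than of the head adjustment.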
>>> +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>>> +index 0a776f3..5c1a35e 100644
>>> +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>>> ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>>> +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
>>> + &Private->KeyQueue[1],
>>> + Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
>>> + );
>>> ++ ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
>>> + return EFI_SUCCESS;
>>> + }
>>> +
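Review bot: the ZeroMem index `Private->CurrentNumberOfKeys` only lands on the vacated tail slot if the count was decremented before the CopyMem above (which copies CurrentNumberOfKeys entries starting at index 1, leaving the stale duplicate at that index). The decrement is outside the hunk, so confirm the ordering in the scarthgap tree matches upstream; if the count were decremented afterwards the clear would be off by one and the last key would remain in memory.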
>>> +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>>> +index f1d0a34..8aafb4b 100644
>>> +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>>> ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>>> +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
>>> + return FALSE;
>>> + }
>>> +
>>> +- *Output = TerminalDevice->RawFiFo->Data[Head];
>>> ++ *Output = TerminalDevice->RawFiFo->Data[Head];
>>> ++ TerminalDevice->RawFiFo->Data[Head] = 0;
>>> +
>>> + TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
>>> +
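Review bot: the deleted and re-added `*Output = TerminalDevice->RawFiFo->Data[Head];` lines read identically here, so the only difference is trailing whitespace or a line ending, which fits the CR-at-end-of-line issue raised later in the thread; the UnicodeFiFo hunk further down has the same delete/re-add. Adding only the new `Data[Head] = 0;` line, without touching the existing assignment, would avoid the churn.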
>>> +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
>>> + }
>>> +
>>> + CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> ++ ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> +
>>> + EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>>> +
>>> +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
>>> + }
>>> +
>>> + CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> ++ ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> +
>>> + TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>>> +
>>> +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
>>> + Head = TerminalDevice->UnicodeFiFo->Head;
>>> + ASSERT (Head < FIFO_MAX_NUMBER + 1);
>>> +
>>> +- *Output = TerminalDevice->UnicodeFiFo->Data[Head];
>>> ++ *Output = TerminalDevice->UnicodeFiFo->Data[Head];
>>> ++ TerminalDevice->UnicodeFiFo->Data[Head] = 0;
>>> +
>>> + TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>>> + }
>>> +--
>>> +2.34.1
>>> +
>>> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
>>> index f0503db9fb..85b3d7c911 100644
>>> --- a/meta/recipes-core/ovmf/ovmf_git.bb
>>> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
>>> @@ -36,6 +36,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
>>> file://CVE-2025-2296-7.patch \
>>> file://CVE-2025-2296-8.patch \
>>> file://CVE-2025-2296-9.patch \
>>> + file://CVE-2024-38798.patch \
>>> "
>>>
>>> PV = "edk2-stable202402"
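Review bot: the new entry goes at the end of the CVE list, which keeps the apply order of the existing CVE-2025-2296 series unchanged. Since the recipe pins `PV = "edk2-stable202402"` and the embedded patch is dated January 2026, it is worth confirming the backported hunks land on that tag rather than on current master, for example with `bitbake ovmf -c patch` after a `git am --keep-cr` apply, before merging.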
>> Hello Hongxu,
>>
>> I'm filling in for Yoann while he's on leave.
>>
>> It appears that the patches from commits "[PATCH 2/3] ovmf: fix CVE-2025-2296"
>> and "[PATCH 3/3] ovmf: fix CVE-2024-38798" apply to neither the
>> scarthgap-next nor the scarthgap branch:
>> `Patch 0001-AmdSev-Halt-on-failed-blob-allocation.patch does not apply`
>> `Patch CVE-2024-38798.patch does not apply`
>>
>> Could you take another look at this?
>
> Hi Thomas,
>
> I could apply the patch on the latest scarthgap; I am afraid it was caused
> by the `CR' at the end of lines.
>
> Would you please apply the patch with `git am --keep-cr 00*.patch' or
> cherry-pick from my GitHub with the following steps:
>
> $ git fetch https://github.com/hongxu-jia/openembedded-core.git scarthgap
>
> $ git log HEAD..FETCH_HEAD --oneline
> 405b06db9d (scarthgap) ovmf: fix CVE-2024-38798
> 5b951e8d74 ovmf: fix CVE-2025-2296
> 2b93d45cfa u-boot: fix CVE-2025-24857
>
> $ git cherry-pick 2b93d45cfa 5b951e8d74 405b06db9d
>
> //Hongxu
>
>
>>
>> --
>> Fabien Thomas
>> Smile ECS
>>
Sorry Hongxu,
I didn't see your other reply at first.
I've just done exactly what you suggested and they now apply correctly.
Thanks for these fixes.
Regards,
--
Fabien Thomas
Smile ECS
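The queue-clearing fix quoted above, as an added C example that is not part of the patch or of edk2: a hypothetical EFI_INPUT_KEY-style ring buffer in the TerminalDxe FIFO layout, with the pre-fix pop routine beside the patched one, and a check that counts how many keystrokes survive in the backing array after the queue has been drained. The type and function names, the FIFO_MAX_NUMBER value and the use of memset in place of ZeroMem are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define FIFO_MAX_NUMBER 8   /* value chosen for the example, not edk2's */

/* Hypothetical stand-ins for edk2's EFI_INPUT_KEY and the TerminalDxe FIFO layout. */
typedef struct { uint16_t ScanCode; uint16_t UnicodeChar; } KeyData;
typedef struct { KeyData Data[FIFO_MAX_NUMBER + 1]; uint8_t Head; uint8_t Tail; } KeyFifo;

int FifoInsert(KeyFifo *f, KeyData k) {
    uint8_t next = (uint8_t)((f->Tail + 1) % (FIFO_MAX_NUMBER + 1));
    if (next == f->Head) return 0;                 /* queue full, key dropped */
    f->Data[f->Tail] = k;
    f->Tail = next;
    return 1;
}

/* Pre-fix behaviour: the popped slot keeps the keystroke until it is overwritten. */
int FifoRemoveLeaky(KeyFifo *f, KeyData *out) {
    if (f->Head == f->Tail) return 0;
    *out = f->Data[f->Head];
    f->Head = (uint8_t)((f->Head + 1) % (FIFO_MAX_NUMBER + 1));
    return 1;
}

/* Patched behaviour: clear the slot (ZeroMem in edk2) before advancing Head. */
int FifoRemoveClearing(KeyFifo *f, KeyData *out) {
    if (f->Head == f->Tail) return 0;
    *out = f->Data[f->Head];
    memset(&f->Data[f->Head], 0, sizeof f->Data[f->Head]);
    f->Head = (uint8_t)((f->Head + 1) % (FIFO_MAX_NUMBER + 1));
    return 1;
}

/* Slots still holding a keystroke: what a reader of the backing structure could recover. */
size_t ResidualKeys(const KeyFifo *f) {
    size_t n = 0;
    for (size_t i = 0; i < FIFO_MAX_NUMBER + 1; i++)
        if (f->Data[i].ScanCode != 0 || f->Data[i].UnicodeChar != 0) n++;
    return n;
}

/* Type a constructed password through the queue, drain it with the given pop routine,
   and report how many characters survive in the backing array. */
size_t LeakAfterDrain(int (*pop)(KeyFifo *, KeyData *)) {
    KeyFifo f; KeyData k;
    const char *pw = "s3cret";                     /* constructed sample input */
    memset(&f, 0, sizeof f);
    for (const char *p = pw; *p != '\0'; p++) FifoInsert(&f, (KeyData){0, (uint16_t)(unsigned char)*p});
    while (pop(&f, &k)) { }
    return ResidualKeys(&f);
}
```

The firmware queue lives for the whole boot, so the clearing store cannot be dropped as dead; on a buffer that is about to be freed a plain memset can be, which is why a guaranteed-clear routine is the safer idiom there.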
2026-04-27 4:56 [scarthgap][PATCH 1/3] u-boot: fix CVE-2025-24857 Hongxu Jia
2026-04-27 4:56 ` [scarthgap][PATCH 2/3] ovmf: fix CVE-2025-2296 Hongxu Jia
2026-04-27 4:56 ` [scarthgap][PATCH 3/3] ovmf: fix CVE-2024-38798 Hongxu Jia
2026-04-30 9:25 ` [OE-core] " Fabien Thomas
2026-04-30 12:05 ` Hongxu Jia
2026-04-30 12:25 ` Fabien Thomas [this message]
[not found] ` <18AA1DD7A8866F0B.1773850@lists.openembedded.org>
2026-04-27 5:01 ` [OE-core] [scarthgap][PATCH 2/3] ovmf: fix CVE-2025-2296 Hongxu Jia