Package: release.debian.org Severity: normal Tags: bullseye X-Debbugs-Cc: e...@packages.debian.org Control: affects -1 + src:edk2 User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] The security team has asked me to prepare a stable update that resolves 2 non-critical security issues. [ Impact ] Users remain vulnerable to these security issues. [ Tests ] I don't have reproducers for these issues. I regression tested using the autopkgtests. The regression tests should exercise the PE/COFF Loader. [ Risks ] This modifies code in the PE/COFF loader, so a regression could cause certain binaries to fail to load/execute. It also modifies code in the S3 Resume Path, so a regression could lead to issues with Suspend/Resume. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] These are backports of upstream fixes that only required context changes to apply.
diff -Nru edk2-2020.11/debian/changelog edk2-2020.11/debian/changelog --- edk2-2020.11/debian/changelog 2024-02-13 18:22:25.000000000 -0700 +++ edk2-2020.11/debian/changelog 2024-11-05 06:13:20.000000000 -0700 @@ -1,3 +1,14 @@ +edk2 (2020.11-2+deb11u3) bullseye; urgency=medium + + * Fix overflow condition in PeCoffLoaderRelocateImage(), CVE-2024-38796: + - d/p/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch + - d/p/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch + (Closes: #1084055) + * Fix potential UINT32 overflow in S3 ResumeCount. CVE-2024-1298: + - d/p/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch + + -- dann frazier <da...@debian.org> Tue, 05 Nov 2024 06:13:20 -0700 + edk2 (2020.11-2+deb11u2) bullseye-security; urgency=medium * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733. diff -Nru edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch --- edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch 1969-12-31 17:00:00.000000000 -0700 +++ edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch 2024-11-05 06:13:20.000000000 -0700 @@ -0,0 +1,29 @@ +From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001 +From: Doug Flick <dougfl...@microsoft.com> +Date: Fri, 27 Sep 2024 12:08:55 -0700 +Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib + +The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is +also a UINT32 value. The current code does not check for overflow when +adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a +check to ensure that the addition does not overflow. + +Signed-off-by: Doug Flick <dougfl...@microsoft.com> +Authored-by: sriraamx gobichettipalayam <sr...@intel.com> + +Origin: upstream, https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055 +Last-Update: 2024-11-04 + +--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c ++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c +@@ -991,7 +991,7 @@ + RelocDir = &Hdr.Te->DataDirectory[0]; + } + +- if ((RelocDir != NULL) && (RelocDir->Size > 0)) { ++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) { + RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset); + RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, + RelocDir->VirtualAddress + RelocDir->Size - 1, diff -Nru edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch --- edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch 1969-12-31 17:00:00.000000000 -0700 +++ edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch 2024-11-05 06:13:20.000000000 -0700 @@ -0,0 +1,30 @@ +From e73ec569429ba72fbb6829518d6c192b4cd3346f Mon Sep 17 00:00:00 2001 +From: Doug Flick <dougfl...@microsoft.com> +Date: Mon, 30 Sep 2024 12:54:30 -0700 +Subject: [PATCH] MdePkg: Improving readability of CVE patch for + PeCoffLoaderRelocateImage + +This change adds parantheses to the if condition detecting overflow in +the PeCoffLoaderRelocateImage function to improve readability. + +Follow on change for: + REF!: https://github.com/tianocore/edk2/pull/6249 + +Signed-off-by: Doug Flick <dougfl...@microsoft.com> + +Origin: upstream, https://github.com/tianocore/edk2/commit/e73ec569429ba72fbb6829518d6c192b4cd3346f +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055 +Last-Update: 2024-11-04 + +--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c ++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c +@@ -991,7 +991,7 @@ + RelocDir = &Hdr.Te->DataDirectory[0]; + } + +- if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) { ++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && ((RelocDir->Size - 1) < (MAX_UINT32 - RelocDir->VirtualAddress))) { + RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset); + RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, + RelocDir->VirtualAddress + RelocDir->Size - 1, diff -Nru edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch --- edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch 1969-12-31 17:00:00.000000000 -0700 +++ edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch 2024-11-05 06:13:20.000000000 -0700 @@ -0,0 +1,43 @@ +From 284dbac43da752ee34825c8b3f6f9e8281cb5a19 Mon Sep 17 00:00:00 2001 +From: Shanmugavel Pakkirisamy <shanmugavelx.pakkiris...@intel.com> +Date: Mon, 6 May 2024 17:53:09 +0800 +Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677 + +Attacker able to modify physical memory and ResumeCount. +System will crash/DoS when ResumeCount reaches its MAX_UINT32. + +Cc: Zhiguang Liu <zhiguang....@intel.com> +Cc: Dandan Bi <dandan...@intel.com> +Cc: Liming Gao <gaolim...@byosoft.com.cn> + +Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkiris...@intel.com> +Reviewed-by: Liming Gao <gaolim...@byosoft.com.cn> + +Origin: upstream, https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4677 +Last-Updated: 2024-11-04 + +--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c ++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c +@@ -110,11 +110,15 @@ + // + S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount); + AcpiS3ResumeRecord->ResumeCount++; +- AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount); ++ if (AcpiS3ResumeRecord->ResumeCount > 0) { ++ AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount); ++ DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume)); ++ } else { ++ DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero.")); ++ } + +- DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - ResumeCount = %d\n", AcpiS3ResumeRecord->ResumeCount)); +- DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - FullResume = %ld\n", AcpiS3ResumeRecord->FullResume)); +- DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume)); ++ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount = 0x%x\n", AcpiS3ResumeRecord->ResumeCount)); ++ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume = 0x%x\n", AcpiS3ResumeRecord->FullResume)); + + // + // Update S3 Suspend Performance Record. diff -Nru edk2-2020.11/debian/patches/series edk2-2020.11/debian/patches/series --- edk2-2020.11/debian/patches/series 2024-02-13 18:22:25.000000000 -0700 +++ edk2-2020.11/debian/patches/series 2024-11-05 06:13:20.000000000 -0700 @@ -8,3 +8,6 @@ 0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch 0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch Disable-the-Shell-when-SecureBoot-is-enabled.patch +0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch +0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch +MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
