Backport a fix from upstream to resolve CVE-2024-38796
https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65
Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
---
...-Fix-overflow-issue-in-BasePeCoffLib.patch | 37 +++++++++++++++++++
meta/recipes-core/ovmf/ovmf_git.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644
meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
diff --git
a/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
b/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
new file mode 100644
index 0000000000..8d36bdf1c1
--- /dev/null
+++
b/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@@ -0,0 +1,37 @@
+From c4d6af8428375c0343fcfd20bf1465e6d4be4690 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougfl...@microsoft.com>
+Date: Fri, 22 Nov 2024 17:44:27 +0800
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick <dougfl...@microsoft.com>
+Authored-by: sriraamx gobichettipalayam <sr...@intel.com>
+
+CVE: CVE-2024-38796
+Upstream-Status: Backport
[https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65]
+
+Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 6d8d9faeb8..2339b111b5 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1014,7 +1014,7 @@ PeCoffLoaderRelocateImage (
+ RelocDir = &Hdr.Te->DataDirectory[0];
+ }
+
+- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 <
MAX_UINT32 - RelocDir->VirtualAddress)) {
+ RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress
(ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+ ImageContext,
+--
+2.34.1
+
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb
b/meta/recipes-core/ovmf/ovmf_git.bb
index 1dba709824..e626d306a4 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -53,6 +53,7 @@ SRC_URI =
"gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://CVE-2022-36765-0001.patch \
file://CVE-2022-36765-0002.patch \
file://CVE-2022-36765-0003.patch \
+ file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \
"
PV = "edk2-stable202202"
--
2.34.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#207596):
https://lists.openembedded.org/g/openembedded-core/message/207596
Mute This Topic: https://lists.openembedded.org/mt/109719915/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
