Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kirkstone ovmf cve fixes #101

Merged
merged 13 commits into from
Dec 9, 2024
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
From 63f29c180dd04d13614440740a8795ee422567b8 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <[email protected]>
Date: Fri, 22 Nov 2024 17:43:28 +0800
Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677

Attacker able to modify physical memory and ResumeCount.
System will crash/DoS when ResumeCount reaches its MAX_UINT32.

Cc: Zhiguang Liu <[email protected]>
Cc: Dandan Bi <[email protected]>
Cc: Liming Gao <[email protected]>

Signed-off-by: Pakkirisamy ShanmugavelX <[email protected]>
Reviewed-by: Liming Gao <[email protected]>

CVE: CVE-2024-1298
Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19]
Signed-off-by: Hongxu Jia <[email protected]>
---
.../FirmwarePerformancePei.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
index 2f2b2a80b2..2ba9215226 100644
--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
@@ -112,11 +112,15 @@ FpdtStatusCodeListenerPei (
//
S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
AcpiS3ResumeRecord->ResumeCount++;
- AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
+ if (AcpiS3ResumeRecord->ResumeCount > 0) {
+ AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
+ DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
+ } else {
+ DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
+ }

- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount = %d\n", AcpiS3ResumeRecord->ResumeCount));
- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume = %ld\n", AcpiS3ResumeRecord->FullResume));
- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
+ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
+ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume = 0x%x\n", AcpiS3ResumeRecord->FullResume));

//
// Update S3 Suspend Performance Record.
--
2.34.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
From c4d6af8428375c0343fcfd20bf1465e6d4be4690 Mon Sep 17 00:00:00 2001
From: Doug Flick <[email protected]>
Date: Fri, 22 Nov 2024 17:44:27 +0800
Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib

The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
also a UINT32 value. The current code does not check for overflow when
adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
check to ensure that the addition does not overflow.

Signed-off-by: Doug Flick <[email protected]>
Authored-by: sriraamx gobichettipalayam <[email protected]>

CVE: CVE-2024-38796
Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65]

Signed-off-by: Hongxu Jia <[email protected]>
---
MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
index 6d8d9faeb8..2339b111b5 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
@@ -1014,7 +1014,7 @@ PeCoffLoaderRelocateImage (
RelocDir = &Hdr.Te->DataDirectory[0];
}

- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
+ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
ImageContext,
--
2.34.1

Loading