5 files changed, 306 insertions, 0 deletions
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
new file mode 100644
index 0000000000..066dfa0ff0
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
@@ -0,0 +1,43 @@
+From 2c8fb3e5164effc8a370e800fe91db7341e69116 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Mon, 7 Apr 2025 11:23:41 -0700
+Subject: [PATCH 1/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
+This commit updates the SecurityFixes.yaml file to include
+information about the CVE-2024-38797 vulnerability.
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/519366f542e9370bee982b1c3687ffedb5cabc21]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index b4006b4..06b597a 100644
+--- a/SecurityPkg/SecurityFixes.yaml
+++ b/SecurityPkg/SecurityFixes.yaml
+@@ -40,3 +40,18 @@ CVE_2022_36764:
+     - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+   links:
+     - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+CVE_2024_38797:
+  commit-titles:
+    - "SecurityPkg: Out of bound read in HashPeImageByType()"
+    - "SecurityPkg: Improving HashPeImageByType () logic"
+    - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"
+  cve: CVE-2024-38797
+  date_reported: 2024-06-04 12:00 UTC
+  description: Out of bound read in HashPeImageByType()
+  note:
+  files_impacted:
+    - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c
+    - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=2214
+    - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
+-- 
+2.34.1
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
new file mode 100644
index 0000000000..9bf6645681
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
@@ -0,0 +1,63 @@
+From 1a7be26382c4a34504875f094e15fe371d44192e Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Thu, 3 Oct 2024 09:37:18 -0700
+Subject: [PATCH 2/4] SecurityPkg: Out of bound read in HashPeImageByType()
+In HashPeImageByType(), the hash of PE/COFF image is calculated.
+This function may get untrusted input.
+Inside this function, the following code verifies the loaded image has
+the correct format, by reading the second byte of the buffer.
+```c
+  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+        ...
+  }
+```
+The input image is not trusted and that may not have the second byte to
+read. So this poses an out of bound read error.
+With below fix we are assuring that we don't do out of bound read. i.e,
+we make sure that AuthDataSize is greater than 1.
+```c
+  if (AuthDataSize > 1
+      && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
+    ...
+  }
+```
+AuthDataSize size is verified before reading the second byte.
+So if AuthDataSize is less than 2, the second byte will not be read, and
+the out of bound read situation won't occur.
+Tested the patch on real platform with and without TPM connected and
+verified image is booting fine.
+Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index b05da19..2afa2c9 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -642,7 +642,7 @@ HashPeImageByType (
+     //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+     //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+     //
+-    if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
+       //
+       // Only support two bytes of Long Form of Length Encoding.
+       //
+-- 
+2.34.1
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
new file mode 100644
index 0000000000..169c78daab
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
@@ -0,0 +1,99 @@
+From 4db363db013a92937431234252fc9d84e44fc120 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Thu, 3 Oct 2024 10:16:57 -0700
+Subject: [PATCH 3/4] SecurityPkg: Improving HashPeImageByType () logic
+Namely:
+(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
+    to TRUE for Index==0, then it will evaluate to TRUE for all other
+    Index values as well. As a result, the (Index == HASHALG_MAX)
+    condition will fire after the loop, and we'll return
+    EFI_UNSUPPORTED.
+    While this is correct, functionally speaking, it is wasteful to
+    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
+    should be made at the top of the function, and EFI_UNSUPPORTED
+    should be returned at once, if appropriate.
+(2) If the hash algorithm selected by Index has such a large OID that
+    the OID comparison cannot even be performed (because AuthDataSize
+    is not large enough for containing the OID in question, starting
+    at offset 32), then the function returns EFI_UNSUPPORTED at once.
+    This is bogus; this case should simply be treated as an OID
+    mismatch, and the loop should advance to the next Index value /
+    hash algorithm candidate. A remaining hash algo may have a shorter
+    OID and yield an OID match.
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/5df518ec510324f48ed1cf0376150960644b41f0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../DxeImageVerificationLib.c                 | 37 ++++++++++---------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 2afa2c9..2eca39d 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -618,6 +618,7 @@ Done:
+   @param[in]  AuthDataSize        Size of the Authenticode Signature in bytes.
+ 
+   @retval EFI_UNSUPPORTED             Hash algorithm is not supported.
+  @retval EFI_BAD_BUFFER_SIZE         AuthData provided is invalid size.
+   @retval EFI_SUCCESS                 Hash successfully.
+ 
+ **/
+@@ -629,28 +630,28 @@ HashPeImageByType (
+ {
+   UINT8  Index;
+ 
+-  for (Index = 0; Index < HASHALG_MAX; Index++) {
+  //
+  // Check the Hash algorithm in PE/COFF Authenticode.
+  //    According to PKCS#7 Definition:
+  //        SignedData ::= SEQUENCE {
+  //            version Version,
+  //            digestAlgorithms DigestAlgorithmIdentifiers,
+  //            contentInfo ContentInfo,
+  //            .... }
+  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+  //
+  if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
+     //
+-    // Check the Hash algorithm in PE/COFF Authenticode.
+-    //    According to PKCS#7 Definition:
+-    //        SignedData ::= SEQUENCE {
+-    //            version Version,
+-    //            digestAlgorithms DigestAlgorithmIdentifiers,
+-    //            contentInfo ContentInfo,
+-    //            .... }
+-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+    // Only support two bytes of Long Form of Length Encoding.
+     //
+-    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
+-      //
+-      // Only support two bytes of Long Form of Length Encoding.
+-      //
+-      continue;
+-    }
+    return EFI_BAD_BUFFER_SIZE;
+  }
+ 
+  for (Index = 0; Index < HASHALG_MAX; Index++) {
+     if (AuthDataSize < 32 + mHash[Index].OidLength) {
+-      return EFI_UNSUPPORTED;
+      continue;
+     }
+ 
+     if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
+-- 
+2.34.1
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
new file mode 100644
index 0000000000..86bc950e7d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
@@ -0,0 +1,97 @@
+From cb3342702c5c1f8a4ddbb6d503a98ed720d14eb3 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 17 Jan 2025 11:30:17 -0800
+Subject: [PATCH 4/4] SecurityPkg: Improving
+ SecureBootConfigImpl:HashPeImageByType () logic
+Namely:
+(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
+    to TRUE for Index==0, then it will evaluate to TRUE for all other
+    Index values as well. As a result, the (Index == HASHALG_MAX)
+    condition will fire after the loop, and we'll return
+    EFI_UNSUPPORTED.
+    While this is correct, functionally speaking, it is wasteful to
+    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
+    should be made at the top of the function, and EFI_UNSUPPORTED
+    should be returned at once, if appropriate.
+(2) If the hash algorithm selected by Index has such a large OID that
+    the OID comparison cannot even be performed (because AuthDataSize
+    is not large enough for containing the OID in question, starting
+    at offset 32), then the function returns EFI_UNSUPPORTED at once.
+    This is bogus; this case should simply be treated as an OID
+    mismatch, and the loop should advance to the next Index value /
+    hash algorithm candidate. A remaining hash algo may have a shorter
+    OID and yield an OID match.
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/8676572908b950dd4d1f8985006011be99c0a5b6]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../SecureBootConfigImpl.c                    | 37 +++++++++++--------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+index 6d4560c..155e755 100644
+--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+@@ -2096,30 +2096,35 @@ HashPeImageByType (
+ {
+   UINT8                     Index;
+   WIN_CERTIFICATE_EFI_PKCS  *PkcsCertData;
+  UINT32                    PkcsCertSize;
+ 
+   PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + mSecDataDir->Offset);
+  PkcsCertSize = mSecDataDir->SizeOfCert;
+ 
+-  for (Index = 0; Index < HASHALG_MAX; Index++) {
+  //
+  // Check the Hash algorithm in PE/COFF Authenticode.
+  //    According to PKCS#7 Definition:
+  //        SignedData ::= SEQUENCE {
+  //            version Version,
+  //            digestAlgorithms DigestAlgorithmIdentifiers,
+  //            contentInfo ContentInfo,
+  //            .... }
+  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+  //
+  if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
+     //
+-    // Check the Hash algorithm in PE/COFF Authenticode.
+-    //    According to PKCS#7 Definition:
+-    //        SignedData ::= SEQUENCE {
+-    //            version Version,
+-    //            digestAlgorithms DigestAlgorithmIdentifiers,
+-    //            contentInfo ContentInfo,
+-    //            .... }
+-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+    // Only support two bytes of Long Form of Length Encoding.
+     //
+-    if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+-      //
+-      // Only support two bytes of Long Form of Length Encoding.
+-      //
+    return EFI_BAD_BUFFER_SIZE;
+  }
+
+  for (Index = 0; Index < HASHALG_MAX; Index++) {
+    if (PkcsCertSize < 32 + mHash[Index].OidLength) {
+       continue;
+     }
+ 
+-    //
+     if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
+       break;
+     }
+-- 
+2.34.1
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index aa7de3af2b..ab6c580722 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -27,6 +27,10 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
           file://0003-debug-prefix-map.patch \
           file://0004-reproducible.patch \
           file://CVE-2025-2295.patch \
+           file://CVE-2024-38797-1.patch \
+           file://CVE-2024-38797-2.patch \
+           file://CVE-2024-38797-3.patch \
+           file://CVE-2024-38797-4.patch \
           "
 PV = "edk2-stable202502"

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch new file mode 100644 index 0000000000..066dfa0ff0 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
@@ -0,0 +1,43 @@
		1	From 2c8fb3e5164effc8a370e800fe91db7341e69116 Mon Sep 17 00:00:00 2001
		2	From: Doug Flick <dougflick@microsoft.com>
		3	Date: Mon, 7 Apr 2025 11:23:41 -0700
		4	Subject: [PATCH 1/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
		5
		6	This commit updates the SecurityFixes.yaml file to include
		7	information about the CVE-2024-38797 vulnerability.
		8
		9	Signed-off-by: Doug Flick <DougFlick@microsoft.com>
		10
		11	CVE: CVE-2024-38797
		12	Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/519366f542e9370bee982b1c3687ffedb5cabc21]
		13	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		14	---
		15	SecurityPkg/SecurityFixes.yaml \| 15 +++++++++++++++
		16	1 file changed, 15 insertions(+)
		17
		18	diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
		19	index b4006b4..06b597a 100644
		20	--- a/SecurityPkg/SecurityFixes.yaml
		21	+++ b/SecurityPkg/SecurityFixes.yaml
		22	@@ -40,3 +40,18 @@ CVE_2022_36764:
		23	- Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
		24	links:
		25	- https://bugzilla.tianocore.org/show_bug.cgi?id=4118
		26	+CVE_2024_38797:
		27	+ commit-titles:
		28	+ - "SecurityPkg: Out of bound read in HashPeImageByType()"
		29	+ - "SecurityPkg: Improving HashPeImageByType () logic"
		30	+ - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"
		31	+ cve: CVE-2024-38797
		32	+ date_reported: 2024-06-04 12:00 UTC
		33	+ description: Out of bound read in HashPeImageByType()
		34	+ note:
		35	+ files_impacted:
		36	+ - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c
		37	+ - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c
		38	+ links:
		39	+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2214
		40	+ - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
		41	--
		42	2.34.1
		43


diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch new file mode 100644 index 0000000000..9bf6645681 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
@@ -0,0 +1,63 @@
		1	From 1a7be26382c4a34504875f094e15fe371d44192e Mon Sep 17 00:00:00 2001
		2	From: Doug Flick <dougflick@microsoft.com>
		3	Date: Thu, 3 Oct 2024 09:37:18 -0700
		4	Subject: [PATCH 2/4] SecurityPkg: Out of bound read in HashPeImageByType()
		5
		6	In HashPeImageByType(), the hash of PE/COFF image is calculated.
		7	This function may get untrusted input.
		8
		9	Inside this function, the following code verifies the loaded image has
		10	the correct format, by reading the second byte of the buffer.
		11
		12	```c
		13	if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
		14	...
		15	}
		16	```
		17
		18	The input image is not trusted and that may not have the second byte to
		19	read. So this poses an out of bound read error.
		20
		21	With below fix we are assuring that we don't do out of bound read. i.e,
		22	we make sure that AuthDataSize is greater than 1.
		23
		24	```c
		25	if (AuthDataSize > 1
		26	&& (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
		27	...
		28	}
		29	```
		30
		31	AuthDataSize size is verified before reading the second byte.
		32	So if AuthDataSize is less than 2, the second byte will not be read, and
		33	the out of bound read situation won't occur.
		34
		35	Tested the patch on real platform with and without TPM connected and
		36	verified image is booting fine.
		37
		38	Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
		39	Signed-off-by: Doug Flick <DougFlick@microsoft.com>
		40
		41	CVE: CVE-2024-38797
		42	Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b]
		43	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		44	---
		45	.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c \| 2 +-
		46	1 file changed, 1 insertion(+), 1 deletion(-)
		47
		48	diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
		49	index b05da19..2afa2c9 100644
		50	--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
		51	+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
		52	@@ -642,7 +642,7 @@ HashPeImageByType (
		53	// This field has the fixed offset (+32) in final Authenticode ASN.1 data.
		54	// Fixed offset (+32) is calculated based on two bytes of length encoding.
		55	//
		56	- if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
		57	+ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
		58	//
		59	// Only support two bytes of Long Form of Length Encoding.
		60	//
		61	--
		62	2.34.1
		63


diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch new file mode 100644 index 0000000000..169c78daab --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
@@ -0,0 +1,99 @@
		1	From 4db363db013a92937431234252fc9d84e44fc120 Mon Sep 17 00:00:00 2001
		2	From: Doug Flick <dougflick@microsoft.com>
		3	Date: Thu, 3 Oct 2024 10:16:57 -0700
		4	Subject: [PATCH 3/4] SecurityPkg: Improving HashPeImageByType () logic
		5
		6	Namely:
		7
		8	(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
		9	to TRUE for Index==0, then it will evaluate to TRUE for all other
		10	Index values as well. As a result, the (Index == HASHALG_MAX)
		11	condition will fire after the loop, and we'll return
		12	EFI_UNSUPPORTED.
		13
		14	While this is correct, functionally speaking, it is wasteful to
		15	keep re-checking TWO_BYTE_ENCODE in the loop body. The check
		16	should be made at the top of the function, and EFI_UNSUPPORTED
		17	should be returned at once, if appropriate.
		18
		19	(2) If the hash algorithm selected by Index has such a large OID that
		20	the OID comparison cannot even be performed (because AuthDataSize
		21	is not large enough for containing the OID in question, starting
		22	at offset 32), then the function returns EFI_UNSUPPORTED at once.
		23
		24	This is bogus; this case should simply be treated as an OID
		25	mismatch, and the loop should advance to the next Index value /
		26	hash algorithm candidate. A remaining hash algo may have a shorter
		27	OID and yield an OID match.
		28
		29	Signed-off-by: Doug Flick <DougFlick@microsoft.com>
		30
		31	CVE: CVE-2024-38797
		32	Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/5df518ec510324f48ed1cf0376150960644b41f0]
		33	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		34	---
		35	.../DxeImageVerificationLib.c \| 37 ++++++++++---------
		36	1 file changed, 19 insertions(+), 18 deletions(-)
		37
		38	diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
		39	index 2afa2c9..2eca39d 100644
		40	--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
		41	+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
		42	@@ -618,6 +618,7 @@ Done:
		43	@param[in] AuthDataSize Size of the Authenticode Signature in bytes.
		44
		45	@retval EFI_UNSUPPORTED Hash algorithm is not supported.
		46	+ @retval EFI_BAD_BUFFER_SIZE AuthData provided is invalid size.
		47	@retval EFI_SUCCESS Hash successfully.
		48
		49	**/
		50	@@ -629,28 +630,28 @@ HashPeImageByType (
		51	{
		52	UINT8 Index;
		53
		54	- for (Index = 0; Index < HASHALG_MAX; Index++) {
		55	+ //
		56	+ // Check the Hash algorithm in PE/COFF Authenticode.
		57	+ // According to PKCS#7 Definition:
		58	+ // SignedData ::= SEQUENCE {
		59	+ // version Version,
		60	+ // digestAlgorithms DigestAlgorithmIdentifiers,
		61	+ // contentInfo ContentInfo,
		62	+ // .... }
		63	+ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
		64	+ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
		65	+ // Fixed offset (+32) is calculated based on two bytes of length encoding.
		66	+ //
		67	+ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
		68	//
		69	- // Check the Hash algorithm in PE/COFF Authenticode.
		70	- // According to PKCS#7 Definition:
		71	- // SignedData ::= SEQUENCE {
		72	- // version Version,
		73	- // digestAlgorithms DigestAlgorithmIdentifiers,
		74	- // contentInfo ContentInfo,
		75	- // .... }
		76	- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
		77	- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
		78	- // Fixed offset (+32) is calculated based on two bytes of length encoding.
		79	+ // Only support two bytes of Long Form of Length Encoding.
		80	//
		81	- if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
		82	- //
		83	- // Only support two bytes of Long Form of Length Encoding.
		84	- //
		85	- continue;
		86	- }
		87	+ return EFI_BAD_BUFFER_SIZE;
		88	+ }
		89
		90	+ for (Index = 0; Index < HASHALG_MAX; Index++) {
		91	if (AuthDataSize < 32 + mHash[Index].OidLength) {
		92	- return EFI_UNSUPPORTED;
		93	+ continue;
		94	}
		95
		96	if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
		97	--
		98	2.34.1
		99


diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch new file mode 100644 index 0000000000..86bc950e7d --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
@@ -0,0 +1,97 @@
		1	From cb3342702c5c1f8a4ddbb6d503a98ed720d14eb3 Mon Sep 17 00:00:00 2001
		2	From: Doug Flick <dougflick@microsoft.com>
		3	Date: Fri, 17 Jan 2025 11:30:17 -0800
		4	Subject: [PATCH 4/4] SecurityPkg: Improving
		5	SecureBootConfigImpl:HashPeImageByType () logic
		6
		7	Namely:
		8
		9	(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
		10	to TRUE for Index==0, then it will evaluate to TRUE for all other
		11	Index values as well. As a result, the (Index == HASHALG_MAX)
		12	condition will fire after the loop, and we'll return
		13	EFI_UNSUPPORTED.
		14
		15	While this is correct, functionally speaking, it is wasteful to
		16	keep re-checking TWO_BYTE_ENCODE in the loop body. The check
		17	should be made at the top of the function, and EFI_UNSUPPORTED
		18	should be returned at once, if appropriate.
		19
		20	(2) If the hash algorithm selected by Index has such a large OID that
		21	the OID comparison cannot even be performed (because AuthDataSize
		22	is not large enough for containing the OID in question, starting
		23	at offset 32), then the function returns EFI_UNSUPPORTED at once.
		24
		25	This is bogus; this case should simply be treated as an OID
		26	mismatch, and the loop should advance to the next Index value /
		27	hash algorithm candidate. A remaining hash algo may have a shorter
		28	OID and yield an OID match.
		29
		30	Signed-off-by: Doug Flick <DougFlick@microsoft.com>
		31
		32	CVE: CVE-2024-38797
		33	Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/8676572908b950dd4d1f8985006011be99c0a5b6]
		34	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		35	---
		36	.../SecureBootConfigImpl.c \| 37 +++++++++++--------
		37	1 file changed, 21 insertions(+), 16 deletions(-)
		38
		39	diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
		40	index 6d4560c..155e755 100644
		41	--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
		42	+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
		43	@@ -2096,30 +2096,35 @@ HashPeImageByType (
		44	{
		45	UINT8 Index;
		46	WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
		47	+ UINT32 PkcsCertSize;
		48
		49	PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + mSecDataDir->Offset);
		50	+ PkcsCertSize = mSecDataDir->SizeOfCert;
		51
		52	- for (Index = 0; Index < HASHALG_MAX; Index++) {
		53	+ //
		54	+ // Check the Hash algorithm in PE/COFF Authenticode.
		55	+ // According to PKCS#7 Definition:
		56	+ // SignedData ::= SEQUENCE {
		57	+ // version Version,
		58	+ // digestAlgorithms DigestAlgorithmIdentifiers,
		59	+ // contentInfo ContentInfo,
		60	+ // .... }
		61	+ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
		62	+ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
		63	+ // Fixed offset (+32) is calculated based on two bytes of length encoding.
		64	+ //
		65	+ if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
		66	//
		67	- // Check the Hash algorithm in PE/COFF Authenticode.
		68	- // According to PKCS#7 Definition:
		69	- // SignedData ::= SEQUENCE {
		70	- // version Version,
		71	- // digestAlgorithms DigestAlgorithmIdentifiers,
		72	- // contentInfo ContentInfo,
		73	- // .... }
		74	- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
		75	- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
		76	- // Fixed offset (+32) is calculated based on two bytes of length encoding.
		77	+ // Only support two bytes of Long Form of Length Encoding.
		78	//
		79	- if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
		80	- //
		81	- // Only support two bytes of Long Form of Length Encoding.
		82	- //
		83	+ return EFI_BAD_BUFFER_SIZE;
		84	+ }
		85	+
		86	+ for (Index = 0; Index < HASHALG_MAX; Index++) {
		87	+ if (PkcsCertSize < 32 + mHash[Index].OidLength) {
		88	continue;
		89	}
		90
		91	- //
		92	if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
		93	break;
		94	}
		95	--
		96	2.34.1
		97


diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index aa7de3af2b..ab6c580722 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -27,6 +27,10 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
27	file://0003-debug-prefix-map.patch \	27	file://0003-debug-prefix-map.patch \
28	file://0004-reproducible.patch \	28	file://0004-reproducible.patch \
29	file://CVE-2025-2295.patch \	29	file://CVE-2025-2295.patch \
		30	file://CVE-2024-38797-1.patch \
		31	file://CVE-2024-38797-2.patch \
		32	file://CVE-2024-38797-3.patch \
		33	file://CVE-2024-38797-4.patch \
30	"	34	"
31		35
32	PV = "edk2-stable202502"	36	PV = "edk2-stable202502"