2 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
new file mode 100644
index 0000000000..038a3f2dbc
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
@@ -0,0 +1,56 @@
+From 4b028816b5619ede6c3720664478055e09151516 Mon Sep 17 00:00:00 2001
+From: Madhavan <madavtechy@gmail.com>
+Date: Fri, 14 Mar 2025 14:15:13 -0400
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
+ bz4206
+Used SafeUint32Add to calculate and validate OutTransferLength with
+boundary check in IScsiOnR2TRcvd to avoid integer overflow
+Signed-off-by: Madhavan <madavtechy@gmail.com>
+CVE: CVE-2025-2295
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef587649a0..fb48e6304d 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1,7 +1,7 @@
+ /** @file
+   The implementation of iSCSI protocol based on RFC3720.
+ 
+-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
+   EFI_STATUS               Status;
+   ISCSI_XFER_CONTEXT       *XferContext;
+   UINT8                    *Data;
+  UINT32                   TransferLength;
+ 
+   R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
+   if (R2THdr == NULL) {
+@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
+   XferContext->Offset            = R2THdr->BufferOffset;
+   XferContext->DesiredLength     = R2THdr->DesiredDataTransferLength;
+ 
+-  if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
+  Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
+  if (EFI_ERROR (Status)) {
+    return EFI_PROTOCOL_ERROR;
+  }
+
+  if ((TransferLength > Packet->OutTransferLength) ||
+       (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
+       )
+   {
+-- 
+2.48.1
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 764d79854f..41ab85b703 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
           file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
           file://0003-debug-prefix-map.patch \
           file://0004-reproducible.patch \
+           file://CVE-2025-2295.patch \
           "
 PV = "edk2-stable202411"

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch new file mode 100644 index 0000000000..038a3f2dbc --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
@@ -0,0 +1,56 @@
		1	From 4b028816b5619ede6c3720664478055e09151516 Mon Sep 17 00:00:00 2001
		2	From: Madhavan <madavtechy@gmail.com>
		3	Date: Fri, 14 Mar 2025 14:15:13 -0400
		4	Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
		5	bz4206
		6
		7	Used SafeUint32Add to calculate and validate OutTransferLength with
		8	boundary check in IScsiOnR2TRcvd to avoid integer overflow
		9
		10	Signed-off-by: Madhavan <madavtechy@gmail.com>
		11
		12	CVE: CVE-2025-2295
		13	Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda]
		14	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		15	---
		16	NetworkPkg/IScsiDxe/IScsiProto.c \| 10 ++++++++--
		17	1 file changed, 8 insertions(+), 2 deletions(-)
		18
		19	diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
		20	index ef587649a0..fb48e6304d 100644
		21	--- a/NetworkPkg/IScsiDxe/IScsiProto.c
		22	+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
		23	@@ -1,7 +1,7 @@
		24	/** @file
		25	The implementation of iSCSI protocol based on RFC3720.
		26
		27	-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
		28	+Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
		29	SPDX-License-Identifier: BSD-2-Clause-Patent
		30
		31	**/
		32	@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
		33	EFI_STATUS Status;
		34	ISCSI_XFER_CONTEXT *XferContext;
		35	UINT8 *Data;
		36	+ UINT32 TransferLength;
		37
		38	R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
		39	if (R2THdr == NULL) {
		40	@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
		41	XferContext->Offset = R2THdr->BufferOffset;
		42	XferContext->DesiredLength = R2THdr->DesiredDataTransferLength;
		43
		44	- if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) \|\|
		45	+ Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
		46	+ if (EFI_ERROR (Status)) {
		47	+ return EFI_PROTOCOL_ERROR;
		48	+ }
		49	+
		50	+ if ((TransferLength > Packet->OutTransferLength) \|\|
		51	(XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
		52	)
		53	{
		54	--
		55	2.48.1
		56


diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index 764d79854f..41ab85b703 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
26	file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \	26	file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
27	file://0003-debug-prefix-map.patch \	27	file://0003-debug-prefix-map.patch \
28	file://0004-reproducible.patch \	28	file://0004-reproducible.patch \
		29	file://CVE-2025-2295.patch \
29	"	30	"
30		31
31	PV = "edk2-stable202411"	32	PV = "edk2-stable202411"