2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
new file mode 100644
index 0000000000..8d36bdf1c1
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@@ -0,0 +1,37 @@
+From c4d6af8428375c0343fcfd20bf1465e6d4be4690 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 22 Nov 2024 17:44:27 +0800
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
+CVE: CVE-2024-38796
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 6d8d9faeb8..2339b111b5 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1014,7 +1014,7 @@ PeCoffLoaderRelocateImage (
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
+  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+     RelocBase    = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+                                                   ImageContext,
+-- 
+2.34.1
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 1dba709824..e626d306a4 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -53,6 +53,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
           file://CVE-2022-36765-0001.patch \
           file://CVE-2022-36765-0002.patch \
           file://CVE-2022-36765-0003.patch \
+           file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \
           "
 PV = "edk2-stable202202"

diff --git a/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch new file mode 100644 index 0000000000..8d36bdf1c1 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@@ -0,0 +1,37 @@
		1	From c4d6af8428375c0343fcfd20bf1465e6d4be4690 Mon Sep 17 00:00:00 2001
		2	From: Doug Flick <dougflick@microsoft.com>
		3	Date: Fri, 22 Nov 2024 17:44:27 +0800
		4	Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
		5
		6	The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
		7	also a UINT32 value. The current code does not check for overflow when
		8	adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
		9	check to ensure that the addition does not overflow.
		10
		11	Signed-off-by: Doug Flick <dougflick@microsoft.com>
		12	Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
		13
		14	CVE: CVE-2024-38796
		15	Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65]
		16
		17	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		18	---
		19	MdePkg/Library/BasePeCoffLib/BasePeCoff.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
		23	index 6d8d9faeb8..2339b111b5 100644
		24	--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
		25	+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
		26	@@ -1014,7 +1014,7 @@ PeCoffLoaderRelocateImage (
		27	RelocDir = &Hdr.Te->DataDirectory[0];
		28	}
		29
		30	- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
		31	+ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
		32	RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
		33	RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
		34	ImageContext,
		35	--
		36	2.34.1
		37


diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index 1dba709824..e626d306a4 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -53,6 +53,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
53	file://CVE-2022-36765-0001.patch \	53	file://CVE-2022-36765-0001.patch \
54	file://CVE-2022-36765-0002.patch \	54	file://CVE-2022-36765-0002.patch \
55	file://CVE-2022-36765-0003.patch \	55	file://CVE-2022-36765-0003.patch \
		56	file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \
56	"	57	"
57		58
58	PV = "edk2-stable202202"	59	PV = "edk2-stable202202"