4 files changed, 474 insertions, 0 deletions
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch
new file mode 100644
index 0000000000..120cf66f6a
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch
@@ -0,0 +1,179 @@
+From 59f024c76ee57c2bec84794536302fc770cd6ec2 Mon Sep 17 00:00:00 2001
+From: Gua Guo <gua.guo@intel.com>
+Date: Thu, 11 Jan 2024 13:01:19 +0800
+Subject: [PATCH] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+Fix integer overflow in various CreateHob instances.
+Fixes: CVE-2022-36765
+The CreateHob() function aligns the requested size to 8
+performing the following operation:
+```
+HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+```
+No checks are performed to ensure this value doesn't
+overflow, and could lead to CreateHob() returning a smaller
+HOB than requested, which could lead to OOB HOB accesses.
+Reported-by: Marc Beatove <mbeatove@google.com>
+Cc: Guo Dong <guo.dong@intel.com>
+Cc: Sean Rhodes <sean@starlabs.systems>
+Cc: James Lu <james.lu@intel.com>
+Reviewed-by: Gua Guo <gua.guo@intel.com>
+Cc: John Mathew <john.mathews@intel.com>
+Authored-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Gua Guo <gua.guo@intel.com>
+CVE: CVE-2022-36765
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../Library/PayloadEntryHobLib/Hob.c          | 43 +++++++++++++++++++
+ .../UefiPayloadEntry/UniversalPayloadEntry.c  |  8 ++--
+ 2 files changed, 48 insertions(+), 3 deletions(-)
+diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+index 2c3acbbc19..51c2e28d7d 100644
+--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+@@ -110,6 +110,13 @@ CreateHob (
+ 
+   HandOffHob = GetHobList ();
+ 
+  //
+  // Check Length to avoid data overflow.
+  //
+  if (HobLength > MAX_UINT16 - 0x7) {
+    return NULL;
+  }
+
+   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+ 
+   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
+@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
+   ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->ResourceType      = ResourceType;
+   Hob->ResourceAttribute = ResourceAttribute;
+@@ -330,6 +340,10 @@ BuildModuleHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
+   Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
+@@ -378,6 +392,11 @@ BuildGuidHob (
+   ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return NULL;
+  }
+
+   CopyGuid (&Hob->Name, Guid);
+   return Hob + 1;
+ }
+@@ -441,6 +460,10 @@ BuildFvHob (
+   EFI_HOB_FIRMWARE_VOLUME  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -472,6 +495,10 @@ BuildFv2Hob (
+   EFI_HOB_FIRMWARE_VOLUME2  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -513,6 +540,10 @@ BuildFv3Hob (
+   EFI_HOB_FIRMWARE_VOLUME3  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress          = BaseAddress;
+   Hob->Length               = Length;
+@@ -546,6 +577,10 @@ BuildCpuHob (
+   EFI_HOB_CPU  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->SizeOfMemorySpace = SizeOfMemorySpace;
+   Hob->SizeOfIoSpace     = SizeOfIoSpace;
+@@ -583,6 +618,10 @@ BuildStackHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+@@ -664,6 +703,10 @@ BuildMemoryAllocationHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+diff --git a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
+index edb3c20471..abfe75bd7b 100644
+--- a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
+++ b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
+@@ -111,10 +111,12 @@ AddNewHob (
+   }
+ 
+   NewHob.Header = CreateHob (Hob->Header->HobType, Hob->Header->HobLength);
+-
+-  if (NewHob.Header != NULL) {
+-    CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER));
+  ASSERT (NewHob.Header != NULL);
+  if (NewHob.Header == NULL) {
+    return;
+   }
+
+  CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER));
+ }
+ 
+ /**
+-- 
+2.40.0
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch
new file mode 100644
index 0000000000..1209be27b5
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch
@@ -0,0 +1,157 @@
+From aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 Mon Sep 17 00:00:00 2001
+From: Gua Guo <gua.guo@intel.com>
+Date: Thu, 11 Jan 2024 13:07:50 +0800
+Subject: [PATCH] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+Fix integer overflow in various CreateHob instances.
+Fixes: CVE-2022-36765
+The CreateHob() function aligns the requested size to 8
+performing the following operation:
+```
+HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+```
+No checks are performed to ensure this value doesn't
+overflow, and could lead to CreateHob() returning a smaller
+HOB than requested, which could lead to OOB HOB accesses.
+Reported-by: Marc Beatove <mbeatove@google.com>
+Cc: Leif Lindholm <quic_llindhol@quicinc.com>
+Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
+Cc: Abner Chang <abner.chang@amd.com>
+Cc: John Mathew <john.mathews@intel.com>
+Authored-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Gua Guo <gua.guo@intel.com>
+CVE: CVE-2022-36765
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+index 8eb175aa96..cbc35152cc 100644
+--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+@@ -110,6 +110,13 @@ CreateHob (
+ 
+   HandOffHob = GetHobList ();
+ 
+  //
+  // Check Length to avoid data overflow.
+  //
+  if (HobLength > MAX_UINT16 - 0x7) {
+    return NULL;
+  }
+
+   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+ 
+   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
+@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
+   ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->ResourceType      = ResourceType;
+   Hob->ResourceAttribute = ResourceAttribute;
+@@ -401,6 +411,10 @@ BuildModuleHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
+   Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
+@@ -449,6 +463,11 @@ BuildGuidHob (
+   ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return NULL;
+  }
+
+   CopyGuid (&Hob->Name, Guid);
+   return Hob + 1;
+ }
+@@ -512,6 +531,10 @@ BuildFvHob (
+   EFI_HOB_FIRMWARE_VOLUME  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -543,6 +566,10 @@ BuildFv2Hob (
+   EFI_HOB_FIRMWARE_VOLUME2  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -584,6 +611,10 @@ BuildFv3Hob (
+   EFI_HOB_FIRMWARE_VOLUME3  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress          = BaseAddress;
+   Hob->Length               = Length;
+@@ -639,6 +670,10 @@ BuildCpuHob (
+   EFI_HOB_CPU  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->SizeOfMemorySpace = SizeOfMemorySpace;
+   Hob->SizeOfIoSpace     = SizeOfIoSpace;
+@@ -676,6 +711,10 @@ BuildStackHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+@@ -756,6 +795,10 @@ BuildMemoryAllocationHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+-- 
+2.40.0
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch
new file mode 100644
index 0000000000..9579205e09
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch
@@ -0,0 +1,135 @@
+From 9a75b030cf27d2530444e9a2f9f11867f79bf679 Mon Sep 17 00:00:00 2001
+From: Gua Guo <gua.guo@intel.com>
+Date: Thu, 11 Jan 2024 13:03:26 +0800
+Subject: [PATCH] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+Fix integer overflow in various CreateHob instances.
+Fixes: CVE-2022-36765
+The CreateHob() function aligns the requested size to 8
+performing the following operation:
+```
+HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+```
+No checks are performed to ensure this value doesn't
+overflow, and could lead to CreateHob() returning a smaller
+HOB than requested, which could lead to OOB HOB accesses.
+Reported-by: Marc Beatove <mbeatove@google.com>
+Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
+Cc: Sami Mujawar <sami.mujawar@arm.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+Cc: John Mathew <john.mathews@intel.com>
+Authored-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Gua Guo <gua.guo@intel.com>
+CVE: CVE-2022-36765
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../Arm/StandaloneMmCoreHobLib.c              | 35 +++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+index 1550e1babc..59473e28fe 100644
+--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+@@ -34,6 +34,13 @@ CreateHob (
+ 
+   HandOffHob = GetHobList ();
+ 
+  //
+  // Check Length to avoid data overflow.
+  //
+  if (HobLength > MAX_UINT16 - 0x7) {
+    return NULL;
+  }
+
+   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+ 
+   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
+@@ -89,6 +96,10 @@ BuildModuleHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
+   Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
+@@ -129,6 +140,9 @@ BuildResourceDescriptorHob (
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
+   ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->ResourceType      = ResourceType;
+   Hob->ResourceAttribute = ResourceAttribute;
+@@ -167,6 +181,11 @@ BuildGuidHob (
+   ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return NULL;
+  }
+
+   CopyGuid (&Hob->Name, Guid);
+   return Hob + 1;
+ }
+@@ -226,6 +245,10 @@ BuildFvHob (
+   EFI_HOB_FIRMWARE_VOLUME  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -255,6 +278,10 @@ BuildFv2Hob (
+   EFI_HOB_FIRMWARE_VOLUME2  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -282,6 +309,10 @@ BuildCpuHob (
+   EFI_HOB_CPU  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   Hob->SizeOfMemorySpace = SizeOfMemorySpace;
+   Hob->SizeOfIoSpace     = SizeOfIoSpace;
+@@ -319,6 +350,10 @@ BuildMemoryAllocationHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
+  ASSERT (Hob != NULL);
+  if (Hob == NULL) {
+    return;
+  }
+ 
+   ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+-- 
+2.40.0
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index dbfed086e4..1dba709824 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -50,6 +50,9 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
           file://CVE-2023-45237-0001.patch \
           file://CVE-2023-45237-0002.patch \
           file://CVE-2023-45236.patch \
+           file://CVE-2022-36765-0001.patch \
+           file://CVE-2022-36765-0002.patch \
+           file://CVE-2022-36765-0003.patch \
           "
 PV = "edk2-stable202202"

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch new file mode 100644 index 0000000000..120cf66f6a --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch
@@ -0,0 +1,179 @@
		1	From 59f024c76ee57c2bec84794536302fc770cd6ec2 Mon Sep 17 00:00:00 2001
		2	From: Gua Guo <gua.guo@intel.com>
		3	Date: Thu, 11 Jan 2024 13:01:19 +0800
		4	Subject: [PATCH] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
		5
		6	REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
		7
		8	Fix integer overflow in various CreateHob instances.
		9	Fixes: CVE-2022-36765
		10
		11	The CreateHob() function aligns the requested size to 8
		12	performing the following operation:
		13	```
		14	HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
		15	```
		16
		17	No checks are performed to ensure this value doesn't
		18	overflow, and could lead to CreateHob() returning a smaller
		19	HOB than requested, which could lead to OOB HOB accesses.
		20
		21	Reported-by: Marc Beatove <mbeatove@google.com>
		22	Cc: Guo Dong <guo.dong@intel.com>
		23	Cc: Sean Rhodes <sean@starlabs.systems>
		24	Cc: James Lu <james.lu@intel.com>
		25	Reviewed-by: Gua Guo <gua.guo@intel.com>
		26	Cc: John Mathew <john.mathews@intel.com>
		27	Authored-by: Gerd Hoffmann <kraxel@redhat.com>
		28	Signed-off-by: Gua Guo <gua.guo@intel.com>
		29
		30	CVE: CVE-2022-36765
		31
		32	Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2]
		33
		34	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		35	---
		36	.../Library/PayloadEntryHobLib/Hob.c \| 43 +++++++++++++++++++
		37	.../UefiPayloadEntry/UniversalPayloadEntry.c \| 8 ++--
		38	2 files changed, 48 insertions(+), 3 deletions(-)
		39
		40	diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
		41	index 2c3acbbc19..51c2e28d7d 100644
		42	--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
		43	+++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
		44	@@ -110,6 +110,13 @@ CreateHob (
		45
		46	HandOffHob = GetHobList ();
		47
		48	+ //
		49	+ // Check Length to avoid data overflow.
		50	+ //
		51	+ if (HobLength > MAX_UINT16 - 0x7) {
		52	+ return NULL;
		53	+ }
		54	+
		55	HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
		56
		57	FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
		58	@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
		59
		60	Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
		61	ASSERT (Hob != NULL);
		62	+ if (Hob == NULL) {
		63	+ return;
		64	+ }
		65
		66	Hob->ResourceType = ResourceType;
		67	Hob->ResourceAttribute = ResourceAttribute;
		68	@@ -330,6 +340,10 @@ BuildModuleHob (
		69	);
		70
		71	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
		72	+ ASSERT (Hob != NULL);
		73	+ if (Hob == NULL) {
		74	+ return;
		75	+ }
		76
		77	CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
		78	Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
		79	@@ -378,6 +392,11 @@ BuildGuidHob (
		80	ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
		81
		82	Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
		83	+ ASSERT (Hob != NULL);
		84	+ if (Hob == NULL) {
		85	+ return NULL;
		86	+ }
		87	+
		88	CopyGuid (&Hob->Name, Guid);
		89	return Hob + 1;
		90	}
		91	@@ -441,6 +460,10 @@ BuildFvHob (
		92	EFI_HOB_FIRMWARE_VOLUME *Hob;
		93
		94	Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
		95	+ ASSERT (Hob != NULL);
		96	+ if (Hob == NULL) {
		97	+ return;
		98	+ }
		99
		100	Hob->BaseAddress = BaseAddress;
		101	Hob->Length = Length;
		102	@@ -472,6 +495,10 @@ BuildFv2Hob (
		103	EFI_HOB_FIRMWARE_VOLUME2 *Hob;
		104
		105	Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
		106	+ ASSERT (Hob != NULL);
		107	+ if (Hob == NULL) {
		108	+ return;
		109	+ }
		110
		111	Hob->BaseAddress = BaseAddress;
		112	Hob->Length = Length;
		113	@@ -513,6 +540,10 @@ BuildFv3Hob (
		114	EFI_HOB_FIRMWARE_VOLUME3 *Hob;
		115
		116	Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
		117	+ ASSERT (Hob != NULL);
		118	+ if (Hob == NULL) {
		119	+ return;
		120	+ }
		121
		122	Hob->BaseAddress = BaseAddress;
		123	Hob->Length = Length;
		124	@@ -546,6 +577,10 @@ BuildCpuHob (
		125	EFI_HOB_CPU *Hob;
		126
		127	Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
		128	+ ASSERT (Hob != NULL);
		129	+ if (Hob == NULL) {
		130	+ return;
		131	+ }
		132
		133	Hob->SizeOfMemorySpace = SizeOfMemorySpace;
		134	Hob->SizeOfIoSpace = SizeOfIoSpace;
		135	@@ -583,6 +618,10 @@ BuildStackHob (
		136	);
		137
		138	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
		139	+ ASSERT (Hob != NULL);
		140	+ if (Hob == NULL) {
		141	+ return;
		142	+ }
		143
		144	CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
		145	Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
		146	@@ -664,6 +703,10 @@ BuildMemoryAllocationHob (
		147	);
		148
		149	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
		150	+ ASSERT (Hob != NULL);
		151	+ if (Hob == NULL) {
		152	+ return;
		153	+ }
		154
		155	ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
		156	Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
		157	diff --git a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
		158	index edb3c20471..abfe75bd7b 100644
		159	--- a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
		160	+++ b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
		161	@@ -111,10 +111,12 @@ AddNewHob (
		162	}
		163
		164	NewHob.Header = CreateHob (Hob->Header->HobType, Hob->Header->HobLength);
		165	-
		166	- if (NewHob.Header != NULL) {
		167	- CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER));
		168	+ ASSERT (NewHob.Header != NULL);
		169	+ if (NewHob.Header == NULL) {
		170	+ return;
		171	}
		172	+
		173	+ CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER));
		174	}
		175
		176	/**
		177	--
		178	2.40.0
		179


diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch new file mode 100644 index 0000000000..1209be27b5 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch
@@ -0,0 +1,157 @@
		1	From aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 Mon Sep 17 00:00:00 2001
		2	From: Gua Guo <gua.guo@intel.com>
		3	Date: Thu, 11 Jan 2024 13:07:50 +0800
		4	Subject: [PATCH] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
		5
		6	REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
		7
		8	Fix integer overflow in various CreateHob instances.
		9	Fixes: CVE-2022-36765
		10
		11	The CreateHob() function aligns the requested size to 8
		12	performing the following operation:
		13	```
		14	HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
		15	```
		16
		17	No checks are performed to ensure this value doesn't
		18	overflow, and could lead to CreateHob() returning a smaller
		19	HOB than requested, which could lead to OOB HOB accesses.
		20
		21	Reported-by: Marc Beatove <mbeatove@google.com>
		22	Cc: Leif Lindholm <quic_llindhol@quicinc.com>
		23	Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
		24	Cc: Abner Chang <abner.chang@amd.com>
		25	Cc: John Mathew <john.mathews@intel.com>
		26	Authored-by: Gerd Hoffmann <kraxel@redhat.com>
		27	Signed-off-by: Gua Guo <gua.guo@intel.com>
		28
		29	CVE: CVE-2022-36765
		30
		31	Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6]
		32
		33	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		34	---
		35	EmbeddedPkg/Library/PrePiHobLib/Hob.c \| 43 +++++++++++++++++++++++++++
		36	1 file changed, 43 insertions(+)
		37
		38	diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
		39	index 8eb175aa96..cbc35152cc 100644
		40	--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
		41	+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
		42	@@ -110,6 +110,13 @@ CreateHob (
		43
		44	HandOffHob = GetHobList ();
		45
		46	+ //
		47	+ // Check Length to avoid data overflow.
		48	+ //
		49	+ if (HobLength > MAX_UINT16 - 0x7) {
		50	+ return NULL;
		51	+ }
		52	+
		53	HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
		54
		55	FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
		56	@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
		57
		58	Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
		59	ASSERT (Hob != NULL);
		60	+ if (Hob == NULL) {
		61	+ return;
		62	+ }
		63
		64	Hob->ResourceType = ResourceType;
		65	Hob->ResourceAttribute = ResourceAttribute;
		66	@@ -401,6 +411,10 @@ BuildModuleHob (
		67	);
		68
		69	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
		70	+ ASSERT (Hob != NULL);
		71	+ if (Hob == NULL) {
		72	+ return;
		73	+ }
		74
		75	CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
		76	Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
		77	@@ -449,6 +463,11 @@ BuildGuidHob (
		78	ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
		79
		80	Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
		81	+ ASSERT (Hob != NULL);
		82	+ if (Hob == NULL) {
		83	+ return NULL;
		84	+ }
		85	+
		86	CopyGuid (&Hob->Name, Guid);
		87	return Hob + 1;
		88	}
		89	@@ -512,6 +531,10 @@ BuildFvHob (
		90	EFI_HOB_FIRMWARE_VOLUME *Hob;
		91
		92	Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
		93	+ ASSERT (Hob != NULL);
		94	+ if (Hob == NULL) {
		95	+ return;
		96	+ }
		97
		98	Hob->BaseAddress = BaseAddress;
		99	Hob->Length = Length;
		100	@@ -543,6 +566,10 @@ BuildFv2Hob (
		101	EFI_HOB_FIRMWARE_VOLUME2 *Hob;
		102
		103	Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
		104	+ ASSERT (Hob != NULL);
		105	+ if (Hob == NULL) {
		106	+ return;
		107	+ }
		108
		109	Hob->BaseAddress = BaseAddress;
		110	Hob->Length = Length;
		111	@@ -584,6 +611,10 @@ BuildFv3Hob (
		112	EFI_HOB_FIRMWARE_VOLUME3 *Hob;
		113
		114	Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
		115	+ ASSERT (Hob != NULL);
		116	+ if (Hob == NULL) {
		117	+ return;
		118	+ }
		119
		120	Hob->BaseAddress = BaseAddress;
		121	Hob->Length = Length;
		122	@@ -639,6 +670,10 @@ BuildCpuHob (
		123	EFI_HOB_CPU *Hob;
		124
		125	Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
		126	+ ASSERT (Hob != NULL);
		127	+ if (Hob == NULL) {
		128	+ return;
		129	+ }
		130
		131	Hob->SizeOfMemorySpace = SizeOfMemorySpace;
		132	Hob->SizeOfIoSpace = SizeOfIoSpace;
		133	@@ -676,6 +711,10 @@ BuildStackHob (
		134	);
		135
		136	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
		137	+ ASSERT (Hob != NULL);
		138	+ if (Hob == NULL) {
		139	+ return;
		140	+ }
		141
		142	CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
		143	Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
		144	@@ -756,6 +795,10 @@ BuildMemoryAllocationHob (
		145	);
		146
		147	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
		148	+ ASSERT (Hob != NULL);
		149	+ if (Hob == NULL) {
		150	+ return;
		151	+ }
		152
		153	ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
		154	Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
		155	--
		156	2.40.0
		157


diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch new file mode 100644 index 0000000000..9579205e09 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch
@@ -0,0 +1,135 @@
		1	From 9a75b030cf27d2530444e9a2f9f11867f79bf679 Mon Sep 17 00:00:00 2001
		2	From: Gua Guo <gua.guo@intel.com>
		3	Date: Thu, 11 Jan 2024 13:03:26 +0800
		4	Subject: [PATCH] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
		5
		6	REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
		7
		8	Fix integer overflow in various CreateHob instances.
		9	Fixes: CVE-2022-36765
		10
		11	The CreateHob() function aligns the requested size to 8
		12	performing the following operation:
		13	```
		14	HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
		15	```
		16
		17	No checks are performed to ensure this value doesn't
		18	overflow, and could lead to CreateHob() returning a smaller
		19	HOB than requested, which could lead to OOB HOB accesses.
		20
		21	Reported-by: Marc Beatove <mbeatove@google.com>
		22	Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
		23	Cc: Sami Mujawar <sami.mujawar@arm.com>
		24	Reviewed-by: Ray Ni <ray.ni@intel.com>
		25	Cc: John Mathew <john.mathews@intel.com>
		26	Authored-by: Gerd Hoffmann <kraxel@redhat.com>
		27	Signed-off-by: Gua Guo <gua.guo@intel.com>
		28
		29	CVE: CVE-2022-36765
		30
		31	Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679]
		32
		33	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		34	---
		35	.../Arm/StandaloneMmCoreHobLib.c \| 35 +++++++++++++++++++
		36	1 file changed, 35 insertions(+)
		37
		38	diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
		39	index 1550e1babc..59473e28fe 100644
		40	--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
		41	+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
		42	@@ -34,6 +34,13 @@ CreateHob (
		43
		44	HandOffHob = GetHobList ();
		45
		46	+ //
		47	+ // Check Length to avoid data overflow.
		48	+ //
		49	+ if (HobLength > MAX_UINT16 - 0x7) {
		50	+ return NULL;
		51	+ }
		52	+
		53	HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
		54
		55	FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
		56	@@ -89,6 +96,10 @@ BuildModuleHob (
		57	);
		58
		59	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
		60	+ ASSERT (Hob != NULL);
		61	+ if (Hob == NULL) {
		62	+ return;
		63	+ }
		64
		65	CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
		66	Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
		67	@@ -129,6 +140,9 @@ BuildResourceDescriptorHob (
		68
		69	Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
		70	ASSERT (Hob != NULL);
		71	+ if (Hob == NULL) {
		72	+ return;
		73	+ }
		74
		75	Hob->ResourceType = ResourceType;
		76	Hob->ResourceAttribute = ResourceAttribute;
		77	@@ -167,6 +181,11 @@ BuildGuidHob (
		78	ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
		79
		80	Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
		81	+ ASSERT (Hob != NULL);
		82	+ if (Hob == NULL) {
		83	+ return NULL;
		84	+ }
		85	+
		86	CopyGuid (&Hob->Name, Guid);
		87	return Hob + 1;
		88	}
		89	@@ -226,6 +245,10 @@ BuildFvHob (
		90	EFI_HOB_FIRMWARE_VOLUME *Hob;
		91
		92	Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
		93	+ ASSERT (Hob != NULL);
		94	+ if (Hob == NULL) {
		95	+ return;
		96	+ }
		97
		98	Hob->BaseAddress = BaseAddress;
		99	Hob->Length = Length;
		100	@@ -255,6 +278,10 @@ BuildFv2Hob (
		101	EFI_HOB_FIRMWARE_VOLUME2 *Hob;
		102
		103	Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
		104	+ ASSERT (Hob != NULL);
		105	+ if (Hob == NULL) {
		106	+ return;
		107	+ }
		108
		109	Hob->BaseAddress = BaseAddress;
		110	Hob->Length = Length;
		111	@@ -282,6 +309,10 @@ BuildCpuHob (
		112	EFI_HOB_CPU *Hob;
		113
		114	Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
		115	+ ASSERT (Hob != NULL);
		116	+ if (Hob == NULL) {
		117	+ return;
		118	+ }
		119
		120	Hob->SizeOfMemorySpace = SizeOfMemorySpace;
		121	Hob->SizeOfIoSpace = SizeOfIoSpace;
		122	@@ -319,6 +350,10 @@ BuildMemoryAllocationHob (
		123	);
		124
		125	Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
		126	+ ASSERT (Hob != NULL);
		127	+ if (Hob == NULL) {
		128	+ return;
		129	+ }
		130
		131	ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
		132	Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
		133	--
		134	2.40.0
		135


diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index dbfed086e4..1dba709824 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -50,6 +50,9 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
50	file://CVE-2023-45237-0001.patch \	50	file://CVE-2023-45237-0001.patch \
51	file://CVE-2023-45237-0002.patch \	51	file://CVE-2023-45237-0002.patch \
52	file://CVE-2023-45236.patch \	52	file://CVE-2023-45236.patch \
		53	file://CVE-2022-36765-0001.patch \
		54	file://CVE-2022-36765-0002.patch \
		55	file://CVE-2022-36765-0003.patch \
53	"	56	"
54		57
55	PV = "edk2-stable202202"	58	PV = "edk2-stable202202"