[MEDIUM] Patch edk2 for CVE-2024-2511, CVE-2024-38796 & CVE-2024-4603 (#13715)

Author: archana25-ms

SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec

@@ -11,7 +11,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           edk2-hvloader-signed-%{buildarch}
 Version:        %{GITDATE}git%{GITCOMMIT}
-Release:        6%{?dist}
+Release:        8%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -74,6 +74,12 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Thu Apr 24 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-8
+- Bump release for consistency with edk2 spec.
+
+* Wed Apr 23 2025 Archana Choudhary <archana1@microsoft.com> - 20240524git3e722403cd16-7
+- Bump release for consistency with edk2 spec.
+
 * Tue Apr 15 2025 Tobias Brick <tobiasb@microsoft.com> - 20240524git3e722403cd16-6
 - Bump release for consistency with edk2 spec.
 

SPECS/edk2/CVE-2024-2511.patch

@@ -0,0 +1,95 @@
+From dfa811c4173d0b520de4cfb0e7794781ad41289a Mon Sep 17 00:00:00 2001
+From: Archana Choudhary <archana1@microsoft.com>
+Date: Tue, 29 Apr 2025 09:04:40 +0000
+Subject: [PATCH] Patch for CVE-2024-2511
+
+Ported from https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
+---
+ .../Library/OpensslLib/openssl/ssl/ssl_lib.c  |  5 ++--
+ .../Library/OpensslLib/openssl/ssl/ssl_sess.c | 28 +++++++++++++++----
+ .../openssl/ssl/statem/statem_srvr.c          |  5 ++--
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index 99ce450..158b550 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -3717,9 +3717,10 @@ void ssl_update_cache(SSL *s, int mode)
+ 
+     /*
+      * If the session_id_length is 0, we are not supposed to cache it, and it
+-     * would be rather hard to do anyway :-)
++     * would be rather hard to do anyway :-). Also if the session has already
++     * been marked as not_resumable we should not cache it for later reuse.
+      */
+-    if (s->session->session_id_length == 0)
++    if (s->session->session_id_length == 0 || s->session->not_resumable)
+         return;
+ 
+     /*
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
+index 68b57a5..c1c7837 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
+@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+     return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-    return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+     SSL_SESSION *dest;
+ 
+@@ -281,6 +276,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+     return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++    return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++    if (sess != NULL)
++        sess->not_resumable = 0;
++
++    return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+     if (len)
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
+index a9e67f9..6c942e6 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
+@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+      * so the following won't overwrite an ID that we're supposed
+      * to send back.
+      */
+-    if (s->session->not_resumable ||
+-        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+-         && !s->hit))
++    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
++            && !s->hit)
+         s->session->session_id_length = 0;
+ 
+     if (usetls13) {

SPECS/edk2/CVE-2024-38796.patch

@@ -0,0 +1,26 @@
+From a6d8206a22d70dc5e6d7ac8aae8e69b80ace7e61 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Wed, 2 Apr 2025 05:23:55 +0000
+Subject: [PATCH] CVE-2024-38796
+
+Upstream patch reference: https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 86ff2e7..128090d 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage (
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+     RelocBase    = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+                                                   ImageContext,
+-- 
+2.45.2
+

SPECS/edk2/CVE-2024-4603.patch

@@ -0,0 +1,125 @@
+From d2bbe37ccf8857197a4b6c36fc0381ab58bb8b09 Mon Sep 17 00:00:00 2001
+From: Archana Choudhary <archana1@microsoft.com>
+Date: Tue, 29 Apr 2025 09:12:17 +0000
+Subject: [PATCH] Fix for CVE-2024-4603
+
+Ported from https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397
+---
+ .../Library/OpensslLib/openssl/CHANGES.md     | 17 +++++++
+ .../OpensslLib/openssl/crypto/dsa/dsa_check.c | 45 +++++++++++++++++--
+ 2 files changed, 58 insertions(+), 4 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md b/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
+index 84933a8..34a2e7f 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
++++ b/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
+@@ -30,6 +30,23 @@ breaking changes, and mappings for the large list of deprecated functions.
+ 
+ ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
+ 
++ * Fixed an issue where checking excessively long DSA keys or parameters may
++   be very slow.
++
++   Applications that use the functions EVP_PKEY_param_check() or
++   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
++   experience long delays. Where the key or parameters that are being checked
++   have been obtained from an untrusted source this may lead to a Denial of
++   Service.
++
++   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
++   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
++   reason.
++
++   ([CVE-2024-4603])
++
++   *Tomáš Mráz*
++
+  * Fixed two buffer overflows in punycode decoding functions.
+ 
+    A buffer overrun can be triggered in X.509 certificate verification,
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
+index 7ee914a..a66fe05 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++    if (dsa->params.p == NULL || dsa->params.q == NULL) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
+                                                FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret);
+ }
+ 
+@@ -49,6 +78,10 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++    
+     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret);
+ }
+ 
+@@ -56,8 +89,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
+ {
+     *ret = 0;
+ 
+-    return (dsa->params.q != NULL
+-            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
++    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -70,8 +105,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL;
+ 
+-    if (dsa->params.p == NULL
+-        || dsa->params.g == NULL
++    if (!dsa_precheck_params(dsa, &ret))
++        return 0;
++
++    if (dsa->params.g == NULL
+         || dsa->priv_key == NULL
+         || dsa->pub_key == NULL)
+         return 0;

SPECS/edk2/edk2.spec

@@ -55,10 +55,10 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    6%{?dist}
+Release:    8%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
-URL:        http://www.tianocore.org
+URL:        https://www.tianocore.org
 
 # The source tarball is created using following commands:
 # COMMIT=bb1bba3d7767
@@ -129,12 +129,15 @@ Patch0017: 0017-silence-.-has-a-LOAD-segment-with-RWX-permissions-wa.patch
 %endif
 Patch0018: 0018-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
 Patch0019: 0019-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch
+Patch0020: CVE-2024-38796.patch
 
 # Patches for the vendored OpenSSL are in the range from 1000 to 1999 (inclusive).
 Patch1000: CVE-2022-3996.patch
 Patch1001: CVE-2024-6119.patch
 Patch1002: CVE-2024-4741.patch
 Patch1003: CVE-2024-13176.patch
+Patch1004: CVE-2024-2511.patch
+Patch1005: CVE-2024-4603.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -796,6 +799,12 @@ done
 /boot/efi/HvLoader.efi
 
 %changelog
+* Thu Apr 24 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-8
+- Fix CVE-2024-38796
+
+* Wed Apr 23 2025 Archana Choudhary <archana1@microsoft.com> - 20240524git3e722403cd16-7
+- Add patch for CVE-2024-2511, CVE-2024-4603
+
 * Mon Apr 14 2025 Tobias Brick <tobiasb@microsoft.com> - 20240524git3e722403cd16-6
 - Patch CVE-2024-13176.
 - Rename patch for CVE-2024-4741 to standard name format.