[AUTO-CHERRYPICK] [High] patch vendored openssl code in hvloader in 2.0 - branch main (#13147)

CBL-Mariner-Bot · tobiasb-ms · web-flow · commit 6927cd42ccd3 · 2025-03-27T17:58:27.000-04:00
Co-authored-by: Tobias Brick &lt;39196763+tobiasb-ms@users.noreply.github.com&gt;
diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Wed Mar 26 2025 Tobias Brick <tobiasb@microsoft.com> - 1.0.1-10
+- Bump release for consistency with hvloader spec.
+
 * Fri Mar 21 2025 Daniel McIlvaney <damcilva@microsoft.com> - 1.0.1-9
 - Update version for consistency with hvloader spec
 
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
@@ -4,7 +4,7 @@
 Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name:           hvloader
 Version:        1.0.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,6 +28,7 @@ Patch10:        CVE-2023-0465.patch
 Patch11:        CVE-2024-0727.patch
 Patch12:        CVE-2023-3817.patch
 Patch13:        CVE-2023-5678.patch
+Patch14:        vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
 
 BuildRequires:  bc
 BuildRequires:  gcc
@@ -73,6 +74,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 
 %changelog
+* Tue Mar 25 2025 Tobias Brick <tobiasb@microsoft.com> - 1.0.1-10
+- Patch vendored openssl to only free read buffers if not in use.
+
 * Fri Mar 21 2025 Daniel McIlvaney <damcilva@microsoft.com> - 1.0.1-9
 - Reconcile merge issue
 
diff --git a/SPECS/hvloader/vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch b/SPECS/hvloader/vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
@@ -0,0 +1,67 @@
+From f7a045f3143fc6da2ee66bf52d8df04829590dd4 Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c | 9 +++++++++
+ CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h       | 1 +
+ CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+index 1db1712a0..525c3abf4 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+index af56206e0..513ab3988 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index c01ad8291..356d65cb6 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -5248,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.33.8
+
