[AUTO-CHERRYPICK] Fix CVE-2024-5535 in hvloader - branch main (#11232)

CBL-Mariner-Bot · joejoew · web-flow · commit 73a888e47886 · 2024-11-26T23:48:47.000-05:00
Co-authored-by: joejoew &lt;111843948+joejoew@users.noreply.github.com&gt;
diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Mon Nov 25 2024 Zhichun Wan <zhichunwan@microsoft.com> - 1.0.1-6
+- Update version for consistency with hvloader spec
+
 * Wed Jun 19 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-5
 - Update version for consistency with hvloader spec
 
diff --git a/SPECS/hvloader/CVE-2024-5535.patch b/SPECS/hvloader/CVE-2024-5535.patch
@@ -0,0 +1,94 @@
+From 7a96ccee7892abe6ee1d8b8b42d293bd5261c2ef Mon Sep 17 00:00:00 2001
+From: Zhichun Wan <zhichunwan@microsoft.com>
+Date: Tue, 26 Nov 2024 01:49:38 +0000
+Subject: [PATCH] patches
+
+---
+ .../Library/OpensslLib/openssl/ssl/ssl_lib.c  | 63 ++++++++++++-------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index 47adc321..0dca8e69 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+                           unsigned int server_len,
+                           const unsigned char *client, unsigned int client_len)
+ {
+-    unsigned int i, j;
+-    const unsigned char *result;
+-    int status = OPENSSL_NPN_UNSUPPORTED;
++    PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++    if (!PACKET_buf_init(&cpkt, client, client_len)
++            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++            || PACKET_remaining(&csubpkt) == 0) {
++        *out = NULL;
++        *outlen = 0;
++        return OPENSSL_NPN_NO_OVERLAP;
++    }
++
++    /*
++     * Set the default opportunistic protocol. Will be overwritten if we find
++     * a match.
++     */
++    *out = (unsigned char *)PACKET_data(&csubpkt);
++    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+ 
+     /*
+      * For each protocol in server preference order, see if we support it.
+      */
+-    for (i = 0; i < server_len;) {
+-        for (j = 0; j < client_len;) {
+-            if (server[i] == client[j] &&
+-                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+-                /* We found a match */
+-                result = &server[i];
+-                status = OPENSSL_NPN_NEGOTIATED;
+-                goto found;
++    if (PACKET_buf_init(&spkt, server, server_len)) {
++        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++            if (PACKET_remaining(&ssubpkt) == 0)
++                continue; /* Invalid - ignore it */
++            if (PACKET_buf_init(&cpkt, client, client_len)) {
++                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++                                     PACKET_remaining(&ssubpkt))) {
++                        /* We found a match */
++                        *out = (unsigned char *)PACKET_data(&ssubpkt);
++                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++                        return OPENSSL_NPN_NEGOTIATED;
++                    }
++                }
++                /* Ignore spurious trailing bytes in the client list */
++            } else {
++                /* This should never happen */
++                return OPENSSL_NPN_NO_OVERLAP;
+             }
+-            j += client[j];
+-            j++;
+         }
+-        i += server[i];
+-        i++;
++        /* Ignore spurious trailing bytes in the server list */
+     }
+ 
+-    /* There's no overlap between our protocols and the server's list. */
+-    result = client;
+-    status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+-    *out = (unsigned char *)result + 1;
+-    *outlen = result[0];
+-    return status;
++    /*
++     * There's no overlap between our protocols and the server's list. We use
++     * the default opportunistic protocol selected earlier
++     */
++    return OPENSSL_NPN_NO_OVERLAP;
+ }
+ 
+ #ifndef OPENSSL_NO_NEXTPROTONEG
+-- 
+2.45.2
+
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
@@ -4,7 +4,7 @@
 Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name:           hvloader
 Version:        1.0.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -16,6 +16,7 @@ Source1:        https://github.com/tianocore/edk2/archive/refs/tags/%{edk2_tag}.
 Source2:        target-x86.txt
 Patch0:         CVE-2024-1298.patch
 Patch1:         CVE-2023-0464.patch
+Patch2:         CVE-2024-5535.patch
 BuildRequires:  bc
 BuildRequires:  gcc
 BuildRequires:  build-essential
@@ -60,6 +61,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 
 %changelog
+* Mon Nov 25 2024 Zhichun Wan <zhichunwan@microsoft.com> - 1.0.1-6
+- Add patch to resolve CVE-2024-5535
+
 * Wed Jun 19 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-5
 - Add patch to resolve CVE-2023-0464
 
