From 6c804f113c3658d5e2429ab067076d7a7c18f5a4 Mon Sep 17 00:00:00 2001 From: hanliyang Date: Tue, 19 Nov 2024 16:03:19 +0800 Subject: [PATCH] Fix some missing code for CVE-2023-45236 & CVE-2023-45237 Signed-off-by: hanliyang --- ...de-for-CVE-2023-45236-CVE-2023-45237.patch | 793 ++++++++++++++++++ edk2.spec | 13 +- 2 files changed, 805 insertions(+), 1 deletion(-) create mode 100644 0023-Sync-missing-code-for-CVE-2023-45236-CVE-2023-45237.patch diff --git a/0023-Sync-missing-code-for-CVE-2023-45236-CVE-2023-45237.patch b/0023-Sync-missing-code-for-CVE-2023-45236-CVE-2023-45237.patch new file mode 100644 index 0000000..890229b --- /dev/null +++ b/0023-Sync-missing-code-for-CVE-2023-45236-CVE-2023-45237.patch 
@@ -0,0 +1,793 @@ +From 236243122532b7b86e91bee5c37133b04a9bf437 Mon Sep 17 00:00:00 2001 +From: hanliyang +Date: Tue, 19 Nov 2024 06:26:38 +0000 +Subject: [PATCH] Sync missing code for CVE-2023-45236 & CVE-2023-45237 + +The previous commit included the bugfix for CVE-2023-45236 +and CVE-2023-45237. Due to missing the dependency on +gEfiRngProtocolGuid and omitting the references to +gEfiRngAlgorithmArmRndr and gEfiRngAlgorithmRaw, OVMF will +trigger ASSERT() when booting the virtual machine. Fix it +here. + +Besides, update the copyright of the files changed by the +bugfix. + +Note: the previous commit also missing some other codes in +the following files, they were not synced in this commit. + NetworkPkg/TcpDxe/TcpDriver.c + NetworkPkg/TcpDxe/TcpDxe.inf + NetworkPkg/TcpDxe/TcpFunc.h + NetworkPkg/TcpDxe/TcpInput.c + NetworkPkg/TcpDxe/TcpMain.h + NetworkPkg/TcpDxe/TcpMisc.c + NetworkPkg/TcpDxe/TcpTimer.c + +Signed-off-by: hanliyang +--- + NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 3 +- + NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 4 +- + NetworkPkg/DnsDxe/DnsDhcp.c | 3 +- + NetworkPkg/DnsDxe/DnsImpl.c | 3 +- + NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 3 +- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 1 + + NetworkPkg/IScsiDxe/IScsiMisc.c | 1 + + NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + + NetworkPkg/Include/Library/NetLib.h | 38 +++++++++---- + NetworkPkg/Ip4Dxe/Ip4Driver.c | 3 +- + NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 2 +- + NetworkPkg/Ip6Dxe/Ip6Driver.c | 4 +- + NetworkPkg/Ip6Dxe/Ip6If.c | 4 +- + NetworkPkg/Ip6Dxe/Ip6Mld.c | 2 +- + NetworkPkg/Ip6Dxe/Ip6Nd.c | 6 +- + NetworkPkg/Ip6Dxe/Ip6Nd.h | 2 +- + NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 66 ++++++++++++---------- + NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 7 ++- + NetworkPkg/NetworkPkg.dec | 1 + + NetworkPkg/SecurityFixes.yaml | 61 ++++++++++++++++++++ + NetworkPkg/TcpDxe/TcpDriver.c | 4 +- + NetworkPkg/Udp4Dxe/Udp4Driver.c | 3 +- + NetworkPkg/Udp6Dxe/Udp6Driver.c | 4 +- + NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 4 +- + 
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 10 +++- + NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 1 + + 26 files changed, 174 insertions(+), 67 deletions(-) + +diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c +index 338b1be..892caee 100644 +--- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c ++++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c +@@ -1,6 +1,7 @@ + /** @file + + Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -193,7 +194,7 @@ Dhcp4CreateService ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c +index 1e49990..e7f2787 100644 +--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c ++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c +@@ -3,7 +3,7 @@ + implementation for Dhcp6 Driver. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -127,7 +127,7 @@ Dhcp6CreateService ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c +index 0b95d52..9eb3c1d 100644 +--- a/NetworkPkg/DnsDxe/DnsDhcp.c ++++ b/NetworkPkg/DnsDxe/DnsDhcp.c +@@ -2,6 +2,7 @@ + Functions implementation related with DHCPv4/v6 for DNS driver. + + Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -295,7 +296,7 @@ GetDns4ServerFromDhcp4 ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c +index 876b163..c2629bb 100644 +--- a/NetworkPkg/DnsDxe/DnsImpl.c ++++ b/NetworkPkg/DnsDxe/DnsImpl.c +@@ -2,6 +2,7 @@ + DnsDxe support functions implementation. + + Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -1968,7 +1969,7 @@ ConstructDNSQuery ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c +index 74b8634..f964515 100644 +--- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c ++++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c +@@ -2,6 +2,7 @@ + Functions implementation related with DHCPv6 for HTTP boot driver. + + Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -964,7 +965,7 @@ HttpBootDhcp6Sarr ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index 9dda7d1..bebb1ac 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -3,6 +3,7 @@ + Configuration. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index 5c67f53..2159b84 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -2,6 +2,7 @@ + Miscellaneous routines for iSCSI driver. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 82c1598..91b2cd2 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -2,6 +2,7 @@ + Miscellaneous definitions for iSCSI driver. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h +index d2b1787..e8108b7 100644 +--- a/NetworkPkg/Include/Library/NetLib.h ++++ b/NetworkPkg/Include/Library/NetLib.h +@@ -3,6 +3,7 @@ + It provides basic functions for the UEFI network stack. + + Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -577,19 +578,19 @@ NetPutUint32 ( + IN UINT32 Data + ); + +-/* +-Generate a 32-bit pseudo-random number. ++/** ++ Generate a Random output data given a length. + +- @param[out] Output - The buffer to store the generated random number. ++ @param[out] Output - The buffer to store the generated random data. ++ @param[in] OutputLength - The length of the output buffer. + +-@return EFI_SUCCESS on success, error code on failure. +-*/ +-EFI_STATUS +-EFIAPI +-PseudoRandomU32 ( +- OUT UINT32 *Output +- ); ++ @retval EFI_SUCCESS On Success ++ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() + ++ @return Status code ++**/ + EFI_STATUS + EFIAPI + PseudoRandom ( +@@ -597,6 +598,23 @@ PseudoRandom ( + IN UINTN OutputLength + ); + ++/** ++ Generate a 32-bit pseudo-random number. ++ ++ @param[out] Output - The buffer to store the generated random number. ++ ++ @retval EFI_SUCCESS On Success ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() ++ ++ @return Status code ++**/ ++EFI_STATUS ++EFIAPI ++PseudoRandomU32 ( ++ OUT UINT32 *Output ++ ); ++ + #define NET_LIST_USER_STRUCT(Entry, Type, Field) \ + BASE_CR(Entry, Type, Field) + +diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c +index 3b3544d..683423f 100644 +--- a/NetworkPkg/Ip4Dxe/Ip4Driver.c ++++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c +@@ -2,6 +2,7 @@ + The driver binding and service binding protocol for IP4 driver. + + Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent +@@ -557,7 +558,7 @@ Ip4DriverBindingStart ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c +index cadb99a..4c1354d 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c ++++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c +@@ -2280,7 +2280,7 @@ Ip6ConfigInitInstance ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c +index 0585420..cbe011d 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Driver.c ++++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c +@@ -3,7 +3,7 @@ + + Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+ (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -528,7 +528,7 @@ Ip6DriverBindingStart ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c +index 8c044ad..f3d11c4 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6If.c ++++ b/NetworkPkg/Ip6Dxe/Ip6If.c +@@ -2,7 +2,7 @@ + Implement IP6 pseudo interface. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -94,7 +94,7 @@ Ip6SetAddress ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c +index c2ead86..498a118 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Mld.c ++++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c +@@ -702,7 +702,7 @@ Ip6UpdateDelayTimer ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c +index 1d51e11..72aa45c 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Nd.c ++++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c +@@ -2,7 +2,7 @@ + Implementation of Neighbor Discovery support routines. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -29,7 +29,7 @@ Ip6UpdateReachableTime ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +@@ -990,7 +990,7 @@ Ip6InitDADProcess ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h +index 739e87f..5795e23 100644 +--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h ++++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h +@@ -2,7 +2,7 @@ + Definition of Neighbor Discovery support routines. + + Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +index a1b42ad..01c13c0 100644 +--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c ++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +@@ -3,6 +3,7 @@ + + Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
+ (C) Copyright 2015 Hewlett Packard Enterprise Development LP
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + **/ + +@@ -129,22 +130,23 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = { + }; + + // +-// These represent UEFI SPEC & NIST SP-800-90 approved algorithms that should be supported by the RNG protocol +-// and are generally considered secure. This list enforces a minimum set of secure algorithms that must +-// be supported by the RNG protocol. ++// These represent UEFI SPEC defined algorithms that should be supported by ++// the RNG protocol and are generally considered secure. + // +-// The order of the algorithms in this array is important. The first algorithm that is supported by the RNG +-// protocol will be used to generate the seed for the random number generator. +-// If your platform needs to use a specific algorithm to generate the seed for the random number generator, ++// The order of the algorithms in this array is important. This order is the order ++// in which the algorithms will be tried by the RNG protocol. ++// If your platform needs to use a specific algorithm for the random number generator, + // then you should place that algorithm first in the array. 
+ // + GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID *mSecureHashAlgorithms[] = { + &gEfiRngAlgorithmSp80090Ctr256Guid, // SP800-90A DRBG CTR using AES-256 + &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256 +- &gEfiRngAlgorithmSp80090Hash256Guid // SP800-90A DRBG Hash using SHA-256 ++ &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256 ++ &gEfiRngAlgorithmArmRndr, // unspecified SP800-90A DRBG via ARM RNDR register ++ &gEfiRngAlgorithmRaw, // Raw data from NRBG (or TRNG) + }; + +-#define mSecureHashAlgorithmsSize (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *)) ++#define SECURE_HASH_ALGORITHMS_SIZE (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *)) + + /** + Locate the handles that support SNP, then open one of them +@@ -902,17 +904,19 @@ Ip6Swap128 ( + return Ip6; + } + +-/* +-Generate a Random output data given a length. ++/** ++ Generate a Random output data given a length. ++ ++ @param[out] Output - The buffer to store the generated random data. ++ @param[in] OutputLength - The length of the output buffer. + +-@param[out] Output - The buffer to store the generated random data. +-@param[in] OutputLength - The length of the output buffer. 
++ @retval EFI_SUCCESS On Success ++ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() + +-@retval EFI_SUCCESS On Success +-@retval EFI_INVALID_PARAMETER Pointer is null or size is zero +-@retval EFI_NOT_FOUND RNG protocol not found +-@Retval Others Error from RngProtocol->GetRNG() +-*/ ++ @return Status code ++**/ + EFI_STATUS + EFIAPI + PseudoRandom ( +@@ -922,6 +926,7 @@ PseudoRandom ( + { + EFI_RNG_PROTOCOL *RngProtocol; + EFI_STATUS Status; ++ UINTN AlgorithmIndex; + + if ((Output == NULL) || (OutputLength == 0)) { + return EFI_INVALID_PARAMETER; +@@ -935,8 +940,8 @@ PseudoRandom ( + } + + if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) { +- for (UINTN i = 0; i < mSecureHashAlgorithmsSize; i++) { +- Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[i], OutputLength, (UINT8 *)Output); ++ for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) { ++ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output); + if (!EFI_ERROR (Status)) { + // + // Secure Algorithm was supported on this platform +@@ -946,7 +951,7 @@ PseudoRandom ( + // + // Secure Algorithm was not supported on this platform + // +- DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", i, Status)); ++ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); + + // + // Try the next secure algorithm +@@ -956,7 +961,7 @@ PseudoRandom ( + // + // Some other error occurred + // +- DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", i, Status)); ++ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } +@@ -975,7 +980,7 @@ PseudoRandom ( + // + Status = 
RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random data: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } +@@ -983,16 +988,17 @@ PseudoRandom ( + return EFI_SUCCESS; + } + +-/* +-Generate a 32-bit pseudo-random number. ++/** ++ Generate a 32-bit pseudo-random number. ++ ++ @param[out] Output - The buffer to store the generated random number. + +-@param[out] Output - The buffer to store the generated random number. ++ @retval EFI_SUCCESS On Success ++ @retval EFI_NOT_FOUND RNG protocol not found ++ @retval Others Error from RngProtocol->GetRNG() + +-@retval EFI_SUCCESS On Success +-@retval EFI_INVALID_PARAMETER Pointer is null or size is zero +-@retval EFI_NOT_FOUND RNG protocol not found +-@Retval Others Error from RngProtocol->GetRNG() +-*/ ++ @return Status code ++**/ + EFI_STATUS + EFIAPI + PseudoRandomU32 ( +diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +index 98152b1..a8f534a 100644 +--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf ++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +@@ -3,6 +3,7 @@ + # + # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+ # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
++# Copyright (c) Microsoft Corporation + # SPDX-License-Identifier: BSD-2-Clause-Patent + # + ## +@@ -49,10 +50,11 @@ + gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable + gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable + gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES +- ++ gEfiRngAlgorithmRaw ## CONSUMES + gEfiRngAlgorithmSp80090Ctr256Guid ## CONSUMES + gEfiRngAlgorithmSp80090Hmac256Guid ## CONSUMES + gEfiRngAlgorithmSp80090Hash256Guid ## CONSUMES ++ gEfiRngAlgorithmArmRndr ## CONSUMES + + [Protocols] + gEfiSimpleNetworkProtocolGuid ## SOMETIMES_CONSUMES +@@ -66,3 +68,6 @@ + + [FixedPcd] + gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES ++ ++[Depex] ++ gEfiRngProtocolGuid +diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec +index 6957890..7c4289b 100644 +--- a/NetworkPkg/NetworkPkg.dec ++++ b/NetworkPkg/NetworkPkg.dec +@@ -5,6 +5,7 @@ + # + # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
+ # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP
++# Copyright (c) Microsoft Corporation + # + # SPDX-License-Identifier: BSD-2-Clause-Patent + # +diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml +index fa42025..4305328 100644 +--- a/NetworkPkg/SecurityFixes.yaml ++++ b/NetworkPkg/SecurityFixes.yaml +@@ -122,3 +122,64 @@ CVE_2023_45235: + - http://www.openwall.com/lists/oss-security/2024/01/16/2 + - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html + - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html ++CVE_2023_45236: ++ commit_titles: ++ - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch" ++ cve: CVE-2023-45236 ++ date_reported: 2023-08-28 13:56 UTC ++ description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers" ++ note: ++ files_impacted: ++ - NetworkPkg/Include/Library/NetLib.h ++ - NetworkPkg/TcpDxe/TcpDriver.c ++ - NetworkPkg/TcpDxe/TcpDxe.inf ++ - NetworkPkg/TcpDxe/TcpFunc.h ++ - NetworkPkg/TcpDxe/TcpInput.c ++ - NetworkPkg/TcpDxe/TcpMain.h ++ - NetworkPkg/TcpDxe/TcpMisc.c ++ - NetworkPkg/TcpDxe/TcpTimer.c ++ links: ++ - https://bugzilla.tianocore.org/show_bug.cgi?id=4541 ++ - https://nvd.nist.gov/vuln/detail/CVE-2023-45236 ++ - http://www.openwall.com/lists/oss-security/2024/01/16/2 ++ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html ++ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html ++CVE_2023_45237: ++ commit_titles: ++ - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" ++ cve: CVE-2023-45237 ++ date_reported: 2023-08-28 13:56 UTC ++ description: "Bug 09 - Use of a Weak PseudoRandom Number Generator" ++ note: ++ files_impacted: ++ - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c ++ - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c ++ - NetworkPkg/DnsDxe/DnsDhcp.c ++ - NetworkPkg/DnsDxe/DnsImpl.c ++ - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c ++ - NetworkPkg/IScsiDxe/IScsiCHAP.c ++ - NetworkPkg/IScsiDxe/IScsiMisc.c ++ - 
NetworkPkg/IScsiDxe/IScsiMisc.h ++ - NetworkPkg/Include/Library/NetLib.h ++ - NetworkPkg/Ip4Dxe/Ip4Driver.c ++ - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c ++ - NetworkPkg/Ip6Dxe/Ip6Driver.c ++ - NetworkPkg/Ip6Dxe/Ip6If.c ++ - NetworkPkg/Ip6Dxe/Ip6Mld.c ++ - NetworkPkg/Ip6Dxe/Ip6Nd.c ++ - NetworkPkg/Ip6Dxe/Ip6Nd.h ++ - NetworkPkg/Library/DxeNetLib/DxeNetLib.c ++ - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf ++ - NetworkPkg/NetworkPkg.dec ++ - NetworkPkg/TcpDxe/TcpDriver.c ++ - NetworkPkg/Udp4Dxe/Udp4Driver.c ++ - NetworkPkg/Udp6Dxe/Udp6Driver.c ++ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c ++ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c ++ - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c ++ links: ++ - https://bugzilla.tianocore.org/show_bug.cgi?id=4542 ++ - https://nvd.nist.gov/vuln/detail/CVE-2023-45237 ++ - http://www.openwall.com/lists/oss-security/2024/01/16/2 ++ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html ++ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html +diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c +index 3ad6bd4..8fe6bad 100644 +--- a/NetworkPkg/TcpDxe/TcpDriver.c ++++ b/NetworkPkg/TcpDxe/TcpDriver.c +@@ -2,7 +2,7 @@ + The driver binding and service binding protocol for the TCP driver. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -167,7 +167,7 @@ TcpDriverEntryPoint ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c +index 1062d75..c7ea16f 100644 +--- a/NetworkPkg/Udp4Dxe/Udp4Driver.c ++++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c +@@ -1,6 +1,7 @@ + /** @file + + Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -559,7 +560,7 @@ Udp4DriverEntryPoint ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c +index 434139c..edb758d 100644 +--- a/NetworkPkg/Udp6Dxe/Udp6Driver.c ++++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c +@@ -2,7 +2,7 @@ + Driver Binding functions and Service Binding functions for the Network driver module. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -600,7 +600,7 @@ Udp6DriverEntryPoint ( + + Status = PseudoRandomU32 (&Random); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c +index 9afcebf..452038c 100644 +--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c ++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c +@@ -2,7 +2,7 @@ + Functions implementation related with DHCPv4 for UefiPxeBc Driver. + + Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+- ++ Copyright (c) Microsoft Corporation + SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -1383,7 +1383,7 @@ PxeBcDhcp4Discover ( + + Status = PseudoRandomU32 (&Xid); + if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_ERROR, "Failed to generate random number: %r\n", Status)); ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); + return Status; + } + +diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +index dcdd322..bcabbd2 100644 +--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c ++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +@@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover ( + UINTN ReadSize; + UINT16 OpCode; + UINT16 OpLen; +- UINT32 Xid; ++ UINT32 Random; + EFI_STATUS Status; + UINTN DiscoverLenNeeded; + +@@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover ( + return EFI_DEVICE_ERROR; + } + ++ Status = PseudoRandomU32 (&Random); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); ++ return Status; ++ } ++ + DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); + Discover = AllocateZeroPool (DiscoverLenNeeded); + if (Discover == NULL) { +@@ -2207,7 +2213,7 @@ PxeBcDhcp6Discover ( + // + // Build the discover packet by the cached request packet before. + // +- Discover->TransactionId = HTONL (Xid); ++ Discover->TransactionId = HTONL (Random); + Discover->MessageType = Request->Dhcp6.Header.MessageType; + RequestOpt = Request->Dhcp6.Option; + DiscoverOpt = Discover->DhcpOptions; +diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c +index dc923a2..4cd915b 100644 +--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c ++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c +@@ -3,6 +3,7 @@ + + (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
+ Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.
++ Copyright (c) Microsoft Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent + +-- +2.31.1 + diff --git a/edk2.spec b/edk2.spec index 8d73034..c84227a 100644 --- a/edk2.spec +++ b/edk2.spec @@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %undefine _auto_set_build_flags ExclusiveArch: x86_64 aarch64 loongarch64 @@ -87,6 +87,14 @@ Patch0021: 0021-OvmfPkg-IoMmuDxe-Implement-SetAttribute-of-CsvIoMmu.patch # 漏洞 8-9 的补丁文件现在通过 https://bugzilla.tianocore.org/show_bug.cgi?id=4541 和 https://bugzilla.tianocore.org/show_bug.cgi?id=4542 提供。这些修补程序已集成到 2024 年 5 月的 EDK2 版本 (edk2-stable202405) 中。 Patch0022: 0022-Bugfix-for-CVE-2023-45236-CVE-2023-45237.patch +# Sync some code for CVE-2023-45236 & CVE-2023-45237 +# +# Due to missing the dependency on gEfiRngProtocolGuid and +# omitting the references to gEfiRngAlgorithmArmRndr and +# gEfiRngAlgorithmRaw. The former bugfix will cause ASSERT() +# in OVMF stage. +Patch0023: 0023-Sync-missing-code-for-CVE-2023-45236-CVE-2023-45237.patch + BuildRequires: python3-devel BuildRequires: libuuid-devel %ifnarch loongarch64 @@ -485,6 +493,9 @@ install -m 0644 \ %changelog +* Tue Nov 19 2024 hanliyang - 202402-6 +- Sync some missing code for CVE-2023-45236 & CVE-2023-45237 + * Fri Aug 02 2024 lidongyue - 202402-5 - fix CVE-2023-45236 - fix CVE-2023-45237 -- Gitee
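Review bot: The new `[Depex] gEfiRngProtocolGuid` in DxeNetLib.inf is merged into the depex of every driver that links DxeNetLib, so on a platform that never installs EFI_RNG_PROTOCOL the entire network stack is left undispatched instead of hitting the ASSERT() this patch removes; nothing in this hunk or in the edk2.spec change shows that the OVMF build shipped here includes an RNG producer, so that should be confirmed and stated in the spec comment above `Patch0023`. The SecurityFixes.yaml entry `CVE_2023_45236` lists the TcpDxe sources (TcpInput.c, TcpMisc.c, TcpTimer.c and the others) under `files_impacted`, while the commit message says those files were deliberately not synced, so the tracking file now claims a TCP initial-sequence-number fix that this tree may not carry; either sync them or drop them from the entry with a note saying why. In PxeBcDhcp6.c the `Xid` → `Random` rename together with the newly added `PseudoRandomU32 (&Random)` call suggests that before this patch `HTONL (Xid)` consumed a variable with no visible assignment in the hunk context — if that is the case, the transaction ID was uninitialized rather than random and deserves a sentence in the commit message. Minor: TcpDriver.c logs `"%a Failed to generate random number: %r\n"` while every other site in this patch uses lowercase `failed`; change it to `"%a failed to generate random number: %r\n"` so the messages stay consistent.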