From 9922853b9e2ecd74aee6298aa5a4570e649dddc2 Mon Sep 17 00:00:00 2001
From: s00803682 <shaodenghui@huawei.com>
Date: Mon, 20 Feb 2023 22:16:35 +0800
Subject: [PATCH 1/2] fix CVE-2022-4450

---
 ...ling-ptrs-in-header-and-data-params-.patch | 41 +++++++++++++++++++
 edk2.spec                                     |  7 +++-
 2 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch

diff --git a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
new file mode 100644
index 0000000..c1de655
--- /dev/null
+++ b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
@@ -0,0 +1,41 @@
+From a114dc3c9af48a8f8ed22e738944a9c3e830a088 Mon Sep 17 00:00:00 2001
+From: s00803682 <shaodenghui@huawei.com>
+Date: Mon, 20 Feb 2023 21:59:31 +0800
+Subject: [PATCH] [PATCH] Avoid dangling ptrs in header and data params for
+ PEM_read_bio_ex In the event of a failure in PEM_read_bio_ex() we free the
+ buffers we allocated for the header and data buffers. However we were not
+ clearing the ptrs stored in *header and *data. Since, on success, the caller
+ is responsible for freeing these ptrs this can potentially lead to a double
+ free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+
+Signed-off-by: s00803682 <shaodenghui@huawei.com>
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
+index 64baf71..6c7c4fe 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
+@@ -940,7 +940,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+     *data = pem_malloc(len, flags);
+     if (*header == NULL || *data == NULL) {
+         pem_free(*header, flags, 0);
++        *header = NULL;
+         pem_free(*data, flags, 0);
++        *data = NULL;
+         goto end;
+     }
+     BIO_read(headerB, *header, headerlen);
+-- 
+2.27.0
+
diff --git a/edk2.spec b/edk2.spec
index 435bbaa..5752fb5 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 7
+Release: 8
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -43,7 +43,7 @@ Patch0020: 0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch
 Patch0021: 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
 
 Patch0022: 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
-
+Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
 
 %description
@@ -244,6 +244,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Mon Feb 20 2023 shaodenghui<shaodenghui@huawei.com> - 202011-8
+- fix CVE-2022-4450
+
 * Tue Nov 29 2022 chenhuiying<chenhuiying4@huawei.com> - 202011-7
 - fix CVE-2021-38578
 
-- 
Gitee


From 752ed5887070c9f4d05eb790ccec8dd18eb7a0ad Mon Sep 17 00:00:00 2001
From: s00803682 <shaodenghui@huawei.com>
Date: Sat, 25 Feb 2023 14:19:07 +0800
Subject: [PATCH 2/2] fix CVE-2023-0401

---
 ...ling-ptrs-in-header-and-data-params-.patch |  1 +
 ...t.c-Check-return-of-BIO_set_md-calls.patch | 57 +++++++++++++++++++
 edk2.spec                                     |  6 +-
 3 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch

diff --git a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
index c1de655..5314e7b 100644
--- a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
+++ b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
@@ -11,6 +11,7 @@ Subject: [PATCH] [PATCH] Avoid dangling ptrs in header and data params for
 Thanks to Dawei Wang for reporting this issue.
 
 Based on a proposed patch by Kurt Roeckx.
+reference: https://github.com/openssl/openssl/commit/ee6243f3947107d655f6dee96f63861561a5aaeb
 
 CVE-2022-4450
 
diff --git a/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
new file mode 100644
index 0000000..5a61de7
--- /dev/null
+++ b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
@@ -0,0 +1,57 @@
+From 7dd5a23212e3c7bf25a9cd7689681beb89b2d20f Mon Sep 17 00:00:00 2001
+From: s00803682 <shaodenghui@huawei.com>
+Date: Tue, 21 Feb 2023 20:12:59 +0800
+Subject: [PATCH] [PATCH] pk7_doit.c: Check return of BIO_set_md() calls
+
+These calls invoke EVP_DigestInit() which can fail for digests
+with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
+or EVP_DigestFinal() from BIO_read() will segfault on NULL
+dereference. This can be triggered by an attacker providing
+PKCS7 data digested with MD4 for example if the legacy provider
+is not loaded.
+
+If BIO_set_md() fails the md BIO cannot be used.
+
+CVE-2023-0401
+
+Reference: https://github.com/openssl/openssl/commit/6eebe6c0238178356114a96a7858f36b24172847
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Signed-off-by: s00803682 <shaodenghui@huawei.com>
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc5..bbfcf27 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -67,7 +67,10 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
+         goto err;
+     }
+ 
+-    BIO_set_md(btmp, md);
++    if (BIO_set_md(btmp, md) <= 0) {
++        PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB);
++        goto err;
++    }
+     if (*pbio == NULL)
+         *pbio = btmp;
+     else if (!BIO_push(*pbio, btmp)) {
+@@ -454,7 +457,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
+                 goto err;
+             }
+ 
+-            BIO_set_md(btmp, evp_md);
++            if (BIO_set_md(btmp, evp_md) <= 0) {
++                PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
++                goto err;
++            }
+             if (out == NULL)
+                 out = btmp;
+             else
+-- 
+2.27.0
+
diff --git a/edk2.spec b/edk2.spec
index 5752fb5..c0cfeaa 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 8
+Release: 9
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -44,6 +44,7 @@ Patch0021: 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
 
 Patch0022: 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
 Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
+Patch0024: 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
 
 %description
@@ -244,6 +245,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Sat Feb 25 2023 shaodenghui<shaodenghui@huawei.com> - 202011-9
+- fix CVE-2023-0401 
+
 * Mon Feb 20 2023 shaodenghui<shaodenghui@huawei.com> - 202011-8
 - fix CVE-2022-4450
 
-- 
Gitee