From 73840139ffb3d822b69c9536a422eb4d1cbe4dea Mon Sep 17 00:00:00 2001 From: yexiao Date: Fri, 26 Jan 2024 10:32:43 +0800 Subject: [PATCH] Fix some CVE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2023-3446、CVE-2023-3817、CVE-2024-0727、CVE-2023-2975、CVE-2023-6129 Signed-off-by: yexiao --- ...r-empty-associated-data-entries-with.patch | 69 ++++++++++ ...pty-associated-data-with-AES-SIV-mod.patch | 57 ++++++++ 0005-Add-a-test-for-CVE-2023-3446.patch | 63 +++++++++ ...cessive-time-with-over-sized-modulus.patch | 74 +++++++++++ ...t-some-error-bits-in-recently-added-.patch | 39 ++++++ ...try-checking-q-properties-if-it-is-o.patch | 60 +++++++++ ...st.c-Add-test-of-DH_check-with-q-p-1.patch | 52 ++++++++ ...s-where-ContentInfo-data-can-be-NULL.patch | 123 ++++++++++++++++++ ...pc.pl-Fix-vector-register-clobbering.patch | 112 ++++++++++++++++ edk2.spec | 14 +- 10 files changed, 662 insertions(+), 1 deletion(-) create mode 100644 0003-Add-testcases-for-empty-associated-data-entries-with.patch create mode 100644 0004-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch create mode 100644 0005-Add-a-test-for-CVE-2023-3446.patch create mode 100644 0006-Fix-DH_check-excessive-time-with-over-sized-modulus.patch create mode 100644 0007-Make-DH_check-set-some-error-bits-in-recently-added-.patch create mode 100644 0008-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch create mode 100644 0009-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch create mode 100644 0010-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch create mode 100644 0011-poly1305-ppc.pl-Fix-vector-register-clobbering.patch diff --git a/0003-Add-testcases-for-empty-associated-data-entries-with.patch b/0003-Add-testcases-for-empty-associated-data-entries-with.patch new file mode 100644 index 0000000..bf71532 --- /dev/null +++ b/0003-Add-testcases-for-empty-associated-data-entries-with.patch @@ -0,0 +1,69 @@ +From 02ea09fc1e2ca35033db52384543c47329d3566f Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 4 Jul 2023 17:50:37 +0200 +Subject: [PATCH 1/9] Add testcases for empty associated data entries with + AES-SIV + +CVE-2023-2975 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale + +reference: https://github.com/openssl/openssl/pull/21384 +Signed-off-by: yexiao +--- + .../30-test_evp_data/evpciph_aes_siv.txt | 31 +++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp_data/evpciph_aes_siv.txt b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp_data/evpciph_aes_siv.txt +index a78a4915..e434f13f 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp_data/evpciph_aes_siv.txt ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp_data/evpciph_aes_siv.txt +@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93 + Plaintext = 112233445566778899aabbccddee + Ciphertext = 40c02b9690c4dc04daef7f6afe5c + ++Cipher = aes-128-siv ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++Tag = f1c5fdeac1f15a26779c1501f9fb7588 ++Plaintext = 112233445566778899aabbccddee ++Ciphertext = 27e946c669088ab06da58c5c831c ++ ++Cipher = aes-128-siv ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++AAD = ++Tag = d1022f5b3664e5a4dfaf90f85be6f28a ++Plaintext = 112233445566778899aabbccddee ++Ciphertext = b66cff6b8eca0b79f083b39a0901 ++ + Cipher = aes-128-siv + Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f + AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 +@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f + Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 + Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d + ++Cipher = aes-128-siv ++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f ++AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 ++AAD = ++AAD = 09f911029d74e35bd84156c5635688c0 ++Tag = 83ce6593a8fa67eb6fcd2819cedfc011 ++Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 ++Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d ++ ++Cipher = aes-128-siv ++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f ++AAD = ++AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 ++AAD = 09f911029d74e35bd84156c5635688c0 ++Tag = 77dd4a44f5a6b41302121ee7f378de25 ++Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 ++Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe ++ + Cipher = aes-192-siv + Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0 + AAD = 101112131415161718191a1b1c1d1e1f2021222324252627 +-- +2.33.0 + diff --git a/0004-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch b/0004-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch new file mode 100644 index 0000000..b4c32af --- /dev/null +++ b/0004-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch @@ -0,0 +1,57 @@ +From 7058d271753e1c2ca7d9384e09fd84b98e92c440 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 4 Jul 2023 17:30:35 +0200 +Subject: [PATCH 2/9] Do not ignore empty associated data with AES-SIV mode + +The AES-SIV mode allows for multiple associated data items +authenticated separately with any of these being 0 length. + +The provided implementation ignores such empty associated data +which is incorrect in regards to the RFC 5297 and is also +a security issue because such empty associated data then become +unauthenticated if an application expects to authenticate them. + +Fixes CVE-2023-2975 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale + +reference: https://github.com/openssl/openssl/pull/21384 +Signed-off-by: yexiao +--- + .../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_siv.c b/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_siv.c +index 45010b90..b396c865 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_siv.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_siv.c +@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, + if (!ossl_prov_is_running()) + return 0; + +- if (inl == 0) { +- *outl = 0; +- return 1; +- } ++ /* Ignore just empty encryption/decryption call and not AAD. */ ++ if (out != NULL) { ++ if (inl == 0) { ++ if (outl != NULL) ++ *outl = 0; ++ return 1; ++ } + +- if (outsize < inl) { +- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); +- return 0; ++ if (outsize < inl) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); ++ return 0; ++ } + } + + if (ctx->hw->cipher(ctx, out, in, inl) <= 0) +-- +2.33.0 + diff --git a/0005-Add-a-test-for-CVE-2023-3446.patch b/0005-Add-a-test-for-CVE-2023-3446.patch new file mode 100644 index 0000000..d596992 --- /dev/null +++ b/0005-Add-a-test-for-CVE-2023-3446.patch @@ -0,0 +1,63 @@ +From 3a2feb831096ede8621a9ae9053b48f732dc30b1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 7 Jul 2023 14:39:48 +0100 +Subject: [PATCH 3/9] Add a test for CVE-2023-3446 + +Confirm that the only errors DH_check() finds with DH parameters with an +excessively long modulus is that the modulus is too large. We should not +be performing time consuming checks using that modulus. + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz + +reference: https://github.com/openssl/openssl/pull/21451 +Signed-off-by: yexiao +--- + .../Library/OpensslLib/openssl/test/dhtest.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c +index 7b587f3c..f8dd8f3a 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c +@@ -73,7 +73,7 @@ static int dh_test(void) + goto err1; + + /* check fails, because p is way too small */ +- if (!DH_check(dh, &i)) ++ if (!TEST_true(DH_check(dh, &i))) + goto err2; + i ^= DH_MODULUS_TOO_SMALL; + if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) +@@ -124,6 +124,17 @@ static int dh_test(void) + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + ++ /* Modulus of size: dh check max modulus bits + 1 */ ++ if (!TEST_true(BN_set_word(p, 1)) ++ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) ++ goto err3; ++ ++ /* ++ * We expect no checks at all for an excessively large modulus ++ */ ++ if (!TEST_false(DH_check(dh, &i))) ++ goto err3; ++ + /* + * II) key generation + */ +@@ -138,7 +149,7 @@ static int dh_test(void) + goto err3; + + /* ... and check whether it is valid */ +- if (!DH_check(a, &i)) ++ if (!TEST_true(DH_check(a, &i))) + goto err3; + if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) + || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) +-- +2.33.0 + diff --git a/0006-Fix-DH_check-excessive-time-with-over-sized-modulus.patch b/0006-Fix-DH_check-excessive-time-with-over-sized-modulus.patch new file mode 100644 index 0000000..68bf2d2 --- /dev/null +++ b/0006-Fix-DH_check-excessive-time-with-over-sized-modulus.patch @@ -0,0 +1,74 @@ +From 96452ca9276610c46b7cb61f9efaf787bea627d0 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 6 Jul 2023 16:36:35 +0100 +Subject: [PATCH 4/9] Fix DH_check() excessive time with over sized modulus + +The DH_check() function checks numerous aspects of the key or parameters +that have been supplied. Some of those checks use the supplied modulus +value even if it is excessively large. + +There is already a maximum DH modulus size (10,000 bits) over which +OpenSSL will not generate or derive keys. DH_check() will however still +perform various tests for validity on such a large modulus. We introduce a +new maximum (32,768) over which DH_check() will just fail. + +An application that calls DH_check() and supplies a key or parameters +obtained from an untrusted source could be vulnerable to a Denial of +Service attack. + +The function DH_check() is itself called by a number of other OpenSSL +functions. An application calling any of those other functions may +similarly be affected. The other functions affected by this are +DH_check_ex() and EVP_PKEY_param_check(). + +CVE-2023-3446 + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz + +reference: https://github.com/openssl/openssl/pull/21451 +Signed-off-by: yexiao +--- + CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c | 6 ++++++ + CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h | 6 +++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c +index 0b391910..84a92699 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c +@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret) + if (nid != NID_undef) + return 1; + ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + if (!DH_check_params(dh, ret)) + return 0; + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h +index b97871ec..36420f51 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h ++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/dh.h +@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); + # include + + # ifndef OPENSSL_DH_MAX_MODULUS_BITS +-# define OPENSSL_DH_MAX_MODULUS_BITS 10000 ++# define OPENSSL_DH_MAX_MODULUS_BITS 10000 ++# endif ++ ++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS ++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 + # endif + + # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 +-- +2.33.0 + diff --git a/0007-Make-DH_check-set-some-error-bits-in-recently-added-.patch b/0007-Make-DH_check-set-some-error-bits-in-recently-added-.patch new file mode 100644 index 0000000..7d7047e --- /dev/null +++ b/0007-Make-DH_check-set-some-error-bits-in-recently-added-.patch @@ -0,0 +1,39 @@ +From 66ed0773fff248363b63273f78de8fe6da87a8b4 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 23 Jul 2023 14:27:54 +0200 +Subject: [PATCH 5/9] Make DH_check set some error bits in recently added error + +The pre-existing error cases where DH_check returned zero +are not related to the dh params in any way, but are only +triggered by out-of-memory errors, therefore having *ret +set to zero feels right, but since the new error case is +triggered by too large p values that is something different. +On the other hand some callers of this function might not +be prepared to handle the return value correctly but only +rely on *ret. Therefore we set some error bits in *ret as +additional safety measure. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz + +reference: https://github.com/openssl/openssl/pull/21524 +Signed-off-by: yexiao +--- + CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c +index 84a92699..aef6f9b1 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c +@@ -155,6 +155,7 @@ int DH_check(const DH *dh, int *ret) + /* Don't do any checks at all with an excessively large modulus */ + if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME; + return 0; + } + +-- +2.33.0 + diff --git a/0008-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch b/0008-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch new file mode 100644 index 0000000..2eb03ab --- /dev/null +++ b/0008-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch @@ -0,0 +1,60 @@ +From 7d3ba65d3f707ba29c854e6b1c73a68c941041ba Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 25 Jul 2023 15:22:48 +0200 +Subject: [PATCH 6/9] DH_check(): Do not try checking q properties if it is + obviously invalid + +If |q| >= |p| then the q value is obviously wrong as q +is supposed to be a prime divisor of p-1. + +We check if p is overly large so this added test implies that +q is not large either when performing subsequent tests using that +q value. + +Otherwise if it is too large these additional checks of the q value +such as the primality test can then trigger DoS by doing overly long +computations. + +Fixes CVE-2023-3817 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +Reviewed-by: Todd Short + +reference: https://github.com/openssl/openssl/pull/21550 +Signed-off-by: yexiao +--- + .../Library/OpensslLib/openssl/crypto/dh/dh_check.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c +index aef6f9b1..fbe27975 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dh/dh_check.c +@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret) + #ifdef FIPS_MODULE + return DH_check_params(dh, ret); + #else +- int ok = 0, r; ++ int ok = 0, r, q_good = 0; + BN_CTX *ctx = NULL; + BIGNUM *t1 = NULL, *t2 = NULL; + int nid = DH_get_nid((DH *)dh); +@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret) + goto err; + + if (dh->params.q != NULL) { ++ if (BN_ucmp(dh->params.p, dh->params.q) > 0) ++ q_good = 1; ++ else ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ } ++ ++ if (q_good) { + if (BN_cmp(dh->params.g, BN_value_one()) <= 0) + *ret |= DH_NOT_SUITABLE_GENERATOR; + else if (BN_cmp(dh->params.g, dh->params.p) >= 0) +-- +2.33.0 + diff --git a/0009-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch b/0009-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch new file mode 100644 index 0000000..91a17dd --- /dev/null +++ b/0009-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch @@ -0,0 +1,52 @@ +From 6f3b1ae0a836880038787a1315b5b815f2951c8d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 25 Jul 2023 15:23:43 +0200 +Subject: [PATCH 7/9] dhtest.c: Add test of DH_check() with q = p + 1 + +This must fail with DH_CHECK_INVALID_Q_VALUE and +with DH_CHECK_Q_NOT_PRIME unset. + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +Reviewed-by: Todd Short + +reference: https://github.com/openssl/openssl/pull/21550 +Signed-off-by: yexiao +--- + CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c +index f8dd8f3a..d02b3b7c 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/dhtest.c +@@ -124,6 +124,15 @@ static int dh_test(void) + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + ++ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one()))) ++ goto err3; ++ ++ if (!TEST_true(DH_check(dh, &i))) ++ goto err3; ++ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE) ++ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME)) ++ goto err3; ++ + /* Modulus of size: dh check max modulus bits + 1 */ + if (!TEST_true(BN_set_word(p, 1)) + || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) +@@ -135,6 +144,9 @@ static int dh_test(void) + if (!TEST_false(DH_check(dh, &i))) + goto err3; + ++ /* We'll have a stale error on the queue from the above test so clear it */ ++ ERR_clear_error(); ++ + /* + * II) key generation + */ +-- +2.33.0 + diff --git a/0010-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch b/0010-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch new file mode 100644 index 0000000..36049b2 --- /dev/null +++ b/0010-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch @@ -0,0 +1,123 @@ +From 6b5fa79607808b28830ac267253dfbf6ed9c463c Mon Sep 17 00:00:00 2001 +From: liwei +Date: Fri, 26 Jan 2024 18:45:28 +0800 +Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL + +PKCS12 structures contain PKCS7 ContentInfo fields. These fields are +optional and can be NULL even if the "type" is a valid value. OpenSSL +was not properly accounting for this and a NULL dereference can occur +causing a crash. + +CVE-2024-0727 + +Reviewed-by: Tomas Mraz +Reviewed-by: Hugo Landau +Reviewed-by: Neil Horman + +reference: https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2 +Signed-off-by: yexiao +--- + .../OpensslLib/openssl/crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ + .../openssl/crypto/pkcs12/p12_mutl.c | 5 +++++ + .../openssl/crypto/pkcs12/p12_npas.c | 5 +++-- + .../OpensslLib/openssl/crypto/pkcs7/pk7_mime.c | 7 +++++-- + 4 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c +index 6fd4184a..80ce31b3 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_add.c +@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + p7s = ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + if (p7s != NULL) { +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c +index afdb8d68..67be81eb 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_mutl.c +@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (p12->mac->iter == NULL) +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c +index 62230bc6..1e5b5495 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_npas.c +@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c +index 49a0da5f..8228315e 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_mime.c +@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) + int ctype_nid = OBJ_obj2nid(p7->type); + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + +-- +2.33.0 + diff --git a/0011-poly1305-ppc.pl-Fix-vector-register-clobbering.patch b/0011-poly1305-ppc.pl-Fix-vector-register-clobbering.patch new file mode 100644 index 0000000..1be35a9 --- /dev/null +++ b/0011-poly1305-ppc.pl-Fix-vector-register-clobbering.patch @@ -0,0 +1,112 @@ +From 1df7dcaa6684420a74e6f935e0b5290fb616d5a8 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Thu, 4 Jan 2024 10:25:50 +0100 +Subject: [PATCH 9/9] poly1305-ppc.pl: Fix vector register clobbering + +Fixes CVE-2023-6129 + +The POLY1305 MAC (message authentication code) implementation in OpenSSL for +PowerPC CPUs saves the the contents of vector registers in different order +than they are restored. Thus the contents of some of these vector registers +is corrupted when returning to the caller. The vulnerable code is used only +on newer PowerPC processors supporting the PowerISA 2.07 instructions. + +Reviewed-by: Matt Caswell +Reviewed-by: Richard Levitte +Reviewed-by: Tomas Mraz + +reference: https://github.com/openssl/openssl/pull/23200 +Signed-off-by: yexiao +--- + .../crypto/poly1305/asm/poly1305-ppc.pl | 42 +++++++++---------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl b/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl +index 9f86134d..2e601bb9 100755 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl +@@ -744,7 +744,7 @@ ___ + my $LOCALS= 6*$SIZE_T; + my $VSXFRAME = $LOCALS + 6*$SIZE_T; + $VSXFRAME += 128; # local variables +- $VSXFRAME += 13*16; # v20-v31 offload ++ $VSXFRAME += 12*16; # v20-v31 offload + + my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0; + +@@ -919,12 +919,12 @@ __poly1305_blocks_vsx: + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1153,12 +1153,12 @@ __poly1305_blocks_vsx: + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1899,26 +1899,26 @@ Ldone_vsx: + mtspr 256,r12 # restore vrsave + lvx v20,r10,$sp + addi r10,r10,32 +- lvx v21,r10,$sp +- addi r10,r10,32 +- lvx v22,r11,$sp ++ lvx v21,r11,$sp + addi r11,r11,32 +- lvx v23,r10,$sp ++ lvx v22,r10,$sp + addi r10,r10,32 +- lvx v24,r11,$sp ++ lvx v23,r11,$sp + addi r11,r11,32 +- lvx v25,r10,$sp ++ lvx v24,r10,$sp + addi r10,r10,32 +- lvx v26,r11,$sp ++ lvx v25,r11,$sp + addi r11,r11,32 +- lvx v27,r10,$sp ++ lvx v26,r10,$sp + addi r10,r10,32 +- lvx v28,r11,$sp ++ lvx v27,r11,$sp + addi r11,r11,32 +- lvx v29,r10,$sp ++ lvx v28,r10,$sp + addi r10,r10,32 +- lvx v30,r11,$sp +- lvx v31,r10,$sp ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp + $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) + $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) + $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) +-- +2.33.0 + diff --git a/edk2.spec b/edk2.spec index 0b910f0..99f8ed1 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date} -Release: 2 +Release: 3 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 @@ -20,6 +20,15 @@ Source5: edk2-ovmf-x64-nosb.json patch0: 0001-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch patch1: 0002-add-Wno-maybe-uninitialized-to-fix-build-error.patch +patch2: 0003-Add-testcases-for-empty-associated-data-entries-with.patch +patch3: 0004-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch +patch4: 0005-Add-a-test-for-CVE-2023-3446.patch +patch5: 0006-Fix-DH_check-excessive-time-with-over-sized-modulus.patch +patch6: 0007-Make-DH_check-set-some-error-bits-in-recently-added-.patch +patch7: 0008-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch +patch8: 0009-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch +patch9: 0010-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch +patch10: 0011-poly1305-ppc.pl-Fix-vector-register-clobbering.patch BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl @@ -257,6 +266,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Sat Feb 24 2024 yexiao - 202308-3 +- Fix CVE-2023-3446、CVE-2023-3817、CVE-2024-0727、CVE-2023-2975、CVE-2023-6129 + * Thu Jan 25 2024 duyiwei - 202308-2 - Added firmware scanning directory mapping for libvirt XML -- Gitee