From 6bae7eff7973948b5b2d5e15d16272581610fc64 Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
Date: Mon, 3 Jun 2024 10:08:19 +0800
Subject: [PATCH] Fix CVE-2024-1298

Backport upstream patches to fix CVE-2024-1298

Link:
https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19

Signed-off-by: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
---
 ...ential-UINT32-overflow-in-S3-ResumeC.patch | 47 +++++++++++++++++++
 edk2.spec                                     |  8 +++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 0046-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch

diff --git a/0046-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch b/0046-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
new file mode 100644
index 0000000..9f24024
--- /dev/null
+++ b/0046-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
@@ -0,0 +1,47 @@
+From 489e33b1b37c802349f16d2ef19e7c207dbc01c3 Mon Sep 17 00:00:00 2001
+From: Shanmugavel Pakkirisamy <shanmugavelx.pakkirisamy@intel.com>
+Date: Mon, 6 May 2024 17:53:09 +0800
+Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+
+Attacker able to modify physical memory and ResumeCount.
+System will crash/DoS when ResumeCount reaches its MAX_UINT32.
+
+Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+
+Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+---
+ .../FirmwarePerformancePei.c                         | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+index 2f2b2a8..2ba9215 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+@@ -112,11 +112,15 @@ FpdtStatusCodeListenerPei (
+   //
+   S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
+   AcpiS3ResumeRecord->ResumeCount++;
+-  AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++  if (AcpiS3ResumeRecord->ResumeCount > 0) {
++    AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++    DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
++  } else {
++    DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
++  }
+ 
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = %d\n", AcpiS3ResumeRecord->ResumeCount));
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = %ld\n", AcpiS3ResumeRecord->FullResume));
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = 0x%x\n", AcpiS3ResumeRecord->FullResume));
+ 
+   //
+   // Update S3 Suspend Performance Record.
+-- 
+2.33.0
+
diff --git a/edk2.spec b/edk2.spec
index 6a4b577..b162c32 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 7
+Release: 8
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT 
 URL: https://github.com/tianocore/edk2
@@ -69,6 +69,9 @@ patch43: 0043-Hardening-around-not_resumable-sessions.patch
 patch44: 0044-Add-a-test-for-session-cache-overflow.patch
 patch45: 0045-Limit-the-execution-time-of-RSA-public-key-check.patch
 
+# Fix CVE-2024-1298
+patch46: 0046-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl 
 
 %description
@@ -307,6 +310,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Mon Jun 03 2024 Zhao Mengmeng <zhaomengmeng@kylinos.cn> - 202308-8
+- fix CVE-2024-1298
+
 * Wed Apr 17 2024 jiangdongxu<jiangdongxu1@huawei.com> - 202308-7
 - make EFI_LOADER_DATA executable again.
 
-- 
Gitee