From e90700e1bbee8afb2e66b8b19bfce953a9146841 Mon Sep 17 00:00:00 2001
From: zhangxianting
Date: Wed, 9 Oct 2024 16:00:51 +0800
Subject: [PATCH] fix CVE-2024-38796
---
 ...-Fix-overflow-issue-in-BasePeCoffLib.patch | 32 +++++++++++++++++++
 edk2.spec | 8 ++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 0054-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
diff --git a/0054-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/0054-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
new file mode 100644
index 0000000..559fd57
--- /dev/null
+++ b/0054-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@@ -0,0 +1,32 @@
+From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001
+From: Doug Flick
+Date: Fri, 27 Sep 2024 12:08:55 -0700
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick
+Authored-by: sriraamx gobichettipalayam
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 86ff2e769b..128090d98e 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage (
+ RelocDir = &Hdr.Te->DataDirectory[0];
+ }
+
+- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+ RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+ ImageContext,
+--
+2.20.1
+
diff --git a/edk2.spec b/edk2.spec
index 5535ef3..7c5aedc 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 11
+Release: 12
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: https://github.com/tianocore/edk2
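Review bot: The new overflow guard on the `if ((RelocDir != NULL) && (RelocDir->Size > 0) && ...)` line fails open rather than closed: when `RelocDir->VirtualAddress + RelocDir->Size` would wrap past MAX_UINT32 the whole relocation block is simply skipped, so a malformed image is treated as having no relocations and loading continues instead of being rejected, unless a later check in PeCoffLoaderRelocateImage (which starts and ends outside this hunk) catches that case. Since this is the vendored upstream commit c95233b8525c, I would not edit the patch text itself, but a follow-up that turns the wrap into an explicit failure would make the fix easier to reason about and leaves a log trail for a corrupted or hostile image; the check is arithmetically sound as written because `Size > 0` is tested first, so `Size - 1` cannot underflow. If BasePeCoff.c has a second relocation walker for the runtime path, it is not covered by this hunk and is worth confirming separately. The combined condition is also well over the file's usual line length and would read better split, as in the excerpt below.
```c
  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
    // Fail closed: a relocation directory whose end wraps past MAX_UINT32 is malformed.
    if (RelocDir->Size - 1 >= MAX_UINT32 - RelocDir->VirtualAddress) {
      ImageContext->ImageError = IMAGE_ERROR_FAILED_RELOCATION;
      return RETURN_LOAD_ERROR;
    }
    RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
    // … unchanged: RelocBaseEnd computation and the relocation walk …
```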
@@ -90,6 +90,9 @@ patch52: 0052-Revert-LoongArchQemuPkg-auto-gen-fix-SEC-ProcessLibr.patch
 # Fix edk2 build errror with gcc-14
 patch53: 0053-relax_edk2_gcc14.patch
+# Fix CVE-2024-38796
+patch54: 0054-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
 %description
@@ -359,6 +362,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Wed Oct 09 2024 zhangxianting - 202308-12
+- fix CVE-2024-38796
+
 * Fri Sep 13 2024 Xiaotian Wu - 202308-11
 - add LoongArch support
 - backport edk2-platform to build with edk2-2308
-- Gitee