From a95770f1400ba5a8c141ba582a07bbfa825482cc Mon Sep 17 00:00:00 2001
From: zhangxianting
Date: Wed, 9 Oct 2024 16:26:15 +0800
Subject: [PATCH] fix CVE-2024-38796

---
 ...-Fix-overflow-issue-in-BasePeCoffLib.patch | 32 +++++++++++++++++++
 edk2.spec | 9 +++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch

diff --git a/0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
new file mode 100644
index 0000000..82620e6
--- /dev/null
+++ b/0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@@ -0,0 +1,32 @@
+From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001
+From: Doug Flick
+Date: Fri, 27 Sep 2024 12:08:55 -0700
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick
+Authored-by: sriraamx gobichettipalayam
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 1102833..7fa4714 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -991,7 +991,7 @@ PeCoffLoaderRelocateImage (
+ RelocDir = &Hdr.Te->DataDirectory[0];
+ }
+
+- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+ RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext,
+ RelocDir->VirtualAddress + RelocDir->Size - 1,
+-- 
+2.43.0
+
diff --git a/edk2.spec b/edk2.spec
index 8a5b4b3..8bd076f 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@ Name: edk2
 Version: %{stable_date}
-Release: 24
+Release: 25
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
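Review bot: The new guard on the `++ if` line folds a relocation directory whose last byte (`VirtualAddress + Size - 1`) would wrap past MAX_UINT32 into the same branch as an image that simply has no relocations, rather than rejecting the image; the rest of PeCoffLoaderRelocateImage is outside this hunk (the function starts before and continues after it), but if the fall-through path there means "nothing to relocate", a crafted image with a wrapping directory is loaded silently unrelocated instead of failing. I would keep the original `Size > 0` condition and fail inside the block so the loader reports the malformed header the way it presumably does elsewhere, something like `if (RelocDir->Size - 1 >= MAX_UINT32 - RelocDir->VirtualAddress) { ImageContext->ImageError = IMAGE_ERROR_FAILED_RELOCATION; return RETURN_LOAD_ERROR; }` — confirm those are the status and error fields the surrounding code already uses. Whichever shape is kept, the subtracted form is not obvious on reading and deserves a comment such as `// Reject a directory whose end (VirtualAddress + Size - 1) would wrap past MAX_UINT32; written in subtracted form so the check itself cannot overflow.` The unchanged `RelocBaseEnd` computation two lines below still relies on that guarantee, so the comment should sit directly above the condition.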
@@ -117,6 +117,10 @@ Patch0098: 0096-Fix-append_ia5-function-to-not-assume-NUL-terminated.patch
 Patch0099: 0097-Fix-NETSCAPE_SPKI_print-function-to-not-assume-NUL-t.patch
 Patch0100: 0098-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch
 Patch0101: 0099-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
+
+# Fix CVE-2024-38796
+patch0102: 0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2
 %description
@@ -311,6 +315,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Wed Oct 09 2024 zhangxianting - 202002-25
+- fix CVE-2024-38796
+
 * Tue Sep 3 2024 shenyage - 202002-24
 - fix CVE-2021-3712、CVE-2022-0778
-- 
Gitee
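Review bot: The added tag is spelled `patch0102:` while the neighbouring declarations use `Patch0099:`, `Patch0100:`, `Patch0101:`; rpm matches tag names case-insensitively so the build still sees it, but the inconsistency breaks grep-ability and reads like a typo, so I would write `Patch0102: 0102-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch`. Declaring the patch is also only half the job: unless %prep applies patches automatically (`%autosetup`/`%autopatch`, not visible in this hunk), a matching `%patch0102 -p1` line is needed or the CVE fix is never applied even though the changelog claims it is — worth confirming against %prep before merging. The comment could name what is being fixed so the spec is self-describing, e.g. `# Fix CVE-2024-38796 (BasePeCoffLib relocation directory overflow)`.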