diff --git a/0080-Fix-timing-side-channel-CVE-2024-13176.patch b/0080-Fix-timing-side-channel-CVE-2024-13176.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ba4b4829cfe54fe18fe66a2f46b33da819e4325d
--- /dev/null
+++ b/0080-Fix-timing-side-channel-CVE-2024-13176.patch
@@ -0,0 +1,121 @@
+From ccdf50988462e9889f3553cbefbe81bba3e41e1f Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Tue, 25 Feb 2025 23:29:26 +0800
+Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
+There is a timing signal of around 300 nanoseconds when the top word of
+the inverted ECDSA nonce value is zero. This can happen with significant
+probability only for some of the supported elliptic curves. In particular
+the NIST P-521 curve is affected. To be able to measure this leak, the
+attacker process must either be located in the same physical computer or
+must have a very fast network connection with low latency.
+
+Attacks on ECDSA nonce are also known as Minerva attack.
+
+Fixes CVE-2024-13176
+
+Reviewed-by: Tim Hudson
+Reviewed-by: Neil Horman
+Reviewed-by: Paul Dale
+
+---
+ .../OpensslLib/openssl/crypto/bn/bn_exp.c | 21 +++++++++++++------
+ .../OpensslLib/openssl/crypto/ec/ec_lib.c | 7 ++++---
+ .../OpensslLib/openssl/include/crypto/bn.h | 3 +++
+ 3 files changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+index 4e169ae1..a161e580 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+@@ -598,7 +598,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+ * out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont)
+ {
+@@ -615,10 +615,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ unsigned int t4 = 0;
+ #endif
+ 
+- bn_check_top(a);
+- bn_check_top(p);
+- bn_check_top(m);
+-
+ if (!BN_is_odd(m)) {
+ ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
+ return 0;
+@@ -1138,7 +1134,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ goto err;
+ } else
+ #endif
+- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
++ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
+ goto err;
+ ret = 1;
+ err:
+@@ -1152,6 +1148,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ return ret;
+ }
+ 
++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *in_mont)
++{
++ bn_check_top(a);
++ bn_check_top(p);
++ bn_check_top(m);
++ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
++ return 0;
++ bn_correct_top(rr);
++ return 1;
++}
++
+ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+index b1696d93..1f0bf1ec 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include "crypto/ec.h"
++#include "crypto/bn.h"
+ #include "internal/nelem.h"
+ #include "ec_local.h"
+ 
+@@ -1262,10 +1263,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+ if (!BN_sub(e, group->order, e))
+ goto err;
+ /*-
+- * Exponent e is public.
+- * No need for scatter-gather or BN_FLG_CONSTTIME.
++ * Although the exponent is public we want the result to be
++ * fixed top.
+ */
+- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
++ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
+ goto err;
+ 
+ ret = 1;
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+index fd1c09d9..ba50bca2 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+ */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ BN_MONT_CTX *mont, BN_CTX *ctx);
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+-- 
+2.33.0
+
diff --git a/0081-Free-the-read-buffers-CVE-2024-4741.patch b/0081-Free-the-read-buffers-CVE-2024-4741.patch
new file mode 100644
index 0000000000000000000000000000000000000000..43730faf6d5a0873bff07c8b9c63f045fbd2544f
--- /dev/null
+++ b/0081-Free-the-read-buffers-CVE-2024-4741.patch
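Review bot: The public wrapper `BN_mod_exp_mont_consttime` added in the `@@ -1152,6 +1148,19 @@` hunk of bn_exp.c carries no comment, while the original "Colin Percival" comment block now sits above the renamed internal `bn_mod_exp_mont_fixed_top`, and the new prototype in crypto/bn.h is likewise undocumented. Suggest placing `/* Public entry point: validates a, p and m, runs bn_mod_exp_mont_fixed_top() and then normalises rr's top word count. The fixed-top variant is exported separately so callers that must not leak the result's word count (ec_field_inverse_mod_ord() in this patch) can skip the normalisation. */` above the wrapper, and a one-line `/* Like BN_mod_exp_mont_consttime() but leaves rr fixed-top; no bn_check_top() on inputs */` on the declaration in bn.h. Both statements follow directly from the visible hunks: the wrapper is the only place the `bn_check_top` calls and `bn_correct_top(rr)` now happen, and the ec_lib.c comment says the fixed-top result is what the caller wants.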
@@ -0,0 +1,70 @@
+From f40c84cc031796e0469c6294abbf945455084627 Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Mon, 24 Feb 2025 22:50:29 +0800
+Subject: [PATCH] fix CVE-2024-4741
+Only free the read buffers if we're not using them
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+
+---
+ .../Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c | 9 +++++++++
+ CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h | 1 +
+ CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+index 3baf8207..99602b6b 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+ return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++ if (rl->rstate == SSL_ST_READ_BODY)
++ return 1;
++ if (RECORD_LAYER_processed_read_pending(rl))
++ return 1;
++ return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+index 234656bf..b60f71c8 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index 5d57f5d2..ac4ae41e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -5489,6 +5489,9 @@ int SSL_free_buffers(SSL *ssl)
+ if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+ return 0;
+ 
++ if (RECORD_LAYER_data_present(rl))
++ return 0;
++
+ RECORD_LAYER_release(rl);
+ return 1;
+ }
+-- 
+2.33.0
+
diff --git a/0082-Process-key-length-CVE-2023-5363.patch b/0082-Process-key-length-CVE-2023-5363.patch
new file mode 100644
index 0000000000000000000000000000000000000000..055c6bd26b6f9f89b8240c36d1a4cf7494d5a1d0
--- /dev/null
+++ b/0082-Process-key-length-CVE-2023-5363.patch
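Review bot: `RECORD_LAYER_data_present` in the rec_layer_s3.c hunk is added without a leading comment, although its neighbour `RECORD_LAYER_processed_read_pending` has one and the function is the whole reason `SSL_free_buffers` may now return 0. Suggest `/* Checks if a record is part-way through being read (rstate == SSL_ST_READ_BODY) or decrypted record data is still pending; the read buffers must not be released while this is true */` above the definition, and the same one-liner on the new prototype in record.h. Both conditions named in the comment are exactly the two tests visible in the function body.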
@@ -0,0 +1,79 @@
+From 583189d64994d0a2eb2bac1591fa207210d4be7f Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Mon, 24 Feb 2025 23:05:55 +0800
+Subject: [PATCH] evp: process key length and iv length early if present
+ evp_cipher_init_internal() takes a params array argument and this is
+ processed late in the initialisation process for some ciphers (AEAD ones).
+
+This means that changing the IV length as a parameter will either truncate the
+IV (very bad if SP 800-38d section 8.2.1 is used) or grab extra uninitialised
+bytes.
+
+Truncation is very bad if SP 800-38d section 8.2.1 is being used to
+contruct a deterministic IV. This leads to an instant loss of confidentiality.
+
+Grabbing extra bytes isn't so serious, it will most likely result in a bad
+decryption.
+
+Problem reported by Tony Battersby of Cybernetics.com but earlier discovered
+and raised as issue #19822.
+
+Fixes CVE-2023-5363
+Fixes #19822
+
+Reviewed-by: Hugo Landau
+Reviewed-by: Matt Caswell
+---
+ .../OpensslLib/openssl/crypto/evp/evp_enc.c | 36 +++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c
+index b178d108..2dff3e66 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c
+@@ -218,6 +218,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
+ return 0;
+ }
+ 
++#ifndef FIPS_MODULE
++ /*
++ * Fix for CVE-2023-5363
++ * Passing in a size as part of the init call takes effect late
++ * so, force such to occur before the initialisation.
++ *
++ * The FIPS provider's internal library context is used in a manner
++ * such that this is not an issue.
++ */
++ if (params != NULL) {
++ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
++ OSSL_PARAM_END };
++ OSSL_PARAM *q = param_lens;
++ const OSSL_PARAM *p;
++
++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
++ if (p != NULL)
++ memcpy(q++, p, sizeof(*q));
++
++ /*
++ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
++ * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
++ */
++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
++ if (p != NULL)
++ memcpy(q++, p, sizeof(*q));
++
++ if (q != param_lens) {
++ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
++ return 0;
++ }
++ }
++ }
++#endif
++
+ if (enc) {
+ if (ctx->cipher->einit == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+-- 
+2.33.0
+
diff --git a/edk2.spec b/edk2.spec
index 507a06f09738ece7ce1988a4d7cf92f38deddb15..ba85a91065375325c0c1e2213c3a24fef2b24c46 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date}
-Release: 16
+Release: 17
 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2
@@ -127,6 +127,11 @@ patch77: 0077-VirtioDxe-add-support-of-MMIO-Bar-for-virtio-devices.patch patch78: 0078-Virtio-wait-virtio-device-reset-done.patch patch79: 0079-VirtioBlk-split-large-IO-according-to-segment_size_m.patch
+# Fix CVE-2024-13176
+patch80: 0080-Fix-timing-side-channel-CVE-2024-13176.patch
+patch81: 0081-Free-the-read-buffers-CVE-2024-4741.patch
+patch82: 0082-Process-key-length-CVE-2023-5363.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl %description
@@ -396,6 +401,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog
+* Sun Feb 23 2025 huyu - 202308-17
+- fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363
+
 * Fri Nov 29 2024 adttil<2429917001@qq.com> - 202308-16 - vdpa: support vdpa blk/scsi device boot
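Review bot: The mail header of this patch file is malformed: the `Subject: [PATCH] evp: process key length and iv length early if present` line is followed directly by ` evp_cipher_init_internal() takes a params array argument and this is` and ` processed late in the initialisation process ...`, whose leading spaces make them RFC 5322 header continuation lines, so a `git am`/`git mailinfo` import folds the first body paragraph into the commit subject. A blank line after the `Subject:` line fixes this; `patch -p1`-style application of the hunk is unaffected since it ignores the mail headers. The same missing blank line after `Subject:` is present in 0080 and 0081, though there the following body lines carry no leading space. Separately, `synomym` in the added comment should read `synonym`.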
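Review bot: The comment `# Fix CVE-2024-13176` in the `@@ -127,6 +127,11 @@` hunk introduces three patch lines but names only the first CVE; `# Fix CVE-2024-13176, CVE-2024-4741 and CVE-2023-5363`, or one comment per patch line, would keep the list self-describing. Whether patch80–patch82 are actually applied depends on the %prep section, which is outside this diff; if the spec uses explicit `%patch` macros rather than `%autosetup`, matching entries are needed there. The changelog entry in the following hunk is dated Sun Feb 23 2025 while the three patch files themselves carry Feb 24–25 2025 dates, which looks inconsistent.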