From dca6166663981abae5d7ae58a31264ac580d2f9b Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 10:52:25 +0000 Subject: [PATCH 1/4] fix CVE-2024-4603 --- ...ters-for-excessive-sizes-before-vali.patch | 203 ++++++++++++++++++ edk2.spec | 8 +- 2 files changed, 210 insertions(+), 1 deletion(-) create mode 100644 0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch diff --git a/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch new file mode 100644 index 0000000..be8ac11 --- /dev/null +++ b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch @@ -0,0 +1,203 @@ +From 3559e868e58005d15c6013a0c1fd832e51c73397 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 8 May 2024 15:23:45 +0200 +Subject: [PATCH] Check DSA parameters for excessive sizes before validating + +This avoids overly long computation of various validation +checks. + +Fixes CVE-2024-4603 + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +Reviewed-by: Neil Horman +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/24346) + +(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b) +--- + CHANGES.md | 17 ++++++ + crypto/dsa/dsa_check.c | 44 ++++++++++++-- + .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ + 3 files changed, 114 insertions(+), 4 deletions(-) + create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem + +diff --git a/CHANGES.md b/CHANGES.md +index 5590704670..16913a049b 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -30,6 +30,23 @@ breaking changes, and mappings for the large list of deprecated functions. + + ### Changes between 3.0.13 and 3.0.14 [xx XXX xxxx] + ++ * Fixed an issue where checking excessively long DSA keys or parameters may ++ be very slow. ++ ++ Applications that use the functions EVP_PKEY_param_check() or ++ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may ++ experience long delays. Where the key or parameters that are being checked ++ have been obtained from an untrusted source this may lead to a Denial of ++ Service. ++ ++ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS ++ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error ++ reason. ++ ++ ([CVE-2024-4603]) ++ ++ *Tomáš Mráz* ++ + * Fixed an issue where some non-default TLS server configurations can cause + unbounded memory growth when processing TLSv1.3 sessions. An attacker may + exploit certain server configurations to trigger unbounded memory growth that +diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c +index fb0e9129a2..122449a7bf 100644 +--- a/crypto/dsa/dsa_check.c ++++ b/crypto/dsa/dsa_check.c +@@ -19,8 +19,34 @@ + #include "dsa_local.h" + #include "crypto/dsa.h" + ++static int dsa_precheck_params(const DSA *dsa, int *ret) ++{ ++ if (dsa->params.p == NULL || dsa->params.q == NULL) { ++ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS); ++ *ret = FFC_CHECK_INVALID_PQ; ++ return 0; ++ } ++ ++ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE); ++ *ret = FFC_CHECK_INVALID_PQ; ++ return 0; ++ } ++ ++ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) { ++ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE); ++ *ret = FFC_CHECK_INVALID_PQ; ++ return 0; ++ } ++ ++ return 1; ++} ++ + int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) + { ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, + FFC_PARAM_TYPE_DSA, ret); +@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) + */ + int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) + { ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ + return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) + && *ret == 0; + } +@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) + */ + int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) + { ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ + return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret) + && *ret == 0; + } +@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret) + { + *ret = 0; + +- return (dsa->params.q != NULL +- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret)); ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ ++ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret); + } + + /* +@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa) + BN_CTX *ctx = NULL; + BIGNUM *pub_key = NULL; + +- if (dsa->params.p == NULL +- || dsa->params.g == NULL ++ if (!dsa_precheck_params(dsa, &ret)) ++ return 0; ++ ++ if (dsa->params.g == NULL + || dsa->priv_key == NULL + || dsa->pub_key == NULL) + return 0; +diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem +new file mode 100644 +index 0000000000..e85e2953b7 +--- /dev/null ++++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem +@@ -0,0 +1,57 @@ ++-----BEGIN DSA PARAMETERS----- ++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja ++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil ++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF ++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk ++oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW ++dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb ++Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O ++pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ ++P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5 ++hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2 ++UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB ++koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN ++TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl ++RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ ++4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg ++c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG ++cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE ++DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN ++Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2 ++rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8 ++PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd ++UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW ++5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9 ++wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7 ++R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s ++xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs ++0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN ++uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy ++9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx ++TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36 ++gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2 ++ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B ++R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8 ++F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W ++SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl +++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX ++UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq ++fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX ++qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot ++B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK ++hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco ++4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD ++vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3 ++k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy ++i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct ++9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+ ++ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd ++Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG ++KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E ++x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk ++XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF ++YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d ++ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa ++4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D ++vKuje86bePD6kD/LH3wmkA== ++-----END DSA PARAMETERS----- +-- +2.43.0 + diff --git a/edk2.spec b/edk2.spec index 0fa6b76..b2095d7 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date} -Release: 18 +Release: 19 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 @@ -135,6 +135,9 @@ patch83: 0083-Fix-timing-side-channel-CVE-2024-13176.patch patch84: 0084-Free-the-read-buffers-CVE-2024-4741.patch patch85: 0085-Process-key-length-CVE-2023-5363.patch +#Fix CVE-2024-4603 +patch86: 0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl %description @@ -404,6 +407,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Thu Mar 6 2025 zhihang - 202308-19 +- fix CVE-2024-4603 + * Sun Feb 23 2025 huyu - 202308-18 - fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363 -- Gitee From c60708fa45672fcdef367754b27ac0e7df53abae Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 10:56:32 +0000 Subject: [PATCH 2/4] update 0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch. Signed-off-by: zhihang --- ...ters-for-excessive-sizes-before-vali.patch | 31 +------------------ 1 file changed, 1 insertion(+), 30 deletions(-) diff --git a/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch index be8ac11..3313448 100644 --- a/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch +++ b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch @@ -16,40 +16,11 @@ Reviewed-by: Shane Lontis (cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b) --- - CHANGES.md | 17 ++++++ crypto/dsa/dsa_check.c | 44 ++++++++++++-- .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ - 3 files changed, 114 insertions(+), 4 deletions(-) + 2 files changed, 97 insertions(+), 4 deletions(-) create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem -diff --git a/CHANGES.md b/CHANGES.md -index 5590704670..16913a049b 100644 ---- a/CHANGES.md -+++ b/CHANGES.md -@@ -30,6 +30,23 @@ breaking changes, and mappings for the large list of deprecated functions. - - ### Changes between 3.0.13 and 3.0.14 [xx XXX xxxx] - -+ * Fixed an issue where checking excessively long DSA keys or parameters may -+ be very slow. -+ -+ Applications that use the functions EVP_PKEY_param_check() or -+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may -+ experience long delays. Where the key or parameters that are being checked -+ have been obtained from an untrusted source this may lead to a Denial of -+ Service. -+ -+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS -+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error -+ reason. -+ -+ ([CVE-2024-4603]) -+ -+ *Tomáš Mráz* -+ - * Fixed an issue where some non-default TLS server configurations can cause - unbounded memory growth when processing TLSv1.3 sessions. An attacker may - exploit certain server configurations to trigger unbounded memory growth that diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c index fb0e9129a2..122449a7bf 100644 --- a/crypto/dsa/dsa_check.c -- Gitee From 8f3f37bc5fd44acf3dcc8cee3ce52dc71734a6db Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 11:00:08 +0000 Subject: [PATCH 3/4] update 0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch. Signed-off-by: zhihang --- ...SA-parameters-for-excessive-sizes-before-vali.patch | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch index 3313448..2b0020c 100644 --- a/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch +++ b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch @@ -21,10 +21,10 @@ Reviewed-by: Shane Lontis 2 files changed, 97 insertions(+), 4 deletions(-) create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem -diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c index fb0e9129a2..122449a7bf 100644 ---- a/crypto/dsa/dsa_check.c -+++ b/crypto/dsa/dsa_check.c +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c @@ -19,8 +19,34 @@ #include "dsa_local.h" #include "crypto/dsa.h" @@ -106,11 +106,11 @@ index fb0e9129a2..122449a7bf 100644 || dsa->priv_key == NULL || dsa->pub_key == NULL) return 0; -diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem new file mode 100644 index 0000000000..e85e2953b7 --- /dev/null -+++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem @@ -0,0 +1,57 @@ +-----BEGIN DSA PARAMETERS----- +MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja -- Gitee From 25616c61c107184e3d76798636ada72e66a2cb01 Mon Sep 17 00:00:00 2001 From: zhihang Date: Thu, 6 Mar 2025 11:04:49 +0000 Subject: [PATCH 4/4] update 0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch. Signed-off-by: zhihang --- ...Check-DSA-parameters-for-excessive-sizes-before-vali.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch index 2b0020c..15e3682 100644 --- a/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch +++ b/0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch @@ -16,8 +16,8 @@ Reviewed-by: Shane Lontis (cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b) --- - crypto/dsa/dsa_check.c | 44 ++++++++++++-- - .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ + CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c | 44 ++++++++++++-- + CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ 2 files changed, 97 insertions(+), 4 deletions(-) create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem -- Gitee