From a3b550aa10c0796b3fe3d1a6269c2d76ead6ff2e Mon Sep 17 00:00:00 2001
From: TL <1045523086@qq.com>
Date: Wed, 22 Oct 2025 21:25:52 +0800
Subject: [PATCH] fix CVE-2025-9230
---
 ...ix-incorrect-check-of-unwrapped-key-.patch | 31 +++++++++++++++++++
 edk2.spec | 8 ++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 0123-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch
diff --git a/0123-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch b/0123-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch
new file mode 100644
index 0000000..1a42879
--- /dev/null
+++ b/0123-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch
@@ -0,0 +1,31 @@
+From 02fb52822b45ac385a964a44335b9c6933d6d9a9 Mon Sep 17 00:00:00 2001
+From: TL <1045523086@qq.com>
+Date: Wed, 15 Oct 2025 12:05:39 +0800
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fix CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Origin: https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+index 2373092b..6b507c3f 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+@@ -228,7 +228,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
+--
+2.43.0
+
diff --git a/edk2.spec b/edk2.spec
index 8f42b7a..59395f6 100644
--- a/edk2.spec
+++ b/edk2.spec
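Review bot: The corrected bound in the embedded cms_pwri.c hunk of 0123, `if (inlen < 4 + (size_t)tmp[0]) {`, carries no explanation of where the 4 comes from, and the comment under it still only reads "Invalid length value". The removed form subtracted in int before the cast, so a length byte below 4 turned into a huge size_t; a comment such as `/* tmp[0] is the claimed key length; it plus the 4 leading bytes must fit in inlen */` would keep that from being "simplified" back. The layout of tmp and the copy that consumes tmp[0] sit in the part of kek_unwrap_key() outside the hunk, so the wording should be checked against the full function. Because 0123 is a backport of the commit named in its Origin: line, the comment is probably better proposed upstream than added only here.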
@@ -7,7 +7,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 27
+Release: 28
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: https://github.com/tianocore/edk2
@@ -195,6 +195,9 @@ Patch120: 0120-OvmfPkg-HashLibCsv-Add-HashLibCsv.patch
 Patch121: 0121-OvmfPkg-CsvTcg2Dxe-Add-CsvTcg2Dxe.patch
 Patch122: 0122-OvmfPkg-OvmfPkgX64-Set-default-value-of-CC_MEASUREME.patch
+# Fix CVE-2025-9230
+patch123: 0123-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
 %ifarch x86_64
@@ -506,6 +509,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Wed Oct 22 2025 taolinghongfei - 202308-28
+- fix CVE-2025-9230
+
 * Wed Sep 03 2025 hanliyang - 202308-27
 - Support RTMR and CC Measurement on CSV3 Guest
--
Gitee
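Review bot: The tag added in the second edk2.spec hunk is spelled `patch123:` while the entries around it are `Patch121:` and `Patch122:`. rpm should accept either case, but tooling that audits applied CVE patches by matching `^Patch[0-9]+:` would miss it, so `Patch123: 0123-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch` is the safer spelling. The %prep section is not part of this diff, so it is not visible whether patches are applied automatically or listed one by one. If they are listed, 123 needs its own entry, and in either case it has to run after the bundled OpenSSL sources exist under CryptoPkg/Library/OpensslLib/openssl, otherwise the fix is declared but never built in.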